CWE-134
AllowedUse of Externally-Controlled Format String
Abstraction: Base · Status: Draft
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
501 vulnerabilities reference this CWE, most recent first.
GHSA-HMPV-PVG5-4FPQ
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2025-10-22 00:32Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug leading to kernel panic.
{
"affected": [],
"aliases": [
"CVE-2021-25489"
],
"database_specific": {
"cwe_ids": [
"CWE-134",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "Assuming radio permission is gained, missing input validation in modem interface driver prior to SMR Oct-2021 Release 1 results in format string bug leading to kernel panic.",
"id": "GHSA-hmpv-pvg5-4fpq",
"modified": "2025-10-22T00:32:25Z",
"published": "2022-05-24T19:16:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25489"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2021\u0026month=10"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25489"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HP64-JG7M-F9MQ
Vulnerability from github – Published: 2022-05-02 00:05 – Updated: 2022-05-02 00:05MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b'' (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.
{
"affected": [],
"aliases": [
"CVE-2008-3963"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-09-11T01:13:00Z",
"severity": "MODERATE"
},
"details": "MySQL 5.0 before 5.0.66, 5.1 before 5.1.26, and 6.0 before 6.0.6 does not properly handle a b\u0027\u0027 (b single-quote single-quote) token, aka an empty bit-string literal, which allows remote attackers to cause a denial of service (daemon crash) by using this token in a SQL statement.",
"id": "GHSA-hp64-jg7m-f9mq",
"modified": "2022-05-02T00:05:26Z",
"published": "2022-05-02T00:05:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3963"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/237166"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45042"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10521"
},
{
"type": "WEB",
"url": "http://bugs.mysql.com/bug.php?id=35658"
},
{
"type": "WEB",
"url": "http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-66.html"
},
{
"type": "WEB",
"url": "http://dev.mysql.com/doc/refman/5.1/en/news-5-1-26.html"
},
{
"type": "WEB",
"url": "http://dev.mysql.com/doc/refman/6.0/en/news-6-0-6.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31769"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32759"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32769"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/34907"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/36566"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2009/dsa-1783"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:094"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/7"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2009-1067.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2009-1289.html"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1020858"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1397-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-671-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/2554"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HPHW-V67P-V2G2
Vulnerability from github – Published: 2025-09-22 18:30 – Updated: 2025-09-22 18:30IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source.
{
"affected": [],
"aliases": [
"CVE-2025-36202"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T16:15:43Z",
"severity": "HIGH"
},
"details": "IBM webMethods Integration 10.15 and 11.1 could allow an authenticated user with required execute Services to execute commands on the system due to the improper validation of format string strings passed as an argument from an external source.",
"id": "GHSA-hphw-v67p-v2g2",
"modified": "2025-09-22T18:30:36Z",
"published": "2025-09-22T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36202"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7245720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HPVQ-MG46-42WP
Vulnerability from github – Published: 2022-05-01 06:53 – Updated: 2022-05-01 06:53Multiple format string vulnerabilities in Empire Server before 4.3.1 allow attackers to cause a denial of service (crash) via the (1) load, (2) spy and (3) bomb functions.
{
"affected": [],
"aliases": [
"CVE-2006-1840"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-04-19T16:06:00Z",
"severity": "MODERATE"
},
"details": "Multiple format string vulnerabilities in Empire Server before 4.3.1 allow attackers to cause a denial of service (crash) via the (1) load, (2) spy and (3) bomb functions.",
"id": "GHSA-hpvq-mg46-42wp",
"modified": "2022-05-01T06:53:17Z",
"published": "2022-05-01T06:53:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-1840"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/25863"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/19674"
},
{
"type": "WEB",
"url": "http://sourceforge.net/project/shownotes.php?release_id=410001\u0026group_id=24031"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/24700"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/17585"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2006/1380"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HR7H-RPPP-W8X4
Vulnerability from github – Published: 2022-05-17 01:52 – Updated: 2022-05-17 01:52Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.
{
"affected": [],
"aliases": [
"CVE-2011-4357"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-12-10T17:55:00Z",
"severity": "HIGH"
},
"details": "Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.",
"id": "GHSA-hr7h-rppp-w8x4",
"modified": "2022-05-17T01:52:07Z",
"published": "2022-05-17T01:52:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4357"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71599"
},
{
"type": "WEB",
"url": "http://code.google.com/p/clearsilver/source/detail?r=919"
},
{
"type": "WEB",
"url": "http://osvdb.org/77419"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/47016"
},
{
"type": "WEB",
"url": "http://tech.groups.yahoo.com/group/ClearSilver/message/1422"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2011/dsa-2355"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/11/27/1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HRFH-7J5F-8CCR
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2025-04-02 23:10Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "RabbitMQ"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0"
},
{
"fixed": "3.7.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Hex",
"name": "RabbitMQ"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0"
},
{
"fixed": "3.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Hex",
"name": "RabbitMQ"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Hex",
"name": "RabbitMQ"
},
"ranges": [
{
"events": [
{
"introduced": "1.17.0"
},
{
"fixed": "1.17.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-11287"
],
"database_specific": {
"cwe_ids": [
"CWE-134",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-01T11:48:49Z",
"nvd_published_at": "2019-11-23T00:15:00Z",
"severity": "HIGH"
},
"details": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.",
"id": "GHSA-hrfh-7j5f-8ccr",
"modified": "2025-04-02T23:10:37Z",
"published": "2022-05-24T17:01:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11287"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0078"
},
{
"type": "WEB",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
},
{
"type": "PACKAGE",
"url": "https://github.com/rabbitmq/rabbitmq-server"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2019-11287"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Pivotal RabbitMQ is vulnerable to a denial of service attack"
}
GHSA-HVH3-476H-JJ48
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow an attacker to escalate its privileges via specially crafted requests.
{
"affected": [],
"aliases": [
"CVE-2025-68648"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T18:18:00Z",
"severity": "HIGH"
},
"details": "A use of externally-controlled format string vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow an attacker to escalate its privileges via specially crafted requests.",
"id": "GHSA-hvh3-476h-jj48",
"modified": "2026-03-10T18:31:18Z",
"published": "2026-03-10T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68648"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-092"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HW76-48P4-4G5C
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47The Bluetooth stack on the BMW 330i 2011 allows a remote crash of the CD/Multimedia software via %x or %c format string specifiers in a device name.
{
"affected": [],
"aliases": [
"CVE-2017-9212"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-23T14:29:00Z",
"severity": "HIGH"
},
"details": "The Bluetooth stack on the BMW 330i 2011 allows a remote crash of the CD/Multimedia software via %x or %c format string specifiers in a device name.",
"id": "GHSA-hw76-48p4-4g5c",
"modified": "2022-05-13T01:47:50Z",
"published": "2022-05-13T01:47:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9212"
},
{
"type": "WEB",
"url": "https://twitter.com/__Obzy__/status/864704956116254720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWPJ-2V36-69R4
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:36Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter.
{
"affected": [],
"aliases": [
"CVE-2018-14713"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-13T13:29:00Z",
"severity": "HIGH"
},
"details": "Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version 3.0.0.4.382.50010 allows attackers to read arbitrary sections of memory and CPU registers via the \"hook\" URL parameter.",
"id": "GHSA-hwpj-2v36-69r4",
"modified": "2024-04-04T00:36:20Z",
"published": "2022-05-24T16:45:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14713"
},
{
"type": "WEB",
"url": "https://blog.securityevaluators.com/asus-routers-overflow-with-vulnerabilities-b111bc1c8eb8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HXG7-68HM-96PC
Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-27 19:00Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities.This vulnerability arises from format string injection via controlURL XML tag, as used within the DoUpdateUPnPbyService action handler.
{
"affected": [],
"aliases": [
"CVE-2022-35879"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-25T17:15:00Z",
"severity": "HIGH"
},
"details": "Four format string injection vulnerabilities exist in the UPnP logging functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. A specially-crafted UPnP negotiation can lead to memory corruption, information disclosure, and denial of service. An attacker can host a malicious UPnP service to trigger these vulnerabilities.This vulnerability arises from format string injection via `controlURL` XML tag, as used within the `DoUpdateUPnPbyService` action handler.",
"id": "GHSA-hxg7-68hm-96pc",
"modified": "2022-10-27T19:00:32Z",
"published": "2022-10-25T19:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35879"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1583"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that is not subject to this flaw.
Mitigation
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Mitigation
Run compilers and linkers with high warning levels, since they may detect incorrect usage.
CAPEC-135: Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.