Common Weakness Enumeration

CWE-1395

Allowed-with-Review

Dependency on Vulnerable Third-Party Component

Abstraction: Class · Status: Incomplete

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

110 vulnerabilities reference this CWE, most recent first.

GHSA-7HH9-GP72-WH7H

Vulnerability from github – Published: 2025-12-17 20:55 – Updated: 2025-12-17 20:55
VLAI
Summary
Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency
Details

Description

In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

Affected product and versions

Users are affected if they meet the following preconditions:

  • Applications using the Auth0 laravel-auth0 SDK with versions between 7.0.0 and 7.19.0,
  • Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.

Resolution

Upgrade Auth0/laravel-auth0 to version 7.20.0 or greater.

Acknowledgement

Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "auth0/login"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-17T20:55:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Description\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.\n\n### Affected product and versions\nUsers are affected if they meet the following preconditions:\n\n- Applications using the Auth0 laravel-auth0 SDK with versions between 7.0.0 and 7.19.0,\n- Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.\n\n### Resolution\nUpgrade Auth0/laravel-auth0 to version 7.20.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.",
  "id": "GHSA-7hh9-gp72-wh7h",
  "modified": "2025-12-17T20:55:50Z",
  "published": "2025-12-17T20:55:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/auth0/laravel-auth0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/laravel-auth0/releases/tag/7.20.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency"
}

GHSA-7PRJ-HGX4-2XC3

Vulnerability from github – Published: 2024-12-12 19:20 – Updated: 2024-12-13 21:46
VLAI
Summary
Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy
Details

A security issue was identified in the NanoProxy project related to the golang.org/x/crypto dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates.

Impact: The specific vulnerabilities in the outdated version of golang.org/x/crypto could include authorization bypasses, data breaches, or other security risks. These vulnerabilities can be exploited by attackers to compromise the integrity, confidentiality, or availability of the system.

Resolution: The issue has been fixed in NanoProxy by upgrading the golang.org/x/crypto dependency to version 0.31.0. Users are strongly encouraged to update their instances of NanoProxy to include this fix and ensure they are using the latest secure version of all dependencies.

Fixed Version: * golang.org/x/crypto upgraded to version 0.31.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ryanbekhen/nanoproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-12T19:20:26Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A security issue was identified in the NanoProxy project related to the `golang.org/x/crypto` dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates.\n\nImpact:\nThe specific vulnerabilities in the outdated version of `golang.org/x/crypto` could include authorization bypasses, data breaches, or other security risks. These vulnerabilities can be exploited by attackers to compromise the integrity, confidentiality, or availability of the system.\n\nResolution:\nThe issue has been fixed in NanoProxy by upgrading the `golang.org/x/crypto` dependency to version 0.31.0. Users are strongly encouraged to update their instances of NanoProxy to include this fix and ensure they are using the latest secure version of all dependencies.\n\nFixed Version:\n* `golang.org/x/crypto` upgraded to version 0.31.0.",
  "id": "GHSA-7prj-hgx4-2xc3",
  "modified": "2024-12-13T21:46:53Z",
  "published": "2024-12-12T19:20:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ryanbekhen/nanoproxy/security/advisories/GHSA-7prj-hgx4-2xc3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45337"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ryanbekhen/nanoproxy"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3330"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy"
}

GHSA-94V7-WXJ6-R2Q5

Vulnerability from github – Published: 2025-05-28 21:07 – Updated: 2025-05-28 21:07
VLAI
Summary
multicast in source builds from vulnerable setuptools dependency
Details

Impact

  • Some source-builds may be impacted by a CWE-1395 (eg. vulnerable setuptools dependency).
  • Multicast prior to v2.0.9a3 on systems with minimal dependancies installed may use setuptools <78.1.1 and thus rely on a compromised dependency. In some cases there is a chance that source-builds would fail due to an exploit of the closely related CVE-2025-47273, or become arbitrarily modified.

Patches

  • Pre-release version v2.0.9a0 and later resolve the issue by bumping requirements to setuptools>=80.4
  • Pre-release version v2.0.9a3 and later are recommended for improved stability over v2.0.9a0

Workarounds

  • Further hardening in v2.0.9a4+ of the build process in CI builds allowing source builds to be verified via GH attestations.

References

Fixes

  • https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/tests/requirements.txt#L32
  • https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/docs/requirements.txt#L27
  • https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/requirements.txt#L26
  • https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/pyproject.toml#L2
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "multicast"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.9a0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T21:07:05Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n * Some source-builds may be impacted by a CWE-1395 (eg. vulnerable `setuptools` dependency).\n   * Multicast prior to v2.0.9a3 on systems with minimal dependancies installed may use `setuptools \u003c78.1.1` and thus rely on a compromised dependency. In some cases there is a chance that source-builds would fail due to an exploit of the closely related CVE-2025-47273, or become arbitrarily modified.\n\n### Patches\n * Pre-release version v2.0.9a0 and later resolve the issue by bumping requirements to `setuptools\u003e=80.4`\n   * Pre-release version v2.0.9a3 and later are recommended for improved stability over v2.0.9a0\n\n### Workarounds\n * Further hardening in v2.0.9a4+ of the build process in CI builds allowing source builds to be verified via GH attestations.\n\n### References\n* [GHSA-5rjg-fvgr-3xxf](https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf)\n* pypa/setuptools#4946\n\n### Fixes\n* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/tests/requirements.txt#L32\n* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/docs/requirements.txt#L27\n* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/requirements.txt#L26\n* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/pyproject.toml#L2",
  "id": "GHSA-94v7-wxj6-r2q5",
  "modified": "2025-05-28T21:07:05Z",
  "published": "2025-05-28T21:07:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactive-firewall/multicast/security/advisories/GHSA-94v7-wxj6-r2q5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/setuptools/issues/4946"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactive-firewall/multicast/commit/c5c7c7de272421d944beca8452871bca6bfd151f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/reactive-firewall/multicast"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/docs/requirements.txt#L27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/pyproject.toml#L2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/requirements.txt#L26"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/tests/requirements.txt#L32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "multicast in source builds from vulnerable setuptools dependency"
}

GHSA-C42H-56WX-H85Q

Vulnerability from github – Published: 2025-06-06 15:20 – Updated: 2025-06-06 15:20
VLAI
Summary
laravel-auth0 SDK Deserialization of Untrusted Data vulnerability
Details

Overview The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.

Am I Affected? You are affected by this vulnerability if you meet the following preconditions:

  1. Applications using laravel-auth0 SDK, versions between 7.0.0-BETA1 to 7.2.1.
  2. Laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.

Fix Upgrade Auth0/laravel-auth0 to the latest version (v7.17.0).

Acknowledgement Okta would like to thank Andreas Forsblom for discovering this vulnerability.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.2.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "auth0/login"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0-BETA1"
            },
            {
              "fixed": "7.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-06T15:20:46Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "**Overview**\nThe laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.\n\n\n**Am I Affected?**\nYou are affected by this vulnerability if you meet the following preconditions:\n\n1. Applications using laravel-auth0 SDK, versions between 7.0.0-BETA1 to 7.2.1.\n2. Laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.\n\n**Fix**\nUpgrade Auth0/laravel-auth0 to the latest version (v7.17.0).\n\n**Acknowledgement**\nOkta would like to thank Andreas Forsblom for discovering this vulnerability.",
  "id": "GHSA-c42h-56wx-h85q",
  "modified": "2025-06-06T15:20:47Z",
  "published": "2025-06-06T15:20:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48951"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/auth0/laravel-auth0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "laravel-auth0 SDK Deserialization of Untrusted Data vulnerability"
}

GHSA-C6M7-Q6PR-C64R

Vulnerability from github – Published: 2025-12-12 16:41 – Updated: 2025-12-12 16:41
VLAI
Summary
Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components
Details

Impact

@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.3. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4

Patches

Upgrade immediately to @vitejs/plugin-rsc@0.5.7 or later.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@vitejs/plugin-rsc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-497",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-12T16:41:58Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.3. See details in React repository\u0027s advisory https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4\n\n### Patches\n\nUpgrade immediately to `@vitejs/plugin-rsc@0.5.7` or later.",
  "id": "GHSA-c6m7-q6pr-c64r",
  "modified": "2025-12-12T16:41:58Z",
  "published": "2025-12-12T16:41:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-c6m7-q6pr-c64r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vitejs/vite-plugin-react"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components"
}

GHSA-CPQF-F22C-R95X

Vulnerability from github – Published: 2025-12-12 16:41 – Updated: 2025-12-12 16:41
VLAI
Summary
Vite Plugin React has a Denial of Service Vulnerability in React Server Components
Details

Impact

@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.3. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-7gmr-mq3h-m5h9

Patches

Upgrade immediately to @vitejs/plugin-rsc@0.5.7 or later.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@vitejs/plugin-rsc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-400",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-12T16:41:08Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\n`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.3. See details in React repository\u0027s advisory https://github.com/facebook/react/security/advisories/GHSA-7gmr-mq3h-m5h9\n\n### Patches\n\nUpgrade immediately to `@vitejs/plugin-rsc@0.5.7` or later.",
  "id": "GHSA-cpqf-f22c-r95x",
  "modified": "2025-12-12T16:41:08Z",
  "published": "2025-12-12T16:41:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-cpqf-f22c-r95x"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vitejs/vite-plugin-react"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vite Plugin React has a Denial of Service Vulnerability in React Server Components"
}

GHSA-F3R2-88MQ-9V4G

Vulnerability from github – Published: 2025-12-17 20:56 – Updated: 2025-12-17 20:56
VLAI
Summary
Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK
Details

Description

In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

Affected product and versions

Projects are affected if they meet the following preconditions:

  • Applications using the Auth0 Symfony SDK with versions between 5.0.0 and 5.5.0
  • Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.

Resolution

Upgrade Auth0/symfony to version 5.6.0 or greater.

Acknowledgement

Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.5.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "auth0/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-345",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-17T20:56:37Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Description\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.\n\n### Affected product and versions\nProjects are affected if they meet the following preconditions:\n\n- Applications using the Auth0 Symfony SDK with versions between 5.0.0 and 5.5.0\n- Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.\n\n### Resolution\nUpgrade Auth0/symfony to version 5.6.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.",
  "id": "GHSA-f3r2-88mq-9v4g",
  "modified": "2025-12-17T20:56:37Z",
  "published": "2025-12-17T20:56:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/auth0/symfony"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/symfony/releases/tag/5.6.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK"
}

GHSA-F7CQ-5V43-8PWP

Vulnerability from github – Published: 2024-05-23 15:19 – Updated: 2024-05-23 15:19
VLAI
Summary
Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop
Details

Impact

There is a vulnerability in GO managing malformed DNS message, which impacts Traefik. This vulnerability could be exploited to cause a denial of service.

References

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.3
  • https://github.com/traefik/traefik/releases/tag/v3.0.1

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-23T15:19:41Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThere is a vulnerability in [GO managing malformed DNS message](https://groups.google.com/g/golang-announce/c/wkkO4P9stm0), which impacts Traefik.\nThis vulnerability could be exploited to cause a denial of service.\n\n### References\n\n- [CVE-2024-24788](https://www.cve.org/CVERecord?id=CVE-2024-24788)\n\n### Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.3\n- https://github.com/traefik/traefik/releases/tag/v3.0.1\n\n### Workarounds\n\nNo workaround.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
  "id": "GHSA-f7cq-5v43-8pwp",
  "modified": "2024-05-23T15:19:41Z",
  "published": "2024-05-23T15:19:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-f7cq-5v43-8pwp"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-5fq7-4mxc-535h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.0.1"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24788"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop"
}

GHSA-G3QJ-J598-CXMQ

Vulnerability from github – Published: 2026-03-24 19:10 – Updated: 2026-03-24 19:10
VLAI
Summary
fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing
Details

Summary

fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings() — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.

The crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill.

Fixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.

Affected versions

fido2-lib <= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old cbor package — not affected.

Only affects systems where cbor-extract native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.

PoC

const { decode } = require("cbor-x");
decode(Buffer.from("7a10000000", "hex")); // exit code 139 (SIGSEGV)

CBOR text string header claiming 268MB in a 5-byte buffer. extractStrings() in extract.cpp line 87 calls readString() without bounds check. Reads past buffer into unmapped memory.

In context: attacker intercepts WebAuthn registration response, replaces attestationObject with the 5-byte payload, POSTs to the registration verification endpoint. Server calls attestationResult()cbor-x.decode()cbor-extract → SIGSEGV.

Fix

Bump cbor-x to >= 1.6.3 (which pulls cbor-extract >= 2.2.1).

-"cbor-x": "~1.6.0"
+"cbor-x": "^1.6.3"

— Malik X (@Xvush)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.5.7"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fido2-lib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-126",
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T19:10:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nfido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract \u003c= 2.2.0 has a heap buffer over-read in `extractStrings()` \u2014 a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.\n\nThe crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint \u2014 single request, unauthenticated, instant kill.\n\nFixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.\n\n## Affected versions\n\nfido2-lib \u003c= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old `cbor` package \u2014 not affected.\n\nOnly affects systems where `cbor-extract` native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.\n\n## PoC\n\n```js\nconst { decode } = require(\"cbor-x\");\ndecode(Buffer.from(\"7a10000000\", \"hex\")); // exit code 139 (SIGSEGV)\n```\n\nCBOR text string header claiming 268MB in a 5-byte buffer. `extractStrings()` in extract.cpp line 87 calls `readString()` without bounds check. Reads past buffer into unmapped memory.\n\nIn context: attacker intercepts WebAuthn registration response, replaces `attestationObject` with the 5-byte payload, POSTs to the registration verification endpoint. Server calls `attestationResult()` \u2192 `cbor-x.decode()` \u2192 `cbor-extract` \u2192 SIGSEGV.\n\n## Fix\n\nBump cbor-x to \u003e= 1.6.3 (which pulls cbor-extract \u003e= 2.2.1).\n\n```diff\n-\"cbor-x\": \"~1.6.0\"\n+\"cbor-x\": \"^1.6.3\"\n```\n\n\u2014 Malik X (@Xvush)",
  "id": "GHSA-g3qj-j598-cxmq",
  "modified": "2026-03-24T19:10:38Z",
  "published": "2026-03-24T19:10:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/webauthn-open-source/fido2-lib/security/advisories/GHSA-g3qj-j598-cxmq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kriszyp/cbor-extract/issues/2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kriszyp/cbor-extract/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kriszyp/cbor-extract/commit/1f6e0d9704149bdb5531d25f5d08a0280a71e2ca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/webauthn-open-source/fido2-lib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing"
}

GHSA-G9PC-8G42-G6VQ

Vulnerability from github – Published: 2025-04-08 21:31 – Updated: 2026-05-13 16:22
VLAI
Summary
RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
Details

The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "spiral/roadrunner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2025.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-22871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-24T20:57:40Z",
    "nvd_published_at": "2025-04-08T20:15:20Z",
    "severity": "CRITICAL"
  },
  "details": "The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.",
  "id": "GHSA-g9pc-8g42-g6vq",
  "modified": "2026-05-13T16:22:16Z",
  "published": "2025-04-08T21:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roadrunner-server/roadrunner/issues/2166"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roadrunner-server/roadrunner/commit/f269279ee87d0b88127741cad1042389af7605fa"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-783943.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/roadrunner-server/roadrunner"
    },
    {
      "type": "WEB",
      "url": "https://github.com/roadrunner-server/roadrunner/releases/tag/v2025.1.0"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/652998"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/71988"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3563"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/04/04/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency"
}

Mitigation
Requirements Policy

In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.

Mitigation
Requirements

Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].

Mitigation
Architecture and Design Implementation Integration Manufacturing

Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."

Mitigation
Operation Patching and Maintenance

Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.

Mitigation
Operation Patching and Maintenance

Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.

No CAPEC attack patterns related to this CWE.