CWE-1395
Allowed-with-ReviewDependency on Vulnerable Third-Party Component
Abstraction: Class · Status: Incomplete
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
110 vulnerabilities reference this CWE, most recent first.
GHSA-7HH9-GP72-WH7H
Vulnerability from github – Published: 2025-12-17 20:55 – Updated: 2025-12-17 20:55Description
In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.
Affected product and versions
Users are affected if they meet the following preconditions:
- Applications using the Auth0 laravel-auth0 SDK with versions between 7.0.0 and 7.19.0,
- Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.
Resolution
Upgrade Auth0/laravel-auth0 to version 7.20.0 or greater.
Acknowledgement
Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "auth0/login"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.20.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-17T20:55:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Description\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.\n\n### Affected product and versions\nUsers are affected if they meet the following preconditions:\n\n- Applications using the Auth0 laravel-auth0 SDK with versions between 7.0.0 and 7.19.0,\n- Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.\n\n### Resolution\nUpgrade Auth0/laravel-auth0 to version 7.20.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.",
"id": "GHSA-7hh9-gp72-wh7h",
"modified": "2025-12-17T20:55:50Z",
"published": "2025-12-17T20:55:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h"
},
{
"type": "WEB",
"url": "https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/laravel-auth0"
},
{
"type": "WEB",
"url": "https://github.com/auth0/laravel-auth0/releases/tag/7.20.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency"
}
GHSA-7PRJ-HGX4-2XC3
Vulnerability from github – Published: 2024-12-12 19:20 – Updated: 2024-12-13 21:46A security issue was identified in the NanoProxy project related to the golang.org/x/crypto dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates.
Impact:
The specific vulnerabilities in the outdated version of golang.org/x/crypto could include authorization bypasses, data breaches, or other security risks. These vulnerabilities can be exploited by attackers to compromise the integrity, confidentiality, or availability of the system.
Resolution:
The issue has been fixed in NanoProxy by upgrading the golang.org/x/crypto dependency to version 0.31.0. Users are strongly encouraged to update their instances of NanoProxy to include this fix and ensure they are using the latest secure version of all dependencies.
Fixed Version:
* golang.org/x/crypto upgraded to version 0.31.0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ryanbekhen/nanoproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.15.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-12T19:20:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A security issue was identified in the NanoProxy project related to the `golang.org/x/crypto` dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates.\n\nImpact:\nThe specific vulnerabilities in the outdated version of `golang.org/x/crypto` could include authorization bypasses, data breaches, or other security risks. These vulnerabilities can be exploited by attackers to compromise the integrity, confidentiality, or availability of the system.\n\nResolution:\nThe issue has been fixed in NanoProxy by upgrading the `golang.org/x/crypto` dependency to version 0.31.0. Users are strongly encouraged to update their instances of NanoProxy to include this fix and ensure they are using the latest secure version of all dependencies.\n\nFixed Version:\n* `golang.org/x/crypto` upgraded to version 0.31.0.",
"id": "GHSA-7prj-hgx4-2xc3",
"modified": "2024-12-13T21:46:53Z",
"published": "2024-12-12T19:20:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ryanbekhen/nanoproxy/security/advisories/GHSA-7prj-hgx4-2xc3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45337"
},
{
"type": "PACKAGE",
"url": "https://github.com/ryanbekhen/nanoproxy"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3330"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy"
}
GHSA-94V7-WXJ6-R2Q5
Vulnerability from github – Published: 2025-05-28 21:07 – Updated: 2025-05-28 21:07Impact
- Some source-builds may be impacted by a CWE-1395 (eg. vulnerable
setuptoolsdependency). - Multicast prior to v2.0.9a3 on systems with minimal dependancies installed may use
setuptools <78.1.1and thus rely on a compromised dependency. In some cases there is a chance that source-builds would fail due to an exploit of the closely related CVE-2025-47273, or become arbitrarily modified.
Patches
- Pre-release version v2.0.9a0 and later resolve the issue by bumping requirements to
setuptools>=80.4 - Pre-release version v2.0.9a3 and later are recommended for improved stability over v2.0.9a0
Workarounds
- Further hardening in v2.0.9a4+ of the build process in CI builds allowing source builds to be verified via GH attestations.
References
- GHSA-5rjg-fvgr-3xxf
- pypa/setuptools#4946
Fixes
- https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/tests/requirements.txt#L32
- https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/docs/requirements.txt#L27
- https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/requirements.txt#L26
- https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/pyproject.toml#L2
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "multicast"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.9a0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T21:07:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n * Some source-builds may be impacted by a CWE-1395 (eg. vulnerable `setuptools` dependency).\n * Multicast prior to v2.0.9a3 on systems with minimal dependancies installed may use `setuptools \u003c78.1.1` and thus rely on a compromised dependency. In some cases there is a chance that source-builds would fail due to an exploit of the closely related CVE-2025-47273, or become arbitrarily modified.\n\n### Patches\n * Pre-release version v2.0.9a0 and later resolve the issue by bumping requirements to `setuptools\u003e=80.4`\n * Pre-release version v2.0.9a3 and later are recommended for improved stability over v2.0.9a0\n\n### Workarounds\n * Further hardening in v2.0.9a4+ of the build process in CI builds allowing source builds to be verified via GH attestations.\n\n### References\n* [GHSA-5rjg-fvgr-3xxf](https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf)\n* pypa/setuptools#4946\n\n### Fixes\n* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/tests/requirements.txt#L32\n* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/docs/requirements.txt#L27\n* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/requirements.txt#L26\n* https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/pyproject.toml#L2",
"id": "GHSA-94v7-wxj6-r2q5",
"modified": "2025-05-28T21:07:05Z",
"published": "2025-05-28T21:07:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
},
{
"type": "WEB",
"url": "https://github.com/reactive-firewall/multicast/security/advisories/GHSA-94v7-wxj6-r2q5"
},
{
"type": "WEB",
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"type": "WEB",
"url": "https://github.com/reactive-firewall/multicast/commit/c5c7c7de272421d944beca8452871bca6bfd151f"
},
{
"type": "PACKAGE",
"url": "https://github.com/reactive-firewall/multicast"
},
{
"type": "WEB",
"url": "https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/docs/requirements.txt#L27"
},
{
"type": "WEB",
"url": "https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/pyproject.toml#L2"
},
{
"type": "WEB",
"url": "https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/requirements.txt#L26"
},
{
"type": "WEB",
"url": "https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca8452871bca6bfd151f/tests/requirements.txt#L32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "multicast in source builds from vulnerable setuptools dependency"
}
GHSA-C42H-56WX-H85Q
Vulnerability from github – Published: 2025-06-06 15:20 – Updated: 2025-06-06 15:20Overview The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.
Am I Affected? You are affected by this vulnerability if you meet the following preconditions:
- Applications using laravel-auth0 SDK, versions between 7.0.0-BETA1 to 7.2.1.
- Laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.
Fix Upgrade Auth0/laravel-auth0 to the latest version (v7.17.0).
Acknowledgement Okta would like to thank Andreas Forsblom for discovering this vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.2.1"
},
"package": {
"ecosystem": "Packagist",
"name": "auth0/login"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0-BETA1"
},
{
"fixed": "7.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-06T15:20:46Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "**Overview**\nThe laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.\n\n\n**Am I Affected?**\nYou are affected by this vulnerability if you meet the following preconditions:\n\n1. Applications using laravel-auth0 SDK, versions between 7.0.0-BETA1 to 7.2.1.\n2. Laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.\n\n**Fix**\nUpgrade Auth0/laravel-auth0 to the latest version (v7.17.0).\n\n**Acknowledgement**\nOkta would like to thank Andreas Forsblom for discovering this vulnerability.",
"id": "GHSA-c42h-56wx-h85q",
"modified": "2025-06-06T15:20:47Z",
"published": "2025-06-06T15:20:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492"
},
{
"type": "WEB",
"url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q"
},
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34"
},
{
"type": "WEB",
"url": "https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48951"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/laravel-auth0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "laravel-auth0 SDK Deserialization of Untrusted Data vulnerability"
}
GHSA-C6M7-Q6PR-C64R
Vulnerability from github – Published: 2025-12-12 16:41 – Updated: 2025-12-12 16:41Impact
@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.3. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4
Patches
Upgrade immediately to @vitejs/plugin-rsc@0.5.7 or later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.6"
},
"package": {
"ecosystem": "npm",
"name": "@vitejs/plugin-rsc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-497",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-12T16:41:58Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.3. See details in React repository\u0027s advisory https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4\n\n### Patches\n\nUpgrade immediately to `@vitejs/plugin-rsc@0.5.7` or later.",
"id": "GHSA-c6m7-q6pr-c64r",
"modified": "2025-12-12T16:41:58Z",
"published": "2025-12-12T16:41:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4"
},
{
"type": "WEB",
"url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-c6m7-q6pr-c64r"
},
{
"type": "PACKAGE",
"url": "https://github.com/vitejs/vite-plugin-react"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components"
}
GHSA-CPQF-F22C-R95X
Vulnerability from github – Published: 2025-12-12 16:41 – Updated: 2025-12-12 16:41Impact
@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.3. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-7gmr-mq3h-m5h9
Patches
Upgrade immediately to @vitejs/plugin-rsc@0.5.7 or later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.6"
},
"package": {
"ecosystem": "npm",
"name": "@vitejs/plugin-rsc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-400",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-12T16:41:08Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\n`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.3. See details in React repository\u0027s advisory https://github.com/facebook/react/security/advisories/GHSA-7gmr-mq3h-m5h9\n\n### Patches\n\nUpgrade immediately to `@vitejs/plugin-rsc@0.5.7` or later.",
"id": "GHSA-cpqf-f22c-r95x",
"modified": "2025-12-12T16:41:08Z",
"published": "2025-12-12T16:41:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-cpqf-f22c-r95x"
},
{
"type": "PACKAGE",
"url": "https://github.com/vitejs/vite-plugin-react"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Vite Plugin React has a Denial of Service Vulnerability in React Server Components"
}
GHSA-F3R2-88MQ-9V4G
Vulnerability from github – Published: 2025-12-17 20:56 – Updated: 2025-12-17 20:56Description
In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.
Affected product and versions
Projects are affected if they meet the following preconditions:
- Applications using the Auth0 Symfony SDK with versions between 5.0.0 and 5.5.0
- Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.
Resolution
Upgrade Auth0/symfony to version 5.6.0 or greater.
Acknowledgement
Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.5.0"
},
"package": {
"ecosystem": "Packagist",
"name": "auth0/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-345",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-17T20:56:37Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Description\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.\n\n### Affected product and versions\nProjects are affected if they meet the following preconditions:\n\n- Applications using the Auth0 Symfony SDK with versions between 5.0.0 and 5.5.0\n- Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.\n\n### Resolution\nUpgrade Auth0/symfony to version 5.6.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.",
"id": "GHSA-f3r2-88mq-9v4g",
"modified": "2025-12-17T20:56:37Z",
"published": "2025-12-17T20:56:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g"
},
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/symfony"
},
{
"type": "WEB",
"url": "https://github.com/auth0/symfony/releases/tag/5.6.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK"
}
GHSA-F7CQ-5V43-8PWP
Vulnerability from github – Published: 2024-05-23 15:19 – Updated: 2024-05-23 15:19Impact
There is a vulnerability in GO managing malformed DNS message, which impacts Traefik. This vulnerability could be exploited to cause a denial of service.
References
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.3
- https://github.com/traefik/traefik/releases/tag/v3.0.1
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.7.34"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-23T15:19:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThere is a vulnerability in [GO managing malformed DNS message](https://groups.google.com/g/golang-announce/c/wkkO4P9stm0), which impacts Traefik.\nThis vulnerability could be exploited to cause a denial of service.\n\n### References\n\n- [CVE-2024-24788](https://www.cve.org/CVERecord?id=CVE-2024-24788)\n\n### Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.3\n- https://github.com/traefik/traefik/releases/tag/v3.0.1\n\n### Workarounds\n\nNo workaround.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
"id": "GHSA-f7cq-5v43-8pwp",
"modified": "2024-05-23T15:19:41Z",
"published": "2024-05-23T15:19:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-f7cq-5v43-8pwp"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-5fq7-4mxc-535h"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.3"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.0.1"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24788"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop"
}
GHSA-G3QJ-J598-CXMQ
Vulnerability from github – Published: 2026-03-24 19:10 – Updated: 2026-03-24 19:10Summary
fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings() — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.
The crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill.
Fixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.
Affected versions
fido2-lib <= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old cbor package — not affected.
Only affects systems where cbor-extract native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.
PoC
const { decode } = require("cbor-x");
decode(Buffer.from("7a10000000", "hex")); // exit code 139 (SIGSEGV)
CBOR text string header claiming 268MB in a 5-byte buffer. extractStrings() in extract.cpp line 87 calls readString() without bounds check. Reads past buffer into unmapped memory.
In context: attacker intercepts WebAuthn registration response, replaces attestationObject with the 5-byte payload, POSTs to the registration verification endpoint. Server calls attestationResult() → cbor-x.decode() → cbor-extract → SIGSEGV.
Fix
Bump cbor-x to >= 1.6.3 (which pulls cbor-extract >= 2.2.1).
-"cbor-x": "~1.6.0"
+"cbor-x": "^1.6.3"
— Malik X (@Xvush)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.7"
},
"package": {
"ecosystem": "npm",
"name": "fido2-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126",
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:10:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nfido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract \u003c= 2.2.0 has a heap buffer over-read in `extractStrings()` \u2014 a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.\n\nThe crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint \u2014 single request, unauthenticated, instant kill.\n\nFixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.\n\n## Affected versions\n\nfido2-lib \u003c= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old `cbor` package \u2014 not affected.\n\nOnly affects systems where `cbor-extract` native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.\n\n## PoC\n\n```js\nconst { decode } = require(\"cbor-x\");\ndecode(Buffer.from(\"7a10000000\", \"hex\")); // exit code 139 (SIGSEGV)\n```\n\nCBOR text string header claiming 268MB in a 5-byte buffer. `extractStrings()` in extract.cpp line 87 calls `readString()` without bounds check. Reads past buffer into unmapped memory.\n\nIn context: attacker intercepts WebAuthn registration response, replaces `attestationObject` with the 5-byte payload, POSTs to the registration verification endpoint. Server calls `attestationResult()` \u2192 `cbor-x.decode()` \u2192 `cbor-extract` \u2192 SIGSEGV.\n\n## Fix\n\nBump cbor-x to \u003e= 1.6.3 (which pulls cbor-extract \u003e= 2.2.1).\n\n```diff\n-\"cbor-x\": \"~1.6.0\"\n+\"cbor-x\": \"^1.6.3\"\n```\n\n\u2014 Malik X (@Xvush)",
"id": "GHSA-g3qj-j598-cxmq",
"modified": "2026-03-24T19:10:38Z",
"published": "2026-03-24T19:10:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/webauthn-open-source/fido2-lib/security/advisories/GHSA-g3qj-j598-cxmq"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/cbor-extract/issues/2"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/cbor-extract/issues/3"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/cbor-extract/commit/1f6e0d9704149bdb5531d25f5d08a0280a71e2ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/webauthn-open-source/fido2-lib"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing"
}
GHSA-G9PC-8G42-G6VQ
Vulnerability from github – Published: 2025-04-08 21:31 – Updated: 2026-05-13 16:22The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "spiral/roadrunner"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2025.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-22871"
],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-24T20:57:40Z",
"nvd_published_at": "2025-04-08T20:15:20Z",
"severity": "CRITICAL"
},
"details": "The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.",
"id": "GHSA-g9pc-8g42-g6vq",
"modified": "2026-05-13T16:22:16Z",
"published": "2025-04-08T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"type": "WEB",
"url": "https://github.com/roadrunner-server/roadrunner/issues/2166"
},
{
"type": "WEB",
"url": "https://github.com/roadrunner-server/roadrunner/commit/f269279ee87d0b88127741cad1042389af7605fa"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-783943.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/roadrunner-server/roadrunner"
},
{
"type": "WEB",
"url": "https://github.com/roadrunner-server/roadrunner/releases/tag/v2025.1.0"
},
{
"type": "WEB",
"url": "https://go.dev/cl/652998"
},
{
"type": "WEB",
"url": "https://go.dev/issue/71988"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3563"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/04/04/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency"
}
Mitigation
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Mitigation
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Mitigation
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Mitigation
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Mitigation
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
No CAPEC attack patterns related to this CWE.