CWE-178
AllowedImproper Handling of Case Sensitivity
Abstraction: Base · Status: Incomplete
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
136 vulnerabilities reference this CWE, most recent first.
GHSA-M654-769V-QJV7
Vulnerability from github – Published: 2025-12-10 20:11 – Updated: 2025-12-11 15:51Security Advisory: Unauthorized permission elevation through specially crafted request path
Summary: A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain configurations.
Impact: In affected configurations, an unauthenticated or unauthorized request could retrieve data from endpoints that should be protected.
Affected versions: <= 3.5.6 <= 4.4.2
Fixed in: 3.5.7 4.4.3
Mitigation / Workarounds: Upgrade to 3.5.7 or later.
Disclosure timeline: Discovered 2025-05-22; fixed 2025-05-30; publicly disclosed 2025-12.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "formio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "formio"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-rc.1"
},
{
"fixed": "4.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67718"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-10T20:11:40Z",
"nvd_published_at": "2025-12-11T01:16:01Z",
"severity": "HIGH"
},
"details": "# Security Advisory: Unauthorized permission elevation through specially crafted request path\n\n**Summary:** A flaw in path handling could allow an attacker to access protected API endpoints by sending a crafted request path. This issue could result in unauthorized data disclosure under certain configurations.\n\n**Impact:** In affected configurations, an unauthenticated or unauthorized request could retrieve data from endpoints that should be protected.\n\n**Affected versions:** \n\u003c= 3.5.6\n\u003c= 4.4.2\n\n**Fixed in:** \n3.5.7\n4.4.3\n\n**Mitigation / Workarounds:** \nUpgrade to 3.5.7 or later. \n\n**Disclosure timeline:** \nDiscovered 2025-05-22; fixed 2025-05-30; publicly disclosed 2025-12.",
"id": "GHSA-m654-769v-qjv7",
"modified": "2025-12-11T15:51:30Z",
"published": "2025-12-10T20:11:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/formio/formio/security/advisories/GHSA-m654-769v-qjv7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67718"
},
{
"type": "WEB",
"url": "https://github.com/formio/formio/commit/1665b7c99e3cf3246db7ff0b4ff732231dc6903b"
},
{
"type": "WEB",
"url": "https://github.com/formio/formio/commit/1836bdd9f55f5888ff397c257b2108c09d3de478"
},
{
"type": "PACKAGE",
"url": "https://github.com/formio/formio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Formio improperly authorized permission elevation through specially crafted request path"
}
GHSA-M65M-XRGM-J736
Vulnerability from github – Published: 2022-05-01 01:48 – Updated: 2024-02-02 03:30The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.
{
"affected": [],
"aliases": [
"CVE-2005-0269"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-05-02T04:00:00Z",
"severity": "HIGH"
},
"details": "The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.",
"id": "GHSA-m65m-xrgm-j736",
"modified": "2024-02-02T03:30:30Z",
"published": "2022-05-01T01:48:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-0269"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/18729"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=110477648219738\u0026w=2"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/13711"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/12149"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M675-2P33-XV9G
Vulnerability from github – Published: 2026-05-18 13:40 – Updated: 2026-05-18 13:40Summary
The FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw.
This function was adapted from FrankenPHP's code (see the source comment) and inherits the same bugs. Both were originally reported against FrankenPHP by @KC1zs4 as GHSA-3g8v-8r37-cgjm (which absorbed the duplicate GHSA-v4h7-cj44-8fc8). Credit for finding the underlying flaws belongs to @KC1zs4.
Details
var splitSearchNonASCII = search.New(language.Und, search.IgnoreCase)
func (t Transport) splitPos(path string) int {
if len(t.SplitPath) == 0 {
return 0
}
pathLen := len(path)
for _, split := range t.SplitPath {
splitLen := len(split)
for i := range pathLen {
if path[i] >= utf8.RuneSelf {
if _, end := splitSearchNonASCII.IndexString(path, split); end > -1 {
return end
}
break
}
if i+splitLen > pathLen {
continue
}
match := true
for j := range splitLen {
c := path[i+j]
if c >= utf8.RuneSelf {
if _, end := splitSearchNonASCII.IndexString(path, split); end > -1 {
return end
}
break // <-- flaw 1: 'match' is still true
}
if 'A' <= c && c <= 'Z' {
c += 'a' - 'A'
}
if c != split[j] {
match = false
break
}
}
if match {
return i + splitLen
}
}
}
return -1
}
Flaw 1 — Control-flow: stale match after inner non-ASCII fallback
In the inner for j loop, when a byte satisfies c >= utf8.RuneSelf and splitSearchNonASCII.IndexString(...) returns -1, the loop breaks without setting match = false. The outer code then evaluates if match { return i + splitLen } with match still true, returning a position as if the configured extension had been matched. The script-name suffix actually present at that offset is whatever bytes the attacker chose, so a file named name.<U+00A1>.txt gets routed as PHP.
Flaw 2 — Unicode equivalence: search.IgnoreCase folds non-ASCII lookalikes onto ASCII
search.New(language.Und, search.IgnoreCase) performs Unicode equivalence matching (compatibility decomposition + case folding), which goes far beyond the ASCII-only case folding the surrounding code is built for. Many code points fold onto ASCII ., p, h, p, so a path containing ﹒php, .php, .php, .ⓟⓗⓟ, .𝗽𝗵𝗽, .𝓅𝒽𝓅, .𝖕𝖍𝖕, etc. is reported as .php.
Both flaws share the same root cause: invoking search.IgnoreCase to match an ASCII-only, validated-lower-case SplitPath entry against an arbitrary path. Provision() already guarantees every entry is ASCII and lower-cased, so any byte >= utf8.RuneSelf in the path can never be part of a legitimate match — but the fallback ignored that guarantee.
PoC
Run against a Caddy build serving FastCGI to PHP-FPM (or any FastCGI app where script lookup is gated by split_path). Caddyfile:
:8080 {
root * /app/public
php_fastcgi unix//run/php/php-fpm.sock
}
Place attacker-controlled files in /app/public:
/app/public/poc-match-unset.\xc2\xa1.—<?php echo "marker=flaw1\n";/app/public/poc-search-norm.𝗽𝗵𝗽—<?php echo "marker=flaw2\n";
Trigger:
# baseline (correctly NOT routed to PHP)
curl -i --path-as-is "http://127.0.0.1:8080/poc-match-unset.txt/trigger"
curl -i --path-as-is "http://127.0.0.1:8080/poc-search-norm/trigger"
# flaw 1 — the .¡.txt file ends up as SCRIPT_FILENAME
curl -i --path-as-is "http://127.0.0.1:8080/poc-match-unset.%C2%A1.txt/trigger"
# flaw 2 — the .𝗽𝗵𝗽 file ends up as SCRIPT_FILENAME
curl -i --path-as-is "http://127.0.0.1:8080/poc-search-norm.%F0%9D%97%BD%F0%9D%97%B5%F0%9D%97%BD.anything-after-payload.php/trigger"
Both crafted requests respond with the marker payload from the non-.php file, confirming arbitrary code execution through the body of attacker-controlled files.
A standalone reproducer of splitPos() in isolation (no Caddy build needed) is included in GHSA-3g8v-8r37-cgjm; the function in this module is the same logic, so the same payloads apply.
Impact
Comparable to the previous FastCGI split_path issue (GHSA-g966-83w7-6w38 / CVE-2026-24895) but with a stricter precondition: the attacker needs the ability to place content into a file whose name matches one of the bypass patterns (the Unicode lookalike forms or a name containing a non-ASCII byte after a .). Where that precondition holds — common in upload endpoints, user-content stores, package mirrors — the bypass yields RCE in the FastCGI upstream via a single crafted URL, without authentication, over the network.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H — High (8.1).
Patch
Drop the golang.org/x/text/search fallback entirely and treat any byte >= utf8.RuneSelf in the path as a non-match. SplitPath entries are validated ASCII-only and lower-cased upstream, so this preserves correct behavior for every legitimate path while making the Unicode bypasses unrepresentable. The replacement is a tight byte loop with no library calls in the hot path. See fix/fastcgi-splitpos-unicode-bypass (commit 4ddad83c) for the implementation and regression tests.
Credit
Both flaws were originally found and reported by @KC1zs4 against FrankenPHP, where the offending splitPos() function was first introduced before being adapted into this module. The Caddy maintainers thank @KC1zs4 for the high-quality reports.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.10.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/caddyserver/caddy/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.11.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45135"
],
"database_specific": {
"cwe_ids": [
"CWE-176",
"CWE-178",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T13:40:58Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe FastCGI transport\u0027s `splitPos()` in [`modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go`](https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go) misuses `golang.org/x/text/search` with `search.IgnoreCase` when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy\u0027s FastCGI splitting into treating a non-`.php` (or other configured `split_path` extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw.\n\nThis function was adapted from FrankenPHP\u0027s code (see [the source comment](https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go#L429)) and inherits the same bugs. Both were originally reported against FrankenPHP by @KC1zs4 as [GHSA-3g8v-8r37-cgjm](https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm) (which absorbed the duplicate GHSA-v4h7-cj44-8fc8). Credit for finding the underlying flaws belongs to @KC1zs4.\n\n### Details\n\n```go\nvar splitSearchNonASCII = search.New(language.Und, search.IgnoreCase)\n\nfunc (t Transport) splitPos(path string) int {\n\tif len(t.SplitPath) == 0 {\n\t\treturn 0\n\t}\n\tpathLen := len(path)\n\tfor _, split := range t.SplitPath {\n\t\tsplitLen := len(split)\n\t\tfor i := range pathLen {\n\t\t\tif path[i] \u003e= utf8.RuneSelf {\n\t\t\t\tif _, end := splitSearchNonASCII.IndexString(path, split); end \u003e -1 {\n\t\t\t\t\treturn end\n\t\t\t\t}\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tif i+splitLen \u003e pathLen {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tmatch := true\n\t\t\tfor j := range splitLen {\n\t\t\t\tc := path[i+j]\n\t\t\t\tif c \u003e= utf8.RuneSelf {\n\t\t\t\t\tif _, end := splitSearchNonASCII.IndexString(path, split); end \u003e -1 {\n\t\t\t\t\t\treturn end\n\t\t\t\t\t}\n\t\t\t\t\tbreak // \u003c-- flaw 1: \u0027match\u0027 is still true\n\t\t\t\t}\n\t\t\t\tif \u0027A\u0027 \u003c= c \u0026\u0026 c \u003c= \u0027Z\u0027 {\n\t\t\t\t\tc += \u0027a\u0027 - \u0027A\u0027\n\t\t\t\t}\n\t\t\t\tif c != split[j] {\n\t\t\t\t\tmatch = false\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\tif match {\n\t\t\t\treturn i + splitLen\n\t\t\t}\n\t\t}\n\t}\n\treturn -1\n}\n```\n\n#### Flaw 1 \u2014 Control-flow: stale `match` after inner non-ASCII fallback\n\nIn the inner `for j` loop, when a byte satisfies `c \u003e= utf8.RuneSelf` and `splitSearchNonASCII.IndexString(...)` returns `-1`, the loop `break`s without setting `match = false`. The outer code then evaluates `if match { return i + splitLen }` with `match` still `true`, returning a position as if the configured extension had been matched. The script-name suffix actually present at that offset is whatever bytes the attacker chose, so a file named `name.\u003cU+00A1\u003e.txt` gets routed as PHP.\n\n#### Flaw 2 \u2014 Unicode equivalence: `search.IgnoreCase` folds non-ASCII lookalikes onto ASCII\n\n`search.New(language.Und, search.IgnoreCase)` performs Unicode equivalence matching (compatibility decomposition + case folding), which goes far beyond the ASCII-only case folding the surrounding code is built for. Many code points fold onto ASCII `.`, `p`, `h`, `p`, so a path containing `\ufe52php`, `\uff0ephp`, `.\uff50hp`, `.\u24df\u24d7\u24df`, `.\ud835\uddfd\ud835\uddf5\ud835\uddfd`, `.\ud835\udcc5\ud835\udcbd\ud835\udcc5`, `.\ud835\udd95\ud835\udd8d\ud835\udd95`, etc. is reported as `.php`.\n\nBoth flaws share the same root cause: invoking `search.IgnoreCase` to match an ASCII-only, validated-lower-case `SplitPath` entry against an arbitrary path. `Provision()` already guarantees every entry is ASCII and lower-cased, so any byte `\u003e= utf8.RuneSelf` in the path can never be part of a legitimate match \u2014 but the fallback ignored that guarantee.\n\n### PoC\n\nRun against a Caddy build serving FastCGI to PHP-FPM (or any FastCGI app where script lookup is gated by `split_path`). Caddyfile:\n\n```text\n:8080 {\n root * /app/public\n php_fastcgi unix//run/php/php-fpm.sock\n}\n```\n\nPlace attacker-controlled files in `/app/public`:\n\n- `/app/public/poc-match-unset.\\xc2\\xa1.` \u2014 `\u003c?php echo \"marker=flaw1\\n\";`\n- `/app/public/poc-search-norm.\ud835\uddfd\ud835\uddf5\ud835\uddfd` \u2014 `\u003c?php echo \"marker=flaw2\\n\";`\n\nTrigger:\n\n```bash\n# baseline (correctly NOT routed to PHP)\ncurl -i --path-as-is \"http://127.0.0.1:8080/poc-match-unset.txt/trigger\"\ncurl -i --path-as-is \"http://127.0.0.1:8080/poc-search-norm/trigger\"\n\n# flaw 1 \u2014 the .\u00a1.txt file ends up as SCRIPT_FILENAME\ncurl -i --path-as-is \"http://127.0.0.1:8080/poc-match-unset.%C2%A1.txt/trigger\"\n\n# flaw 2 \u2014 the .\ud835\uddfd\ud835\uddf5\ud835\uddfd file ends up as SCRIPT_FILENAME\ncurl -i --path-as-is \"http://127.0.0.1:8080/poc-search-norm.%F0%9D%97%BD%F0%9D%97%B5%F0%9D%97%BD.anything-after-payload.php/trigger\"\n```\n\nBoth crafted requests respond with the marker payload from the non-`.php` file, confirming arbitrary code execution through the body of attacker-controlled files.\n\nA standalone reproducer of `splitPos()` in isolation (no Caddy build needed) is included in [GHSA-3g8v-8r37-cgjm](https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm); the function in this module is the same logic, so the same payloads apply.\n\n### Impact\n\nComparable to the previous FastCGI `split_path` issue ([GHSA-g966-83w7-6w38 / CVE-2026-24895](https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38)) but with a stricter precondition: the attacker needs the ability to place content into a file whose name matches one of the bypass patterns (the Unicode lookalike forms or a name containing a non-ASCII byte after a `.`). Where that precondition holds \u2014 common in upload endpoints, user-content stores, package mirrors \u2014 the bypass yields RCE in the FastCGI upstream via a single crafted URL, without authentication, over the network.\n\nCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H \u2014 High (8.1).\n\n### Patch\n\nDrop the `golang.org/x/text/search` fallback entirely and treat any byte `\u003e= utf8.RuneSelf` in the path as a non-match. `SplitPath` entries are validated ASCII-only and lower-cased upstream, so this preserves correct behavior for every legitimate path while making the Unicode bypasses unrepresentable. The replacement is a tight byte loop with no library calls in the hot path. See `fix/fastcgi-splitpos-unicode-bypass` (commit `4ddad83c`) for the implementation and regression tests.\n\n### Credit\n\nBoth flaws were originally found and reported by @KC1zs4 against FrankenPHP, where the offending `splitPos()` function was first introduced before being adapted into this module. The Caddy maintainers thank @KC1zs4 for the high-quality reports.",
"id": "GHSA-m675-2p33-xv9g",
"modified": "2026-05-18T13:40:59Z",
"published": "2026-05-18T13:40:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-m675-2p33-xv9g"
},
{
"type": "WEB",
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-3g8v-8r37-cgjm"
},
{
"type": "WEB",
"url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38"
},
{
"type": "PACKAGE",
"url": "https://github.com/caddyserver/caddy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files"
}
GHSA-MM7M-92G8-7M47
Vulnerability from github – Published: 2026-06-16 13:48 – Updated: 2026-06-16 13:48Impact
Nuxt looks up routeRules for the current navigation by calling
getRouteRules({ path: to.path }) from the page-router plugin and the
no-pages router plugin. The compiled routeRules matcher (built on
rou3) performs case-sensitive matching, while vue-router is configured
with its default sensitive: false and matches paths case-insensitively.
The two routers therefore disagree on which rules apply to a given
request path: vue-router still matches the page record for
/Admin/dashboard, but the routeRules lookup for the same path
returns no match. Any appMiddleware declared via routeRules is never
added to the middleware set and never runs, on both SSR and client
navigations. The same path skips other path-keyed route rules in the
same way (ssr, redirect, appLayout, and the prerender / payload
hints used client-side).
For applications using routeRules with appMiddleware as an
authorization gate (a documented pattern), an attacker can flip the case
of any static segment in a protected URL (for example /Admin/dashboard
instead of /admin/dashboard) to render the protected page with the
middleware skipped. The server returns the fully server-rendered page
including any useFetch / useAsyncData results captured during SSR.
This is an instance of CWE-178 (Improper Handling of Case Sensitivity)
leading to CWE-863 (Incorrect Authorization) for apps that treat
appMiddleware as an authorization boundary.
Mitigating factors
- Only affects apps that use
routeRules.appMiddleware. The more idiomaticdefinePageMeta({ middleware })is bound to the matched route record and is unaffected. - Nuxt route middleware is documented as an app-layer concern, not a server-side auth boundary; well-built apps enforce authorization again at the API / data-fetching layer.
- Apps that explicitly set
router.options.sensitive = trueare not affected.
Patches
Fixed in nuxt@4.4.7 (commit 07e39cd6) and backported to nuxt@3.21.7 (commit 3f3e3fa7). The fix normalizes the path used for routeRules lookups so it matches vue-router's default case-insensitive semantics.
Workarounds
Until you can upgrade, you can mitigate by either:
- Setting
router.options.sensitive = trueso vue-router matches case-sensitively (this changes route-matching behaviour app-wide). - Moving security-critical middleware off
routeRules.appMiddlewareand ontodefinePageMeta({ middleware: [...] })on the protected page components, which is bound to the matched record. - Enforcing authorization at the API / data-fetching layer (which you should be doing in any case).
Credit
Reported by Anthropic / Claude through Anthropic's coordinated vulnerability disclosure process. Reference: ANT-2026-9FSEBYMC.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nuxt"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "nuxt"
},
"ranges": [
{
"events": [
{
"introduced": "3.11.0"
},
{
"fixed": "3.21.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53721"
],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T13:48:31Z",
"nvd_published_at": "2026-06-12T15:16:31Z",
"severity": "HIGH"
},
"details": "## Impact\n\nNuxt looks up `routeRules` for the current navigation by calling\n`getRouteRules({ path: to.path })` from the page-router plugin and the\nno-pages router plugin. The compiled `routeRules` matcher (built on\n`rou3`) performs case-sensitive matching, while vue-router is configured\nwith its default `sensitive: false` and matches paths case-insensitively.\n\nThe two routers therefore disagree on which rules apply to a given\nrequest path: vue-router still matches the page record for\n`/Admin/dashboard`, but the `routeRules` lookup for the same path\nreturns no match. Any `appMiddleware` declared via `routeRules` is never\nadded to the middleware set and never runs, on both SSR and client\nnavigations. The same path skips other path-keyed route rules in the\nsame way (`ssr`, `redirect`, `appLayout`, and the prerender / payload\nhints used client-side).\n\nFor applications using `routeRules` with `appMiddleware` as an\nauthorization gate (a documented pattern), an attacker can flip the case\nof any static segment in a protected URL (for example `/Admin/dashboard`\ninstead of `/admin/dashboard`) to render the protected page with the\nmiddleware skipped. The server returns the fully server-rendered page\nincluding any `useFetch` / `useAsyncData` results captured during SSR.\n\nThis is an instance of CWE-178 (Improper Handling of Case Sensitivity)\nleading to CWE-863 (Incorrect Authorization) for apps that treat\n`appMiddleware` as an authorization boundary.\n\n## Mitigating factors\n\n- Only affects apps that use `routeRules.appMiddleware`. The more\n idiomatic `definePageMeta({ middleware })` is bound to the matched\n route record and is unaffected.\n- Nuxt route middleware is documented as an app-layer concern, not a\n server-side auth boundary; well-built apps enforce authorization\n again at the API / data-fetching layer.\n- Apps that explicitly set `router.options.sensitive = true` are not\n affected.\n\n## Patches\n\nFixed in `nuxt@4.4.7` (commit [`07e39cd6`](https://github.com/nuxt/nuxt/commit/07e39cd6f26e407b4192b7865bd17bc44536b9bb)) and backported to `nuxt@3.21.7` (commit [`3f3e3fa7`](https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec8e495f4f8ce0a54813a8875a11e)). The fix normalizes the path used for `routeRules` lookups so it matches vue-router\u0027s default case-insensitive semantics.\n\n## Workarounds\n\nUntil you can upgrade, you can mitigate by either:\n\n1. Setting `router.options.sensitive = true` so vue-router matches\n case-sensitively (this changes route-matching behaviour app-wide).\n2. Moving security-critical middleware off `routeRules.appMiddleware`\n and onto `definePageMeta({ middleware: [...] })` on the protected\n page components, which is bound to the matched record.\n3. Enforcing authorization at the API / data-fetching layer (which you\n should be doing in any case).\n\n## Credit\n\nReported by Anthropic / Claude through Anthropic\u0027s coordinated\nvulnerability disclosure process. Reference: ANT-2026-9FSEBYMC.",
"id": "GHSA-mm7m-92g8-7m47",
"modified": "2026-06-16T13:48:31Z",
"published": "2026-06-16T13:48:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-mm7m-92g8-7m47"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53721"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/commit/07e39cd6f26e407b4192b7865bd17bc44536b9bb"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec8e495f4f8ce0a54813a8875a11e"
},
{
"type": "PACKAGE",
"url": "https://github.com/nuxt/nuxt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher"
}
GHSA-MP9H-8RRX-27F5
Vulnerability from github – Published: 2022-04-30 18:22 – Updated: 2024-02-08 03:32Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing.
{
"affected": [],
"aliases": [
"CVE-2002-2119"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "HIGH"
},
"details": "Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing.",
"id": "GHSA-mp9h-8rrx-27f5",
"modified": "2024-02-08T03:32:43Z",
"published": "2022-04-30T18:22:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-2119"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-05/0273.html"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/9229.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/4893"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQVR-2RP8-J7H4
Vulnerability from github – Published: 2024-12-04 21:30 – Updated: 2024-12-10 16:29A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.ldap:spring-ldap-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.ldap:spring-ldap-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-38829"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-04T22:33:48Z",
"nvd_published_at": "2024-12-04T21:15:24Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0.\n\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried\nRelated to CVE-2024-38820 https://spring.io/security/cve-2024-38820",
"id": "GHSA-mqvr-2rp8-j7h4",
"modified": "2024-12-10T16:29:00Z",
"published": "2024-12-04T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38829"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-ldap"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2024-38829"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Spring LDAP data exposure vulnerability"
}
GHSA-P8XC-86CG-8CGM
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-07-30 00:00The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".
{
"affected": [],
"aliases": [
"CVE-2021-24347"
],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-14T14:15:00Z",
"severity": "HIGH"
},
"details": "The SP Project \u0026 Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension\u0027s case, for example, from \"php\" to \"pHP\".",
"id": "GHSA-p8xc-86cg-8cgm",
"modified": "2022-07-30T00:00:36Z",
"published": "2022-05-24T19:05:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24347"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/163434/WordPress-SP-Project-And-Document-Manager-4.21-Shell-Upload.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/163675/WordPress-SP-Project-And-Document-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PCQ9-M482-5R7J
Vulnerability from github – Published: 2026-04-03 21:31 – Updated: 2026-04-03 21:31prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.
{
"affected": [],
"aliases": [
"CVE-2026-22665"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T21:17:09Z",
"severity": "HIGH"
},
"details": "prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that bypass uniqueness checks. Attackers can exploit non-deterministic username resolution to impersonate victim accounts, replace profile content on canonical URLs, and inject attacker-controlled metadata and content across the platform.",
"id": "GHSA-pcq9-m482-5r7j",
"modified": "2026-04-03T21:31:42Z",
"published": "2026-04-03T21:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22665"
},
{
"type": "WEB",
"url": "https://github.com/f/prompts.chat/pull/1098"
},
{
"type": "WEB",
"url": "https://github.com/f/prompts.chat/commit/1464475df2698fb7ccd0cdbc382b0750466f891d"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/prompts-chat-identity-confusion-via-case-sensitive-username-handling"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PXQG-8RWP-Q2X2
Vulnerability from github – Published: 2026-07-04 00:31 – Updated: 2026-07-04 00:31A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. Affected is the function GatewayStreamConsumer._filter_and_accumulate of the file gateway/stream_consumer.py of the component Streaming Reasoning Tag Filter. The manipulation leads to improper handling of case sensitivity. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The project decided to not implement a dedicated fix: "[T]he analysis and the fix are both sound. It just lands below the bar for the maintenance cost of a duplicated scrub path."
{
"affected": [],
"aliases": [
"CVE-2026-14617"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T22:16:52Z",
"severity": "LOW"
},
"details": "A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. Affected is the function GatewayStreamConsumer._filter_and_accumulate of the file gateway/stream_consumer.py of the component Streaming Reasoning Tag Filter. The manipulation leads to improper handling of case sensitivity. The attack may be initiated remotely. The attack\u0027s complexity is rated as high. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The project decided to not implement a dedicated fix: \"[T]he analysis and the fix are both sound. It just lands below the bar for the maintenance cost of a duplicated scrub path.\"",
"id": "GHSA-pxqg-8rwp-q2x2",
"modified": "2026-07-04T00:31:23Z",
"published": "2026-07-04T00:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14617"
},
{
"type": "WEB",
"url": "https://github.com/NousResearch/hermes-agent/issues/27288"
},
{
"type": "WEB",
"url": "https://github.com/NousResearch/hermes-agent/pull/28631#issuecomment-4622188016"
},
{
"type": "WEB",
"url": "https://gist.github.com/YLChen-007/2229e5505bcbb3e15a7ae8fba4c4be37"
},
{
"type": "WEB",
"url": "https://github.com/NousResearch/hermes-agent"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-14617"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/844654"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376134"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/376134/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q534-42FM-GQR8
Vulnerability from github – Published: 2022-05-01 18:13 – Updated: 2024-02-08 03:32MyServer 0.8.9 and earlier does not properly handle uppercase characters in filename extensions, which allows remote attackers to obtain sensitive information (script source code) via a modified extension, as demonstrated by post.mscgI.
{
"affected": [],
"aliases": [
"CVE-2007-3365"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-06-22T18:30:00Z",
"severity": "HIGH"
},
"details": "MyServer 0.8.9 and earlier does not properly handle uppercase characters in filename extensions, which allows remote attackers to obtain sensitive information (script source code) via a modified extension, as demonstrated by post.mscgI.",
"id": "GHSA-q534-42fm-gqr8",
"modified": "2024-02-08T03:32:44Z",
"published": "2022-05-01T18:13:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3365"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34977"
},
{
"type": "WEB",
"url": "http://osvdb.org/37505"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/25754"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/2827"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/471914/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/24571"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-44
Strategy: Input Validation
Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.