CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-84R8-W725-7J27
Vulnerability from github – Published: 2022-11-25 15:30 – Updated: 2022-11-30 21:30In F?Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-38166"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-25T15:15:00Z",
"severity": "HIGH"
},
"details": "In F?Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.",
"id": "GHSA-84r8-w725-7j27",
"modified": "2022-11-30T21:30:22Z",
"published": "2022-11-25T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38166"
},
{
"type": "WEB",
"url": "https://www.f-secure.com/en/home/support/security-advisories/cve-2022-38166"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-877P-G3P3-329R
Vulnerability from github – Published: 2026-05-01 18:31 – Updated: 2026-05-07 21:30An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.
{
"affected": [],
"aliases": [
"CVE-2026-37554"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T16:16:31Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser\u0027s catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.",
"id": "GHSA-877p-g3p3-329r",
"modified": "2026-05-07T21:30:24Z",
"published": "2026-05-01T18:31:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/riebl/vanetza/security/advisories/GHSA-44qj-vh8c-5354"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37554"
},
{
"type": "WEB",
"url": "https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f"
},
{
"type": "WEB",
"url": "https://github.com/riebl/vanetza"
},
{
"type": "WEB",
"url": "https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp"
},
{
"type": "WEB",
"url": "https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-87MF-GV2C-C62C
Vulnerability from github – Published: 2026-06-19 06:31 – Updated: 2026-06-19 21:41Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ts-deepmerge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-12644"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:41:52Z",
"nvd_published_at": "2026-06-19T06:17:01Z",
"severity": "MODERATE"
},
"details": "Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken \u2014 any string context operation throws a TypeError, crashing the application.",
"id": "GHSA-87mf-gv2c-c62c",
"modified": "2026-06-19T21:41:52Z",
"published": "2026-06-19T06:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12644"
},
{
"type": "WEB",
"url": "https://github.com/voodoocreation/ts-deepmerge/commit/305a05831a462fb2c353d3cbbff55a0733286f8c"
},
{
"type": "WEB",
"url": "https://gist.github.com/igorg1312/775fa00114c4d47df6ae0551779ab407"
},
{
"type": "PACKAGE",
"url": "https://github.com/voodoocreation/ts-deepmerge"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-TSDEEPMERGE-17339141"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "ts-deepmerge: Prototype Method Override leads to DoS"
}
GHSA-8C5G-69WP-X3WV
Vulnerability from github – Published: 2025-06-06 09:30 – Updated: 2025-06-06 09:30Deserialization vulnerability in the IPC module Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2025-48907"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T07:15:26Z",
"severity": "MODERATE"
},
"details": "Deserialization vulnerability in the IPC module\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-8c5g-69wp-x3wv",
"modified": "2025-06-06T09:30:24Z",
"published": "2025-06-06T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48907"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8GV7-MMCH-W6H8
Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-13 21:30Uncaught exception for some Intel(R) CST software before version 8.7.10803 may allow an authenticated user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2024-29076"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-13T21:15:15Z",
"severity": "MODERATE"
},
"details": "Uncaught exception for some Intel(R) CST software before version 8.7.10803 may allow an authenticated user to potentially enable denial of service via local access.",
"id": "GHSA-8gv7-mmch-w6h8",
"modified": "2024-11-13T21:30:36Z",
"published": "2024-11-13T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29076"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8R4G-CG4M-X23C
Vulnerability from github – Published: 2021-09-22 18:22 – Updated: 2025-10-03 18:27All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-static"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.7.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-22T18:21:20Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access `http://host/%00` and crash the server.",
"id": "GHSA-8r4g-cg4m-x23c",
"modified": "2025-10-03T18:27:42Z",
"published": "2021-09-22T18:22:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11149"
},
{
"type": "WEB",
"url": "https://github.com/cloudhead/node-static/pull/213"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/6248"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudhead/node-static"
},
{
"type": "WEB",
"url": "https://github.com/cloudhead/node-static/blob/643a528ec7bbd05a59c4030655d94810570afb3f/CHANGES.md#-unreleased"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Denial of Service in node-static"
}
GHSA-8RF5-92JH-3VC9
Vulnerability from github – Published: 2021-05-13 22:31 – Updated: 2021-04-06 21:46OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.mikesamuel:json-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23900"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-06T21:46:21Z",
"nvd_published_at": "2021-01-13T16:15:00Z",
"severity": "HIGH"
},
"details": "OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.",
"id": "GHSA-8rf5-92jh-3vc9",
"modified": "2021-04-06T21:46:21Z",
"published": "2021-05-13T22:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23900"
},
{
"type": "WEB",
"url": "https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e"
},
{
"type": "WEB",
"url": "https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncaught Exception leading to Denial of Service in json-sanitizer"
}
GHSA-8RJ5-2857-877J
Vulnerability from github – Published: 2023-08-23 13:19 – Updated: 2024-09-27 15:46The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "json2xml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25024"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-23T13:19:55Z",
"nvd_published_at": "2023-08-22T19:16:22Z",
"severity": "HIGH"
},
"details": "The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.",
"id": "GHSA-8rj5-2857-877j",
"modified": "2024-09-27T15:46:25Z",
"published": "2023-08-23T13:19:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25024"
},
{
"type": "WEB",
"url": "https://github.com/vinitkumar/json2xml/issues/106"
},
{
"type": "WEB",
"url": "https://github.com/vinitkumar/json2xml/pull/107"
},
{
"type": "WEB",
"url": "https://github.com/vinitkumar/json2xml/pull/107/files"
},
{
"type": "WEB",
"url": "https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vinitkumar/json2xml"
},
{
"type": "WEB",
"url": "https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "json2xml Uncaught Exception vulnerability"
}
GHSA-8RVJ-6HP5-GF5X
Vulnerability from github – Published: 2025-11-14 18:31 – Updated: 2025-11-14 18:31On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.153
{
"affected": [],
"aliases": [
"CVE-2025-8870"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-14T16:15:59Z",
"severity": "MODERATE"
},
"details": "On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.153",
"id": "GHSA-8rvj-6hp5-gf5x",
"modified": "2025-11-14T18:31:39Z",
"published": "2025-11-14T18:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8870"
},
{
"type": "WEB",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22811-security-advisory-0125"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8XFF-473H-F863
Vulnerability from github – Published: 2024-02-21 00:00 – Updated: 2024-02-21 00:00The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.
Impact
A client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.
Patches
- Version 1.2.1 and later are not affected by this issue.
Workarounds
Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.
References
-
3527
- https://github.com/StarlaneStudios/Surrealist/issues/177
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.2.0"
},
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-21T00:00:54Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.\n\n### Patches\n\n- Version 1.2.1 and later are not affected by this issue.\n\n### Workarounds\n\nConcerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- #3527\n- https://github.com/StarlaneStudios/Surrealist/issues/177",
"id": "GHSA-8xff-473h-f863",
"modified": "2024-02-21T00:00:54Z",
"published": "2024-02-21T00:00:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-8xff-473h-f863"
},
{
"type": "WEB",
"url": "https://github.com/StarlaneStudios/Surrealist/issues/177"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncaught Exception Handling Parsing Errors on Line Terminators"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.