Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

420 vulnerabilities reference this CWE, most recent first.

GHSA-J6XC-HHQX-8W7P

Vulnerability from github – Published: 2025-02-05 18:34 – Updated: 2025-02-05 18:34
VLAI
Details

A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.

This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-05T17:15:24Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.\n\nThis vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.\u0026nbsp;\nThis vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.",
  "id": "GHSA-j6xc-hhqx-8w7p",
  "modified": "2025-02-05T18:34:45Z",
  "published": "2025-02-05T18:34:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20176"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-dos-sdxnSUcW"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8P6-96VP-F3R9

Vulnerability from github – Published: 2026-05-18 20:20 – Updated: 2026-06-09 10:58
VLAI
Summary
OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages
Details

Summary

Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node.

Details

MongoDB parsing support was introduced by commit 2070f568a (Add Initial support for mongodb), so the explicit released version minimum affected is v0.1.0.

There are two related panic conditions in released go.opentelemetry.io/obi versions:

  • In v0.1.0 through v0.3.0, parseOpMessage reads OP_MSG flag bits from buf[msgHeaderSize:msgHeaderSize+int32Size] without first ensuring the buffer is at least msgHeaderSize + int32Size bytes long. A truncated OP_MSG packet can therefore trigger a slice-bounds panic before the parser returns an error.
  • In v0.1.0 through v0.3.0, parseSections consumes the section type byte and then reads the document-sequence length from buf[offSet:offSet+int32Size] without re-validating that enough bytes remain after the type byte. A malformed document-sequence section can therefore trigger another slice-bounds panic.
  • In v0.1.0 through v0.8.0, parseFirstField assumes the collection name for collection-scoped commands is always a string and performs an unchecked type assertion on field.Value. A malformed BSON document can therefore trigger a runtime panic with interface conversion instead of returning a parse error.

The bounds-check panic was fixed by commit 3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb (Fix MongoDB client panic), which first appears in release v0.4.0. The unchecked BSON type assertion is still present in v0.8.0.

Because this code runs while decoding attacker-controlled MongoDB traffic, the failure mode is process termination rather than graceful rejection of invalid input. In deployments where the telemetry agent monitors traffic from untrusted or partially trusted clients, a single malformed packet can terminate collection until the agent is restarted.

Affected code paths are in pkg/ebpf/common/mongo_detect_transform.go and correspond to parseOpMessage, parseSections, and parseFirstField.

PoC

The following reproductions are fully self-contained. They create a temporary test file inside an affected checkout and then run go test against the real parser code in the repository.

  1. Reproduce the v0.1.0 through v0.3.0 bounds-check panics:

```bash git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc cd obi-poc git checkout v0.3.0

cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF' package ebpfcommon

import "testing"

func TestSecurityPoCParseOpMessageShortPanics(t *testing.T) { parseOpMessage(make([]byte, 16), 0, false, nil) }

func TestSecurityPoCParseSectionsShortDocSequencePanics(t *testing.T) { parseSections([]byte{byte(sectionTypeDocumentSequence), 0x01, 0x02, 0x03}) } EOF

go test ./pkg/ebpf/common -run 'TestSecurityPoCParseOpMessageShortPanics|TestSecurityPoCParseSectionsShortDocSequencePanics' -count=1 ```

Expected result:

  • TestSecurityPoCParseOpMessageShortPanics panics with a message similar to slice bounds out of range [:20] with capacity 16
  • TestSecurityPoCParseSectionsShortDocSequencePanics panics with a message similar to slice bounds out of range [:5] with capacity 4

  • Reproduce the v0.1.0 through v0.8.0 unchecked BSON type-assertion panic:

```bash git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc cd obi-poc git checkout v0.8.0

cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF' package ebpfcommon

import ( "testing"

   "go.mongodb.org/mongo-driver/v2/bson"

)

func TestSecurityPoCParseFirstFieldTypeAssertionPanics(t *testing.T) { parseFirstField(bson.E{Key: commFind, Value: int32(123)}) } EOF

go test ./pkg/ebpf/common -run TestSecurityPoCParseFirstFieldTypeAssertionPanics -count=1 ```

Expected result: panic with a message similar to interface conversion: interface {} is int32, not string.

Impact

This is a remote denial-of-service vulnerability in the MongoDB protocol parser. Any deployment that enables MongoDB parsing and processes attacker-controlled or malformed MongoDB traffic is impacted. Successful exploitation lets an unauthenticated attacker crash the telemetry agent by sending a crafted OP_MSG packet or malformed BSON document, causing loss of observability until the process is restarted.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.opentelemetry.io/obi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-248",
      "CWE-704"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T20:20:03Z",
    "nvd_published_at": "2026-06-02T16:16:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nMalformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node.\n\n### Details\n\nMongoDB parsing support was introduced by commit `2070f568a` (`Add Initial support for mongodb`), so the explicit released version minimum affected is `v0.1.0`.\n\nThere are two related panic conditions in released `go.opentelemetry.io/obi` versions:\n\n- In `v0.1.0` through `v0.3.0`, `parseOpMessage` reads OP_MSG flag bits from `buf[msgHeaderSize:msgHeaderSize+int32Size]` without first ensuring the buffer is at least `msgHeaderSize + int32Size` bytes long. A truncated OP_MSG packet can therefore trigger a slice-bounds panic before the parser returns an error.\n- In `v0.1.0` through `v0.3.0`, `parseSections` consumes the section type byte and then reads the document-sequence length from `buf[offSet:offSet+int32Size]` without re-validating that enough bytes remain after the type byte. A malformed document-sequence section can therefore trigger another slice-bounds panic.\n- In `v0.1.0` through `v0.8.0`, `parseFirstField` assumes the collection name for collection-scoped commands is always a string and performs an unchecked type assertion on `field.Value`. A malformed BSON document can therefore trigger a runtime panic with `interface conversion` instead of returning a parse error.\n\nThe bounds-check panic was fixed by commit `3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb` (`Fix MongoDB client panic`), which first appears in release `v0.4.0`. The unchecked BSON type assertion is still present in `v0.8.0`.\n\nBecause this code runs while decoding attacker-controlled MongoDB traffic, the failure mode is process termination rather than graceful rejection of invalid input. In deployments where the telemetry agent monitors traffic from untrusted or partially trusted clients, a single malformed packet can terminate collection until the agent is restarted.\n\nAffected code paths are in `pkg/ebpf/common/mongo_detect_transform.go` and correspond to `parseOpMessage`, `parseSections`, and `parseFirstField`.\n\n### PoC\n\nThe following reproductions are fully self-contained. They create a temporary test file inside an affected checkout and then run `go test` against the real parser code in the repository.\n\n1. Reproduce the `v0.1.0` through `v0.3.0` bounds-check panics:\n\n   ```bash\n   git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc\n   cd obi-poc\n   git checkout v0.3.0\n\n   cat \u003e pkg/ebpf/common/mongo_security_poc_test.go \u003c\u003c\u0027EOF\u0027\n   package ebpfcommon\n\n   import \"testing\"\n\n   func TestSecurityPoCParseOpMessageShortPanics(t *testing.T) {\n\t   parseOpMessage(make([]byte, 16), 0, false, nil)\n   }\n\n   func TestSecurityPoCParseSectionsShortDocSequencePanics(t *testing.T) {\n\t   parseSections([]byte{byte(sectionTypeDocumentSequence), 0x01, 0x02, 0x03})\n   }\n   EOF\n\n   go test ./pkg/ebpf/common -run \u0027TestSecurityPoCParseOpMessageShortPanics|TestSecurityPoCParseSectionsShortDocSequencePanics\u0027 -count=1\n   ```\n\n   Expected result:\n\n   - `TestSecurityPoCParseOpMessageShortPanics` panics with a message similar to `slice bounds out of range [:20] with capacity 16`\n   - `TestSecurityPoCParseSectionsShortDocSequencePanics` panics with a message similar to `slice bounds out of range [:5] with capacity 4`\n\n1. Reproduce the `v0.1.0` through `v0.8.0` unchecked BSON type-assertion panic:\n\n   ```bash\n   git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc\n   cd obi-poc\n   git checkout v0.8.0\n\n   cat \u003e pkg/ebpf/common/mongo_security_poc_test.go \u003c\u003c\u0027EOF\u0027\n   package ebpfcommon\n\n   import (\n\t   \"testing\"\n\n\t   \"go.mongodb.org/mongo-driver/v2/bson\"\n   )\n\n   func TestSecurityPoCParseFirstFieldTypeAssertionPanics(t *testing.T) {\n\t   parseFirstField(bson.E{Key: commFind, Value: int32(123)})\n   }\n   EOF\n\n   go test ./pkg/ebpf/common -run TestSecurityPoCParseFirstFieldTypeAssertionPanics -count=1\n   ```\n\n   Expected result: panic with a message similar to `interface conversion: interface {} is int32, not string`.\n\n### Impact\n\nThis is a remote denial-of-service vulnerability in the MongoDB protocol parser. Any deployment that enables MongoDB parsing and processes attacker-controlled or malformed MongoDB traffic is impacted. Successful exploitation lets an unauthenticated attacker crash the telemetry agent by sending a crafted OP_MSG packet or malformed BSON document, causing loss of observability until the process is restarted.",
  "id": "GHSA-j8p6-96vp-f3r9",
  "modified": "2026-06-09T10:58:53Z",
  "published": "2026-05-18T20:20:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-j8p6-96vp-f3r9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45685"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages"
}

GHSA-J8PJ-M24V-J29H

Vulnerability from github – Published: 2025-10-27 12:32 – Updated: 2025-10-27 12:32
VLAI
Details

An attacker who tampers with the C++ CLI client may crash the UpdateService during file transfers, disrupting updates and availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59462"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-27T11:15:41Z",
    "severity": "MODERATE"
  },
  "details": "An attacker who tampers with the C++ CLI client may crash the UpdateService during file transfers, disrupting updates and availability.",
  "id": "GHSA-j8pj-m24v-j29h",
  "modified": "2025-10-27T12:32:52Z",
  "published": "2025-10-27T12:32:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59462"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0013.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0013.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J972-J939-P2V3

Vulnerability from github – Published: 2025-06-03 06:09 – Updated: 2025-06-04 20:57
VLAI
Summary
quic-go Has Panic in Path Probe Loss Recovery Handling
Details

Impact

The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client.

In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference.

Patches

v0.50.1 contains a patch that fixes the vulnerability.

This release contains a test that generates random sequences of sent packets (both regular and path probe packets), that was used to verify that the patch actually covers all corner cases.

Workarounds

No.

References

This issue has been reported publicly, but without any context, in https://github.com/quic-go/quic-go/issues/4981.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/quic-go/quic-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.50.0"
            },
            {
              "fixed": "0.50.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-29785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-03T06:09:56Z",
    "nvd_published_at": "2025-06-02T11:15:21Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client.\n\nIn order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference.\n\n### Patches\n\nv0.50.1 contains a patch that fixes the vulnerability.\n\nThis release contains a test that generates random sequences of sent packets (both regular and path probe packets), that was used to verify that the patch actually covers all corner cases.\n\n### Workarounds\n\nNo.\n\n### References\n\nThis issue has been reported publicly, but without any context, in https://github.com/quic-go/quic-go/issues/4981.",
  "id": "GHSA-j972-j939-p2v3",
  "modified": "2025-06-04T20:57:25Z",
  "published": "2025-06-03T06:09:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-j972-j939-p2v3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29785"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/issues/4981"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/b90058aba5f65f48e0e150c89bbaa21a72dda4de"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quic-go/quic-go"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "quic-go Has Panic in Path Probe Loss Recovery Handling"
}

GHSA-J975-95F5-7WQH

Vulnerability from github – Published: 2025-07-04 22:06 – Updated: 2025-07-05 01:45
VLAI
Summary
MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service
Details

If a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures.

Thank you to Rich Harang for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-04T22:06:31Z",
    "nvd_published_at": "2025-07-04T22:15:22Z",
    "severity": "HIGH"
  },
  "details": "If a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures.\n\nThank you to Rich Harang for reporting this issue.",
  "id": "GHSA-j975-95f5-7wqh",
  "modified": "2025-07-05T01:45:45Z",
  "published": "2025-07-04T22:06:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-j975-95f5-7wqh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53365"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/python-sdk/pull/967"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/python-sdk/commit/7b420656de48cfdb90b39eb582e60b6d55c2f891"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modelcontextprotocol/python-sdk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.10.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service"
}

GHSA-JC55-246C-R88F

Vulnerability from github – Published: 2024-11-22 20:11 – Updated: 2024-11-22 20:11
VLAI
Summary
SurrealDB has an Uncaught Exception Handling Nonexistent Role
Details

Roles for system users are stored as generic Ident values and converted as strings and into the Role enum whenever IAM operations are to be performed that require processing the user roles. This conversion expects those identifiers to only contain the values owner, editor and viewer and will return an error otherwise. However, the unwrap() method would be called on this result when implementing std::convert::From<&Ident> for Role, which would result in a panic where a nonexistent role was used.

Impact

A privileged user with the owner role at any level in SurrealDB would be able to define a user with DEFINE USER with an nonexistent role, which would panic when being converted to a Role enum in order to perform certain IAM operations with that user. These operations included signing in with the user. This would crash the server, leading to denial of service.

Patches

Unexistent roles are no longer accepted during parsing when defining a user. Even when successfully associated with a user, referencing unexistent roles will no longer result in a panic and will instead throw an InvalidRole error.

  • Version 2.1.0 and later are not affected by this issue.

Workarounds

Affected users who are unable to update may want to limit access to users with the owner role at any level to trusted parties only. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

  • 5079

  • 5092

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-22T20:11:44Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Roles for system users are stored as generic `Ident` values and converted as strings and into the `Role` enum whenever IAM operations are to be performed that require processing the user roles. This conversion expects those identifiers to only contain the values `owner`, `editor` and `viewer` and will return an error otherwise. However, the `unwrap()` method would be called on this result when implementing `std::convert::From\u003c\u0026Ident\u003e for Role`, which would result in a panic where a nonexistent role was used.\n\n### Impact\n\nA privileged user with the `owner` role at any level in SurrealDB would be able to define a user with `DEFINE USER` with an nonexistent role, which would panic when being converted to a `Role` enum in order to perform certain IAM operations with that user. These operations included signing in with the user. This would crash the server, leading to denial of service.\n\n### Patches\n\nUnexistent roles are no longer accepted during parsing when defining a user. Even when successfully associated with a user, referencing unexistent roles will no longer result in a panic and will instead throw an `InvalidRole` error.\n\n- Version 2.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nAffected users who are unable to update may want to limit access to users with the `owner` role at any level to trusted parties only. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- #5079\n- #5092",
  "id": "GHSA-jc55-246c-r88f",
  "modified": "2024-11-22T20:11:44Z",
  "published": "2024-11-22T20:11:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-jc55-246c-r88f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/5079"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/5092"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB has an Uncaught Exception Handling Nonexistent Role"
}

GHSA-JC6W-8R7F-VMP5

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2025-12-03 19:29
VLAI
Summary
Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names
Details

An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0-rc1"
            },
            {
              "fixed": "4.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0-rc1"
            },
            {
              "fixed": "4.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0-rc1"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-18871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-03T19:29:16Z",
    "nvd_published_at": "2020-06-19T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.",
  "id": "GHSA-jc6w-8r7f-vmp5",
  "modified": "2025-12-03T19:29:17Z",
  "published": "2022-05-24T17:21:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18871"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names"
}

GHSA-JM4V-58R5-66HJ

Vulnerability from github – Published: 2024-01-18 15:44 – Updated: 2024-01-18 15:44
VLAI
Summary
Uncaught Exception in surrealdb
Details

Although custom parameters and functions are only supported at the database level, it was allowed to invoke those entities at the root or namespace level. This would cause a panic which would crash the SurrealDB server, leading to denial of service.

Impact

A client that is authorized to run queries at the root or namespace level in a SurrealDB server is able to run a query invoking a parameter or a function at that level, which will cause a panic. This will crash the server, leading to denial of service.

Patches

  • Version 1.1.1 and later are not affected by this issue.

Workarounds

Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB to the database level. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

  • 3297

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-18T15:44:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Although custom parameters and functions are only supported at the database level, it was allowed to invoke those entities at the root or namespace level. This would cause a panic which would crash the SurrealDB server, leading to denial of service.\n\n### Impact\n\nA client that is authorized to run queries at the root or namespace level in a SurrealDB server is able to run a query invoking a parameter or a function at that level, which will cause a panic. This will crash the server, leading to denial of service.\n\n### Patches\n\n- Version 1.1.1 and later are not affected by this issue.\n\n### Workarounds\n\nConcerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB to the database level. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- #3297",
  "id": "GHSA-jm4v-58r5-66hj",
  "modified": "2024-01-18T15:44:51Z",
  "published": "2024-01-18T15:44:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-jm4v-58r5-66hj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/618a4d1b422df0d12772532bb2c195f830b40399"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncaught Exception in surrealdb"
}

GHSA-M52V-24P8-654F

Vulnerability from github – Published: 2024-11-22 20:11 – Updated: 2024-11-22 20:11
VLAI
Summary
SurrealDB has an Uncaught Exception Sorting Tables by Random Order
Details

Sorting table records using an ORDER BY clause with the rand() function as sorting mechanism could cause a panic due to relying on a comparison function that did not implement total order. This event resulted in a panic due to a recent change in Rust 1.81.

Impact

A client that is authorized to run queries in a SurrealDB server would be able to query a table with ORDER BY rand() in order to potentially cause a panic in the sorting function. This would crash the server, leading to denial of service.

Patches

The sorting algorithm has been updated to guarantee total order when shuffling records.

  • Version 2.1.0 and later are not affected by this issue.

Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

  • https://github.com/surrealdb/surrealdb/issues/4969
  • https://github.com/surrealdb/surrealdb/pull/4989
  • https://github.com/surrealdb/surrealdb/pull/4805
  • https://github.com/surrealdb/surrealdb/pull/4906
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-22T20:11:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Sorting table records using an `ORDER BY` clause with the `rand()` function as sorting mechanism could cause a panic due to relying on a comparison function that did not implement total order. This event resulted in a panic due to a recent [change in Rust 1.81](https://blog.rust-lang.org/2024/09/05/Rust-1.81.0.html#new-sort-implementations).\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server would be able to query a table with `ORDER BY rand()` in order to potentially cause a panic in the sorting function. This would crash the server, leading to denial of service.\n\n### Patches\n\nThe sorting algorithm has been updated to guarantee total order when shuffling records.\n\n- Version 2.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nAffected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- https://github.com/surrealdb/surrealdb/issues/4969\n- https://github.com/surrealdb/surrealdb/pull/4989\n- https://github.com/surrealdb/surrealdb/pull/4805\n- https://github.com/surrealdb/surrealdb/pull/4906",
  "id": "GHSA-m52v-24p8-654f",
  "modified": "2024-11-22T20:11:48Z",
  "published": "2024-11-22T20:11:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-m52v-24p8-654f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/issues/4969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/4805"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/4906"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/4989"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB has an Uncaught Exception Sorting Tables by Random Order"
}

GHSA-M72M-MHQ2-9P6C

Vulnerability from github – Published: 2021-08-23 19:42 – Updated: 2022-02-08 20:59
VLAI
Summary
Uncaught Exception in jsoup
Details

Impact

What kind of vulnerability is it? Who is impacted? Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.

Patches

Has the problem been patched? What versions should users upgrade to? Users should upgrade to jsoup 1.14.2

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? Users may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jsoup:jsoup"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-23T17:20:30Z",
    "nvd_published_at": "2021-08-18T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nThose using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nUsers should upgrade to jsoup 1.14.2\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nUsers may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.\n",
  "id": "GHSA-m72m-mhq2-9p6c",
  "modified": "2022-02-08T20:59:16Z",
  "published": "2021-08-23T19:42:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37714"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jhy/jsoup"
    },
    {
      "type": "WEB",
      "url": "https://jsoup.org/news/release-1.14.1"
    },
    {
      "type": "WEB",
      "url": "https://jsoup.org/news/release-1.14.2"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220210-0022"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncaught Exception in jsoup"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.