CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-M744-JHQ9-PPW6
Vulnerability from github – Published: 2026-06-19 20:46 – Updated: 2026-06-19 20:46Impact
A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.
Preconditions
The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
Only allow authenticated writes to a topic
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "CoreWCF.Kafka"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "CoreWCF.Kafka"
},
"ranges": [
{
"events": [
{
"introduced": "1.9.0"
},
{
"fixed": "1.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54775"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-754",
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T20:46:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nA CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.\n\n#### Preconditions\nThe attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required. \n\n### Patches\nFixed in CoreWCF v1.8.1 and v1.9.1\n\n### Workarounds\nOnly allow authenticated writes to a topic",
"id": "GHSA-m744-jhq9-ppw6",
"modified": "2026-06-19T20:46:49Z",
"published": "2026-06-19T20:46:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-m744-jhq9-ppw6"
},
{
"type": "PACKAGE",
"url": "https://github.com/CoreWCF/CoreWCF"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service."
}
GHSA-M758-WJHJ-P3JQ
Vulnerability from github – Published: 2026-04-09 20:22 – Updated: 2026-04-24 21:03Impact
Wasmtime contains a possible panic which can happen when a flags-typed component model value is lifted with the Val type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. This panic only affects wasmtime's implementation of lifting into Val, not when using the flags! macro. This additionally only affects flags-typed values which are part of a WIT interface.
This has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector.
Patches
Wasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.
Workarounds
There is no workaround for this bug if a host meets the criteria to be affected. To be affected a host must be using wasmtime::component::Val and possibly work with a flags type in the component model.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "24.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "25.0.0"
},
{
"fixed": "36.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "37.0.0"
},
{
"fixed": "42.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "43.0.0"
},
{
"fixed": "43.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"43.0.0"
]
}
],
"aliases": [
"CVE-2026-34943"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T20:22:34Z",
"nvd_published_at": "2026-04-09T19:16:24Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWasmtime contains a possible panic which can happen when a `flags`-typed component model value is lifted with the `Val` type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. This panic only affects wasmtime\u0027s implementation of lifting into `Val`, not when using the `flags!` macro. This additionally only affects `flags`-typed values which are part of a WIT interface. \n\nThis has the risk of being a guest-controlled panic within the host which Wasmtime considers a DoS vector.\n\n### Patches\n\nWasmtime 24.0.7, 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.\n\n### Workarounds\n\nThere is no workaround for this bug if a host meets the criteria to be affected. To be affected a host must be using `wasmtime::component::Val` and possibly work with a `flags` type in the component model.",
"id": "GHSA-m758-wjhj-p3jq",
"modified": "2026-04-24T21:03:43Z",
"published": "2026-04-09T20:22:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34943"
},
{
"type": "PACKAGE",
"url": "https://github.com/bytecodealliance/wasmtime"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0085.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Wasmtime has a possible panic when lifting `flags` component value"
}
GHSA-M8VH-V6R6-W7P6
Vulnerability from github – Published: 2025-12-02 00:46 – Updated: 2025-12-02 00:46Endpoint: admin/config/system
Submenu: Languages
Parameter: Supported
Application: Grav v 1.7.48
Summary
A Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (/) or an XSS test string—it causes a fatal regular expression parsing error on the server.
This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in the following error:
preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244
Once triggered, the site becomes completely unavailable to all users.
Details
-
Vulnerable Endpoint:
POST /admin/config/system -
Submenu:
Languages -
Parameter:
Supported
The application dynamically constructs a regular expression using the contents of the Supported field without escaping the input using preg_quote() or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.
Stack trace excerpt:
Whoops \ Exception \ ErrorException (E_WARNING) preg_match(): Unknown modifier 'o' /system/src/Grav/Common/Language/Language.php244
Proof of Concept (PoC)
Payloads:
/
Steps to Reproduce:
-
Log into the Grav Admin Panel.
-
Navigate to: Configuration → System → Languages.
-
Locate the
Supportedfield. -
Insert one of the payloads above (e.g., a single slash
/). -
Click Save.
- Observe: All pages in the application begin throwing a fatal error and become inaccessible.
Impact
-
Application-wide Denial of Service (DoS)
-
All login and admin views crash with the same error
-
Potentially exploitable by:
-
Admin panel users
-
CSRF if misconfigured
-
References
-
CWE-1333: Improper Regular Expression
-
CWE-20: Improper Input Validation
Discoverer
by CVE-Hunters
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.0-beta.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66305"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T00:46:05Z",
"nvd_published_at": "2025-12-01T22:15:50Z",
"severity": "HIGH"
},
"details": "**Endpoint**: `admin/config/system` \n**Submenu**: `Languages` \n**Parameter**: `Supported` \n**Application**: Grav v 1.7.48\n\n---\n\n## Summary\n\nA Denial of Service (DoS) vulnerability was identified in the **\"Languages\"** submenu of the Grav **admin configuration panel** (`/admin/config/system`). Specifically, the `Supported` parameter fails to properly validate user input. If a malformed value is inserted\u2014such as a single forward slash (`/`) or an XSS test string\u2014it causes a fatal regular expression parsing error on the server.\n\nThis leads to application-wide failure due to the use of the `preg_match()` function with an **improperly constructed regular expression**, resulting in the following error:\n\n`preg_match(): Unknown modifier \u0027o\u0027 File: /system/src/Grav/Common/Language/Language.php line 244`\n\nOnce triggered, the site becomes completely unavailable to all users.\n\n---\n\n## Details\n\n- **Vulnerable Endpoint**: `POST /admin/config/system`\n \n- **Submenu**: `Languages`\n \n- **Parameter**: `Supported` \n \n\nThe application dynamically constructs a regular expression using the contents of the `Supported` field without escaping the input using `preg_quote()` or proper validation. This allows attackers to inject invalid syntax into the regex engine, crashing the application during language resolution.\n\n**Stack trace excerpt**:\n\n`Whoops \\ Exception \\ ErrorException (E_WARNING) preg_match(): Unknown modifier \u0027o\u0027 /system/src/Grav/Common/Language/Language.php244`\n\n---\n\n## Proof of Concept (PoC)\n\n### Payloads:\n\n`/ `\n\n### Steps to Reproduce:\n\n1. Log into the Grav Admin Panel.\n \n2. Navigate to: **Configuration** \u2192 **System** \u2192 **Languages**.\n \n3. Locate the `Supported` field.\n \n4. Insert one of the payloads above (e.g., a single slash `/`).\n \n5. Click **Save**.\n\n\u003cimg width=\"1897\" height=\"639\" alt=\"Pasted image 20250719183223\" src=\"https://github.com/user-attachments/assets/d3a54a20-d30d-46c6-9015-722f80701cfb\" /\u003e\n\n1. Observe: All pages in the application begin throwing a fatal error and become inaccessible.\n\n\u003cimg width=\"1802\" height=\"998\" alt=\"Pasted image 20250719175229\" src=\"https://github.com/user-attachments/assets/b16750c2-507f-4c30-a9bb-d07fa92bb777\" /\u003e\n\n---\n\n## Impact\n\n- Application-wide Denial of Service (DoS)\n \n- All login and admin views crash with the same error\n \n- Potentially exploitable by:\n \n - Admin panel users\n \n - CSRF if misconfigured \n \n\n---\n\n## References\n\n- **CWE-1333**: Improper Regular Expression\n \n- **CWE-20**: Improper Input Validation\n\n\n## Discoverer\n\n[Marcelo Queiroz](www.linkedin.com/in/marceloqueirozjr) \n\nby [CVE-Hunters](https://github.com/Sec-Dojo-Cyber-House/cve-hunters)",
"id": "GHSA-m8vh-v6r6-w7p6",
"modified": "2025-12-02T00:46:05Z",
"published": "2025-12-02T00:46:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66305"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Grav vulnerable to Denial of Service via Improper Input Handling in \u0027Supported\u0027 Parameter"
}
GHSA-M9X3-4G44-FW28
Vulnerability from github – Published: 2025-04-07 06:30 – Updated: 2025-04-07 15:31In wlan AP driver, there is a possible information disclosure due to an uncaught exception. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00406217; Issue ID: MSV-2773.
{
"affected": [],
"aliases": [
"CVE-2025-20664"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-07T04:15:20Z",
"severity": "HIGH"
},
"details": "In wlan AP driver, there is a possible information disclosure due to an uncaught exception. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00406217; Issue ID: MSV-2773.",
"id": "GHSA-m9x3-4g44-fw28",
"modified": "2025-04-07T15:31:16Z",
"published": "2025-04-07T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20664"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MFFW-J524-MRJP
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36A vulnerability has been identified in SIMATIC ET 200SP Open Controller (incl. SIPLUS variants) (V20.8), SIMATIC S7-1500 Software Controller (V20.8). The web server of the affected products contains a vulnerability that could allow a remote attacker to trigger a denial-of-service condition by sending a specially crafted HTTP request.
{
"affected": [],
"aliases": [
"CVE-2020-15796"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-14T21:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC ET 200SP Open Controller (incl. SIPLUS variants) (V20.8), SIMATIC S7-1500 Software Controller (V20.8). The web server of the affected products contains a vulnerability that could allow a remote attacker to trigger a denial-of-service condition by sending a specially crafted HTTP request.",
"id": "GHSA-mffw-j524-mrjp",
"modified": "2022-05-24T17:36:16Z",
"published": "2022-05-24T17:36:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15796"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-700697.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MHGM-R3R5-6CWP
Vulnerability from github – Published: 2025-04-14 12:30 – Updated: 2025-10-28 18:30Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to client-side Denial of Servise (DoS) attacks. An attacker might trick a user into using an URL with a d parameter set to an unhandled value. All the subsequent requests will not be accepted as the server returns an error message. Since this parameter is sent as part of a session cookie, the issue persists until the session expires or the user deletes cookies manually. Similar effect might be achieved when a user tries to change platform language to an unimplemented one. This vulnerability has been patched in version 79.0
{
"affected": [],
"aliases": [
"CVE-2024-49705"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-14T12:15:15Z",
"severity": "MODERATE"
},
"details": "Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to client-side Denial of Servise (DoS) attacks. An attacker might trick a user into using an URL with a d parameter set to an unhandled value. All the subsequent requests will not be accepted as the server returns an error message. Since this parameter is sent as part of a session cookie, the issue persists until the session expires or the user deletes cookies manually.\u00a0\nSimilar effect might be achieved when\u00a0a user tries to change platform language to an unimplemented one.\nThis vulnerability has been patched in version 79.0",
"id": "GHSA-mhgm-r3r5-6cwp",
"modified": "2025-10-28T18:30:25Z",
"published": "2025-04-14T12:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49705"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/04/CVE-2024-10087"
},
{
"type": "WEB",
"url": "https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MJV8-W698-V8WQ
Vulnerability from github – Published: 2025-04-07 06:30 – Updated: 2025-04-07 15:31In wlan AP driver, there is a possible information disclosure due to an uncaught exception. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00408868; Issue ID: MSV-3031.
{
"affected": [],
"aliases": [
"CVE-2025-20663"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-07T04:15:20Z",
"severity": "HIGH"
},
"details": "In wlan AP driver, there is a possible information disclosure due to an uncaught exception. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00408868; Issue ID: MSV-3031.",
"id": "GHSA-mjv8-w698-v8wq",
"modified": "2025-04-07T15:31:16Z",
"published": "2025-04-07T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20663"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJW4-JJ88-V687
Vulnerability from github – Published: 2024-07-09 14:13 – Updated: 2024-11-18 16:26Impact
The phonenumber parsing code may panic due to a reachable assert! guard on the phonenumber string.
In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form +dwPAA;phone-context=AA, where the "number" part potentially parses as a number larger than 2^56.
Since f69abee1/0.3.4/#52.
0.2.x series is not affected.
Patches
Upgrade to 0.3.6 or higher.
Workarounds
n/a
References
Whereas https://github.com/whisperfish/rust-phonenumber/issues/69 did not provide an example code path, property testing found a few: +dwPAA;phone-context=AA.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "phonenumber"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.4"
},
{
"fixed": "0.3.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39697"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-248",
"CWE-392"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-09T14:13:48Z",
"nvd_published_at": "2024-07-09T15:15:11Z",
"severity": "CRITICAL"
},
"details": "### Impact\nThe phonenumber parsing code may panic due to a reachable `assert!` guard on the phonenumber string.\n\nIn a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the \"number\" part potentially parses as a number larger than 2^56.\n\nSince f69abee1/0.3.4/#52.\n\n0.2.x series is not affected.\n\n### Patches\nUpgrade to 0.3.6 or higher.\n\n### Workarounds\nn/a\n\n### References\nWhereas https://github.com/whisperfish/rust-phonenumber/issues/69 did not provide an example code path, property testing found a few: `+dwPAA;phone-context=AA`.\n",
"id": "GHSA-mjw4-jj88-v687",
"modified": "2024-11-18T16:26:50Z",
"published": "2024-07-09T14:13:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39697"
},
{
"type": "WEB",
"url": "https://github.com/whisperfish/rust-phonenumber/issues/69"
},
{
"type": "WEB",
"url": "https://github.com/whisperfish/rust-phonenumber/pull/52"
},
{
"type": "WEB",
"url": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203"
},
{
"type": "WEB",
"url": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407"
},
{
"type": "PACKAGE",
"url": "https://github.com/whisperfish/rust-phonenumber"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0369.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"type": "CVSS_V4"
}
],
"summary": "panic on parsing crafted phonenumber inputs"
}
GHSA-MR7R-M37J-HFQC
Vulnerability from github – Published: 2025-12-02 03:31 – Updated: 2025-12-02 15:30In Modem, there is a possible system crash due to an incorrect bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689251; Issue ID: MSV-4840.
{
"affected": [],
"aliases": [
"CVE-2025-20754"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-02T03:16:16Z",
"severity": "MODERATE"
},
"details": "In Modem, there is a possible system crash due to an incorrect bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689251; Issue ID: MSV-4840.",
"id": "GHSA-mr7r-m37j-hfqc",
"modified": "2025-12-02T15:30:30Z",
"published": "2025-12-02T03:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20754"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/December-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MW3Q-R9WH-H2FF
Vulnerability from github – Published: 2026-05-21 19:50 – Updated: 2026-06-10 13:41Impact
A remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes).
A malicious peer can respond to a RequestChunk with a ResponseChunk::Chunk whose first TrieItem.key is the empty (ROOT) key. The chunk passes sorting, range, and Merkle-proof validation, but when put_raw tries to store a value at the root node, it calls TrieNode::put_value(...).unwrap(), which returns Err(RootCantHaveValue) and panics, aborting the node process. The panic fires on the first malicious chunk the victim commits; no rate limit or authentication gate caps the attack.
Impacted: any node running state sync against untrusted peers — this includes fresh nodes performing initial download and existing nodes recovering from data loss. Honest nodes never construct ROOT-keyed items, so non-syncing operation is unaffected.
Patches
See PR.
Workarounds
There is no safe in-process workaround: any peer serving state-sync data can trigger the crash and the code path is not guarded by a feature flag.
Resources
- Fix commit: (link to the merged PR commit, once merged)
- Affected code:
primitives/trie/src/trie.rs—put_chunk(around line 819) andput_raw(around line 351)
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "nimiq-primitives"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46545"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T19:50:31Z",
"nvd_published_at": "2026-06-10T00:16:54Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA remote, unauthenticated denial-of-service vulnerability in `MerkleRadixTrie::put_chunk` allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes).\n\nA malicious peer can respond to a `RequestChunk` with a `ResponseChunk::Chunk` whose first `TrieItem.key` is the empty (ROOT) key. The chunk passes sorting, range, and Merkle-proof validation, but when `put_raw` tries to store a value at the root node, it calls `TrieNode::put_value(...).unwrap()`, which returns `Err(RootCantHaveValue)` and panics, aborting the node process. The panic fires on the first malicious chunk the victim commits; no rate limit or authentication gate caps the attack.\n\nImpacted: any node running state sync against untrusted peers \u2014 this includes fresh nodes performing initial download and existing nodes recovering from data loss. Honest nodes never construct ROOT-keyed items, so non-syncing operation is unaffected.\n\n### Patches\n\nSee [PR](https://github.com/nimiq/core-rs-albatross/pull/3762).\n\n### Workarounds\n\nThere is no safe in-process workaround: any peer serving state-sync data can trigger the crash and the code path is not guarded by a feature flag.\n\n### Resources\n\n- Fix commit: (link to the merged PR commit, once merged)\n- Affected code: [`primitives/trie/src/trie.rs`](https://github.com/nimiq/core-rs-albatross/blob/albatross/primitives/trie/src/trie.rs) \u2014 `put_chunk` (around line 819) and `put_raw` (around line 351)",
"id": "GHSA-mw3q-r9wh-h2ff",
"modified": "2026-06-10T13:41:41Z",
"published": "2026-05-21T19:50:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-mw3q-r9wh-h2ff"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46545"
},
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/pull/3762"
},
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/commit/0fb8766adea91e038af00e635a6eb92756e50172"
},
{
"type": "PACKAGE",
"url": "https://github.com/nimiq/core-rs-albatross"
},
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.