Common Weakness Enumeration

CWE-345

Discouraged

Insufficient Verification of Data Authenticity

Abstraction: Class · Status: Draft

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

939 vulnerabilities reference this CWE, most recent first.

GHSA-WVRW-2FV8-CJVX

Vulnerability from github – Published: 2024-06-29 06:31 – Updated: 2026-05-12 12:31
VLAI
Details

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-28T22:15:02Z",
    "severity": "HIGH"
  },
  "details": "In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.",
  "id": "GHSA-wvrw-2fv8-cjvx",
  "modified": "2026-05-12T12:31:57Z",
  "published": "2024-06-29T06:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37370"
    },
    {
      "type": "WEB",
      "url": "https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241108-0007"
    },
    {
      "type": "WEB",
      "url": "https://web.mit.edu/kerberos/www/advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW7X-3GXH-QM6R

Vulnerability from github – Published: 2023-11-28 18:52 – Updated: 2023-12-06 21:08
VLAI
Summary
Validation of SignedInfo
Details

Validation of an XML Signature requires verification that the hash value of the related XML-document (after any optional transformations and/or normalizations) matches a specific DigestValue-value, but also that the cryptografic signature on the SignedInfo-tree (the one that contains the DigestValue) verifies and matches a trusted public key.

Within the simpleSAMLphp/xml-security library (https://github.com/simplesamlphp/xml-security), the hash is being validated using SignedElementTrait::validateReference, and the signature is being verified in SignedElementTrait::verifyInternal

https://github.com/simplesamlphp/xml-security/blob/master/src/XML/SignedElementTrait.php:

afbeelding

What stands out is that the signature is being calculated over the canonical version of the SignedInfo-tree. The validateReference method, however, uses the original non-canonicalized version of SignedInfo.

Impact

If an attacker somehow (i.e. by exploiting a bug in PHP's canonicalization function) manages to manipulate the canonicalized version's DigestValue, it would be potentially be possible to forge the signature. No possibilities to exploit this were found during the investigation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/xml-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.11"
            },
            {
              "fixed": "1.6.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.6.11"
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "simplesamlphp/saml2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-alpha.12"
            },
            {
              "fixed": "5.0.0-alpha.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.0.0-alpha.12"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T18:52:19Z",
    "nvd_published_at": "2023-11-30T06:15:47Z",
    "severity": "HIGH"
  },
  "details": "Validation of an XML Signature requires verification that the hash value of the related XML-document (after any optional transformations and/or normalizations) matches a specific DigestValue-value, but also that the cryptografic signature on the SignedInfo-tree (the one that contains the DigestValue) verifies and matches a trusted public key.\n\nWithin the simpleSAMLphp/xml-security library (https://github.com/simplesamlphp/xml-security), the hash is being validated using SignedElementTrait::validateReference, and the signature is being verified in SignedElementTrait::verifyInternal\n\nhttps://github.com/simplesamlphp/xml-security/blob/master/src/XML/SignedElementTrait.php:\n\n![afbeelding](https://user-images.githubusercontent.com/841045/285817284-a7b7b3b4-768a-46e8-a34b-61790b6e23a5.png)\n\nWhat stands out is that the signature is being calculated over the canonical version of the SignedInfo-tree. The validateReference method, however, uses the original non-canonicalized version of SignedInfo.\n\n### Impact\nIf an attacker somehow (i.e. by exploiting a bug in PHP\u0027s canonicalization function) manages to manipulate the canonicalized version\u0027s DigestValue, it would be potentially be possible to forge the signature. No possibilities to exploit this were found during the investigation.",
  "id": "GHSA-ww7x-3gxh-qm6r",
  "modified": "2023-12-06T21:08:04Z",
  "published": "2023-11-28T18:52:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/xml-security/security/advisories/GHSA-ww7x-3gxh-qm6r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49087"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/xml-security/commit/f509e3083dd7870cce5880c804b5122317287581"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/simplesamlphp/xml-security"
    },
    {
      "type": "WEB",
      "url": "https://github.com/simplesamlphp/xml-security/blob/master/src/XML/SignedElementTrait.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Validation of SignedInfo"
}

GHSA-WW9Q-8R59-XV46

Vulnerability from github – Published: 2026-07-06 21:23 – Updated: 2026-07-06 21:23
VLAI
Summary
Zebra: Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness
Details

Summary

A soundness vulnerability in the variable-base scalar multiplication gadget of halo2_gadgets allowed a malicious prover to produce a valid proof for an Orchard Action with an under-constrained base point. Because this gadget enforces the diversified-address-integrity condition of the Orchard Action statement, the flaw let a prover satisfy that condition for an arbitrary (pkd, gd, ivk) triple, effectively bypassing the check that binds an Action to the correct incoming viewing key — and therefore to the correct nullifier (nf) and spend validating key (ak) — of the note being spent.

The main practical consequence is that an adversary could have performed a double-spend within the Orchard pool, resulting in a balance violation: the same note could be spent multiple times, each time revealing a distinct, valid-looking nullifier. The total ZEC supply was protected by Zcash's turnstile mechanism, which bounds value flowing out of any pool, so unbounded inflation of the overall supply was not possible; the exposure was inflation of value within the Orchard pool up to the turnstile-enforced limit.

Exploiting the vulnerability via a double-spend is undetectable on-chain. Exploitation only requires setting private circuit inputs to chosen values, and nullifiers produced by a double-spend are indistinguishable from honest nullifiers, so the zero-knowledge property hides any signature of the attack.

Alternatively, an adversary could (before the fix) have stolen funds by forging a spend authorization for an existing note. To do so they would have to know the note plaintext, which in practice they might obtain by knowing the corresponding incoming viewing key. For example, this could be used to bypass the protection provided by holding spending keys on a hardware wallet, if the linked software wallet were compromised. This form of exploitation cannot be detected via the turnstile (which might be a motivation to exploit the vulnerability in this way rather than via balance violation). It can be detected by the legitimate holder of stolen funds being unable to spend them, or by seeing the note's nullifier on-chain — but this cannot necessarily be distinguished from compromise of the spending key by other means.

The vulnerability has existed since the Orchard pool was introduced in the NU5 network upgrade (activated May 31, 2022). There is no evidence it was exploited prior to remediation.

Note that use of the vulnerability, either for balance violation or for theft of funds, would need to have occurred before it was remediated. Theft would be in principle detectable from that point (since the real nullifier would appear on-chain). Balance violation would not be detectable at the point of exploitation.

Root cause

The defect is in the double-and-add implementation of variable-base scalar multiplication in halo2_gadgets/src/ecc/chip/mul/incomplete.rs. For performance, the algorithm uses incomplete point-addition formulas in its intermediate stage. (Incomplete addition is safe here in principle: the first and last stages use complete addition, and reaching a degenerate case would require breaking discrete log.)

The base point is fed into the incomplete-addition stage via assign_advice(), which assigns a witness value (a private circuit input) without introducing a constraint that ties that value to the actual base the algorithm is supposed to operate on:

region.assign_advice(|| "x_p", self.double_and_add.x_p, row + offset, || x_p)?;
region.assign_advice(|| "y_p", self.y_p, row + offset, || y_p)?;

(halo2_gadgets/src/ecc/chip/mul/incomplete.rs, around L309–L310 at commit 32a87582dfb0ad9364ef3ffe71751ceab2a502ea.)

The existing q_mul_2 constraint forces the base values used across the incomplete-addition loop to be equal to one another, but nothing forces them to equal the actual base. A malicious prover therefore has complete freedom to choose the base used by the loop. Given target pkd, gd, and ivk, the prover can solve for the base value that makes the computed [ivk] gd equal the desired pkd, satisfying the diversified-address-integrity equation pkdold = [ivk] gdold for inputs that an honest prover could never satisfy.

Why this enables a double-spend

The Orchard Action statement constrains the nullifier of the spent note to be derived from the correct nullifier key nk, which in turn is bound to the correct incoming viewing key ivk, via ivk = Commitivkrivk(Extractℙ(ak), nk). The diversified-address-integrity check pkd = [ivk] gd is what normally guarantees the prover used the correct ivk —and hence the correct nk— for the note. With that check bypassable:

  1. The prover picks a fresh, incorrect nk for the note being spent. Since nk feeds the nullifier computation, a wrong nk yields a different nullifier for the same note.
  2. Other circuit constraints still force the prover to derive ivk honestly from that wrong nk, producing a wrong ivk for the note — which would normally be caught by the integrity check.
  3. The prover uses the under-constrained base to satisfy pkd = [ivk] gd anyway, defeating the check.
  4. Each distinct wrong nk produces a distinct valid nullifier, allowing the note to be spent repeatedly.

Why this enables theft

The spend validating key, ak (essentially equivalent to ak), is also constrained via ivk = Commitivkrivk(Extractℙ(ak), nk). As above, the diversified-address-integrity check is what normally guarantees the prover used the correct ivk —and hence the correct ak— for the note. With that check bypassable:

  1. The prover picks an ak for which they know the private key, ask.
  2. They construct a transaction that spends the victim's notes, and sign it using that ask.

Impact

  • Integrity: High. A malicious prover could spend Orchard notes multiple times, inflating value within the Orchard pool. This is bounded only by the turnstile limit on the pool. Alternatively, the prover could authorize spending other users' notes without having the spending key.
  • Confidentiality: None. The zero-knowledge property is intact; no private data is disclosed. This is also why the attack leaves no observable on-chain signature.
  • Availability: Not directly affected by the bug. (The coordinated response temporarily disabled Orchard actions as a mitigation; that was an operational choice, not an effect of the vulnerability.) On the other hand, either theft of funds, or inability to spend funds due to a future turnstile violation could be considered an availability consequence.

Affected versions

  • halo2_gadgets < 0.5.0
  • orchard < 0.14.0
  • zcash_primitives < 0.28.0
  • zcashd < 6.20.0
  • zebrad < 5.0.0

Patches

The circuit-level fix replaces the first-iteration assign_advice() calls for the base point with copy_advice(), introducing a copy constraint that requires the first base value to equal the correct base. Combined with the existing q_mul_2 equality constraint across the loop, this transitively constrains every base value in the incomplete-addition stage to the correct base, closing the freedom the attacker relied on.

Because remediating a zero-knowledge circuit changes the pinned verifying key, the network-level fix required a hard fork (NU6.2). NU6.2 re-enables Orchard with the corrected circuit and routes Orchard proofs to a per-circuit verifying key (InsecurePreNu6_2 / FixedPostNu6_2).

  • halo2_gadgets 0.5.0
  • orchard 0.14.0
  • zcash_primitives 0.28.0
  • zebrad 5.0.0 (NU6.2); 4.5.3 ships the interim soft-fork mitigation
  • zcashd 6.20.0 (NU6.2)

Workarounds / mitigations

There is no client-side workaround for the underlying soundness flaw short of the circuit fix. The deployed interim mitigation (Zebra 4.5.3 / equivalent) was a soft fork that rejected all Orchard-containing transactions and blocks, fully neutralizing exploitation until NU6.2 activated.

Downstream projects that depend on the affected crates should:

  • Upgrade halo2_gadgets, orchard, and zcash_primitives to the patched versions above.
  • Audit any other use of assign_advice() (and similar non-constraining assignment APIs) where the intended invariant is that a witnessed value equals a known/fixed value; such sites should use copy_advice() (or otherwise enforce an explicit constraint).

Indicators / detection

Exploitation produces no distinguishing on-chain signature. The turnstile mechanism, which tracks total ZEC across all value pools, provides a ground-truth supply check and confirmed the total supply remained intact. Heuristic analysis of Orchard transaction arity (e.g. patterns of duplicate-then-consolidate behavior) is possible but inconclusive against normal shielded-activity variance.

Timeline (MDT)

Date / Time Event
2022-05-31 11:50 Vulnerable NU5 upgrade activates (bug introduced)
2026-05-29 (evening) Vulnerability discovered during a protocol audit
2026-05-29 23:53 Responsibly disclosed to ZODL core engineers
2026-05-30 06:30 Disclosure acknowledged by ZODL
2026-06-01 (~21:30) Emergency soft-fork mitigation activated (block 3,363,426)
2026-06-03 00:05 EDT NU6.2 hard fork activates, Orchard re-enabled with fix (block 3,364,600)

Credits

Discovered and responsibly disclosed by Taylor Hornby, independent security researcher, during a protocol audit conducted on behalf of Shielded Labs. Analysis and remediation was led by ZODL engineers Jack Grigg, Daira-Emma Hopwood, and Kris Nuttycombe, with Zebra patch work by Arya Solhi (Zcash Foundation).

Resources

  • Zcash Foundation: Zebra 4.5.3 and 5.0.0: Emergency Soft Fork and NU6.2 Activation — https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/
  • Affected source (pre-fix): halo2_gadgets/src/ecc/chip/mul/incomplete.rs @ commit 32a87582dfb0ad9364ef3ffe71751ceab2a502ea, L309–L310
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.5.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "halo2_gadgets"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "orchard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zcash_primitives"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.28.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T21:23:41Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nA soundness vulnerability in the variable-base scalar multiplication gadget of `halo2_gadgets` allowed a malicious prover to produce a valid proof for an Orchard Action with an *under-constrained* base point. Because this gadget enforces the diversified-address-integrity condition of the Orchard Action statement, the flaw let a prover satisfy that condition for an arbitrary (pk\u003csub\u003ed\u003c/sub\u003e, g\u003csub\u003ed\u003c/sub\u003e, ivk) triple, effectively bypassing the check that binds an Action to the correct incoming viewing key \u2014 and therefore to the correct nullifier (nf) and spend validating key (ak) \u2014 of the note being spent.\n\nThe main practical consequence is that an adversary could have performed a **double-spend within the Orchard pool**, resulting in a balance violation: the same note could be spent multiple times, each time revealing a distinct, valid-looking nullifier. The total ZEC supply was protected by Zcash\u0027s turnstile mechanism, which bounds value flowing out of any pool, so unbounded inflation of the overall supply was not possible; the exposure was inflation of value *within* the Orchard pool up to the turnstile-enforced limit.\n\nExploiting the vulnerability via a double-spend is **undetectable on-chain**. Exploitation only requires setting private circuit inputs to chosen values, and nullifiers produced by a double-spend are indistinguishable from honest nullifiers, so the zero-knowledge property hides any signature of the attack.\n\nAlternatively, an adversary could (before the fix) have **stolen funds** by forging a spend authorization for an existing note. To do so they would have to know the note plaintext, which in practice they might obtain by knowing the corresponding incoming viewing key. For example, this could be used to bypass the protection provided by holding spending keys on a hardware wallet, if the linked software wallet were compromised. This form of exploitation cannot be detected via the turnstile (which might be a motivation to exploit the vulnerability in this way rather than via balance violation). It can be detected by the legitimate holder of stolen funds being unable to spend them, or by seeing the note\u0027s nullifier on-chain \u2014 but this cannot necessarily be distinguished from compromise of the spending key by other means.\n\nThe vulnerability has existed since the Orchard pool was introduced in the NU5 network upgrade (activated May 31, 2022). There is no evidence it was exploited prior to remediation.\n\nNote that use of the vulnerability, either for balance violation or for theft of funds, would need to have occurred before it was remediated. Theft would be in principle detectable from that point (since the real nullifier would appear on-chain). Balance violation would not be detectable at the point of exploitation.\n\n### Root cause\n\nThe defect is in the double-and-add implementation of variable-base scalar multiplication in `halo2_gadgets/src/ecc/chip/mul/incomplete.rs`. For performance, the algorithm uses incomplete point-addition formulas in its intermediate stage. (Incomplete addition is safe here in principle: the first and last stages use complete addition, and reaching a degenerate case would require breaking discrete log.)\n\nThe base point is fed into the incomplete-addition stage via `assign_advice()`, which assigns a witness value (a private circuit input) **without** introducing a constraint that ties that value to the actual base the algorithm is supposed to operate on:\n\n```rust\nregion.assign_advice(|| \"x_p\", self.double_and_add.x_p, row + offset, || x_p)?;\nregion.assign_advice(|| \"y_p\", self.y_p, row + offset, || y_p)?;\n```\n*(`halo2_gadgets/src/ecc/chip/mul/incomplete.rs`, around L309\u2013L310 at commit `32a87582dfb0ad9364ef3ffe71751ceab2a502ea`.)*\n\nThe existing `q_mul_2` constraint forces the base values used *across* the incomplete-addition loop to be equal to one another, but nothing forces them to equal the **actual base**. A malicious prover therefore has complete freedom to choose the base used by the loop. Given target pk\u003csub\u003ed\u003c/sub\u003e, g\u003csub\u003ed\u003c/sub\u003e, and ivk, the prover can solve for the base value that makes the computed [ivk] g\u003csub\u003ed\u003c/sub\u003e equal the desired pk\u003csub\u003ed\u003c/sub\u003e, satisfying the diversified-address-integrity equation pk\u003csub\u003ed\u003c/sub\u003e\u003csup\u003eold\u003c/sup\u003e = [ivk] g\u003csub\u003ed\u003c/sub\u003e\u003csup\u003eold\u003c/sup\u003e for inputs that an honest prover could never satisfy.\n\n### Why this enables a double-spend\n\nThe Orchard Action statement constrains the nullifier of the spent note to be derived from the correct nullifier key nk, which in turn is bound to the correct incoming viewing key ivk, via ivk = Commit\u003csup\u003eivk\u003c/sup\u003e\u003csub\u003erivk\u003c/sub\u003e(Extract\u003csub\u003e\u2119\u003c/sub\u003e(ak\u003csup\u003e\u2119\u003c/sup\u003e), nk). The diversified-address-integrity check pk\u003csub\u003ed\u003c/sub\u003e = [ivk] g\u003csub\u003ed\u003c/sub\u003e is what normally guarantees the prover used the correct ivk \u2014and hence the correct nk\u2014 for the note. With that check bypassable:\n\n1. The prover picks a fresh, **incorrect** nk for the note being spent. Since nk feeds the nullifier computation, a wrong nk yields a different nullifier for the same note.\n2. Other circuit constraints still force the prover to derive ivk honestly from that wrong nk, producing a wrong ivk for the note \u2014 which would normally be caught by the integrity check.\n3. The prover uses the under-constrained base to satisfy pk\u003csub\u003ed\u003c/sub\u003e = [ivk] g\u003csub\u003ed\u003c/sub\u003e anyway, defeating the check.\n4. Each distinct wrong nk produces a distinct valid nullifier, allowing the note to be spent repeatedly.\n\n### Why this enables theft\n\nThe spend validating key, ak\u003csup\u003e\u2119\u003c/sup\u003e (essentially equivalent to ak), is also constrained via ivk = Commit\u003csup\u003eivk\u003c/sup\u003e\u003csub\u003erivk\u003c/sub\u003e(Extract\u003csub\u003e\u2119\u003c/sub\u003e(ak\u003csup\u003e\u2119\u003c/sup\u003e), nk). As above, the diversified-address-integrity check is what normally guarantees the prover used the correct ivk \u2014and hence the correct ak\u2014 for the note. With that check bypassable:\n\n1. The prover picks an ak for which they know the private key, ask.\n2. They construct a transaction that spends the victim\u0027s notes, and sign it using that ask.\n\n### Impact\n\n- **Integrity:** High. A malicious prover could spend Orchard notes multiple times, inflating value within the Orchard pool. This is bounded only by the turnstile limit on the pool. Alternatively, the prover could authorize spending other users\u0027 notes without having the spending key.\n- **Confidentiality:** None. The zero-knowledge property is intact; no private data is disclosed. This is also why the attack leaves no observable on-chain signature.\n- **Availability:** Not directly affected by the bug. (The coordinated response temporarily disabled Orchard actions as a mitigation; that was an operational choice, not an effect of the vulnerability.) On the other hand, either theft of funds, or inability to spend funds due to a future turnstile violation could be considered an availability consequence.\n\n### Affected versions\n\n- `halo2_gadgets` `\u003c 0.5.0`\n- `orchard` `\u003c 0.14.0`\n- `zcash_primitives` `\u003c 0.28.0`\n- `zcashd` `\u003c 6.20.0`\n- `zebrad` `\u003c 5.0.0`\n\n### Patches\n\nThe circuit-level fix replaces the first-iteration `assign_advice()` calls for the base point with `copy_advice()`, introducing a copy constraint that requires the first base value to equal the correct base. Combined with the existing `q_mul_2` equality constraint across the loop, this transitively constrains every base value in the incomplete-addition stage to the correct base, closing the freedom the attacker relied on.\n\nBecause remediating a zero-knowledge circuit changes the pinned verifying key, the network-level fix required a hard fork (NU6.2). NU6.2 re-enables Orchard with the corrected circuit and routes Orchard proofs to a per-circuit verifying key (`InsecurePreNu6_2` / `FixedPostNu6_2`).\n\n- `halo2_gadgets` 0.5.0\n- `orchard` 0.14.0\n- `zcash_primitives` 0.28.0\n- `zebrad` 5.0.0 (NU6.2); 4.5.3 ships the interim soft-fork mitigation\n-  `zcashd` 6.20.0 (NU6.2)\n\n### Workarounds / mitigations\n\nThere is no client-side workaround for the underlying soundness flaw short of the circuit fix. The deployed interim mitigation (Zebra 4.5.3 / equivalent) was a soft fork that rejected all Orchard-containing transactions and blocks, fully neutralizing exploitation until NU6.2 activated.\n\nDownstream projects that depend on the affected crates should:\n\n- Upgrade `halo2_gadgets`, `orchard`, and `zcash_primitives` to the patched versions above.\n- Audit any other use of `assign_advice()` (and similar non-constraining assignment APIs) where the intended invariant is that a witnessed value equals a known/fixed value; such sites should use `copy_advice()` (or otherwise enforce an explicit constraint).\n\n### Indicators / detection\n\nExploitation produces no distinguishing on-chain signature. The turnstile mechanism, which tracks total ZEC across all value pools, provides a ground-truth supply check and confirmed the total supply remained intact. Heuristic analysis of Orchard transaction arity (e.g. patterns of duplicate-then-consolidate behavior) is possible but inconclusive against normal shielded-activity variance.\n\n### Timeline (MDT)\n\n| Date / Time | Event |\n|---|---|\n| 2022-05-31 11:50 | Vulnerable NU5 upgrade activates (bug introduced) |\n| 2026-05-29 (evening) | Vulnerability discovered during a protocol audit |\n| 2026-05-29 23:53 | Responsibly disclosed to ZODL core engineers |\n| 2026-05-30 06:30 | Disclosure acknowledged by ZODL |\n| 2026-06-01 (~21:30) | Emergency soft-fork mitigation activated (block 3,363,426) |\n| 2026-06-03 00:05 EDT | NU6.2 hard fork activates, Orchard re-enabled with fix (block 3,364,600) |\n\n### Credits\n\nDiscovered and responsibly disclosed by **Taylor Hornby**, independent security researcher, during a protocol audit conducted on behalf of **Shielded Labs**. Analysis and remediation was led by ZODL engineers **Jack Grigg**, **Daira-Emma Hopwood**, and **Kris Nuttycombe**, with Zebra patch work by **Arya Solhi** (Zcash Foundation).\n\n### Resources\n\n- Zcash Foundation: *Zebra 4.5.3 and 5.0.0: Emergency Soft Fork and NU6.2 Activation* \u2014 https://zfnd.org/zebra-4-5-3-and-5-0-0-emergency-soft-fork-and-nu6-2-activation/\n- Affected source (pre-fix): `halo2_gadgets/src/ecc/chip/mul/incomplete.rs` @ commit `32a87582dfb0ad9364ef3ffe71751ceab2a502ea`, L309\u2013L310",
  "id": "GHSA-ww9q-8r59-xv46",
  "modified": "2026-07-06T21:23:41Z",
  "published": "2026-07-06T21:23:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-ww9q-8r59-xv46"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zebra: Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness"
}

GHSA-WX4H-WGR2-66H2

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30
VLAI
Details

When SAML authentication is enabled, Juniper Networks Mist Cloud UI might incorrectly handle child elements in SAML responses, allowing a remote attacker to modify a valid SAML response without invalidating its cryptographic signature to bypass SAML authentication security controls. This issue affects all Juniper Networks Mist Cloud UI versions prior to September 2 2020.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-16T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "When SAML authentication is enabled, Juniper Networks Mist Cloud UI might incorrectly handle child elements in SAML responses, allowing a remote attacker to modify a valid SAML response without invalidating its cryptographic signature to bypass SAML authentication security controls. This issue affects all Juniper Networks Mist Cloud UI versions prior to September 2 2020.",
  "id": "GHSA-wx4h-wgr2-66h2",
  "modified": "2022-05-24T17:30:52Z",
  "published": "2022-05-24T17:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1677"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11072"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WXW3-Q3M9-C3JR

Vulnerability from github – Published: 2026-05-15 17:33 – Updated: 2026-05-15 17:33
VLAI
Summary
Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
Details

Am I affected?

Users are affected if all of the following are true:

  • The application uses better-auth at a version below 1.6.2 (or @better-auth/sso paired with such a version).
  • betterAuth({ account: { storeStateStrategy } }) is set to "cookie". The default "database" is not affected.
  • The application wires at least one OAuth provider through genericOAuth({ config }) with pkce: false, or it supplies a custom getToken or tokenUrl that does not require the stored codeVerifier. Stock social providers with PKCE on are not affected.
  • The provider returns arbitrary code values to the configured callback URL.

If users are on better-auth@1.6.2 or later, they are not affected.

Fix:

  1. Upgrade to better-auth@1.6.2 or later (current stable is 1.6.10).
  2. If users cannot upgrade, see workarounds below.

Summary

In parseGenericState, the cookie branch decrypted the oauth_state cookie and validated expiry, but did not compare the incoming OAuth state query parameter to the nonce that generateGenericState issued at sign-in. Any callback to /api/auth/oauth2/callback/<providerId> that arrived with a forged state and any code was therefore accepted as long as the browser still held a live oauth_state cookie. With pkce: false (or any getToken path that does not enforce a code-verifier round-trip), an attacker who forced the victim to deliver an attacker-controlled authorization code to the callback would mint a session bound to the attacker's external identity in the victim's browser. Account-linking flows behaved the same way, binding the attacker's external account to an authenticated victim row.

Details

The cookie branch of parseGenericState did not compare the cookie's stored nonce to the incoming state parameter. The database branch (the default) was not affected because the verification row is keyed by state and the lookup itself enforces equality.

The fix re-binds the cookie to the nonce: generateGenericState writes oauthState: state into the encrypted payload before storage, and parseGenericState rejects when parsedData.oauthState !== state. The same primitive covers every caller (generic-oauth, social, account-link, oauth-proxy passthrough, OIDC SSO, SAML relay state).

Patches

Fixed in better-auth@1.6.2 via PR #8949 (commit 9deb7936a, merged 2026-04-09). The cookie branch of parseGenericState now rejects when the encrypted payload's nonce does not match the incoming state parameter; the database branch gained a defense-in-depth equality check.

Workarounds

If users cannot upgrade immediately:

  • Switch storeStateStrategy back to "database" (the default). This closes the cookie-only bypass without a code change.
  • Enable pkce: true on every affected genericOAuth provider. The codeVerifier is the missing primitive that the attacker cannot supply.

Impact

  • Forced-login (CSRF on OAuth callback): the attacker forces the victim's browser into an authenticated session bound to the attacker's external identity, allowing the attacker to observe the victim's actions inside the application.
  • Persistent account linking: account-link flows bind the attacker's external account to the victim's authenticated row, granting persistent access until the link is removed.

Credit

Reported by @Jvr2022 via private advisory disclosure, and by @alavesa (PatchPilots audit) via the public duplicate issue #8897.

Resources

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "better-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-345",
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-15T17:33:40Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Am I affected?\n\nUsers are affected if all of the following are true:\n\n- The application uses `better-auth` at a version below `1.6.2` (or `@better-auth/sso` paired with such a version).\n- `betterAuth({ account: { storeStateStrategy } })` is set to `\"cookie\"`. The default `\"database\"` is not affected.\n- The application wires at least one OAuth provider through `genericOAuth({ config })` with `pkce: false`, or it supplies a custom `getToken` or `tokenUrl` that does not require the stored `codeVerifier`. Stock social providers with PKCE on are not affected.\n- The provider returns arbitrary `code` values to the configured callback URL.\n\nIf users are on `better-auth@1.6.2` or later, they are not affected.\n\nFix:\n\n1. Upgrade to `better-auth@1.6.2` or later (current stable is `1.6.10`).\n2. If users cannot upgrade, see workarounds below.\n\n### Summary\n\nIn `parseGenericState`, the cookie branch decrypted the `oauth_state` cookie and validated expiry, but did not compare the incoming OAuth `state` query parameter to the nonce that `generateGenericState` issued at sign-in. Any callback to `/api/auth/oauth2/callback/\u003cproviderId\u003e` that arrived with a forged `state` and any `code` was therefore accepted as long as the browser still held a live `oauth_state` cookie. With `pkce: false` (or any `getToken` path that does not enforce a code-verifier round-trip), an attacker who forced the victim to deliver an attacker-controlled authorization code to the callback would mint a session bound to the attacker\u0027s external identity in the victim\u0027s browser. Account-linking flows behaved the same way, binding the attacker\u0027s external account to an authenticated victim row.\n\n### Details\n\nThe cookie branch of `parseGenericState` did not compare the cookie\u0027s stored nonce to the incoming `state` parameter. The database branch (the default) was not affected because the verification row is keyed by `state` and the lookup itself enforces equality.\n\nThe fix re-binds the cookie to the nonce: `generateGenericState` writes `oauthState: state` into the encrypted payload before storage, and `parseGenericState` rejects when `parsedData.oauthState !== state`. The same primitive covers every caller (`generic-oauth`, social, account-link, oauth-proxy passthrough, OIDC SSO, SAML relay state).\n\n### Patches\n\nFixed in `better-auth@1.6.2` via [PR #8949](https://github.com/better-auth/better-auth/pull/8949) (commit `9deb7936a`, merged 2026-04-09). The cookie branch of `parseGenericState` now rejects when the encrypted payload\u0027s nonce does not match the incoming `state` parameter; the database branch gained a defense-in-depth equality check.\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- **Switch `storeStateStrategy` back to `\"database\"`** (the default). This closes the cookie-only bypass without a code change.\n- **Enable `pkce: true`** on every affected `genericOAuth` provider. The `codeVerifier` is the missing primitive that the attacker cannot supply.\n\n### Impact\n\n- **Forced-login (CSRF on OAuth callback)**: the attacker forces the victim\u0027s browser into an authenticated session bound to the attacker\u0027s external identity, allowing the attacker to observe the victim\u0027s actions inside the application.\n- **Persistent account linking**: account-link flows bind the attacker\u0027s external account to the victim\u0027s authenticated row, granting persistent access until the link is removed.\n\n### Credit\n\nReported by @Jvr2022 via private advisory disclosure, and by @alavesa (PatchPilots audit) via the public duplicate [issue #8897](https://github.com/better-auth/better-auth/issues/8897).\n\n### Resources\n\n- [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html)\n- [CWE-345: Insufficient Verification of Data Authenticity](https://cwe.mitre.org/data/definitions/345.html)\n- [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)\n- [RFC 6749 \u00a710.12: Cross-Site Request Forgery](https://datatracker.ietf.org/doc/html/rfc6749#section-10.12)\n- [RFC 7636: Proof Key for Code Exchange](https://datatracker.ietf.org/doc/html/rfc7636)",
  "id": "GHSA-wxw3-q3m9-c3jr",
  "modified": "2026-05-15T17:33:40Z",
  "published": "2026-05-15T17:33:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-wxw3-q3m9-c3jr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/issues/8897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/pull/8949"
    },
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/commit/9deb7936aba7931f2db4b460141f476508f11bfd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/better-auth/better-auth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE"
}

GHSA-X274-9M9R-FM5G

Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2025-03-13 17:58
VLAI
Summary
Jenkins does not Verify Checksums for Plugin Files
Details

The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.625.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.626"
            },
            {
              "fixed": "1.640"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-7539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-13T17:58:11Z",
    "nvd_published_at": "2016-02-03T18:59:00Z",
    "severity": "HIGH"
  },
  "details": "The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.",
  "id": "GHSA-x274-9m9r-fm5g",
  "modified": "2025-03-13T17:58:11Z",
  "published": "2022-05-13T01:30:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/11479a2cc0a322a6bcd7e65667f3d24aa4d444bb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/97adb71aa4509f91e408a16ba312e817ec015cf4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/9ec88357a354d8354728cc06e2b8c8b68aee58bf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/c158648afa8888bc49ac337c973d4e4bc050118e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/f99cb46e06f394637067730a82f46bddc3567295"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2016:0070"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-12-09"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0489.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins does not Verify Checksums for Plugin Files"
}

GHSA-X39V-FRQ9-5HH8

Vulnerability from github – Published: 2023-10-18 06:30 – Updated: 2025-11-04 00:30
VLAI
Details

When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38552"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-18T04:15:11Z",
    "severity": "HIGH"
  },
  "details": "When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node\u0027s policy implementation, thus effectively disabling the integrity check.\nImpacts:\nThis vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x.\nPlease note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.",
  "id": "GHSA-x39v-frq9-5hh8",
  "modified": "2025-11-04T00:30:40Z",
  "published": "2023-10-18T06:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38552"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2094235"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231116-0013"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241108-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3GG-M9C9-95RP

Vulnerability from github – Published: 2023-01-31 00:30 – Updated: 2023-02-07 03:30
VLAI
Details

Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior use a proprietary local area network (LAN) protocol that does not verify updates to the device. An attacker could upload a malformed update file to the device and execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-30T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior use a proprietary local area network (LAN) protocol that does not verify updates to the device. An attacker could upload a malformed update file to the device and execute arbitrary code.",
  "id": "GHSA-x3gg-m9c9-95rp",
  "modified": "2023-02-07T03:30:23Z",
  "published": "2023-01-31T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22315"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X3M2-F92M-6Q4J

Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2022-10-26 12:00
VLAI
Details

A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "LOW"
  },
  "details": "A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.",
  "id": "GHSA-x3m2-f92m-6q4j",
  "modified": "2022-10-26T12:00:29Z",
  "published": "2022-10-25T19:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34845"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1580"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X5C4-2C4M-RFJ5

Vulnerability from github – Published: 2025-09-30 18:30 – Updated: 2025-09-30 18:30
VLAI
Details

Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name validation vulnerability, whereby an attacker can change the project name directly in the configuration file to a name that already exists. This issue stems from a lack of effective verification of the uniqueness of project names when editing them outside the application in affected versions. This vulnerability was remediated in version 7.5.021 of the product.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-30T18:15:49Z",
    "severity": "LOW"
  },
  "details": "Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name validation vulnerability, whereby an attacker can change the project name directly in the configuration file to a name that already exists. This issue stems from a lack of effective verification of the uniqueness of project names when editing them outside the application in affected versions. This vulnerability was remediated in version 7.5.021 of the product.",
  "id": "GHSA-x5c4-2c4m-rfj5",
  "modified": "2025-09-30T18:30:25Z",
  "published": "2025-09-30T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11195"
    },
    {
      "type": "WEB",
      "url": "https://docs.rapid7.com/insight/releasenotes-2025sep/#application-security-insightappsec-and-appspider"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)

An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.

CAPEC-141: Cache Poisoning

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

CAPEC-142: DNS Cache Poisoning

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

CAPEC-148: Content Spoofing

An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.

CAPEC-218: Spoofing of UDDI/ebXML Messages

An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.

CAPEC-384: Application API Message Manipulation via Man-in-the-Middle

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.

CAPEC-385: Transaction or Event Tampering via Application API Manipulation

An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.

CAPEC-386: Application API Navigation Remapping

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.

CAPEC-387: Navigation Remapping To Propagate Malicious Content

An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.

CAPEC-388: Application API Button Hijacking

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.

CAPEC-701: Browser in the Middle (BiTM)

An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.