Common Weakness Enumeration

CWE-440

Allowed

Expected Behavior Violation

Abstraction: Base · Status: Draft

A feature, API, or function does not perform according to its specification.

79 vulnerabilities reference this CWE, most recent first.

CVE-2018-12550 (GCVE-0-2018-12550)

Vulnerability from cvelistv5 – Published: 2019-03-27 17:26 – Updated: 2024-08-05 08:38
VLAI
Summary
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected.
Severity
No CVSS data available.
CWE
  • CWE-440 - Expected Behavior Violation
Assigner
References
Impacted products
Vendor Product Version
The Eclipse Foundation Eclipse Mosquitto Affected: 1.0 , < unspecified (custom)
Affected: unspecified , ≤ 1.5.5 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:38:06.290Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=541870"
          },
          {
            "name": "[debian-lts-announce] 20191026 [SECURITY] [DLA 1972-1] mosquitto security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Eclipse Mosquitto",
          "vendor": "The Eclipse Foundation",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "1.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "1.5.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-440",
              "description": "CWE-440: Expected Behavior Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-26T23:06:12.000Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=541870"
        },
        {
          "name": "[debian-lts-announce] 20191026 [SECURITY] [DLA 1972-1] mosquitto security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@eclipse.org",
          "ID": "CVE-2018-12550",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Eclipse Mosquitto",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "1.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "1.5.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "The Eclipse Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-440: Expected Behavior Violation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=541870",
              "refsource": "CONFIRM",
              "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=541870"
            },
            {
              "name": "[debian-lts-announce] 20191026 [SECURITY] [DLA 1972-1] mosquitto security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2018-12550",
    "datePublished": "2019-03-27T17:26:20.000Z",
    "dateReserved": "2018-06-18T00:00:00.000Z",
    "dateUpdated": "2024-08-05T08:38:06.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-26MG-P594-Q328

Vulnerability from github – Published: 2025-04-10 03:31 – Updated: 2025-05-08 15:30
VLAI
Details

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-10T02:15:30Z",
    "severity": "MODERATE"
  },
  "details": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.",
  "id": "GHSA-26mg-p594-q328",
  "modified": "2025-05-08T15:30:40Z",
  "published": "2025-04-10T03:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367"
    },
    {
      "type": "WEB",
      "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/013_ssh.patch.sig"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-April/041879.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250425-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.openssh.com/txt/release-10.0"
    },
    {
      "type": "WEB",
      "url": "https://www.openssh.com/txt/release-7.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32G6-MG92-GHM2

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 23:57
VLAI
Summary
SageMaker Workflow component allows possibility of MD5 hash collisions
Details

A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sagemaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.237.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-0508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-328",
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T23:57:42Z",
    "nvd_published_at": "2025-03-20T10:15:53Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.",
  "id": "GHSA-32g6-mg92-ghm2",
  "modified": "2025-03-21T23:57:42Z",
  "published": "2025-03-20T12:32:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0508"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/sagemaker-python-sdk/commit/dcdd99f911e8b1a05d19cf1ad939b0fefae47864"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/sagemaker-python-sdk"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/eb056818-5b81-466f-81ee-916058d34af2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SageMaker Workflow component allows possibility of MD5 hash collisions"
}

GHSA-3J8V-CGW4-2G6Q

Vulnerability from github – Published: 2026-04-09 16:41 – Updated: 2026-04-09 19:05
VLAI
Summary
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
Details

Impact

Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided.

Such modifiers are: - /g : Global matching - /y : Sticky matching

This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern, leading to: - Intermittent user authentication failures - Potential retry storms in applications - Operational monitoring alerts

Affected Configurations

This vulnerability ONLY affects applications that:

  • Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options
  • Use stateful RegExp modifiers such a /g or /y

Example: allowedAud: /abc/g ← IMPACTED Example: allowedAud: "/abc/" ← SAFE

Not Affected

  • Applications using string patterns for audience validation (most common)
  • Applications using RegExp patterns without stateful modifiers

Assessment Guide

To determine if you're affected:

Check if allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options use RegExp objects (/pattern/ or new RegExp()) If yes, review the pattern for stateful modifiers like /g, /y If no RegExp usage or no stateful modifiers, you are NOT affected

Mitigation Options

While a fix will be coming in the next version of the package you can take steps to mitigate the issue immediately by removing any such modifiers (/g, /y) from the regex.


Summary

fast-jwt accepts RegExp for allowedAud, allowedIss, allowedSub, allowedJti, and allowedNonce.

If the provided regular expression uses the g (global) or y (sticky) flag, verification becomes non-deterministic: the same valid token alternates between acceptance and rejection across successive calls.

This occurs because RegExp.prototype.test() is stateful when g/y is set (it mutates lastIndex), and fast-jwt reuses the same RegExp object without resetting lastIndex.

Affected component

src/verifier.js

ensureStringClaimMatcher() returns the RegExp object directly.

validateClaimValues() performs repeated a.test(v) calls without resetting lastIndex.

Impact

Logical denial-of-service / authentication flapping.

A valid signed JWT can be intermittently rejected.

Causes unpredictable authentication outcomes across repeated verification calls.

Can trigger retry storms and cascading failures in API gateways and authentication middleware.

Affects any deployment that configures allowed* using RegExp and includes g or y flags.

Root cause

validateClaimValues() uses: allowed.some(a => a.test(v))

When a is a RegExp with g or y, a.test() mutates a.lastIndex.

Subsequent calls against the same input can return different results.

Proof of concept

Environment

  • fast-jwt: 6.1.0 (repo HEAD)
  • Node.js: v24.13.1

PoC const { createSigner, createVerifier } = require('fast-jwt')

const sign = createSigner({ key: 'secret' }) const token = sign({ aud: 'admin', iss: 'issuer' })

function run(name, opts) { const verify = createVerifier({ key: 'secret', ...opts }) console.log('\n==', name) for (let i = 0; i < 8; i++) { try { verify(token); console.log(i, 'PASS') } catch (e) { console.log(i, 'FAIL', e.code || e.message) } } }

run('allowedAud global regex', { allowedAud: /^admin$/g }) run('allowedIss global regex', { allowedIss: /^issuer$/g }) run('control (non-global regex)', { allowedAud: /^admin$/ })

Observed behavior

  • allowedAud with /g alternates PASS/FAIL across calls
  • allowedIss with /g alternates PASS/FAIL across calls
  • control regex (no g/y) is deterministic and always PASS

Expected behavior

Validation must be deterministic.

The same token under the same verifier configuration must always yield the same decision.

Suggested fix (minimal and safe)

Wrap RegExp matchers inside ensureStringClaimMatcher() to reset lastIndex before calling test(): if (r instanceof RegExp) { return { test: v => { r.lastIndex = 0; return r.test(v) } } }

This preserves semantics for non-global regexes, makes g/y deterministic, and avoids changes in the rest of the verifier logic.

Security classification

Logical DoS / authentication reliability failure.

This can be weaponized to produce production outages via retry storms and auth instability.

Why this is not “misuse”

  • The library explicitly accepts RegExp for allowed* claim validation.
  • The behavior difference is caused by internal state mutation of RegExp.test().
  • The same token, same verifier config, same runtime yields different outcomes.
  • Security decisions must be deterministic; non-determinism at the verification layer is a correctness flaw.
  • Consumers cannot reliably defend against this unless the library normalizes matcher state.

Notes

  • Affects allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce equally (shared matcher logic).
  • Independent from the previously reported ReDoS; this is a determinism and correctness failure that can still produce production DoS effects.

PoC Code: 'use strict'

/* * PoC: Stateful RegExp flags (g/y) cause non-deterministic allowed-claim validation * fast-jwt reuses the same RegExp object; RegExp.test() mutates lastIndex when g/y is set. * * This script prints a human-readable log AND writes evidence to JSON. * * Usage: * node poc_regex_state_evidence.js /

const fs = require('node:fs') const path = require('node:path') const { createSigner, createVerifier } = require('fast-jwt')

const OUT_JSON = path.join(process.cwd(), 'evidence-regex-stateful-fastjwt.json') const OUT_LOG = path.join(process.cwd(), 'evidence-regex-stateful-fastjwt.log')

// Make a stable, valid token const sign = createSigner({ key: 'secret' }) const token = sign({ aud: 'admin', iss: 'issuer', sub: 'subject', jti: 'id-123', nonce: 'nonce-xyz' })

function runCase(name, verifierOpts, iterations = 12) { const verify = createVerifier({ key: 'secret', ...verifierOpts })

const results = [] for (let i = 0; i < iterations; i++) { try { verify(token) results.push({ i, ok: true }) } catch (e) { results.push({ i, ok: false, code: e.code || null, message: e.message || String(e) }) } }

return results }

function summarize(results) { const seq = results.map(r => (r.ok ? 'PASS' : 'FAIL')).join(' ') const pass = results.filter(r => r.ok).length const fail = results.length - pass return { pass, fail, seq } }

function printCase(name, opts, results) { const s = summarize(results) const lines = [] lines.push(== ${name}) lines.push(opts: ${JSON.stringify(opts)}) lines.push(PASS=${s.pass} FAIL=${s.fail}) lines.push(sequence: ${s.seq}) lines.push('') return lines.join('\n') }

function main() { const meta = { poc: 'stateful-regexp-allowed-claims', package: 'fast-jwt', node: process.version, timestamp: new Date().toISOString(), note: 'RegExp.test is stateful when g/y flags are set; lastIndex mutation causes alternating PASS/FAIL.' }

// Cases: g/y should flap, control should be stable const cases = [ { name: 'allowedAud with global RegExp /g (expected: flapping)', opts: { allowedAud: /^admin$/g } }, { name: 'allowedAud with sticky RegExp /y (expected: flapping)', opts: { allowedAud: /^admin$/y } }, { name: 'allowedIss with global RegExp /g (expected: flapping)', opts: { allowedIss: /^issuer$/g } }, { name: 'allowedSub with global RegExp /g (expected: flapping)', opts: { allowedSub: /^subject$/g } }, { name: 'allowedJti with global RegExp /g (expected: flapping)', opts: { allowedJti: /^id-123$/g } }, { name: 'allowedNonce with global RegExp /g (expected: flapping)', opts: { allowedNonce: /^nonce-xyz$/g } }, { name: 'CONTROL: allowedAud with non-global RegExp (expected: stable PASS)', opts: { allowedAud: /^admin$/ } } ]

const evidence = { meta, token: { alg: 'HS256 (autodetected by fast-jwt)', signed: true, jwt: token }, cases: [] }

let log = '' for (const c of cases) { const results = runCase(c.name, c.opts, 12) const s = summarize(results)

evidence.cases.push({
  name: c.name,
  opts: c.opts,
  iterations: results.length,
  pass: s.pass,
  fail: s.fail,
  sequence: s.seq,
  results
})

log += printCase(c.name, c.opts, results)

}

fs.writeFileSync(OUT_JSON, JSON.stringify(evidence, null, 2)) fs.writeFileSync(OUT_LOG, log)

console.log(log) console.log([+] Wrote JSON evidence: ${OUT_JSON}) console.log([+] Wrote LOG evidence : ${OUT_LOG}) }

main()

Output: PS C:\Users\Franciny Rojas\Desktop\crypto-research\fast-jwt> node .\poc_regex_state_evidence.js == allowedAud with global RegExp /g (expected: flapping) opts: {"allowedAud":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedAud with sticky RegExp /y (expected: flapping) opts: {"allowedAud":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedIss with global RegExp /g (expected: flapping) opts: {"allowedIss":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedSub with global RegExp /g (expected: flapping) opts: {"allowedSub":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedJti with global RegExp /g (expected: flapping) opts: {"allowedJti":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == allowedNonce with global RegExp /g (expected: flapping) opts: {"allowedNonce":{}} PASS=6 FAIL=6 sequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL == CONTROL: allowedAud with non-global RegExp (expected: stable PASS) opts: {"allowedAud":{}} PASS=12 FAIL=0 sequence: PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS

[+] Wrote JSON evidence: C:\Users\Franciny Rojas\Desktop\crypto-research\fast-jwt\evidence-regex-stateful-fastjwt.json [+] Wrote LOG evidence : C:\Users\Franciny Rojas\Desktop\crypto-research\fast-jwt\evidence-regex-stateful-fastjwt.log PS C:\Users\Franciny Rojas\Desktop\crypto-research\fast-jwt>

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35040"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T16:41:20Z",
    "nvd_published_at": "2026-04-09T16:16:27Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nUsing certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided.\n\nSuch modifiers are:\n- /g : Global matching\n- /y : Sticky matching\n\nThis does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes **50% of valid authentication requests to fail** in an alternating pattern, leading to:\n  - Intermittent user authentication failures\n  - Potential retry storms in applications\n  - Operational monitoring alerts\n\n## Affected Configurations\n\n### This vulnerability ONLY affects applications that:\n\n- Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options\n- Use stateful RegExp modifiers such a /g or /y\n\nExample: allowedAud: /abc/g \u2190 IMPACTED\nExample: allowedAud: \"/abc/\" \u2190 SAFE\n\n### Not Affected\n\n- Applications using string patterns for audience validation (most common)\n- Applications using RegExp patterns without stateful modifiers\n\n### Assessment Guide\nTo determine if you\u0027re affected:\n\nCheck if  allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options use RegExp objects (/pattern/ or new RegExp())\nIf yes, review the pattern for stateful modifiers like /g, /y\nIf no RegExp usage or no stateful modifiers, you are NOT affected\n\n## Mitigation Options\nWhile a fix will be coming in the next version of the package you can take steps to mitigate the issue immediately by removing any such modifiers (/g, /y) from the regex.\n\n---\n\nSummary\n\nfast-jwt accepts RegExp for allowedAud, allowedIss, allowedSub, allowedJti, and allowedNonce.\n\nIf the provided regular expression uses the g (global) or y (sticky) flag, verification becomes non-deterministic: the same valid token alternates between acceptance and rejection across successive calls.\n\nThis occurs because RegExp.prototype.test() is stateful when g/y is set (it mutates lastIndex), and fast-jwt reuses the same RegExp object without resetting lastIndex.\n\n\nAffected component\n\nsrc/verifier.js\n\nensureStringClaimMatcher() returns the RegExp object directly.\n\nvalidateClaimValues() performs repeated a.test(v) calls without resetting lastIndex.\n\n\nImpact\n\nLogical denial-of-service / authentication flapping.\n\nA valid signed JWT can be intermittently rejected.\n\nCauses unpredictable authentication outcomes across repeated verification calls.\n\nCan trigger retry storms and cascading failures in API gateways and authentication middleware.\n\nAffects any deployment that configures allowed* using RegExp and includes g or y flags.\n\n\nRoot cause\n\nvalidateClaimValues() uses: allowed.some(a =\u003e a.test(v))\n\n\nWhen `a` is a RegExp with g or y, `a.test()` mutates `a.lastIndex`.\n\nSubsequent calls against the same input can return different results.\n\n\nProof of concept\n\nEnvironment\n\n- fast-jwt: 6.1.0 (repo HEAD)\n- Node.js: v24.13.1\n\nPoC\nconst { createSigner, createVerifier } = require(\u0027fast-jwt\u0027)\n\nconst sign = createSigner({ key: \u0027secret\u0027 })\nconst token = sign({ aud: \u0027admin\u0027, iss: \u0027issuer\u0027 })\n\nfunction run(name, opts) {\nconst verify = createVerifier({ key: \u0027secret\u0027, ...opts })\nconsole.log(\u0027\\n==\u0027, name)\nfor (let i = 0; i \u003c 8; i++) {\ntry { verify(token); console.log(i, \u0027PASS\u0027) }\ncatch (e) { console.log(i, \u0027FAIL\u0027, e.code || e.message) }\n}\n}\n\nrun(\u0027allowedAud global regex\u0027, { allowedAud: /^admin$/g })\nrun(\u0027allowedIss global regex\u0027, { allowedIss: /^issuer$/g })\nrun(\u0027control (non-global regex)\u0027, { allowedAud: /^admin$/ })\n\n\n\nObserved behavior\n\n- allowedAud with `/g` alternates PASS/FAIL across calls\n- allowedIss with `/g` alternates PASS/FAIL across calls\n- control regex (no g/y) is deterministic and always PASS\n\n\nExpected behavior\n\nValidation must be deterministic.\n\nThe same token under the same verifier configuration must always yield the same decision.\n\n\nSuggested fix (minimal and safe)\n\nWrap RegExp matchers inside ensureStringClaimMatcher() to reset lastIndex before calling test():\nif (r instanceof RegExp) {\nreturn { test: v =\u003e { r.lastIndex = 0; return r.test(v) } }\n}\n\n\nThis preserves semantics for non-global regexes, makes g/y deterministic, and avoids changes in the rest of the verifier logic.\n\n\nSecurity classification\n\nLogical DoS / authentication reliability failure.\n\nThis can be weaponized to produce production outages via retry storms and auth instability.\n\n\nWhy this is not \u201cmisuse\u201d\n\n- The library explicitly accepts RegExp for allowed* claim validation.\n- The behavior difference is caused by internal state mutation of RegExp.test().\n- The same token, same verifier config, same runtime yields different outcomes.\n- Security decisions must be deterministic; non-determinism at the verification layer is a correctness flaw.\n- Consumers cannot reliably defend against this unless the library normalizes matcher state.\n\n\nNotes\n\n- Affects allowedAud, allowedIss, allowedSub, allowedJti, allowedNonce equally (shared matcher logic).\n- Independent from the previously reported ReDoS; this is a determinism and correctness failure that can still produce production DoS effects.\n\n\nPoC Code:\n\u0027use strict\u0027\n\n/**\n * PoC: Stateful RegExp flags (g/y) cause non-deterministic allowed-claim validation\n * fast-jwt reuses the same RegExp object; RegExp.test() mutates lastIndex when g/y is set.\n *\n * This script prints a human-readable log AND writes evidence to JSON.\n *\n * Usage:\n *   node poc_regex_state_evidence.js\n */\n\nconst fs = require(\u0027node:fs\u0027)\nconst path = require(\u0027node:path\u0027)\nconst { createSigner, createVerifier } = require(\u0027fast-jwt\u0027)\n\nconst OUT_JSON = path.join(process.cwd(), \u0027evidence-regex-stateful-fastjwt.json\u0027)\nconst OUT_LOG  = path.join(process.cwd(), \u0027evidence-regex-stateful-fastjwt.log\u0027)\n\n// Make a stable, valid token\nconst sign = createSigner({ key: \u0027secret\u0027 })\nconst token = sign({\n  aud: \u0027admin\u0027,\n  iss: \u0027issuer\u0027,\n  sub: \u0027subject\u0027,\n  jti: \u0027id-123\u0027,\n  nonce: \u0027nonce-xyz\u0027\n})\n\nfunction runCase(name, verifierOpts, iterations = 12) {\n  const verify = createVerifier({ key: \u0027secret\u0027, ...verifierOpts })\n\n  const results = []\n  for (let i = 0; i \u003c iterations; i++) {\n    try {\n      verify(token)\n      results.push({ i, ok: true })\n    } catch (e) {\n      results.push({ i, ok: false, code: e.code || null, message: e.message || String(e) })\n    }\n  }\n\n  return results\n}\n\nfunction summarize(results) {\n  const seq = results.map(r =\u003e (r.ok ? \u0027PASS\u0027 : \u0027FAIL\u0027)).join(\u0027 \u0027)\n  const pass = results.filter(r =\u003e r.ok).length\n  const fail = results.length - pass\n  return { pass, fail, seq }\n}\n\nfunction printCase(name, opts, results) {\n  const s = summarize(results)\n  const lines = []\n  lines.push(`== ${name}`)\n  lines.push(`opts: ${JSON.stringify(opts)}`)\n  lines.push(`PASS=${s.pass} FAIL=${s.fail}`)\n  lines.push(`sequence: ${s.seq}`)\n  lines.push(\u0027\u0027)\n  return lines.join(\u0027\\n\u0027)\n}\n\nfunction main() {\n  const meta = {\n    poc: \u0027stateful-regexp-allowed-claims\u0027,\n    package: \u0027fast-jwt\u0027,\n    node: process.version,\n    timestamp: new Date().toISOString(),\n    note: \u0027RegExp.test is stateful when g/y flags are set; lastIndex mutation causes alternating PASS/FAIL.\u0027\n  }\n\n  // Cases: g/y should flap, control should be stable\n  const cases = [\n    {\n      name: \u0027allowedAud with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedAud: /^admin$/g }\n    },\n    {\n      name: \u0027allowedAud with sticky RegExp /y (expected: flapping)\u0027,\n      opts: { allowedAud: /^admin$/y }\n    },\n    {\n      name: \u0027allowedIss with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedIss: /^issuer$/g }\n    },\n    {\n      name: \u0027allowedSub with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedSub: /^subject$/g }\n    },\n    {\n      name: \u0027allowedJti with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedJti: /^id-123$/g }\n    },\n    {\n      name: \u0027allowedNonce with global RegExp /g (expected: flapping)\u0027,\n      opts: { allowedNonce: /^nonce-xyz$/g }\n    },\n    {\n      name: \u0027CONTROL: allowedAud with non-global RegExp (expected: stable PASS)\u0027,\n      opts: { allowedAud: /^admin$/ }\n    }\n  ]\n\n  const evidence = {\n    meta,\n    token: {\n      alg: \u0027HS256 (autodetected by fast-jwt)\u0027,\n      signed: true,\n      jwt: token\n    },\n    cases: []\n  }\n\n  let log = \u0027\u0027\n  for (const c of cases) {\n    const results = runCase(c.name, c.opts, 12)\n    const s = summarize(results)\n\n    evidence.cases.push({\n      name: c.name,\n      opts: c.opts,\n      iterations: results.length,\n      pass: s.pass,\n      fail: s.fail,\n      sequence: s.seq,\n      results\n    })\n\n    log += printCase(c.name, c.opts, results)\n  }\n\n  fs.writeFileSync(OUT_JSON, JSON.stringify(evidence, null, 2))\n  fs.writeFileSync(OUT_LOG, log)\n\n  console.log(log)\n  console.log(`[+] Wrote JSON evidence: ${OUT_JSON}`)\n  console.log(`[+] Wrote LOG evidence : ${OUT_LOG}`)\n}\n\nmain()\n\n\nOutput:\nPS C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\u003e node .\\poc_regex_state_evidence.js\n== allowedAud with global RegExp /g (expected: flapping)\nopts: {\"allowedAud\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedAud with sticky RegExp /y (expected: flapping)\nopts: {\"allowedAud\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedIss with global RegExp /g (expected: flapping)\nopts: {\"allowedIss\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedSub with global RegExp /g (expected: flapping)\nopts: {\"allowedSub\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedJti with global RegExp /g (expected: flapping)\nopts: {\"allowedJti\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== allowedNonce with global RegExp /g (expected: flapping)\nopts: {\"allowedNonce\":{}}\nPASS=6 FAIL=6\nsequence: PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL\n== CONTROL: allowedAud with non-global RegExp (expected: stable PASS)\nopts: {\"allowedAud\":{}}\nPASS=12 FAIL=0\nsequence: PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS PASS\n\n[+] Wrote JSON evidence: C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\\evidence-regex-stateful-fastjwt.json\n[+] Wrote LOG evidence : C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\\evidence-regex-stateful-fastjwt.log\nPS C:\\Users\\Franciny Rojas\\Desktop\\crypto-research\\fast-jwt\u003e",
  "id": "GHSA-3j8v-cgw4-2g6q",
  "modified": "2026-04-09T19:05:11Z",
  "published": "2026-04-09T16:41:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35040"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/pull/593"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nearform/fast-jwt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)"
}

GHSA-3R76-7GPF-JQ4W

Vulnerability from github – Published: 2024-07-18 21:30 – Updated: 2024-07-18 21:30
VLAI
Details

Failure to properly synchronize user's permissions in UAA in Cloud Foundry Foundation v40.17.0 https://github.com/cloudfoundry/cf-deployment/releases/tag/v40.17.0 , potentially resulting in users retaining access rights they should not have. This can allow them to perform operations beyond their intended permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-18T19:15:12Z",
    "severity": "LOW"
  },
  "details": "Failure to properly synchronize user\u0027s permissions in UAA in Cloud Foundry Foundation  v40.17.0 https://github.com/cloudfoundry/cf-deployment/releases/tag/v40.17.0 ,\n potentially resulting in users retaining access rights they should not \nhave.  This can allow them to perform operations beyond their intended \npermissions.",
  "id": "GHSA-3r76-7gpf-jq4w",
  "modified": "2024-07-18T21:30:37Z",
  "published": "2024-07-18T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38806"
    },
    {
      "type": "WEB",
      "url": "https://www.cloudfoundry.org/blog/cve-2024-38806-uaa-failure-to-remove-shadow-users-access"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-53WR-CX66-4578

Vulnerability from github – Published: 2023-09-08 12:30 – Updated: 2024-04-04 07:34
VLAI
Details

Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions.

Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions.

The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.

As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap:

OPENSSL_ia32cap=:~0x200000

The FIPS provider is not affected by this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-08T12:15:08Z",
    "severity": "HIGH"
  },
  "details": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n   OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.",
  "id": "GHSA-53wr-cx66-4578",
  "modified": "2024-04-04T07:34:05Z",
  "published": "2023-09-08T12:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807"
    },
    {
      "type": "WEB",
      "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5"
    },
    {
      "type": "WEB",
      "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508"
    },
    {
      "type": "WEB",
      "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230921-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.openssl.org/news/secadv/20230908.txt"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/174593/OpenSSL-Security-Advisory-20230908.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/09/08/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/09/08/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-54R2-W853-7RGW

Vulnerability from github – Published: 2024-09-11 18:31 – Updated: 2024-10-03 03:31
VLAI
Details

A problem with a detection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices enables a user with Windows administrator privileges to disable the agent. This issue may be leveraged by malware to disable the Cortex XDR agent and then to perform malicious activity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-11T17:15:14Z",
    "severity": "MODERATE"
  },
  "details": "A problem with a detection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices enables a user with Windows administrator privileges to disable the agent. This issue may be leveraged by malware to disable the Cortex XDR agent and then to perform malicious activity.",
  "id": "GHSA-54r2-w853-7rgw",
  "modified": "2024-10-03T03:31:10Z",
  "published": "2024-09-11T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8690"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2024-8690"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5HQ9-5R78-2GJH

Vulnerability from github – Published: 2025-07-10 15:31 – Updated: 2025-07-10 18:45
VLAI
Summary
LlamaIndex vulnerable to data loss through hash collisions in its DocugamiReader class
Details

A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to but excluding version 0.12.41, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "llama-index"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "llama-index-readers-docugami"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-6211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-10T18:45:04Z",
    "nvd_published_at": "2025-07-10T13:15:23Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to but excluding version 0.12.41, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1.",
  "id": "GHSA-5hq9-5r78-2gjh",
  "modified": "2025-07-10T18:45:04Z",
  "published": "2025-07-10T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/run-llama/llama_index/commit/29b2e07e64ed7d302b1cc058185560b28eaa1352"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/run-llama/llama_index"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/1a48a011-a3c5-4979-9ffc-9652280bc389"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LlamaIndex vulnerable to data loss through hash collisions in its DocugamiReader class "
}

GHSA-648W-89VF-3PFC

Vulnerability from github – Published: 2026-03-03 15:31 – Updated: 2026-03-04 21:32
VLAI
Details

A vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS filesystem integrity check and maintain limited persistence via a maliciously-crafted firmware update package.This issue affects Fireware OS 12.0 up to and including 12.11.7, 12.5.9 up to and including 12.5.16, and 2025.1 up to and including 2026.1.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3344"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-03T14:15:57Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS filesystem integrity check and maintain limited persistence via a maliciously-crafted firmware update package.This issue affects Fireware OS 12.0 up to and including 12.11.7, 12.5.9 up to and including 12.5.16, and 2025.1 up to and including 2026.1.1.",
  "id": "GHSA-648w-89vf-3pfc",
  "modified": "2026-03-04T21:32:42Z",
  "published": "2026-03-03T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3344"
    },
    {
      "type": "WEB",
      "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00005"
    },
    {
      "type": "WEB",
      "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6626-64RF-2CVV

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-04-04 02:43
VLAI
Details

An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby Aps of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5061"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-287",
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-12T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table attacks, or by leading to traffic flapping if faking already existing clients in other nearby Aps of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets to trigger this vulnerability.",
  "id": "GHSA-6626-64rf-2cvv",
  "modified": "2024-04-04T02:43:10Z",
  "published": "2022-05-24T17:03:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5061"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0849"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.