Common Weakness Enumeration

CWE-670

Allowed-with-Review

Always-Incorrect Control Flow Implementation

Abstraction: Class · Status: Draft

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

203 vulnerabilities reference this CWE, most recent first.

GHSA-327C-QX3V-H673

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-06-27 17:05
VLAI
Summary
Always-Incorrect Control Flow Implementation in Facebook Hermes
Details

A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.7.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "hermes-engine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1914"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1119",
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-24T01:23:21Z",
    "nvd_published_at": "2020-10-08T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or theoretically execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.",
  "id": "GHSA-327c-qx3v-h673",
  "modified": "2022-06-27T17:05:26Z",
  "published": "2022-05-24T17:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1914"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/hermes/issues/373"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/hermes/commit/b2021df620824627f5a8c96615edbd1eb7fdddfc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/facebook/hermes"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2020-1914"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Always-Incorrect Control Flow Implementation in Facebook Hermes"
}

GHSA-3288-5P9J-WPHM

Vulnerability from github – Published: 2023-04-13 09:30 – Updated: 2024-04-04 03:26
VLAI
Details

Memory corruption in modem due to improper input validation while handling the incoming CoAP message

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-13T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Memory corruption in modem due to improper input validation while handling the incoming CoAP message",
  "id": "GHSA-3288-5p9j-wphm",
  "modified": "2024-04-04T03:26:50Z",
  "published": "2023-04-13T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25745"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/april-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-34R7-Q49F-H37C

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2021-10-29 14:15
VLAI
Summary
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
Details

Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.

Recommendation

Upgrade UglifyJS to version >= 2.4.24.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uglify-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "uglifier"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-8857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1254",
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:54:00Z",
    "nvd_published_at": "2017-01-23T21:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.\n\n## Recommendation\n\nUpgrade UglifyJS to version \u003e= 2.4.24.",
  "id": "GHSA-34r7-q49f-h37c",
  "modified": "2021-10-29T14:15:03Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8857"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mishoo/UglifyJS2/issues/751"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mishoo/UglifyJS2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227190830/http://www.securityfocus.com/bid/96410"
    },
    {
      "type": "WEB",
      "url": "https://zyan.scripts.mit.edu/blog/backdooring-js"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js"
}

GHSA-39CP-8QFJ-8CJM

Vulnerability from github – Published: 2024-05-01 21:30 – Updated: 2024-07-03 18:38
VLAI
Details

An issue in phiola/src/afilter/conv.c:115 of phiola v2.0-rc22 allows a remote attacker to cause a denial of service via a crafted .wav file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33431"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T19:15:27Z",
    "severity": "MODERATE"
  },
  "details": "An issue in phiola/src/afilter/conv.c:115 of phiola v2.0-rc22 allows a remote attacker to cause a denial of service via a crafted .wav file.",
  "id": "GHSA-39cp-8qfj-8cjm",
  "modified": "2024-07-03T18:38:27Z",
  "published": "2024-05-01T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33431"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stsaz/phiola/issues/27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/blob/master/phiola/flowPointException-1/flowPointException-1.assets/image-20240420004701828.png"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/blob/master/phiola/flowPointException-1/flowPointException-1.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/blob/master/phiola/flowPointException-1/poc/I0I72U~G"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/tree/master/phiola/flowPointException-1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/tree/master/phiola/flowPointException-1/poc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stsaz/phiola"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3PWM-R3R4-XPVF

Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-09-25 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: config: fix iteration issue in 'usb_get_bos_descriptor()'

The BOS descriptor defines a root descriptor and is the base descriptor for accessing a family of related descriptors.

Function 'usb_get_bos_descriptor()' encounters an iteration issue when skipping the 'USB_DT_DEVICE_CAPABILITY' descriptor type. This results in the same descriptor being read repeatedly.

To address this issue, a 'goto' statement is introduced to ensure that the pointer and the amount read is updated correctly. This ensures that the function iterates to the next descriptor instead of reading the same descriptor repeatedly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T16:15:17Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: config: fix iteration issue in \u0027usb_get_bos_descriptor()\u0027\n\nThe BOS descriptor defines a root descriptor and is the base descriptor for\naccessing a family of related descriptors.\n\nFunction \u0027usb_get_bos_descriptor()\u0027 encounters an iteration issue when\nskipping the \u0027USB_DT_DEVICE_CAPABILITY\u0027 descriptor type. This results in\nthe same descriptor being read repeatedly.\n\nTo address this issue, a \u0027goto\u0027 statement is introduced to ensure that the\npointer and the amount read is updated correctly. This ensures that the\nfunction iterates to the next descriptor instead of reading the same\ndescriptor repeatedly.",
  "id": "GHSA-3pwm-r3r4-xpvf",
  "modified": "2025-09-25T18:30:28Z",
  "published": "2024-05-21T18:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52781"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64c27b7b2357ddb38b6afebaf46d5bff4d250702"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c0244cc311a4038505b73682b7c8ceaa5c7a8c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/974bba5c118f4c2baf00de0356e3e4f7928b4cbc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ef94ec8e52eaf7b9abc5b5f8f5b911751112223"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f89fef7710b2ba0f7a1e46594e530dcf2f77be91"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3Q5P-3558-364F

Vulnerability from github – Published: 2023-09-08 13:27 – Updated: 2023-09-11 14:39
VLAI
Summary
Fiber unauthorized access vulnerability in `ctx.IsFromLocal()`
Details

Impact

This vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the ctx.IsFromLocal() method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost.

In it's implementation it uses c.IPs():

// IPs returns a string slice of IP addresses specified in the X-Forwarded-For request header.
// When IP validation is enabled, only valid IPs are returned.
func (c *Ctx) IPs() []string {
    return c.extractIPsFromHeader(HeaderXForwardedFor)
}

Thereby, setting X-Forwarded-For: 127.0.0.1 in a request from a foreign host, will result in true for ctx.IsFromLocal()

Patches

This issue has been patched in v2.49.2 with commit b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc

Workarounds

Currently, there are no known workarounds to remediate this vulnerability without upgrading to the patched version. We strongly advise users to apply the patch as soon as it is released.

References

For further information and context regarding this security issue, please refer to the following resources:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/fiber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.14.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/fiber/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.49.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-08T13:27:21Z",
    "nvd_published_at": "2023-09-08T19:15:43Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThis vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal) method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost.\n\nIn it\u0027s implementation it uses c.IPs():\n\n```go\n// IPs returns a string slice of IP addresses specified in the X-Forwarded-For request header.\n// When IP validation is enabled, only valid IPs are returned.\nfunc (c *Ctx) IPs() []string {\n    return c.extractIPsFromHeader(HeaderXForwardedFor)\n}\n```\n\nThereby, setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal) \n\n### Patches\nThis issue has been patched in `v2.49.2` with commit [b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc](https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc)\n\n### Workarounds\nCurrently, there are no known workarounds to remediate this vulnerability without upgrading to the patched version. We strongly advise users to apply the patch as soon as it is released.\n\n### References\nFor further information and context regarding this security issue, please refer to the following resources:\n\n- [Mozilla Developer Network - X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)\n\n",
  "id": "GHSA-3q5p-3558-364f",
  "modified": "2023-09-11T14:39:57Z",
  "published": "2023-09-08T13:27:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41338"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For"
    },
    {
      "type": "WEB",
      "url": "https://docs.gofiber.io/api/ctx#isfromlocal"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gofiber/fiber"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fiber unauthorized access vulnerability in `ctx.IsFromLocal()`"
}

GHSA-49M5-2838-Q2RV

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-09-06 19:52
VLAI
Summary
Ansible unsafe evaluation of some strings
Details

Ansible prior to 1.5.4 mishandles the evaluation of some strings.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-2686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-07T20:34:37Z",
    "nvd_published_at": "2020-01-09T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Ansible prior to 1.5.4 mishandles the evaluation of some strings.",
  "id": "GHSA-49m5-2838-q2rv",
  "modified": "2024-09-06T19:52:27Z",
  "published": "2022-05-17T19:57:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/998793fd0ab55705d57527a38cee5e83f535974c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-198.yaml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!searchin/ansible-project/1.5.4/ansible-project/MUQxiKwSQDc/id6aVaawVboJ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ansible unsafe evaluation of some strings"
}

GHSA-4CHV-4C6W-W254

Vulnerability from github – Published: 2026-02-17 21:29 – Updated: 2026-02-19 21:56
VLAI
Summary
The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
Details

Impact

The #[contractimpl] macro contains a bug in how it wires up function calls.

In Rust, you can define functions on a type in two ways: - Directly on the type as an inherent function: rust impl MyContract { fn value() { ... } } - Through a trait rust impl Trait for MyContract { fn value() { ... } }

These are two separate functions that happen to share the same name. Rust has rules for which one gets called. When you write MyContract::value(), Rust always picks the one defined directly on the type, not the trait version.

The bug is that #[contractimpl] generates code that uses MyContract::value() style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function.

This means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously: 1. A impl Trait for MyContract block is defined with one or more functions, with #[contractimpl] applied. 2. A impl MyContract block is defined with one or more identically named functions, without #[contractimpl] applied.

If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function.

For example:

#[contract]
pub struct Contract;

impl Contract {
    /// Inherent function — returns 1.
    /// Bug: The macro-generated WASM export is wired up to call this function.
    pub fn value() -> u32 {
        1
    }
}

pub trait Trait {
    fn value(env: Env) -> u32;
}

#[contractimpl]
impl Trait for MyContract {
    /// Trait implementation — returns 2.
    /// Fix: The macro-generated WASM export should call this function.
    fn value() -> u32 {
        2
    }
}

Patches

The problem is patched in soroban-sdk-macros version 25.1.1. The fix changes the generated call from <Type>::func() to <Type as Trait>::func() when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists.

Users should upgrade to soroban-sdk-macros >= 25.1.1 and recompile their contracts.

Workarounds

If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 25.1.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "soroban-sdk-macros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "25.0.0"
            },
            {
              "fixed": "25.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 23.5.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "soroban-sdk-macros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.0.0"
            },
            {
              "fixed": "23.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 22.0.9"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "soroban-sdk-macros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:29:05Z",
    "nvd_published_at": "2026-02-19T20:25:43Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe `#[contractimpl]` macro contains a bug in how it wires up function calls.\n\nIn Rust, you can define functions on a type in two ways:\n- Directly on the type as an inherent function:\n  ```rust\n  impl MyContract {\n      fn value() { ... }\n  }\n  ```\n- Through a trait\n  ```rust\n  impl Trait for MyContract {\n      fn value() { ... }\n  }\n  ```\n\nThese are two separate functions that happen to share the same name. Rust has rules for which one gets called. When you write `MyContract::value()`, Rust always picks the one defined directly on the type, not the trait version.\n\nThe bug is that `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it\u0027s processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function.\n\nThis means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously:\n1. A `impl Trait for MyContract` block is defined with one or more functions, with `#[contractimpl]` applied.\n2. A `impl MyContract` block is defined with one or more identically named functions, without `#[contractimpl]` applied.\n\nIf the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function.\n\nFor example:\n\n```rust\n#[contract]\npub struct Contract;\n\nimpl Contract {\n    /// Inherent function \u2014 returns 1.\n    /// Bug: The macro-generated WASM export is wired up to call this function.\n    pub fn value() -\u003e u32 {\n        1\n    }\n}\n\npub trait Trait {\n    fn value(env: Env) -\u003e u32;\n}\n\n#[contractimpl]\nimpl Trait for MyContract {\n    /// Trait implementation \u2014 returns 2.\n    /// Fix: The macro-generated WASM export should call this function.\n    fn value() -\u003e u32 {\n        2\n    }\n}\n```\n\n### Patches\n\nThe problem is patched in `soroban-sdk-macros` version **25.1.1**. The fix changes the generated call from `\u003cType\u003e::func()` to `\u003cType as Trait\u003e::func()` when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists.\n\nUsers should upgrade to `soroban-sdk-macros` **\u003e= 25.1.1** and recompile their contracts.\n\n### Workarounds\n\nIf upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.",
  "id": "GHSA-4chv-4c6w-w254",
  "modified": "2026-02-19T21:56:47Z",
  "published": "2026-02-17T21:29:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-4chv-4c6w-w254"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26267"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-soroban-sdk/pull/1729"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-soroban-sdk/pull/1730"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-soroban-sdk/pull/1731"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-soroban-sdk/commit/e92a3933e5f92dc09da3c740cf6a360d55709a2b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stellar/rs-soroban-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide"
}

GHSA-4G58-P6WM-2VF3

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

In updateCapabilities of ConnectivityService.java, there is a possible incorrect network state determination due to a logic error in the code. This could lead to biasing of networking tasks to occur on non-VPN networks, which could lead to remote information disclosure, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-179053823

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-21T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "In updateCapabilities of ConnectivityService.java, there is a possible incorrect network state determination due to a logic error in the code. This could lead to biasing of networking tasks to occur on non-VPN networks, which could lead to remote information disclosure, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-179053823",
  "id": "GHSA-4g58-p6wm-2vf3",
  "modified": "2022-05-24T19:05:44Z",
  "published": "2022-05-24T19:05:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0517"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2021-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4HG4-9MF5-WXXQ

Vulnerability from github – Published: 2023-09-04 16:39 – Updated: 2024-11-19 17:22
VLAI
Summary
incorrect order of evaluation of side effects for some builtins
Details

Impact

The order of evaluation of the arguments of the builtin functions uint256_addmod, uint256_mulmod, ecadd and ecmul does not follow source order. • For uint256_addmod(a,b,c) and uint256_mulmod(a,b,c), the order is c,a,b. • For ecadd(a,b) and ecmul(a,b), the order is b,a.

Note that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on.

Patches

https://github.com/vyperlang/vyper/pull/3583

Workarounds

When using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.

References

Are there any links users can visit to find out more?

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.9"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "vyper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.10rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-670"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-04T16:39:49Z",
    "nvd_published_at": "2023-09-04T18:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follow source order.\n\u2022 For `uint256_addmod(a,b,c)` and `uint256_mulmod(a,b,c)`, the order is `c,a,b`.\n\u2022 For `ecadd(a,b)` and `ecmul(a,b)`, the order is `b,a`.\n\nNote that this behaviour is problematic when the evaluation of one of the arguments produces side effects that other arguments depend on. \n\n### Patches\nhttps://github.com/vyperlang/vyper/pull/3583\n\n### Workarounds\nWhen using builtins from the list above, make sure that the arguments of the expression do not produce side effects or, if one does, that no other argument is dependent on those side effects.\n\n### References\n_Are there any links users can visit to find out more?_\n",
  "id": "GHSA-4hg4-9mf5-wxxq",
  "modified": "2024-11-19T17:22:23Z",
  "published": "2023-09-04T16:39:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/security/advisories/GHSA-4hg4-9mf5-wxxq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41052"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vyperlang/vyper/pull/3583"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2023-168.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vyperlang/vyper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "incorrect order of evaluation of side effects for some builtins"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.