CWE-755
DiscouragedImproper Handling of Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not handle or incorrectly handles an exceptional condition.
685 vulnerabilities reference this CWE, most recent first.
GHSA-H4RM-7MPV-29CJ
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2023-04-20 15:30A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the SNMP application to leak system memory, which could cause an affected device to restart unexpectedly. The vulnerability is due to improper error handling when processing inbound SNMP packets. An attacker could exploit this vulnerability by sending multiple crafted SNMP packets to an affected device. A successful exploit could allow the attacker to cause the SNMP application to leak system memory because of an improperly handled error condition during packet processing. Over time, this memory leak could cause the SNMP application to restart multiple times, leading to a system-level restart and a denial of service (DoS) condition.
{
"affected": [],
"aliases": [
"CVE-2019-1858"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-16T02:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the SNMP application to leak system memory, which could cause an affected device to restart unexpectedly. The vulnerability is due to improper error handling when processing inbound SNMP packets. An attacker could exploit this vulnerability by sending multiple crafted SNMP packets to an affected device. A successful exploit could allow the attacker to cause the SNMP application to leak system memory because of an improperly handled error condition during packet processing. Over time, this memory leak could cause the SNMP application to restart multiple times, leading to a system-level restart and a denial of service (DoS) condition.",
"id": "GHSA-h4rm-7mpv-29cj",
"modified": "2023-04-20T15:30:19Z",
"published": "2022-05-24T16:45:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1858"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-snmp-dos"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108358"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H4XH-C6FV-XJV7
Vulnerability from github – Published: 2022-04-14 00:00 – Updated: 2022-04-22 00:01A maliciously crafted DWG file can be used to write beyond the allocated buffer while parsing DWG files. This vulnerability can be exploited to execute arbitrary code
{
"affected": [],
"aliases": [
"CVE-2022-25795"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-13T18:15:00Z",
"severity": "HIGH"
},
"details": "A maliciously crafted DWG file can be used to write beyond the allocated buffer while parsing DWG files. This vulnerability can be exploited to execute arbitrary code",
"id": "GHSA-h4xh-c6fv-xjv7",
"modified": "2022-04-22T00:01:06Z",
"published": "2022-04-14T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25795"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0010;"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5H9-33PX-2RHV
Vulnerability from github – Published: 2023-08-24 21:30 – Updated: 2024-04-04 07:11A lack of exception handling in the Renault Easy Link Multimedia System Software Version 283C35519R allows attackers to cause a Denial of Service (DoS) via supplying crafted WMA files when connecting a device to the vehicle's USB plug and play feature.
{
"affected": [],
"aliases": [
"CVE-2023-39801"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-24T20:15:08Z",
"severity": "MODERATE"
},
"details": "A lack of exception handling in the Renault Easy Link Multimedia System Software Version 283C35519R allows attackers to cause a Denial of Service (DoS) via supplying crafted WMA files when connecting a device to the vehicle\u0027s USB plug and play feature.",
"id": "GHSA-h5h9-33px-2rhv",
"modified": "2024-04-04T07:11:42Z",
"published": "2023-08-24T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39801"
},
{
"type": "WEB",
"url": "https://github.com/zj3t/Automotive-vulnerabilities/blob/main/RENAULT/ZOE_EV_2021/Vuln%232/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HC4F-4MVR-7CV9
Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-17 00:00Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.
{
"affected": [],
"aliases": [
"CVE-2022-36923"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-10T20:16:00Z",
"severity": "HIGH"
},
"details": "Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user\u0027s API key, and then access external APIs.",
"id": "GHSA-hc4f-4mvr-7cv9",
"modified": "2022-08-17T00:00:24Z",
"published": "2022-08-11T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36923"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/itom/advisory/cve-2022-36923.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HCQH-HWQP-XM3C
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with no firmware image inside the package using FTP protocol.
{
"affected": [],
"aliases": [
"CVE-2019-6841"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-29T19:15:00Z",
"severity": "MODERATE"
},
"details": "A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with no firmware image inside the package using FTP protocol.",
"id": "GHSA-hcqh-hwqp-xm3c",
"modified": "2022-05-24T17:00:05Z",
"published": "2022-05-24T17:00:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6841"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-02"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2019-281-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HCW4-X562-RV3J
Vulnerability from github – Published: 2024-03-11 18:31 – Updated: 2024-03-11 18:31An improper error handling vulnerability in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2024-23612"
],
"database_specific": {
"cwe_ids": [
"CWE-1285",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-11T16:15:08Z",
"severity": "HIGH"
},
"details": "An improper error handling vulnerability in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.\n\n",
"id": "GHSA-hcw4-x562-rv3j",
"modified": "2024-03-11T18:31:07Z",
"published": "2024-03-11T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23612"
},
{
"type": "WEB",
"url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/improper-error-handling-issues-in-labview.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HFFM-G8V7-WRV7
Vulnerability from github – Published: 2026-02-24 20:22 – Updated: 2026-02-27 19:52Summary
Two swallowed errors in ClientAuthentication.provision() cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary.
Details
In modules/caddytls/connpolicy.go, the provision() method has two return nil statements that should be return err:
Bug #1 — line 787:
ders, err := convertPEMFilesToDER(fpath)
if err != nil {
return nil // BUG: should be "return err"
}
Bug #2 — line 800:
err := caPool.Provision(ctx)
if err != nil {
return nil // BUG: should be "return err"
}
Compare with line 811 which correctly returns the error:
caRaw, err := ctx.LoadModule(clientauth, "CARaw")
if err != nil {
return err // CORRECT
}
When the error is swallowed on line 787, the chain is:
TrustedCACertsremains empty (no DER data appended from the file)- The
len(clientauth.TrustedCACerts) > 0guard on line 794 is false — skipped clientauth.CARawis nil — line 806 returns nilclientauth.caremains nil — no CA pool was createdprovision()returns nil — caller thinks provisioning succeeded
Then in ConfigureTLSConfig():
Active()returns true becauseTrustedCACertPEMFilesis non-empty- Default mode is set to
RequireAndVerifyClientCert(line 860) - But
clientauth.cais nil, socfg.ClientCAsis never set (line 867 skipped) - Go's
crypto/tlswithRequireAndVerifyClientCert+ nilClientCAsverifies client certs against the system root pool instead of the intended CA
The fix is changing return nil to return err on lines 787 and 800.
PoC
- Configure Caddy with mTLS pointing to a nonexistent CA file:
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [":443"],
"tls_connection_policies": [{
"client_authentication": {
"trusted_ca_certs_pem_files": ["/nonexistent/ca.pem"]
}
}]
}
}
}
}
}
-
Start Caddy — it starts without any error or warning.
-
Connect with any client certificate (even self-signed):
openssl s_client -connect localhost:443 -cert client.pem -key client-key.pem
- The TLS handshake succeeds despite the certificate not being signed by the intended CA.
A full Go test that proves the bug end-to-end (including a successful TLS handshake with a random self-signed client cert) is here: https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48
Test output:
=== RUN TestSwallowedErrorMTLSFailOpen
BUG CONFIRMED: provision() swallowed the error from a nonexistent CA file.
tls.Config has RequireAndVerifyClientCert but ClientCAs is nil.
CRITICAL: TLS handshake succeeded with a self-signed client cert!
The server accepted a client certificate NOT signed by the intended CA.
--- PASS: TestSwallowedErrorMTLSFailOpen (0.03s)
Impact
Any deployment using trusted_ca_cert_file or trusted_ca_certs_pem_files for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/caddyserver/caddy/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27586"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-24T20:22:53Z",
"nvd_published_at": "2026-02-24T17:29:03Z",
"severity": "HIGH"
},
"details": "### Summary\n\nTwo swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary.\n\n### Details\n\nIn `modules/caddytls/connpolicy.go`, the `provision()` method has two `return nil` statements that should be `return err`:\n\n**Bug #1 \u2014 line 787:**\n```go\nders, err := convertPEMFilesToDER(fpath)\nif err != nil {\n return nil // BUG: should be \"return err\"\n}\n```\n\n**Bug #2 \u2014 line 800:**\n```go\nerr := caPool.Provision(ctx)\nif err != nil {\n return nil // BUG: should be \"return err\"\n}\n```\n\nCompare with line 811 which correctly returns the error:\n```go\ncaRaw, err := ctx.LoadModule(clientauth, \"CARaw\")\nif err != nil {\n return err // CORRECT\n}\n```\n\nWhen the error is swallowed on line 787, the chain is:\n\n1. `TrustedCACerts` remains empty (no DER data appended from the file)\n2. The `len(clientauth.TrustedCACerts) \u003e 0` guard on line 794 is false \u2014 skipped\n3. `clientauth.CARaw` is nil \u2014 line 806 returns nil\n4. `clientauth.ca` remains nil \u2014 no CA pool was created\n5. `provision()` returns nil \u2014 caller thinks provisioning succeeded\n\nThen in `ConfigureTLSConfig()`:\n\n6. `Active()` returns true because `TrustedCACertPEMFiles` is non-empty\n7. Default mode is set to `RequireAndVerifyClientCert` (line 860)\n8. But `clientauth.ca` is nil, so `cfg.ClientCAs` is never set (line 867 skipped)\n9. Go\u0027s `crypto/tls` with `RequireAndVerifyClientCert` + nil `ClientCAs` verifies client certs against the **system root pool** instead of the intended CA\n\nThe fix is changing `return nil` to `return err` on lines 787 and 800.\n\n### PoC\n\n1. Configure Caddy with mTLS pointing to a nonexistent CA file:\n\n```\n{\n \"apps\": {\n \"http\": {\n \"servers\": {\n \"srv0\": {\n \"listen\": [\":443\"],\n \"tls_connection_policies\": [{\n \"client_authentication\": {\n \"trusted_ca_certs_pem_files\": [\"/nonexistent/ca.pem\"]\n }\n }]\n }\n }\n }\n }\n}\n```\n\n2. Start Caddy \u2014 it starts without any error or warning.\n\n3. Connect with any client certificate (even self-signed):\n```bash\nopenssl s_client -connect localhost:443 -cert client.pem -key client-key.pem\n```\n\n4. The TLS handshake succeeds despite the certificate not being signed by the intended CA.\n\nA full Go test that proves the bug end-to-end (including a successful TLS handshake with a random self-signed client cert) is here: https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48\n\nTest output:\n```\n=== RUN TestSwallowedErrorMTLSFailOpen\n BUG CONFIRMED: provision() swallowed the error from a nonexistent CA file.\n tls.Config has RequireAndVerifyClientCert but ClientCAs is nil.\n CRITICAL: TLS handshake succeeded with a self-signed client cert!\n The server accepted a client certificate NOT signed by the intended CA.\n--- PASS: TestSwallowedErrorMTLSFailOpen (0.03s)\n```\n\n### Impact\n\nAny deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured.",
"id": "GHSA-hffm-g8v7-wrv7",
"modified": "2026-02-27T19:52:41Z",
"published": "2026-02-24T20:22:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27586"
},
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/commit/d42d39b4bc237c628f9a95363b28044cb7a7fe72"
},
{
"type": "WEB",
"url": "https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48"
},
{
"type": "PACKAGE",
"url": "https://github.com/caddyserver/caddy"
},
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4539"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed"
}
GHSA-HFWH-88HG-R4MC
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:39Unhandled exception in Kernel-mode drivers for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2019-0143"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-14T19:15:00Z",
"severity": "MODERATE"
},
"details": "Unhandled exception in Kernel-mode drivers for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.",
"id": "GHSA-hfwh-88hg-r4mc",
"modified": "2024-04-04T02:39:11Z",
"published": "2022-05-24T17:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0143"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00255.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HGJW-M9C6-R5G4
Vulnerability from github – Published: 2022-02-11 00:01 – Updated: 2022-06-17 00:01A memory corruption vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.1.0.52543. A specially-crafted PDF document can trigger an exception which is improperly handled, leaving the engine in an invalid state, which can lead to memory corruption and arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.
{
"affected": [],
"aliases": [
"CVE-2022-22150"
],
"database_specific": {
"cwe_ids": [
"CWE-755",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "HIGH"
},
"details": "A memory corruption vulnerability exists in the JavaScript engine of Foxit Software\u2019s PDF Reader, version 11.1.0.52543. A specially-crafted PDF document can trigger an exception which is improperly handled, leaving the engine in an invalid state, which can lead to memory corruption and arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.",
"id": "GHSA-hgjw-m9c6-r5g4",
"modified": "2022-06-17T00:01:27Z",
"published": "2022-02-11T00:01:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22150"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1439"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HGXW-5XG3-69JX
Vulnerability from github – Published: 2024-04-19 19:48 – Updated: 2024-04-19 21:44Impact
The application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty string, slashes /, and other strings.
For example, if you have a simple application:
import { serve } from '@hono/node-server'
import { Hono } from 'hono'
const app = new Hono()
app.get('/', (c) => c.text('Hello'))
serve(app)
Sending a request with a Host header with an empty value to it:
curl localhost:3000/ -H "Host: "
The results:
node:internal/url:775
this.#updateContext(bindingUrl.parse(input, base));
^
TypeError: Invalid URL
at new URL (node:internal/url:775:36)
at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)
at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)
at Server.emit (node:events:514:28)
at Server.emit (node:domain:488:12)
at parserOnIncoming (node:_http_server:1143:12)
at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
code: 'ERR_INVALID_URL',
input: 'http:///'
}
Patches
The version 1.10.1 includes the fix for this issue. But, you should use 1.11.0, which has other fixes related to this issue. https://github.com/honojs/node-server/issues/160 https://github.com/honojs/node-server/issues/161
Workarounds
Nothing. Upgrade your @hono/node-server.
References
https://github.com/honojs/node-server/issues/159
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@hono/node-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-32652"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-19T19:48:40Z",
"nvd_published_at": "2024-04-19T19:15:07Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe application hangs when receiving a Host header with a value that `@hono/node-server` can\u0027t handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings.\n\nFor example, if you have a simple application:\n\n```ts\nimport { serve } from \u0027@hono/node-server\u0027\nimport { Hono } from \u0027hono\u0027\n\nconst app = new Hono()\n\napp.get(\u0027/\u0027, (c) =\u003e c.text(\u0027Hello\u0027))\n\nserve(app)\n```\n\nSending a request with a Host header with an empty value to it:\n\n```\ncurl localhost:3000/ -H \"Host: \"\n```\n\nThe results:\n\n```\nnode:internal/url:775\n this.#updateContext(bindingUrl.parse(input, base));\n ^\n\nTypeError: Invalid URL\n at new URL (node:internal/url:775:36)\n at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)\n at Server.\u003canonymous\u003e (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)\n at Server.emit (node:events:514:28)\n at Server.emit (node:domain:488:12)\n at parserOnIncoming (node:_http_server:1143:12)\n at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {\n code: \u0027ERR_INVALID_URL\u0027,\n input: \u0027http:///\u0027\n}\n```\n\n### Patches\n\nThe version `1.10.1` includes the fix for this issue. But, you should use `1.11.0`, which has other fixes related to this issue. https://github.com/honojs/node-server/issues/160 https://github.com/honojs/node-server/issues/161\n\n### Workarounds\n\nNothing. Upgrade your `@hono/node-server`.\n\n### References\n\nhttps://github.com/honojs/node-server/issues/159\n",
"id": "GHSA-hgxw-5xg3-69jx",
"modified": "2024-04-19T21:44:10Z",
"published": "2024-04-19T19:48:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32652"
},
{
"type": "WEB",
"url": "https://github.com/honojs/node-server/issues/159"
},
{
"type": "WEB",
"url": "https://github.com/honojs/node-server/issues/161"
},
{
"type": "WEB",
"url": "https://github.com/honojs/node-server/commit/306d98f02a8671a0a1fb91ac8fe7e281690c05af"
},
{
"type": "WEB",
"url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
},
{
"type": "PACKAGE",
"url": "https://github.com/honojs/node-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.