Common Weakness Enumeration

CWE-755

Discouraged

Improper Handling of Exceptional Conditions

Abstraction: Class · Status: Incomplete

The product does not handle or incorrectly handles an exceptional condition.

685 vulnerabilities reference this CWE, most recent first.

GHSA-H4RM-7MPV-29CJ

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2023-04-20 15:30
VLAI
Details

A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the SNMP application to leak system memory, which could cause an affected device to restart unexpectedly. The vulnerability is due to improper error handling when processing inbound SNMP packets. An attacker could exploit this vulnerability by sending multiple crafted SNMP packets to an affected device. A successful exploit could allow the attacker to cause the SNMP application to leak system memory because of an improperly handled error condition during packet processing. Over time, this memory leak could cause the SNMP application to restart multiple times, leading to a system-level restart and a denial of service (DoS) condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-16T02:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause the SNMP application to leak system memory, which could cause an affected device to restart unexpectedly. The vulnerability is due to improper error handling when processing inbound SNMP packets. An attacker could exploit this vulnerability by sending multiple crafted SNMP packets to an affected device. A successful exploit could allow the attacker to cause the SNMP application to leak system memory because of an improperly handled error condition during packet processing. Over time, this memory leak could cause the SNMP application to restart multiple times, leading to a system-level restart and a denial of service (DoS) condition.",
  "id": "GHSA-h4rm-7mpv-29cj",
  "modified": "2023-04-20T15:30:19Z",
  "published": "2022-05-24T16:45:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1858"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-snmp-dos"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108358"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H4XH-C6FV-XJV7

Vulnerability from github – Published: 2022-04-14 00:00 – Updated: 2022-04-22 00:01
VLAI
Details

A maliciously crafted DWG file can be used to write beyond the allocated buffer while parsing DWG files. This vulnerability can be exploited to execute arbitrary code

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-13T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A maliciously crafted DWG file can be used to write beyond the allocated buffer while parsing DWG files. This vulnerability can be exploited to execute arbitrary code",
  "id": "GHSA-h4xh-c6fv-xjv7",
  "modified": "2022-04-22T00:01:06Z",
  "published": "2022-04-14T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25795"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0010;"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H5H9-33PX-2RHV

Vulnerability from github – Published: 2023-08-24 21:30 – Updated: 2024-04-04 07:11
VLAI
Details

A lack of exception handling in the Renault Easy Link Multimedia System Software Version 283C35519R allows attackers to cause a Denial of Service (DoS) via supplying crafted WMA files when connecting a device to the vehicle's USB plug and play feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-24T20:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A lack of exception handling in the Renault Easy Link Multimedia System Software Version 283C35519R allows attackers to cause a Denial of Service (DoS) via supplying crafted WMA files when connecting a device to the vehicle\u0027s USB plug and play feature.",
  "id": "GHSA-h5h9-33px-2rhv",
  "modified": "2024-04-04T07:11:42Z",
  "published": "2023-08-24T21:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39801"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zj3t/Automotive-vulnerabilities/blob/main/RENAULT/ZOE_EV_2021/Vuln%232/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HC4F-4MVR-7CV9

Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-17 00:00
VLAI
Details

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-10T20:16:00Z",
    "severity": "HIGH"
  },
  "details": "Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user\u0027s API key, and then access external APIs.",
  "id": "GHSA-hc4f-4mvr-7cv9",
  "modified": "2022-08-17T00:00:24Z",
  "published": "2022-08-11T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36923"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/itom/advisory/cve-2022-36923.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HCQH-HWQP-XM3C

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00
VLAI
Details

A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with no firmware image inside the package using FTP protocol.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-29T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions), which could cause a Denial of Service attack on the PLC when upgrading the firmware with no firmware image inside the package using FTP protocol.",
  "id": "GHSA-hcqh-hwqp-xm3c",
  "modified": "2022-05-24T17:00:05Z",
  "published": "2022-05-24T17:00:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6841"
    },
    {
      "type": "WEB",
      "url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-281-02"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2019-281-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HCW4-X562-RV3J

Vulnerability from github – Published: 2024-03-11 18:31 – Updated: 2024-03-11 18:31
VLAI
Details

An improper error handling vulnerability in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. This vulnerability affects LabVIEW 2024 Q1 and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1285",
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-11T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "An improper error handling vulnerability in LabVIEW may result in remote code execution.  Successful exploitation requires an attacker to provide a user with a specially crafted VI.  This vulnerability affects LabVIEW 2024 Q1 and prior versions.\n\n",
  "id": "GHSA-hcw4-x562-rv3j",
  "modified": "2024-03-11T18:31:07Z",
  "published": "2024-03-11T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23612"
    },
    {
      "type": "WEB",
      "url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/improper-error-handling-issues-in-labview.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HFFM-G8V7-WRV7

Vulnerability from github – Published: 2026-02-24 20:22 – Updated: 2026-02-27 19:52
VLAI
Summary
Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed
Details

Summary

Two swallowed errors in ClientAuthentication.provision() cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary.

Details

In modules/caddytls/connpolicy.go, the provision() method has two return nil statements that should be return err:

Bug #1 — line 787:

ders, err := convertPEMFilesToDER(fpath)
if err != nil {
    return nil  // BUG: should be "return err"
}

Bug #2 — line 800:

err := caPool.Provision(ctx)
if err != nil {
    return nil  // BUG: should be "return err"
}

Compare with line 811 which correctly returns the error:

caRaw, err := ctx.LoadModule(clientauth, "CARaw")
if err != nil {
    return err  // CORRECT
}

When the error is swallowed on line 787, the chain is:

  1. TrustedCACerts remains empty (no DER data appended from the file)
  2. The len(clientauth.TrustedCACerts) > 0 guard on line 794 is false — skipped
  3. clientauth.CARaw is nil — line 806 returns nil
  4. clientauth.ca remains nil — no CA pool was created
  5. provision() returns nil — caller thinks provisioning succeeded

Then in ConfigureTLSConfig():

  1. Active() returns true because TrustedCACertPEMFiles is non-empty
  2. Default mode is set to RequireAndVerifyClientCert (line 860)
  3. But clientauth.ca is nil, so cfg.ClientCAs is never set (line 867 skipped)
  4. Go's crypto/tls with RequireAndVerifyClientCert + nil ClientCAs verifies client certs against the system root pool instead of the intended CA

The fix is changing return nil to return err on lines 787 and 800.

PoC

  1. Configure Caddy with mTLS pointing to a nonexistent CA file:
{
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [":443"],
                    "tls_connection_policies": [{
                        "client_authentication": {
                            "trusted_ca_certs_pem_files": ["/nonexistent/ca.pem"]
                        }
                    }]
                }
            }
        }
    }
}
  1. Start Caddy — it starts without any error or warning.

  2. Connect with any client certificate (even self-signed):

openssl s_client -connect localhost:443 -cert client.pem -key client-key.pem
  1. The TLS handshake succeeds despite the certificate not being signed by the intended CA.

A full Go test that proves the bug end-to-end (including a successful TLS handshake with a random self-signed client cert) is here: https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48

Test output:

=== RUN   TestSwallowedErrorMTLSFailOpen
    BUG CONFIRMED: provision() swallowed the error from a nonexistent CA file.
    tls.Config has RequireAndVerifyClientCert but ClientCAs is nil.
    CRITICAL: TLS handshake succeeded with a self-signed client cert!
    The server accepted a client certificate NOT signed by the intended CA.
--- PASS: TestSwallowedErrorMTLSFailOpen (0.03s)

Impact

Any deployment using trusted_ca_cert_file or trusted_ca_certs_pem_files for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/caddyserver/caddy/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-24T20:22:53Z",
    "nvd_published_at": "2026-02-24T17:29:03Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nTwo swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary.\n\n### Details\n\nIn `modules/caddytls/connpolicy.go`, the `provision()` method has two `return nil` statements that should be `return err`:\n\n**Bug #1 \u2014 line 787:**\n```go\nders, err := convertPEMFilesToDER(fpath)\nif err != nil {\n    return nil  // BUG: should be \"return err\"\n}\n```\n\n**Bug #2 \u2014 line 800:**\n```go\nerr := caPool.Provision(ctx)\nif err != nil {\n    return nil  // BUG: should be \"return err\"\n}\n```\n\nCompare with line 811 which correctly returns the error:\n```go\ncaRaw, err := ctx.LoadModule(clientauth, \"CARaw\")\nif err != nil {\n    return err  // CORRECT\n}\n```\n\nWhen the error is swallowed on line 787, the chain is:\n\n1. `TrustedCACerts` remains empty (no DER data appended from the file)\n2. The `len(clientauth.TrustedCACerts) \u003e 0` guard on line 794 is false \u2014 skipped\n3. `clientauth.CARaw` is nil \u2014 line 806 returns nil\n4. `clientauth.ca` remains nil \u2014 no CA pool was created\n5. `provision()` returns nil \u2014 caller thinks provisioning succeeded\n\nThen in `ConfigureTLSConfig()`:\n\n6. `Active()` returns true because `TrustedCACertPEMFiles` is non-empty\n7. Default mode is set to `RequireAndVerifyClientCert` (line 860)\n8. But `clientauth.ca` is nil, so `cfg.ClientCAs` is never set (line 867 skipped)\n9. Go\u0027s `crypto/tls` with `RequireAndVerifyClientCert` + nil `ClientCAs` verifies client certs against the **system root pool** instead of the intended CA\n\nThe fix is changing `return nil` to `return err` on lines 787 and 800.\n\n### PoC\n\n1. Configure Caddy with mTLS pointing to a nonexistent CA file:\n\n```\n{\n    \"apps\": {\n        \"http\": {\n            \"servers\": {\n                \"srv0\": {\n                    \"listen\": [\":443\"],\n                    \"tls_connection_policies\": [{\n                        \"client_authentication\": {\n                            \"trusted_ca_certs_pem_files\": [\"/nonexistent/ca.pem\"]\n                        }\n                    }]\n                }\n            }\n        }\n    }\n}\n```\n\n2. Start Caddy \u2014 it starts without any error or warning.\n\n3. Connect with any client certificate (even self-signed):\n```bash\nopenssl s_client -connect localhost:443 -cert client.pem -key client-key.pem\n```\n\n4. The TLS handshake succeeds despite the certificate not being signed by the intended CA.\n\nA full Go test that proves the bug end-to-end (including a successful TLS handshake with a random self-signed client cert) is here: https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48\n\nTest output:\n```\n=== RUN   TestSwallowedErrorMTLSFailOpen\n    BUG CONFIRMED: provision() swallowed the error from a nonexistent CA file.\n    tls.Config has RequireAndVerifyClientCert but ClientCAs is nil.\n    CRITICAL: TLS handshake succeeded with a self-signed client cert!\n    The server accepted a client certificate NOT signed by the intended CA.\n--- PASS: TestSwallowedErrorMTLSFailOpen (0.03s)\n```\n\n### Impact\n\nAny deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured.",
  "id": "GHSA-hffm-g8v7-wrv7",
  "modified": "2026-02-27T19:52:41Z",
  "published": "2026-02-24T20:22:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27586"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caddyserver/caddy/commit/d42d39b4bc237c628f9a95363b28044cb7a7fe72"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/caddyserver/caddy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4539"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed"
}

GHSA-HFWH-88HG-R4MC

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:39
VLAI
Details

Unhandled exception in Kernel-mode drivers for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-14T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Unhandled exception in Kernel-mode drivers for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.",
  "id": "GHSA-hfwh-88hg-r4mc",
  "modified": "2024-04-04T02:39:11Z",
  "published": "2022-05-24T17:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0143"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00255.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HGJW-M9C6-R5G4

Vulnerability from github – Published: 2022-02-11 00:01 – Updated: 2022-06-17 00:01
VLAI
Details

A memory corruption vulnerability exists in the JavaScript engine of Foxit Software’s PDF Reader, version 11.1.0.52543. A specially-crafted PDF document can trigger an exception which is improperly handled, leaving the engine in an invalid state, which can lead to memory corruption and arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-04T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "A memory corruption vulnerability exists in the JavaScript engine of Foxit Software\u2019s PDF Reader, version 11.1.0.52543. A specially-crafted PDF document can trigger an exception which is improperly handled, leaving the engine in an invalid state, which can lead to memory corruption and arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted, malicious site if the browser plugin extension is enabled.",
  "id": "GHSA-hgjw-m9c6-r5g4",
  "modified": "2022-06-17T00:01:27Z",
  "published": "2022-02-11T00:01:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22150"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1439"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HGXW-5XG3-69JX

Vulnerability from github – Published: 2024-04-19 19:48 – Updated: 2024-04-19 21:44
VLAI
Summary
@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
Details

Impact

The application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty string, slashes /, and other strings.

For example, if you have a simple application:

import { serve } from '@hono/node-server'
import { Hono } from 'hono'

const app = new Hono()

app.get('/', (c) => c.text('Hello'))

serve(app)

Sending a request with a Host header with an empty value to it:

curl localhost:3000/ -H "Host: "

The results:

node:internal/url:775
    this.#updateContext(bindingUrl.parse(input, base));
                                   ^

TypeError: Invalid URL
    at new URL (node:internal/url:775:36)
    at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)
    at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)
    at Server.emit (node:events:514:28)
    at Server.emit (node:domain:488:12)
    at parserOnIncoming (node:_http_server:1143:12)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
  code: 'ERR_INVALID_URL',
  input: 'http:///'
}

Patches

The version 1.10.1 includes the fix for this issue. But, you should use 1.11.0, which has other fixes related to this issue. https://github.com/honojs/node-server/issues/160 https://github.com/honojs/node-server/issues/161

Workarounds

Nothing. Upgrade your @hono/node-server.

References

https://github.com/honojs/node-server/issues/159

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@hono/node-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-19T19:48:40Z",
    "nvd_published_at": "2024-04-19T19:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe application hangs when receiving a Host header with a value that `@hono/node-server` can\u0027t handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings.\n\nFor example, if you have a simple application:\n\n```ts\nimport { serve } from \u0027@hono/node-server\u0027\nimport { Hono } from \u0027hono\u0027\n\nconst app = new Hono()\n\napp.get(\u0027/\u0027, (c) =\u003e c.text(\u0027Hello\u0027))\n\nserve(app)\n```\n\nSending a request with a Host header with an empty value to it:\n\n```\ncurl localhost:3000/ -H \"Host: \"\n```\n\nThe results:\n\n```\nnode:internal/url:775\n    this.#updateContext(bindingUrl.parse(input, base));\n                                   ^\n\nTypeError: Invalid URL\n    at new URL (node:internal/url:775:36)\n    at newRequest (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:137:17)\n    at Server.\u003canonymous\u003e (/Users/yusuke/work/h/159/node_modules/@hono/node-server/dist/index.js:399:17)\n    at Server.emit (node:events:514:28)\n    at Server.emit (node:domain:488:12)\n    at parserOnIncoming (node:_http_server:1143:12)\n    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {\n  code: \u0027ERR_INVALID_URL\u0027,\n  input: \u0027http:///\u0027\n}\n```\n\n### Patches\n\nThe version `1.10.1` includes the fix for this issue. But, you should use `1.11.0`, which has other fixes related to this issue. https://github.com/honojs/node-server/issues/160 https://github.com/honojs/node-server/issues/161\n\n### Workarounds\n\nNothing. Upgrade your `@hono/node-server`.\n\n### References\n\nhttps://github.com/honojs/node-server/issues/159\n",
  "id": "GHSA-hgxw-5xg3-69jx",
  "modified": "2024-04-19T21:44:10Z",
  "published": "2024-04-19T19:48:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/issues/159"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/issues/161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/commit/306d98f02a8671a0a1fb91ac8fe7e281690c05af"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/node-server/commit/d847e60249fd8183ba0998bc379ba20505643204"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/honojs/node-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.