GHSA-45M3-398W-M2M9
Vulnerability from github – Published: 2026-03-02 21:41 – Updated: 2026-03-05 22:49
Summary
An unauthenticated denial-of-service vulnerability exists in OliveTin's OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime fatal error (fatal error: concurrent map writes) and process termination. Unlike an ordinary panic, this is a runtime throw that cannot be caught with recover(), so the process always exits. This allows remote attackers to crash the service whenever OAuth2 is enabled.
Details
The OAuth2 handler stores per-login state in a shared map without synchronization:
- service/internal/auth/otoauth2/restapi_auth_oauth2.go:24 registeredStates map[string]*oauth2State
- Unlocked write in login handler: .../restapi_auth_oauth2.go:141
- Unlocked read in callback check: .../restapi_auth_oauth2.go:174
- Unlocked writes in callback flow: .../restapi_auth_oauth2.go:284-285
- Unlocked read in auth chain check: .../restapi_auth_oauth2.go:376
These paths are network reachable via publicly registered routes:
- service/internal/httpservers/frontend.go:71 → /oauth/login
- service/internal/httpservers/frontend.go:72 → /oauth/callback
Because net/http serves each connection on its own goroutine, handlers run concurrently; enough parallel requests to /oauth/login make two handlers write the map at the same time, and the Go runtime aborts the process.
Tested on:
- Container image: ghcr.io/olivetin/olivetin:3000.10.0
- The same pattern is present in the source at commit/tag eb42029b5d0c0633551621288180dd4566b913f7 (3000.10.1)
PoC
1. Start OliveTin with an OAuth2 provider configured (for example github), exposing port 1337.
2. Confirm the baseline:
curl -i http://127.0.0.1:1337/readyz
curl -i "http://127.0.0.1:1337/oauth/login?provider=github"
Expected: 200 for /readyz, 302 for /oauth/login.
3. Run the concurrency PoC:
python3 /OliveTin/tools/poc_oauth2_state_map_race_dos.py \
--base-url http://127.0.0.1:1337 \
--provider github \
--workers 80 \
--requests 120000 \
--health-failures 3
4. Verify the crash:
docker inspect olivetin-dos --format 'status={{.State.Status}} exit={{.State.ExitCode}}'
docker logs olivetin-dos 2>&1 | grep -E "fatal error: concurrent map|concurrent map writes|restapi_auth_oauth2.go"
Observed result:
- Process exited with code 2
- Logs include:
- fatal error: concurrent map writes
- .../internal/auth/otoauth2/restapi_auth_oauth2.go:141 in HandleOAuthLogin
Impact
- Vulnerability type: Race condition (CWE-362) leading to DoS.
- Attacker requirements: network access only; no authentication is required on the exploit path.
- Impacted deployments: OliveTin instances with OAuth2 enabled and reachable over the network.
- Security impact: a remote unauthenticated attacker can repeatedly crash OliveTin, causing availability loss until restart/recovery.
- Severity: CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, High). Fixed in commit f044d90d5525c4c8e3f421b32ed7eff771c22d36 (Go pseudo-version 0.0.0-20260301235225-f044d90d5525c in the affected range below).
- Detection note: the Go race detector (builds or tests run with -race) reports unsynchronized map access as a data race before it surfaces as a crash, so this class of bug is catchable in CI.
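The shared-map race described above and the shape of fix a maintainer would apply, as an added Go example that is not OliveTin's code and not the referenced fix commit (StateStore, Register, Consume, Stress, the TTL and cap policy, and the provider.invalid redirect target are all assumptions). The unguarded write is kept as the "before"; the hardened store serialises every map access behind one mutex, makes each state single-use, expires stale entries and caps the table so that flooding /oauth/login cannot grow memory without bound. Stress then drives the handler from 80 goroutines, the PoC's shape but in-process, and the server answers 429 for the overflow instead of dying:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// The reported pattern, kept as the "before": an unlocked write to a shared map from handlers that
// net/http runs on separate goroutines. Two at once trip "fatal error: concurrent map writes", a
// runtime throw that recover() cannot catch. It is never driven concurrently here.
var registeredStates = map[string]time.Time{} // stand-in for registeredStates map[string]*oauth2State

func unsafeRegister(state string) { registeredStates[state] = time.Now() }

// StateStore is the hardened form: one mutex around every map access, single-use states, expiry
// of stale entries, and a hard cap so that spamming /oauth/login cannot grow memory without bound
// (the CWE-400 side of the advisory). The per-login record is collapsed to its creation time.
type StateStore struct {
	mu     sync.Mutex
	states map[string]time.Time
	ttl    time.Duration
	max    int
}

func NewStateStore(ttl time.Duration, max int) *StateStore {
	return &StateStore{states: map[string]time.Time{}, ttl: ttl, max: max}
}

// Register mints an unguessable state and records it after evicting expired entries.
func (s *StateStore) Register() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	for k, t := range s.states {
		if time.Since(t) > s.ttl {
			delete(s.states, k)
		}
	}
	if len(s.states) >= s.max {
		return "", fmt.Errorf("too many pending OAuth2 logins (cap %d)", s.max)
	}
	state := hex.EncodeToString(buf)
	s.states[state] = time.Now()
	return state, nil
}

// Consume looks up and deletes in one critical section, so a callback can redeem a state at most
// once and a stale one is refused; it replaces the unlocked read-then-write in the callback flow.
func (s *StateStore) Consume(state string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.states[state]
	delete(s.states, state)
	return ok && time.Since(t) <= s.ttl
}

// LoginHandler plays /oauth/login: register a state and 302 to the provider. A full table answers
// 429 and the process stays up.
func (s *StateStore) LoginHandler(w http.ResponseWriter, r *http.Request) {
	state, err := s.Register()
	if err != nil {
		http.Error(w, err.Error(), http.StatusTooManyRequests)
		return
	}
	http.Redirect(w, r, "https://provider.invalid/authorize?state="+state, http.StatusFound)
}

// Stress drives a handler from `workers` goroutines, n requests each: the PoC's shape, but
// in-process through httptest recorders. It returns how many 302s and 429s came back.
func Stress(h http.Handler, workers, n int) (redirects, rejected int) {
	var mu sync.Mutex
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for j := 0; j < n; j++ {
				rec := httptest.NewRecorder()
				h.ServeHTTP(rec, httptest.NewRequest("GET", "/oauth/login?provider=github", nil))
				mu.Lock()
				if rec.Code == http.StatusFound {
					redirects++
				} else if rec.Code == http.StatusTooManyRequests {
					rejected++
				}
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return redirects, rejected
}

func main() {
	store := NewStateStore(5*time.Minute, 500)
	ok, rej := Stress(http.HandlerFunc(store.LoginHandler), 80, 25) // 2000 requests, no crash
	fmt.Printf("302=%d 429=%d\n", ok, rej)
}
```

Run it with `go run -race .` to see the detector stay silent on StateStore; pointing Stress at a handler built on unsafeRegister would instead either trip the race detector or, without -race, reproduce the fatal error from the advisory. The cap and TTL values are policy choices for the example, not numbers taken from OliveTin.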
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/OliveTin/OliveTin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260301235225-f044d90d5525c"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28789"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-400",
"CWE-662"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T21:41:36Z",
"nvd_published_at": "2026-03-05T20:16:16Z",
"severity": "HIGH"
},
"details": "### Summary\nAn unauthenticated denial-of-service vulnerability exists in OliveTin\u2019s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal\n error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled.\n\n\n### Details\nThe OAuth2 handler stores per-login state in a shared map without synchronization:\n\n - service/internal/auth/otoauth2/restapi_auth_oauth2.go:24\n registeredStates map[string]*oauth2State\n - Unlocked write in login handler: .../restapi_auth_oauth2.go:141\n - Unlocked read in callback check: .../restapi_auth_oauth2.go:174\n - Unlocked writes in callback flow: .../restapi_auth_oauth2.go:284-285\n - Unlocked read in auth chain check: .../restapi_auth_oauth2.go:376\n\n These paths are network reachable via publicly registered routes:\n```bash\n - service/internal/httpservers/frontend.go:71 \u2192 /oauth/login\n - service/internal/httpservers/frontend.go:72 \u2192 /oauth/callback\n```\n Because Go HTTP handlers run concurrently, high parallel traffic to /oauth/login causes concurrent map access and runtime panic.\n\n Tested on:\n\n - Container image: ghcr.io/olivetin/olivetin:3000.10.0\n - Source also contains same pattern at commit/tag eb42029b5d0c0633551621288180dd4566b913f7 (3000.10.1)\n\n\n### PoC\n1. Start OliveTin with OAuth2 provider configured (example github), exposing port 1337.\n 2. Confirm baseline:\n```bash\n curl -i http://127.0.0.1:1337/readyz\n curl -i \"http://127.0.0.1:1337/oauth/login?provider=github\"\n```\n Expected: 200 for /readyz, 302 for /oauth/login.\n\n 3. Run concurrency PoC:\n```bash\n python3 /OliveTin/tools/poc_oauth2_state_map_race_dos.py \\\n --base-url http://127.0.0.1:1337 \\\n --provider github \\\n --workers 80 \\\n --requests 120000 \\\n --health-failures 3\n```\n 4. Verify crash:\n\n docker inspect olivetin-dos --format \u0027status={{.State.Status}} exit={{.State.ExitCode}}\u0027\n docker logs olivetin-dos 2\u003e\u00261 | grep -E \"fatal error: concurrent map|concurrent map writes|restapi_auth_oauth2.go\"\n\n Observed result:\n\n - Process exited with code 2\n - Logs include:\n - fatal error: concurrent map writes\n - .../internal/auth/otoauth2/restapi_auth_oauth2.go:141 in HandleOAuthLogin\n\n\n\n### Impact\n- Vulnerability type: Race condition (CWE-362) leading to DoS.\n - Attacker requirements: network access only; no authentication required for exploit path.\n - Impacted deployments: OliveTin instances with OAuth2 enabled and reachable over network.\n - Security impact: remote unauthenticated attacker can repeatedly crash OliveTin, causing availability loss until restart/recovery.\n \n[poc_oauth2_state_map_race_dos.py](https://github.com/user-attachments/files/25577901/poc_oauth2_state_map_race_dos.py)",
"id": "GHSA-45m3-398w-m2m9",
"modified": "2026-03-05T22:49:34Z",
"published": "2026-03-02T21:41:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28789"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"
},
{
"type": "PACKAGE",
"url": "https://github.com/OliveTin/OliveTin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.