CWE-115
AllowedMisinterpretation of Input
Abstraction: Base · Status: Incomplete
The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.
48 vulnerabilities reference this CWE, most recent first.
GHSA-F6M9-HPFW-XJW4
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2024-12-13 15:30Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.
{
"affected": [],
"aliases": [
"CVE-2018-12123"
],
"database_specific": {
"cwe_ids": [
"CWE-115",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-28T17:29:00Z",
"severity": "MODERATE"
},
"details": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case \"javascript:\" (e.g. \"javAscript:\") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.",
"id": "GHSA-f6m9-hpfw-xjw4",
"modified": "2024-12-13T15:30:38Z",
"published": "2022-05-13T01:27:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12123"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-48"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241213-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F9C6-4J9H-6C5R
Vulnerability from github – Published: 2023-02-17 03:30 – Updated: 2023-02-28 14:36Misinterpretation of Input in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0880"
],
"database_specific": {
"cwe_ids": [
"CWE-115"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-17T20:55:07Z",
"nvd_published_at": "2023-02-17T03:15:00Z",
"severity": "MODERATE"
},
"details": "Misinterpretation of Input in GitHub repository thorsten/phpmyfaq prior to 3.1.11.",
"id": "GHSA-f9c6-4j9h-6c5r",
"modified": "2023-02-28T14:36:54Z",
"published": "2023-02-17T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0880"
},
{
"type": "WEB",
"url": "https://github.com/thorsten/phpmyfaq/commit/a67dca41576834a1ddfee61b9e799b686b75d4fa"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/14fc4841-0f5d-4e12-bf9e-1b60d2ac6a6c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Misinterpretation of Input in thorsten/phpmyfaq"
}
GHSA-FP9P-7HX8-XFP3
Vulnerability from github – Published: 2025-02-07 15:32 – Updated: 2025-02-14 00:30A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.
Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF.
It is similiar to CVE-2016-10517 in Redis.
This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.
Users are recommended to upgrade to version 2.11.1, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2025-25069"
],
"database_specific": {
"cwe_ids": [
"CWE-115"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-07T13:15:32Z",
"severity": "MODERATE"
},
"details": "A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.\n\nSince Kvrocks didn\u0027t detect if \"Host:\" or \"POST\" appears in RESP requests,\na valid HTTP request can also be sent to Kvrocks as a valid RESP request \nand trigger some database operations, which can be\u00a0dangerous when \nit is chained with SSRF.\n\nIt is similiar to\u00a0CVE-2016-10517 in Redis.\n\nThis issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.\n\nUsers are recommended to upgrade to version 2.11.1, which fixes the issue.",
"id": "GHSA-fp9p-7hx8-xfp3",
"modified": "2025-02-14T00:30:44Z",
"published": "2025-02-07T15:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25069"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/gbxv9gpsskmdzg6z48zm3tvo8cyo9v3t"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10517"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G694-M8VQ-GV9H
Vulnerability from github – Published: 2022-04-05 00:00 – Updated: 2022-04-15 02:53Medialize is a Javascript URL mutation library. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse ///www.example.com as http://www.example.com instead. For example, the following will cause a redirect to http://www.example.com: A fix was released in version 1.19.11.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "urijs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1233"
],
"database_specific": {
"cwe_ids": [
"CWE-115",
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-05T18:34:38Z",
"nvd_published_at": "2022-04-04T20:15:00Z",
"severity": "MODERATE"
},
"details": "Medialize is a Javascript URL mutation library. When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com. Such behaviour is different from that exhibited by browsers, which will parse ///www.example.com as http://www.example.com instead. For example, the following will cause a redirect to http://www.example.com: A fix was released in version 1.19.11.",
"id": "GHSA-g694-m8vq-gv9h",
"modified": "2022-04-15T02:53:33Z",
"published": "2022-04-05T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1233"
},
{
"type": "WEB",
"url": "https://github.com/medialize/uri.js/commit/88805fd3da03bd7a5e60947adb49d182011f1277"
},
{
"type": "PACKAGE",
"url": "https://github.com/medialize/uri.js"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/228d5548-1109-49f8-8aee-91038e88371c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "URL Confusion When Scheme Not Supplied in medialize/uri.js"
}
GHSA-G7V2-7V9M-Q9J4
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2023-07-27 15:30The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
{
"affected": [],
"aliases": [
"CVE-2020-29511"
],
"database_specific": {
"cwe_ids": [
"CWE-115"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-14T20:15:00Z",
"severity": "CRITICAL"
},
"details": "The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.",
"id": "GHSA-g7v2-7v9m-q9j4",
"modified": "2023-07-27T15:30:33Z",
"published": "2022-05-24T17:36:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29511"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210129-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GMQG-7635-V6CJ
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32An unhandled exception in danny-avila/librechat version 3c94ff2 can lead to a server crash. The issue occurs when the fs module throws an exception while handling file uploads. An unauthenticated user can trigger this exception by sending a specially crafted request, causing the server to crash. The vulnerability is fixed in version 0.7.6.
{
"affected": [],
"aliases": [
"CVE-2024-11169"
],
"database_specific": {
"cwe_ids": [
"CWE-115"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:24Z",
"severity": "HIGH"
},
"details": "An unhandled exception in danny-avila/librechat version 3c94ff2 can lead to a server crash. The issue occurs when the fs module throws an exception while handling file uploads. An unauthenticated user can trigger this exception by sending a specially crafted request, causing the server to crash. The vulnerability is fixed in version 0.7.6.",
"id": "GHSA-gmqg-7635-v6cj",
"modified": "2025-03-20T12:32:41Z",
"published": "2025-03-20T12:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11169"
},
{
"type": "WEB",
"url": "https://github.com/danny-avila/librechat/commit/629be5c0ca2b332178524b4e3f6fac715aea8cc4"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/754e1649-5612-4ba9-a533-06b46de5c4b5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H6Q6-9HQW-RWFV
Vulnerability from github – Published: 2021-03-12 22:39 – Updated: 2023-01-02 21:51Impact
xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.
This may lead to unexpected syntactic changes during XML processing in some downstream applications.
Patches
Update to 0.5.0 (once it is released)
Workarounds
Downstream applications can validate the input and reject the maliciously crafted documents.
References
Similar to this one reported on the Go standard library:
- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
For more information
If you have any questions or comments about this advisory:
- Open an issue in
xmldom/xmldom - Email us: send an email to all addresses that are shown by
npm owner ls xmldom
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "xmldom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21366"
],
"database_specific": {
"cwe_ids": [
"CWE-115",
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-12T16:21:24Z",
"nvd_published_at": "2021-03-12T17:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nxmldom versions 0.4.0 and older do not correctly preserve [system identifiers](https://www.w3.org/TR/2008/REC-xml-20081126/#d0e4313), [FPIs](https://en.wikipedia.org/wiki/Formal_Public_Identifier) or [namespaces](https://www.w3.org/TR/xml-names11/) when repeatedly parsing and serializing maliciously crafted documents.\n\nThis may lead to unexpected syntactic changes during XML processing in some downstream applications.\n\n### Patches\n\nUpdate to 0.5.0 (once it is released)\n\n### Workarounds\n\nDownstream applications can validate the input and reject the maliciously crafted documents.\n\n### References\n\nSimilar to this one reported on the Go standard library:\n\n- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [`xmldom/xmldom`](https://github.com/xmldom/xmldom)\n* Email us: send an email to **all** addresses that are shown by `npm owner ls xmldom`",
"id": "GHSA-h6q6-9hqw-rwfv",
"modified": "2023-01-02T21:51:19Z",
"published": "2021-03-12T22:39:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21366"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
},
{
"type": "PACKAGE",
"url": "https://github.com/xmldom/xmldom"
},
{
"type": "WEB",
"url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/xmldom"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Misinterpretation of malicious XML input"
}
GHSA-PQW5-JMP5-PX4V
Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-19 20:25parse-url prior to 8.1.0 is vulnerable to Misinterpretation of Input. parse-url parses certain http or https URLs incorrectly, identifying the URL's protocol as ssh. It may also parse the host name incorrectly.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-url"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3224"
],
"database_specific": {
"cwe_ids": [
"CWE-115"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T21:21:19Z",
"nvd_published_at": "2022-09-15T12:15:00Z",
"severity": "MODERATE"
},
"details": "parse-url prior to 8.1.0 is vulnerable to Misinterpretation of Input. parse-url parses certain http or https URLs incorrectly, identifying the URL\u0027s protocol as ssh. It may also parse the host name incorrectly.",
"id": "GHSA-pqw5-jmp5-px4v",
"modified": "2022-09-19T20:25:17Z",
"published": "2022-09-16T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3224"
},
{
"type": "WEB",
"url": "https://github.com/ionicabizau/parse-url/commit/9cacf38de02db0fb1358bd6ec04543e523cd6a8e"
},
{
"type": "PACKAGE",
"url": "https://github.com/ionicabizau/parse-url"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3587a567-7fcd-4702-b7c9-d9ca565e3c62"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing"
}
GHSA-Q4QQ-C3QM-82JJ
Vulnerability from github – Published: 2026-06-25 15:31 – Updated: 2026-06-25 15:31An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
{
"affected": [],
"aliases": [
"CVE-2026-42004"
],
"database_specific": {
"cwe_ids": [
"CWE-115"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T13:16:40Z",
"severity": "LOW"
},
"details": "An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist\u2019s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.",
"id": "GHSA-q4qq-c3qm-82jj",
"modified": "2026-06-25T15:31:59Z",
"published": "2026-06-25T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42004"
},
{
"type": "WEB",
"url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QXP5-GWG8-XV66
Vulnerability from github – Published: 2025-03-12 22:06 – Updated: 2026-04-24 20:36Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/net"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.36.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-22870"
],
"database_specific": {
"cwe_ids": [
"CWE-115",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-12T22:06:40Z",
"nvd_published_at": "2025-03-12T19:15:38Z",
"severity": "MODERATE"
},
"details": "Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to \"*.example.com\", a request to \"[::1%25.example.com]:80` will incorrectly match and not be proxied.",
"id": "GHSA-qxp5-gwg8-xv66",
"modified": "2026-04-24T20:36:12Z",
"published": "2025-03-12T22:06:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22870"
},
{
"type": "PACKAGE",
"url": "https://go-review.googlesource.com/q/project:net"
},
{
"type": "WEB",
"url": "https://go.dev/cl/654697"
},
{
"type": "WEB",
"url": "https://go.dev/issue/71984"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/4t3lzH3I0eI/m/b42ImqrBAQAJ"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3503"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250509-0007"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/03/07/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.