CWE-1284
AllowedImproper Validation of Specified Quantity in Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
494 vulnerabilities reference this CWE, most recent first.
GHSA-CFGG-734H-MQGC
Vulnerability from github – Published: 2026-01-16 21:30 – Updated: 2026-01-16 21:30WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated 'A' characters into the mashREPL input field, causing the application to crash.
{
"affected": [],
"aliases": [
"CVE-2021-47827"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T19:16:07Z",
"severity": "MODERATE"
},
"details": "WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated \u0027A\u0027 characters into the mashREPL input field, causing the application to crash.",
"id": "GHSA-cfgg-734h-mqgc",
"modified": "2026-01-16T21:30:36Z",
"published": "2026-01-16T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47827"
},
{
"type": "WEB",
"url": "https://apps.apple.com/mx/app/webssh-ssh-client/id497714887"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49883"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/webssh-for-ios-mashrepl-denial-of-service"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CHWF-7MW9-8249
Vulnerability from github – Published: 2026-04-23 00:31 – Updated: 2026-04-23 00:31IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
{
"affected": [],
"aliases": [
"CVE-2026-1352"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T00:16:44Z",
"severity": "MODERATE"
},
"details": "IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an\u00a0authenticated user to cause a denial of service due to improper neutralization of special\u00a0elements in data query logic.",
"id": "GHSA-chwf-7mw9-8249",
"modified": "2026-04-23T00:31:19Z",
"published": "2026-04-23T00:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1352"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7269433"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CMCG-W67X-52F7
Vulnerability from github – Published: 2025-04-04 18:30 – Updated: 2025-04-15 15:30Software installed and run as a non-privileged user may conduct improper GPU system calls to cause kernel system memory corruption.
{
"affected": [],
"aliases": [
"CVE-2025-25178"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-04T16:15:18Z",
"severity": "HIGH"
},
"details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to cause kernel system memory corruption.",
"id": "GHSA-cmcg-w67x-52f7",
"modified": "2025-04-15T15:30:52Z",
"published": "2025-04-04T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25178"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CP3W-QHJM-4333
Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions.
{
"affected": [],
"aliases": [
"CVE-2026-49110"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T21:17:20Z",
"severity": "HIGH"
},
"details": "Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce \u003c= 3.1.4 versions.",
"id": "GHSA-cp3w-qhjm-4333",
"modified": "2026-06-15T21:30:49Z",
"published": "2026-06-15T21:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49110"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/upsell-order-bump-offer-for-woocommerce/vulnerability/wordpress-upsell-order-bump-offer-for-woocommerce-plugin-3-1-4-price-manipulation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CPGG-RJVM-32FX
Vulnerability from github – Published: 2023-05-08 21:31 – Updated: 2024-04-04 03:52Multiple validation issues were addressed with improved input sanitization. This issue is fixed in macOS Ventura 13.3, macOS Big Sur 11.7.5, macOS Monterey 12.6.4, watchOS 9.4, iOS 15.7.4 and iPadOS 15.7.4, iOS 16.4 and iPadOS 16.4. Importing a maliciously crafted calendar invitation may exfiltrate user information
{
"affected": [],
"aliases": [
"CVE-2023-27961"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-08T20:15:18Z",
"severity": "MODERATE"
},
"details": "Multiple validation issues were addressed with improved input sanitization. This issue is fixed in macOS Ventura 13.3, macOS Big Sur 11.7.5, macOS Monterey 12.6.4, watchOS 9.4, iOS 15.7.4 and iPadOS 15.7.4, iOS 16.4 and iPadOS 16.4. Importing a maliciously crafted calendar invitation may exfiltrate user information",
"id": "GHSA-cpgg-rjvm-32fx",
"modified": "2024-04-04T03:52:10Z",
"published": "2023-05-08T21:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27961"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213670"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213673"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213675"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213676"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213677"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213678"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/May/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CQX4-9VQF-Q3M8
Vulnerability from github – Published: 2025-05-28 17:38 – Updated: 2025-05-28 20:08Summary
This advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users and potentially indexed by search engines. This could lead to the unintended disclosure of draft content or sensitive information.
Unauthorized Access to Unpublished Page Previews: The page preview functionality for unpublished content, accessible via predictable URLs (e.g., /page/preview/1, /page/preview/2), lacked proper authorization checks. This allowed any unauthenticated user to view content that was not yet intended for public release, and allowed search engines to index these private preview URLs, making the content publicly discoverable.
Mitigation
Mautic has patched this vulnerability by enforcing proper permission checks on preview pages. Users should upgrade to the patched version of Mautic or later.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.4.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-alpha"
},
{
"fixed": "5.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-alpha"
},
{
"fixed": "6.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-5257"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T17:38:13Z",
"nvd_published_at": "2025-05-28T17:15:25Z",
"severity": "MODERATE"
},
"details": "### Summary\nThis advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users and potentially indexed by search engines. This could lead to the unintended disclosure of draft content or sensitive information.\n\nUnauthorized Access to Unpublished Page Previews: The page preview functionality for unpublished content, accessible via predictable URLs (e.g., `/page/preview/1`, `/page/preview/2`), lacked proper authorization checks. This allowed any unauthenticated user to view content that was not yet intended for public release, and allowed search engines to index these private preview URLs, making the content publicly discoverable.\n\n### Mitigation\nMautic has patched this vulnerability by enforcing proper permission checks on preview pages. Users should upgrade to the patched version of Mautic or later.",
"id": "GHSA-cqx4-9vqf-q3m8",
"modified": "2025-05-28T20:08:01Z",
"published": "2025-05-28T17:38:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/security/advisories/GHSA-cqx4-9vqf-q3m8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5257"
},
{
"type": "PACKAGE",
"url": "https://github.com/mautic/mautic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mautic\u0027s Predictable Page Indexing Might Lead to Sensitive Data Exposure"
}
GHSA-CWPM-F78V-7M5C
Vulnerability from github – Published: 2022-05-24 22:10 – Updated: 2022-05-24 22:10Impact
The implementation of tf.ragged.constant does not fully validate the input arguments. This results in a denial of service by consuming all available memory:
import tensorflow as tf
tf.ragged.constant(pylist=[],ragged_rank=8968073515812833920)
Patches
We have patched the issue in GitHub commit bd4d5583ff9c8df26d47a23e508208844297310e.
The fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported externally via a GitHub issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29202"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-24T22:10:51Z",
"nvd_published_at": "2022-05-20T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe implementation of [`tf.ragged.constant`](https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/python/ops/ragged/ragged_factory_ops.py#L146-L239) does not fully validate the input arguments. This results in a denial of service by consuming all available memory:\n\n```python\nimport tensorflow as tf\ntf.ragged.constant(pylist=[],ragged_rank=8968073515812833920)\n```\n \n### Patches\nWe have patched the issue in GitHub commit [bd4d5583ff9c8df26d47a23e508208844297310e](https://github.com/tensorflow/tensorflow/commit/bd4d5583ff9c8df26d47a23e508208844297310e).\n\nThe fix will be included in TensorFlow 2.9.0. We will also cherrypick this commit on TensorFlow 2.8.1, TensorFlow 2.7.2, and TensorFlow 2.6.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported externally via a [GitHub issue](https://github.com/tensorflow/tensorflow/issues/55199).\n",
"id": "GHSA-cwpm-f78v-7m5c",
"modified": "2022-05-24T22:10:51Z",
"published": "2022-05-24T22:10:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-cwpm-f78v-7m5c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29202"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/issues/55199"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/bd4d5583ff9c8df26d47a23e508208844297310e"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/python/ops/ragged/ragged_factory_ops.py#L146-L239"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.6.4"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.7.2"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.8.1"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of service in `tf.ragged.constant` due to lack of validation"
}
GHSA-CWRR-XMM2-F4JR
Vulnerability from github – Published: 2025-12-15 00:30 – Updated: 2025-12-15 00:30openrsync through 0.5.0, as used in OpenBSD through 7.8 and on other platforms, allows a client to cause a server SIGSEGV by specifying a length of zero for block data, because the relationship between p->rem and p->len is not checked.
{
"affected": [],
"aliases": [
"CVE-2025-67901"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-15T00:15:40Z",
"severity": "MODERATE"
},
"details": "openrsync through 0.5.0, as used in OpenBSD through 7.8 and on other platforms, allows a client to cause a server SIGSEGV by specifying a length of zero for block data, because the relationship between p-\u003erem and p-\u003elen is not checked.",
"id": "GHSA-cwrr-xmm2-f4jr",
"modified": "2025-12-15T00:30:26Z",
"published": "2025-12-15T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67901"
},
{
"type": "WEB",
"url": "https://github.com/kristapsdz/openrsync/issues/34"
},
{
"type": "WEB",
"url": "https://github.com/openbsd/src/blob/60b9c3dff1abf933e85e3c4d96b54201ee947513/usr.bin/rsync/blocks.c#L480-L481"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CXVP-82CQ-57H2
Vulnerability from github – Published: 2023-09-21 17:10 – Updated: 2023-09-21 17:10Impact
The blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input.
In a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include: - UTF-8 compliant strings containing multi-byte UTF-8 characters
Patches
The patches will be released under version 0.2.0, which requires user intervention because of slight API churn.
Workarounds
n.a.
References
n.a.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "blurhash"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.1"
},
{
"fixed": "0.2.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1.1"
]
}
],
"aliases": [
"CVE-2023-42447"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-392"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-21T17:10:22Z",
"nvd_published_at": "2023-09-19T15:15:57Z",
"severity": "HIGH"
},
"details": "### Impact\nThe blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input.\n\nIn a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include:\n- UTF-8 compliant strings containing multi-byte UTF-8 characters\n\n### Patches\nThe patches will be released under version 0.2.0, which requires user intervention because of slight API churn.\n\n### Workarounds\nn.a.\n\n### References\nn.a.\n",
"id": "GHSA-cxvp-82cq-57h2",
"modified": "2023-09-21T17:10:22Z",
"published": "2023-09-21T17:10:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/whisperfish/blurhash-rs/security/advisories/GHSA-cxvp-82cq-57h2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42447"
},
{
"type": "PACKAGE",
"url": "https://github.com/whisperfish/blurhash-rs"
},
{
"type": "WEB",
"url": "https://github.com/whisperfish/blurhash-rs/releases/tag/v0.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "blurhash panics on parsing crafted inputs"
}
GHSA-F269-VFMQ-VJVJ
Vulnerability from github – Published: 2026-03-13 20:07 – Updated: 2026-03-13 20:07Impact
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Workarounds
There are no workarounds.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.24.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1528"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:07:26Z",
"nvd_published_at": "2026-03-12T21:16:25Z",
"severity": "HIGH"
},
"details": "### Impact\nA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici\u0027s ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. \n\n### Patches\n\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\nThere are no workarounds.",
"id": "GHSA-f269-vfmq-vjvj",
"modified": "2026-03-13T20:07:26Z",
"published": "2026-03-13T20:07:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3537648"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.