CWE-1287
AllowedImproper Validation of Specified Type of Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
259 vulnerabilities reference this CWE, most recent first.
GHSA-HPG8-W633-R6PP
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31Improper validation of specified type of input in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-25179"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T18:18:33Z",
"severity": "HIGH"
},
"details": "Improper validation of specified type of input in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-hpg8-w633-r6pp",
"modified": "2026-03-10T18:31:20Z",
"published": "2026-03-10T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25179"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25179"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J5VQ-62GR-8V3R
Vulnerability from github – Published: 2025-12-17 21:30 – Updated: 2025-12-20 17:13Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-plugin-calls"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-12689"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-20T17:13:53Z",
"nvd_published_at": "2025-12-17T19:16:00Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.0.x \u003c= 11.0.4, 10.12.x \u003c= 10.12.2, 10.11.x \u003c= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.",
"id": "GHSA-j5vq-62gr-8v3r",
"modified": "2025-12-20T17:13:53Z",
"published": "2025-12-17T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12689"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-plugin-calls/commit/f68b41980e1274e05cf91c687e2af1a73c5e36ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Mattermost fails to check Websocket request for proper UTF-8 format potentially crashing Calls plug-in"
}
GHSA-J72P-FV5P-4R63
Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.
{
"affected": [],
"aliases": [
"CVE-2026-9753"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T23:17:04Z",
"severity": "HIGH"
},
"details": "The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.",
"id": "GHSA-j72p-fv5p-4r63",
"modified": "2026-06-10T00:31:51Z",
"published": "2026-06-10T00:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9753"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-124959"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J7Q4-4R7G-3JF4
Vulnerability from github – Published: 2024-09-16 14:37 – Updated: 2024-09-16 18:31The MiCard PLUS Ci and MiCard PLUS BLE reader products developed by rf IDEAS and rebranded by NT-ware have a firmware fault that may result in characters randomly being dropped from some ID card reads, which would result in the wrong ID card number being assigned during ID card self-registration and might result in failed login attempts for end-users. Random characters being dropped from ID card numbers compromises the uniqueness of ID cards that can, therefore, result in a security issue if the users are using the ‘ID card self-registration’ function.
{
"affected": [],
"aliases": [
"CVE-2024-1578"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-16T07:15:02Z",
"severity": "MODERATE"
},
"details": "The MiCard PLUS Ci and MiCard PLUS BLE reader products developed by rf IDEAS and rebranded by NT-ware have a firmware fault that may result in characters randomly being dropped from some ID card reads, which would result in the wrong ID card number being assigned during ID card self-registration and might result in failed login attempts for end-users. Random characters being dropped from ID card numbers compromises the uniqueness of ID cards that can, therefore, result in a security issue if the users are using the \u2018ID card self-registration\u2019 function.",
"id": "GHSA-j7q4-4r7g-3jf4",
"modified": "2024-09-16T18:31:21Z",
"published": "2024-09-16T14:37:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1578"
},
{
"type": "WEB",
"url": "https://ntware.atlassian.net/wiki/spaces/SA/pages/11973853216/2024+Security+Advisory+Multiple+MiCard+PLUS+card+reader+dropped+characters"
},
{
"type": "WEB",
"url": "https://www.canon-europe.com/psirt/advisory-information"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JF5H-XFW4-P8GP
Vulnerability from github – Published: 2025-12-17 15:34 – Updated: 2025-12-17 22:49Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0-rc1"
},
{
"fixed": "10.11.7-0.20251106103514-3b05384dd014"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.11.7-0.20251106103514-3b05384dd014"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-alpha.1"
},
{
"fixed": "11.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-plugin-github"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1-0.20250829075715-0deffcfc6bee"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13352"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-17T22:49:46Z",
"nvd_published_at": "2025-12-17T13:15:56Z",
"severity": "LOW"
},
"details": "Mattermost versions 10.11.x \u003c= 10.11.6 and Mattermost GitHub plugin versions \u003c=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts.",
"id": "GHSA-jf5h-xfw4-p8gp",
"modified": "2025-12-17T22:49:46Z",
"published": "2025-12-17T15:34:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13352"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-plugin-github/commit/0deffcfc6bee7eaf01f7c99100e3d12e8d9df68c"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/3b05384dd0146c1be3caa620a42e00e46027055d"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection"
}
GHSA-JJ2C-3M89-73R8
Vulnerability from github – Published: 2025-08-14 18:31 – Updated: 2025-08-14 18:31A vulnerability in the Remote Access SSL VPN service for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow a remote attacker that is authenticated as a VPN user to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
This vulnerability is due to incomplete error checking when parsing an HTTP header field value. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted Remote Access SSL VPN service on an affected device. A successful exploit could allow the attacker to cause a DoS condition, which would cause the affected device to reload.
{
"affected": [],
"aliases": [
"CVE-2025-20244"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T17:15:38Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Remote Access SSL VPN service for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow a remote attacker that is authenticated as a VPN user to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.\n\nThis vulnerability is due to incomplete error checking when parsing an HTTP header field value. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted Remote Access SSL VPN service on an affected device. A successful exploit could allow the attacker to cause a DoS condition, which would cause the affected device to reload.",
"id": "GHSA-jj2c-3m89-73r8",
"modified": "2025-08-14T18:31:29Z",
"published": "2025-08-14T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20244"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpnwebs-dos-hjBhmBsX"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JRM8-XGF3-FWQR
Vulnerability from github – Published: 2025-02-05 21:09 – Updated: 2025-02-26 22:12Partial Denial of Service (DoS)
Product: MobSF Version: v4.2.9 CWE-ID: CWE-1287: Improper Validation of Specified Type of Input CVSS vector v.4.0: 6.9 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) CVSS vector v.3.1: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) Description: DoS in the Scans Results and iOS Dynamic Analyzer functionality Impact: Leveraging this vulnerability would make Scans Results and iOS Dynamic Analyzer pages unavailable. Vulnerable component: urls.py https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401 Exploitation conditions: A malicious application was uploaded to the MobSF. Mitigation: Check the uploaded bundle IDs against the regex. Researcher: Oleg Surnin (Positive Technologies)
Research
Researcher discovered zero-day vulnerability Partial Denial of Service (DoS) in MobSF in the Scans Results and iOS Dynamic Analyzer functionality.
According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.).
(https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier)
However, an attacker can manually modify this value in Info.plist file and add special characters to the <key>CFBundleIdentifier</key> value.
In the urls.py file URL rules are defined.
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401
Listing 3.
bundle_id_regex = r'(?P<bundle_id>([a-zA-Z0-9]{1}[\w.-]{1,255}))$'
# skip code
re_path(fr'^ios/view_report/{bundle_id_regex}',
ios_view_report.ç,
name='ios_view_report'),
When the application parses the wrong characters in the bundle ID, it encounters an error. As a result, it will not display content and will throw a 500 error instead. The only way to make the pages work again is to manually remove the malicious application from the system.
Vulnerability reproduction
To reproduce the vulnerability, follow the steps described below.
• Unzip the IPA file of any iOS application.
Listing 4. Unzipping the file
unzip test.ipa
• Modify the value of <key>CFBundleIdentifier</key> by adding restricted characters in the Info.plist file.
*Figure 7. Example with ' character`
• Zip the modified IPA file.
Listing 5. Zipping the file
zip -r dos.ipa Payload/
• Upload the modified IPA file to Static Analysis and wait until it finished
• Open the following pages:
http://mobsf/recent_scans/
http://mobsf/ios/dynamic_analysis/
Figure 8. DoS Example
Figure 9. DoS Example
Please, assign all credits to Oleg Surnin (Positive Technologies)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.3.0"
},
"package": {
"ecosystem": "PyPI",
"name": "mobsf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24804"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-05T21:09:21Z",
"nvd_published_at": "2025-02-05T19:15:46Z",
"severity": "HIGH"
},
"details": "# Partial Denial of Service (DoS)\n\n**Product:** MobSF\n**Version:** v4.2.9\n**CWE-ID:** CWE-1287: Improper Validation of Specified Type of Input\n**CVSS vector v.4.0:** 6.9 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)\n**CVSS vector v.3.1:** 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n**Description:** DoS in the Scans Results and iOS Dynamic Analyzer functionality \n**Impact:** Leveraging this vulnerability would make Scans Results and iOS Dynamic Analyzer pages unavailable.\n**Vulnerable component:** urls.py\nhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401\n**Exploitation conditions:** A malicious application was uploaded to the MobSF.\n**Mitigation:** Check the uploaded bundle IDs against the regex.\n**Researcher: Oleg Surnin (Positive Technologies)**\n\n## Research\n\nResearcher discovered zero-day vulnerability Partial Denial of Service (DoS) in MobSF in the Scans Results and iOS Dynamic Analyzer functionality.\nAccording to Apple\u0027s documentation for bundle ID\u0027s, it must contain only alphanumeric characters (A\u2013Z, a\u2013z, and 0\u20139), hyphens (-), and periods (.).\n(https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier)\nHowever, an attacker can manually modify this value in `Info.plist` file and add special characters to the `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` value.\nIn the `urls.py` file URL rules are defined.\nhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401\n\n*Listing 3.*\n```\nbundle_id_regex = r\u0027(?P\u003cbundle_id\u003e([a-zA-Z0-9]{1}[\\w.-]{1,255}))$\u0027\n\n# skip code\nre_path(fr\u0027^ios/view_report/{bundle_id_regex}\u0027,\n ios_view_report.\u00e7,\n name=\u0027ios_view_report\u0027),\n```\n\nWhen the application parses the wrong characters in the bundle ID, it encounters an error.\nAs a result, it will not display content and will throw a 500 error instead. The only way to make the pages work again is to manually remove the malicious application from the system.\n\n## Vulnerability reproduction\n\nTo reproduce the vulnerability, follow the steps described below.\n\n\u2022\tUnzip the IPA file of any iOS application.\n\n*Listing 4. Unzipping the file*\n```\nunzip test.ipa\n```\n\n\u2022\tModify the value of `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` by adding restricted characters in the `Info.plist` file.\n\n\u003cimg width=\"364\" alt=\"image-6\" src=\"https://github.com/user-attachments/assets/97dce68a-a5e2-4048-b5c8-3090146a9635\" /\u003e\n\n*Figure 7. Example with `\u0027` character`\n\n\n\u2022\tZip the modified IPA file.\n\n*Listing 5. Zipping the file*\n```\nzip -r dos.ipa Payload/\n```\n\n\u2022\tUpload the modified IPA file to Static Analysis and wait until it finished\n\u2022\tOpen the following pages:\n`http://mobsf/recent_scans/`\n`http://mobsf/ios/dynamic_analysis/`\n\n\u003cimg width=\"1119\" alt=\"image-7\" src=\"https://github.com/user-attachments/assets/a7a9ae2e-cd84-4ec8-8132-25140a209ca0\" /\u003e\n\n*Figure 8. DoS Example*\n\n\u003cimg width=\"1141\" alt=\"image-8\" src=\"https://github.com/user-attachments/assets/a76e03ae-b4c6-4003-a145-c1fa4c88a7a5\" /\u003e\n \n*Figure 9. DoS Example*\n\n\n_________________\n\n### Please, assign all credits to Oleg Surnin (Positive Technologies)",
"id": "GHSA-jrm8-xgf3-fwqr",
"modified": "2025-02-26T22:12:22Z",
"published": "2025-02-05T21:09:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-jrm8-xgf3-fwqr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24804"
},
{
"type": "WEB",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83"
},
{
"type": "WEB",
"url": "https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier"
},
{
"type": "PACKAGE",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
},
{
"type": "WEB",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MobSF Partial Denial of Service (DoS)"
}
GHSA-JRR2-X33P-6HVC
Vulnerability from github – Published: 2025-04-29 16:39 – Updated: 2025-05-05 21:59Summary
Due to a missing error propagation in function GetNamespaceSelectorsFromNamespaceLister in pkg/utils/engine/labels.go it may happen that policy rules using namespace selector(s) in their match statements are mistakenly not applied during admission review request processing. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations.
Details
As a policy engine Kyverno is a critical component ensuring the security of Kubernetes clusters by apply security-relevant policy rules in the Kubernetes admission control process.
We encountered a case where Kyverno did not apply policy rules which should have been applied. This happened in both the mutation and the validation phase of admission control. Effectively Kyverno handled the admission review requests as if those policy rules did not exist. Consequently, the Kube API request was accepted without applying security-relevant patches and validations.
As the root cause we identified a missing error propagation in function GetNamespaceSelectorsFromNamespaceLister in pkg/utils/engine/labels.go (src).
All affected policy rules use a namespace selector in their match resource filters like this:
match:
all:
- resources:
namespaceSelector:
matchExpressions:
- key: label1
operator: Exists
Such specification intents to apply rules only to resource objects which reside in a namespace whose labels match the given label expressions.
When Kyverno handles an admission webhook, function GetNamespaceSelectorsFromNamespaceLister in package
github.com/kyverno/kyverno/pkg/utils/engine (src) is called to retrieve the labels of the request object's namespace. This function gets the namespace object from a "k8s.io/client-go/listers/core/v1".NamespaceLister. In case the
namespace lister returns an error, GetNamespaceSelectorsFromNamespaceLister does NOT propagate this error to its caller, but returns an empty label map, which is equivalent to a namespace without any labels.
The returned label map is later used to select matching policy rules. If a rule has a resource filter with namespace selector, it will be mistakenly excluded or included.
The namespace lister fails to return the namespace object if the underlying SharedIndexInformer has not (yet) updated its cache. Those updates happen based on watch events from the Kube API Server, which does not guarantee any maximum delivery time. If the Kube API Server handling the watch is under high load or otherwise impaired (e.g. requests to etcd take longer due to pending leader election in HA setup) then informer cache updates can be delayed significantly. However, we did not find a way to reliably reproduce such condition.
To bypass Kyverno policies, an attacker may try to exploit the described misbehavior by:
-
putting the Kube API Server under load before sending requests that Kyverno policies should be bypassed for.
-
sending many request with a high rate to Kube API Server.
We did not try any of such attack vectors and therefore cannot prove their effectiveness.
In our scenario the Kyverno policies apply to pods in "sandbox" namespaces identified as such by certain labels. Those single-use namespaces and the pods therein are frequently created (and removed) by other controllers. Therefore, Kyverno often receives admission webhooks for objects whose namespace has been created shortly before.
Correction Proposal
Function GetNamespaceSelectorsFromNamespaceLister in package github.com/kyverno/kyverno/pkg/utils/engine (src) should return an error instead of an empty label map in case it could not get the namespace object from the namespace lister. This error will then cause admission webhook processing to fail, which lets Kubernetes fail the Kube API request if the policy's failure policy is Fail (a must for security-relevant policies).
In addition, function GetNamespaceSelectorsFromNamespaceLister could retry (with deadline) to get the namespace object from the namespace lister in case of a NotFound error. But as admission webhook processing time should be kept as short as possible, this might not be a good idea.
Another option would be to perform a GET request for the namespace as a fallback in case the namespace lister returns a NotFound error.
PoC
We did not find a way to reliably reproduce such case.
Impact
Administrators attempting to enforce cluster security through Kyverno policies, but that allow less privileged users or service accounts to create/update/delete resources.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kyverno/kyverno"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/kyverno/kyverno"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0-alpha.1"
},
{
"fixed": "1.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46342"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-29T16:39:33Z",
"nvd_published_at": "2025-04-30T15:16:02Z",
"severity": "HIGH"
},
"details": "### Summary\n\nDue to a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go` it may happen that policy rules using namespace selector(s) in their `match` statements are mistakenly not applied during admission review request processing. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with K8s API access to perform malicious operations.\n\n### Details\n\nAs a policy engine Kyverno is a critical component ensuring the security of Kubernetes clusters by apply security-relevant policy rules in the Kubernetes admission control process.\n\nWe encountered a case where Kyverno did not apply policy rules which should have been applied. This happened in both the mutation and the validation phase of admission control. Effectively Kyverno handled the admission review requests as\nif those policy rules did not exist. Consequently, the Kube API request was accepted without applying security-relevant patches and validations.\n\nAs the root cause we identified a missing error propagation in function `GetNamespaceSelectorsFromNamespaceLister` in `pkg/utils/engine/labels.go` ([src][1]).\n\nAll affected policy rules use a namespace selector in their match resource filters like this:\n\n```yaml\nmatch:\n all:\n - resources:\n namespaceSelector:\n matchExpressions:\n - key: label1\n operator: Exists\n```\n\nSuch specification intents to apply rules only to resource objects which reside in a namespace whose labels match the given label expressions.\n\nWhen Kyverno handles an admission webhook, function `GetNamespaceSelectorsFromNamespaceLister` in package\n`github.com/kyverno/kyverno/pkg/utils/engine` ([src][1]) is called to retrieve the labels of the request object\u0027s namespace. This function gets the namespace object from a `\"k8s.io/client-go/listers/core/v1\".NamespaceLister`. In case the\nnamespace lister returns an error, `GetNamespaceSelectorsFromNamespaceLister` does NOT propagate this error to its caller, but returns an empty label map, which is equivalent to a namespace without any labels.\n\nThe returned label map is later used to select matching policy rules. If a rule has a resource filter with namespace selector, it will be mistakenly excluded or included.\n\nThe namespace lister fails to return the namespace object if the underlying `SharedIndexInformer` has not (yet) updated its cache. Those updates happen based on watch events from the Kube API Server, which does not guarantee any maximum delivery time. If the Kube API Server handling the watch is under high load or otherwise impaired (e.g. requests to etcd take longer due to pending leader election in HA setup) then informer cache updates can be delayed significantly. However, we did not find a way to reliably reproduce such condition.\n\nTo bypass Kyverno policies, an attacker may try to exploit the described misbehavior by:\n\n- putting the Kube API Server under load before sending requests that Kyverno policies should be bypassed for.\n\n- sending many request with a high rate to Kube API Server.\n\nWe did not try any of such attack vectors and therefore cannot prove their effectiveness.\n\nIn our scenario the Kyverno policies apply to pods in \"sandbox\" namespaces identified as such by certain labels. Those single-use namespaces and the pods therein are frequently created (and removed) by other controllers. Therefore, Kyverno often receives admission webhooks for objects whose namespace has been created shortly before.\n\n#### Correction Proposal\n\nFunction `GetNamespaceSelectorsFromNamespaceLister` in package `github.com/kyverno/kyverno/pkg/utils/engine` ([src][1]) should return an error instead of an empty label map in case it could not get the namespace object from the namespace lister. This error will then cause admission webhook processing to fail, which lets Kubernetes fail the Kube API request if the policy\u0027s failure policy is `Fail` (a must for security-relevant policies).\n\nIn addition, function `GetNamespaceSelectorsFromNamespaceLister` could retry (with deadline) to get the namespace object from the namespace lister in case of a NotFound error. But as admission webhook processing time should be kept as short as possible, this might not be a good idea.\n\nAnother option would be to perform a GET request for the namespace as a fallback in case the namespace lister returns a NotFound error.\n\n### PoC\n\nWe did not find a way to reliably reproduce such case.\n\n### Impact\n\nAdministrators attempting to enforce cluster security through Kyverno policies, but that allow less privileged users or service accounts to create/update/delete resources.\n\n\n[1]: https://github.com/kyverno/kyverno/blob/a96b1a4794b4d25cb0c6d72c05fc6355e95cf65c/pkg/utils/engine/labels.go#L10",
"id": "GHSA-jrr2-x33p-6hvc",
"modified": "2025-05-05T21:59:04Z",
"published": "2025-04-29T16:39:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-jrr2-x33p-6hvc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46342"
},
{
"type": "WEB",
"url": "https://github.com/kyverno/kyverno/commit/3ff923b7756e1681daf73849954bd88516589194"
},
{
"type": "PACKAGE",
"url": "https://github.com/kyverno/kyverno"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3652"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Kyverno vulnerable to bypass of policy rules that use namespace selectors in match statements"
}
GHSA-M48P-P8GP-9JXF
Vulnerability from github – Published: 2025-12-05 06:31 – Updated: 2025-12-05 06:31In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.
{
"affected": [],
"aliases": [
"CVE-2025-32901"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-05T05:17:02Z",
"severity": "MODERATE"
},
"details": "In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.",
"id": "GHSA-m48p-p8gp-9jxf",
"modified": "2025-12-05T06:31:30Z",
"published": "2025-12-05T06:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32901"
},
{
"type": "WEB",
"url": "https://kde.org/info/security/advisory-20250418-4.txt"
},
{
"type": "WEB",
"url": "https://kdeconnect.kde.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MFVH-6RJH-8JRP
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-11 18:31An HTML Injection vulnerability in Avaya Spaces may have allowed disclosure of sensitive information or modification of the page content seen by the user.
{
"affected": [],
"aliases": [
"CVE-2024-12756"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-74",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T17:15:21Z",
"severity": "HIGH"
},
"details": "An HTML Injection vulnerability in Avaya Spaces may have allowed disclosure of sensitive information or modification of the page content seen by the user.",
"id": "GHSA-mfvh-6rjh-8jrp",
"modified": "2025-02-11T18:31:34Z",
"published": "2025-02-11T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12756"
},
{
"type": "WEB",
"url": "https://support.avaya.com/css/public/documents/101091836"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.