CWE-1395
Allowed-with-ReviewDependency on Vulnerable Third-Party Component
Abstraction: Class · Status: Incomplete
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
110 vulnerabilities reference this CWE, most recent first.
GHSA-MGR7-5782-6JH9
Vulnerability from github – Published: 2025-01-13 16:18 – Updated: 2025-01-13 16:18Impact
The Heartcore headless client library depends on Refit to assist in making HTTP requests to Heartcore public APIs. Refit recently published an advisory regarding a CRLF injection vulnerability whereby it is possible for a malicious user to smuggle additional headers or potentially body content into a request.
This shouldn't affect Heartcore client library usage as the vulnerable method - HttpHeaders.TryAddWithoutValidation - is not used. However, since Refit is a transient dependency for applications using this library, then any users making direct use of Refit could be vulnerable.
Patches
The vulnerable version of Refit has been upgraded to a secure version, as of Umbraco.Headless.Client.Net version 1.5.0, available on Nuget.
Workarounds
If calling Refit from your own code, set any necessary HTTP headers without use of HttpHeaders.TryAddWithoutValidation.
References
See the original Refit advisory for further info.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.1"
},
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Headless.Client.Net"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-13T16:18:39Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nThe Heartcore headless client library depends on [Refit ](https://github.com/reactiveui/refit) to assist in making HTTP requests to Heartcore public APIs. Refit recently published an advisory regarding a CRLF injection vulnerability whereby it is possible for a malicious user to smuggle additional headers or potentially body content into a request.\n\nThis shouldn\u0027t affect Heartcore client library usage as the vulnerable method - `HttpHeaders.TryAddWithoutValidation` - is not used. However, since Refit is a transient dependency for applications using this library, then any users making direct use of Refit could be vulnerable.\n\n### Patches\nThe vulnerable version of Refit has been upgraded to a secure version, as of Umbraco.Headless.Client.Net version 1.5.0, available on [Nuget](https://www.nuget.org/packages/Umbraco.Headless.Client.Net/1.5.0).\n\n### Workarounds\nIf calling Refit from your own code, set any necessary HTTP headers without use of `HttpHeaders.TryAddWithoutValidation`.\n\n### References\nSee the [original Refit advisory](https://github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7) for further info.\n",
"id": "GHSA-mgr7-5782-6jh9",
"modified": "2025-01-13T16:18:39Z",
"published": "2025-01-13T16:18:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco.Headless.Client.Net/security/advisories/GHSA-mgr7-5782-6jh9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51501"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco.Headless.Client.Net"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "The Umbraco Heartcore headless client library uses a vulnerable Refit dependency package"
}
GHSA-MJCP-GPGX-GGCG
Vulnerability from github – Published: 2025-12-09 22:48 – Updated: 2025-12-09 22:48When OpenTofu is acting as a TLS client authenticating a certificate chain provided by a TLS server, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate.
For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
Details
When acting as a TLS client, OpenTofu relies on the implementation of TLS certificate verification from the standard library of the Go programming language.
The Go project has recently published the following advisory for that which indirectly affects OpenTofu's behavior:
- CVE-2025-61727: Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
OpenTofu acts as a TLS client when calling a module or provider registry to request metadata, when downloading module or provider packages from "https" URLs, and when interacting with remote services for state storage and encryption. In these situations, OpenTofu could potentially accept as valid a certificate chain containing conflicting information about whether it is valid for the target hostname.
All certificates in the chain are still checked separately for validity, and so a successful attack requires an attacker-controlled server to produce a chain of valid-but-contradictory certificates and have access to the private keys associated with each one, and for the attacker to then arrange for OpenTofu to attempt to connect to the affected hostname.
Patches
OpenTofu v1.10.8 addresses these vulnerabilities by being built against Go 1.24.11, which contains an improved version of the upstream implementation.
The OpenTofu v1.9 and v1.8 series are also affected by these vulnerabilities. However, those series are built with a version of Go for which no upstream fix is available. Adopting Go 1.24.11 for those series would effectively end support for certain versions of macOS and Linux, and the OpenTofu Project has determined that the impact of these vulnerabilities is not high enough to justify that disruption in a patch release. For those using the OpenTofu v1.9 or v1.8 releases we recommend planning to upgrade to OpenTofu v1.10.8 in the near future.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/opentofu/opentofu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-296"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-09T22:48:08Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "When OpenTofu is acting as a TLS client authenticating a certificate chain provided by a TLS server, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard [SANs](https://en.wikipedia.org/wiki/Public_key_certificate#Subject_Alternative_Name_certificate) in the leaf certificate.\n\nFor example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.\n\n### Details\n\nWhen acting as a TLS client, OpenTofu relies on the implementation of TLS certificate verification from the standard library of the Go programming language.\n\nThe Go project has recently published the following advisory for that which indirectly affects OpenTofu\u0027s behavior:\n\n- [CVE-2025-61727](https://www.cve.org/CVERecord?id=CVE-2025-61727): Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509\n\nOpenTofu acts as a TLS client when calling a module or provider registry to request metadata, when downloading module or provider packages from \"https\" URLs, and when interacting with remote services for state storage and encryption. In these situations, OpenTofu could potentially accept as valid a certificate chain containing conflicting information about whether it is valid for the target hostname.\n\nAll certificates in the chain are still checked separately for validity, and so a successful attack requires an attacker-controlled server to produce a chain of valid-but-contradictory certificates and have access to the private keys associated with each one, and for the attacker to then arrange for OpenTofu to attempt to connect to the affected hostname.\n\n### Patches\n\nOpenTofu v1.10.8 addresses these vulnerabilities by being built against Go 1.24.11, which contains an improved version of the upstream implementation.\n\nThe OpenTofu v1.9 and v1.8 series are also affected by these vulnerabilities. However, those series are built with a version of Go for which no upstream fix is available. Adopting Go 1.24.11 for those series would effectively end support for certain versions of macOS and Linux, and the OpenTofu Project has determined that the impact of these vulnerabilities is not high enough to justify that disruption in a patch release. For those using the OpenTofu v1.9 or v1.8 releases we recommend planning to upgrade to OpenTofu v1.10.8 in the near future.",
"id": "GHSA-mjcp-gpgx-ggcg",
"modified": "2025-12-09T22:48:08Z",
"published": "2025-12-09T22:48:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/security/advisories/GHSA-mjcp-gpgx-ggcg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61727"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/issues/3546"
},
{
"type": "PACKAGE",
"url": "https://github.com/opentofu/opentofu"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/releases/tag/v1.10.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs"
}
GHSA-MRXW-MXHJ-P664
Vulnerability from github – Published: 2025-03-14 18:51 – Updated: 2025-03-21 15:43Summary
Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.
libxslt v1.1.43 resolves:
- CVE-2025-24855: Fix use-after-free of XPath context node
- CVE-2024-55549: Fix UAF related to excluded namespaces
Impact
CVE-2025-24855
- "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node"
- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855
CVE-2024-55549
- "Use-after-free related to excluded result prefixes"
- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-14T18:51:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nNokogiri v1.18.4 upgrades its dependency libxslt to [v1.1.43](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.43).\n\nlibxslt v1.1.43 resolves:\n\n- CVE-2025-24855: Fix use-after-free of XPath context node\n- CVE-2024-55549: Fix UAF related to excluded namespaces\n\n## Impact\n\n### CVE-2025-24855\n\n- \"Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt-\u003enode\"\n- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H\n- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128\n- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855\n\n### CVE-2024-55549\n\n- \"Use-after-free related to excluded result prefixes\"\n- MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H\n- Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127\n- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549",
"id": "GHSA-mrxw-mxhj-p664",
"modified": "2025-03-21T15:43:15Z",
"published": "2025-03-14T18:51:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-mrxw-mxhj-p664"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55549"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24855"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/127"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/128"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs"
}
GHSA-MWV6-3258-Q52C
Vulnerability from github – Published: 2025-12-11 22:49 – Updated: 2025-12-11 22:49A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "13.3.0"
},
{
"fixed": "14.2.34"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.0.0-canary.0"
},
{
"fixed": "15.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.1.1-canary.0"
},
{
"fixed": "15.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.2.0-canary.0"
},
{
"fixed": "15.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.3.0-canary.0"
},
{
"fixed": "15.3.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.4.0-canary.0"
},
{
"fixed": "15.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.5.1-canary.0"
},
{
"fixed": "15.5.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.6.0-canary.0"
},
{
"fixed": "15.6.0-canary.59"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0-beta.0"
},
{
"fixed": "16.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "16.1.0-canary.0"
},
{
"fixed": "16.1.0-canary.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-400",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-11T22:49:27Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).\n\nA malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.",
"id": "GHSA-mwv6-3258-q52c",
"modified": "2025-12-11T22:49:28Z",
"published": "2025-12-11T22:49:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/next.js"
},
{
"type": "WEB",
"url": "https://nextjs.org/blog/security-update-2025-12-11"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Next Vulnerable to Denial of Service with Server Components"
}
GHSA-P2Q9-36VW-C468
Vulnerability from github – Published: 2024-09-03 21:11 – Updated: 2024-09-03 21:11After several cryptographic vulnerabilities in libolm were disclosed publicly, the Matrix Foundation has officially deprecated the library. olm-sys is a thin wrapper around libolm and is now deprecated and potentially vulnerable in kind.
Users of olm-sys and its higher-level abstraction, olm-rs, are highly encouraged to switch to vodozemac as soon as possible. It is the successor effort to libolm and is written in Rust.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "olm-sys"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-03T21:11:21Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "After several cryptographic vulnerabilities in `libolm` were disclosed publicly, the Matrix Foundation has [officially deprecated the library](https://matrix.org/blog/2024/08/libolm-deprecation/). `olm-sys` is a thin wrapper around `libolm` and is now deprecated and potentially vulnerable in kind.\n\nUsers of `olm-sys` and its higher-level abstraction, `olm-rs`, are highly encouraged to switch to [`vodozemac`](https://crates.io/crates/vodozemac) as soon as possible. It is the successor effort to `libolm` and is written in Rust.\n",
"id": "GHSA-p2q9-36vw-c468",
"modified": "2024-09-03T21:11:21Z",
"published": "2024-09-03T21:11:21Z",
"references": [
{
"type": "PACKAGE",
"url": "https://gitlab.gnome.org/BrainBlasted/olm-sys"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/BrainBlasted/olm-sys/-/issues/12"
},
{
"type": "WEB",
"url": "https://matrix.org/blog/2024/08/libolm-deprecation"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0368.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "olm-sys: wrapped library unmaintained, potentially vulnerable"
}
GHSA-Q382-VC8Q-7JHJ
Vulnerability from github – Published: 2026-03-19 12:44 – Updated: 2026-03-19 12:44The Go SDK recently transitioned to the segmentio/encoding library for JSON parsing in version 1.3.1. While this change addressed both case-insensitivity and ASCII folding issues, the new parser implemented aggressive key matching that treated keys with null Unicode characters appended at the end as equivalent to their base strings.
Impact
When combined with duplicate keys, the described behavior leads to a "last key wins" resolution that could override the intended MCP message. This had the potential for: - Bypassing intermediary inspection: Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages. - Cross-implementation inconsistency: Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion.
Fix:
The segmentio/encoding package was patched with a fix in https://github.com/segmentio/encoding/commit/7d5a25dbc5da13aed3cb047a127e4d0e96f536fb and a new version of the package was released (v0.5.4). The SDK switched to the patched version of the dependency in 724dd47aa. Users are advised to update to v1.4.1 to resolve this issue.
Credits:
Thank you to Francesco Lacerenza (Doyensec) for reporting this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/modelcontextprotocol/go-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T12:44:07Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The Go SDK recently transitioned to the `segmentio/encoding` library for JSON parsing in version 1.3.1. While this change addressed both case-insensitivity and ASCII folding issues, the new parser implemented aggressive key matching that treated keys with `null` Unicode characters appended at the end as equivalent to their base strings.\n\n#### Impact\n\nWhen combined with duplicate keys, the described behavior leads to a \"last key wins\" resolution that could override the intended MCP message. This had the potential for:\n - **Bypassing intermediary inspection:** Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages.\n - **Cross-implementation inconsistency:** Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion.\n\n#### Fix:\n\nThe `segmentio/encoding` package was patched with a fix in https://github.com/segmentio/encoding/commit/7d5a25dbc5da13aed3cb047a127e4d0e96f536fb and a new version of the package was released (`v0.5.4`). The SDK switched to the patched version of the dependency in 724dd47aa. Users are advised to update to v1.4.1 to resolve this issue.\n\n#### Credits:\nThank you to Francesco Lacerenza (Doyensec) for reporting this issue.",
"id": "GHSA-q382-vc8q-7jhj",
"modified": "2026-03-19T12:44:07Z",
"published": "2026-03-19T12:44:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-q382-vc8q-7jhj"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/go-sdk/commit/724dd47aa3431b9d4cf9ac2eebbf7b38a629afca"
},
{
"type": "WEB",
"url": "https://github.com/segmentio/encoding/commit/7d5a25dbc5da13aed3cb047a127e4d0e96f536fb"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelcontextprotocol/go-sdk"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk"
}
GHSA-Q5FM-55C2-V6J9
Vulnerability from github – Published: 2024-07-16 19:32 – Updated: 2024-08-21 22:30Summary
Vulnerability scan of fiona shows CVE-2023-45853. The vulnerability is in GDAL, a dependency of fiona.
Details
Fiona depends on GDAL and GDAL has a port of minizip. MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. The GDAL project has addressed the CVE in version 3.8.0. See https://lists.osgeo.org/pipermail/gdal-dev/2023-November/057881.html.
The Fiona version 1.9.6 wheels on PyPI include GDAL version 3.6.4 and thus could be vulnerable. All of the Fiona 1.10 pre-release wheels in PyPI include GDAL version 3.8.4 and are not vulnerable.
Impact
Systems which use GDAL versions prior to 3.8.0 to open unchecked zip files, whether in combination with fiona or not, could be susceptible to buffer overflows.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fiona"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10b1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-16T19:32:45Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nVulnerability scan of fiona shows [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853). The vulnerability is in GDAL, a dependency of fiona.\n\n### Details\nFiona depends on GDAL and GDAL has a port of minizip. MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. The GDAL project has addressed the CVE in version 3.8.0. See https://lists.osgeo.org/pipermail/gdal-dev/2023-November/057881.html.\n\nThe Fiona version 1.9.6 wheels on PyPI include GDAL version 3.6.4 and thus could be vulnerable. All of the Fiona 1.10 pre-release wheels in PyPI include GDAL version 3.8.4 and are not vulnerable.\n\n### Impact\nSystems which use GDAL versions prior to 3.8.0 to open unchecked zip files, whether in combination with fiona or not, could be susceptible to buffer overflows.",
"id": "GHSA-q5fm-55c2-v6j9",
"modified": "2024-08-21T22:30:04Z",
"published": "2024-07-16T19:32:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Toblerity/Fiona/security/advisories/GHSA-q5fm-55c2-v6j9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853"
},
{
"type": "WEB",
"url": "https://github.com/OSGeo/gdal/commit/4aa7ca61c1d2191baf1eea2a97d0dec33a41691f"
},
{
"type": "WEB",
"url": "https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c"
},
{
"type": "PACKAGE",
"url": "https://github.com/Toblerity/Fiona"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fiona affected by CVE-2023-45853 related to MiniZip madler-zlib"
}
GHSA-Q7J3-V8QV-22VQ
Vulnerability from github – Published: 2026-06-19 16:35 – Updated: 2026-06-19 16:35Impact
Possible data exposure.
Summary
While downloading packages from a maliciously crafted URL, some git operations against that URL could allow arbitrary file read. This might allow disclosure of confidential information.
Details
OpenTofu relies on go-getter for downloading packages like providers and modules. While doing so from a maliciously crafted URL, the operator could be affected by confidential information disclosure.
The go-getter maintainers have recently published CVE-2026-4660 for this library which indirectly affects OpenTofu's behavior.
Typical use of OpenTofu already requires caution in selection of URLs that are used to download modules and providers.
Patches
OpenTofu v1.11.10 and v1.12.3 address these vulnerabilities by upgrading to the hashicorp/go-getter@v1.8.6 that fixes this vulnerability.
The OpenTofu v1.10 series is also impacted by these vulnerabilities. However, that series is built with an older version of the library and upgrading it risks breaking the whole v1.10 series. For those using OpenTofu v1.10 releases, we recommend planning an upgrade to OpenTofu v1.11.10 in the near future.
References
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/opentofu/opentofu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/opentofu/opentofu"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0-beta1"
},
{
"fixed": "1.12.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T16:35:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nPossible data exposure.\n#### Summary\nWhile downloading packages from a maliciously crafted URL, some git operations against that URL could allow arbitrary file read.\nThis might allow disclosure of confidential information.\n\n#### Details\nOpenTofu relies on [go-getter](https://github.com/hashicorp/go-getter) for downloading packages like providers and modules. While doing so from a maliciously crafted URL, the operator could be affected by confidential information disclosure. \n\nThe go-getter maintainers have recently published [CVE-2026-4660](https://github.com/advisories/GHSA-92mm-2pjq-r785) for this library which indirectly affects OpenTofu\u0027s behavior.\n\nTypical use of OpenTofu already requires caution in selection of URLs that are used to download modules and providers.\n\n### Patches\nOpenTofu v1.11.10 and v1.12.3 address these vulnerabilities by upgrading to the [hashicorp/go-getter@v1.8.6](https://github.com/hashicorp/go-getter/releases/tag/v1.8.6) that fixes this vulnerability.\n\nThe OpenTofu v1.10 series is also impacted by these vulnerabilities. However, that series is built with an older version of the library and upgrading it risks breaking the whole v1.10 series. \nFor those using OpenTofu v1.10 releases, we recommend planning an upgrade to OpenTofu v1.11.10 in the near future.\n\n### References\n* [Initial report](https://github.com/opentofu/opentofu/pull/4288)\n* [CVE-2026-4660](https://github.com/advisories/GHSA-92mm-2pjq-r785)\n* [OpenTofu v1.12 patch](https://github.com/opentofu/opentofu/pull/4293)\n* [OpenTofu v1.11 patch](https://github.com/opentofu/opentofu/pull/4292)\n* [Patched v1.12.3 version](https://github.com/opentofu/opentofu/releases/tag/v1.12.3)\n* [Patched v1.11.10 version](https://github.com/opentofu/opentofu/releases/tag/v1.11.10)",
"id": "GHSA-q7j3-v8qv-22vq",
"modified": "2026-06-19T16:35:10Z",
"published": "2026-06-19T16:35:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/security/advisories/GHSA-q7j3-v8qv-22vq"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/pull/4288"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/pull/4292"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/pull/4293"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-92mm-2pjq-r785"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/go-getter/releases/tag/v1.8.6"
},
{
"type": "PACKAGE",
"url": "https://github.com/opentofu/opentofu"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/releases/tag/v1.11.10"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/releases/tag/v1.12.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenTofu: Possible arbitrary file read during certain git operations via a maliciously crafted URL"
}
GHSA-R92C-9C7F-3PJ8
Vulnerability from github – Published: 2026-01-21 22:58 – Updated: 2026-02-03 20:24Impact
Unauthenticated denial of service.
Summary
When installing module packages from attacker-controlled sources, tofu init may cause high CPU usage when encountering maliciously-crafted .zip archives for either provider or module distribution packages.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete in a timely manner. Other processes running on the same computer as OpenTofu may also have their performance degraded due to the high CPU usage.
These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.
Details
OpenTofu relies on a third-party implementation of .zip archive extraction from the standard library of the Go programming language. The Go project has recently published a minor release (Go 1.25.6) to address a problem of potential excessive CPU usage when accessing files in a maliciously-crafted .zip archive.
OpenTofu's threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, this particular problem affects the process of installing these dependencies with tofu init, and so can potentially occur before an operator has had the opportunity to review what is being installed.
An attacker can exploit this by controlling the content of a package served when OpenTofu is expecting to receive a archive using the .zip format, during either provider or module package installation.
However, the attacker must also coerce an OpenTofu operator into attempting dependency installation from a source that they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the tofu init process, which does not execute third-party dependency code itself.
Patches
OpenTofu v1.11.4 addresses these vulnerabilities by being built against Go 1.25.6, which contains an improved version of the upstream implementation.
Workarounds
These vulnerabilities can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running tofu init. Those who are unable to immediately upgrade can therefore minimize risk by reviewing new dependencies before adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu.
Successful exploitation requires that the attacker control a .zip archive that OpenTofu would fetch and extract during the provider or module installation processes. Note that OpenTofu modules can have their own dependencies on other providers and modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a provider or module package from a server that they control.
References
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/opentofu/opentofu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T22:58:42Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nUnauthenticated denial of service.\n\n### Summary\nWhen installing module packages from attacker-controlled sources, `tofu init` may cause high CPU usage when encountering maliciously-crafted `.zip` archives for either provider or module distribution packages.\n\nThose who depend on modules or providers served from untrusted third-party servers may experience denial of service due to `tofu init` failing to complete in a timely manner. Other processes running on the same computer as OpenTofu may also have their performance degraded due to the high CPU usage.\n\nThese vulnerabilities **do not** permit arbitrary code execution or allow disclosure of confidential information.\n\n### Details\n\nOpenTofu relies on a third-party implementation of `.zip` archive extraction from the standard library of the Go programming language. The Go project has recently published a minor release (Go 1.25.6) to address a problem of potential excessive CPU usage when accessing files in a maliciously-crafted `.zip` archive.\n\nOpenTofu\u0027s threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, this particular problem affects the process of installing these dependencies with `tofu init`, and so can potentially occur before an operator has had the opportunity to review what is being installed.\n\nAn attacker can exploit this by controlling the content of a package served when OpenTofu is expecting to receive a archive using the `.zip` format, during either provider or module package installation.\n\nHowever, the attacker must also coerce an OpenTofu operator into attempting dependency installation from a source that they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the `tofu init` process, which does not execute third-party dependency code itself.\n\n### Patches\n\nOpenTofu v1.11.4 addresses these vulnerabilities by being built against Go 1.25.6, which contains an improved version of the upstream implementation.\n\n### Workarounds\n\nThese vulnerabilities can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running `tofu init`. Those who are unable to immediately upgrade can therefore minimize risk by reviewing new dependencies before adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu.\n\nSuccessful exploitation requires that the attacker control a `.zip` archive that OpenTofu would fetch and extract during the provider or module installation processes. Note that OpenTofu modules can have their own dependencies on other providers and modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a provider or module package from a server that they control.\n\n### References\n\n- [OpenTofu v1..11.4 release notes](https://github.com/opentofu/opentofu/releases/tag/v1.11.4)\n- [golang/go#77102](https://github.com/golang/go/issues/77102)",
"id": "GHSA-r92c-9c7f-3pj8",
"modified": "2026-02-03T20:24:00Z",
"published": "2026-01-21T22:58:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/security/advisories/GHSA-r92c-9c7f-3pj8"
},
{
"type": "WEB",
"url": "https://github.com/golang/go/issues/77102"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/pull/3689"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/commit/f5d5cdf16615ea3c298e058b062951adb02805f3"
},
{
"type": "PACKAGE",
"url": "https://github.com/opentofu/opentofu"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/releases/tag/v1.11.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenTofu has High CPU usage in \"tofu init\" with maliciously-crafted module packages in .zip format"
}
GHSA-RRQF-W74J-24FF
Vulnerability from github – Published: 2024-09-04 17:19 – Updated: 2024-09-25 17:55Impact
There is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created. Exploitation requires the user to initiate the account creation process with a maliciously crafted link, and then finalize the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users so the benefits of exploiting it are very limited.
Patches
You should to update to Indico 3.3.4 as soon as possible. See the docs for instructions on how to update.
Workarounds
- If you build the Indico package yourself and cannot upgrade for some reason, you can simply update the
flask-multipassdependency to>=0.5.5which fixes the vulnerability. You would do that by editingrequirements.txtbefore building the package (see commit 7dcb573837), or possibly cherry-picking that particular commit. - Otherwise you could configure your web server to disallow requests containing a query string with a parameter that starts with
javascript:
For more information
If you have any questions or comments about this advisory:
- Open a thread in our forum
- Email us privately at indico-team@cern.ch
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "indico"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45399"
],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-04T17:19:14Z",
"nvd_published_at": "2024-09-04T20:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nThere is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created.\nExploitation requires the user to initiate the account creation process with a maliciously crafted link, and then finalize the signup process. Because of this, it can only target newly created (and thus unprivileged) Indico users so the benefits of exploiting it are very limited.\n\n### Patches\nYou should to update to [Indico 3.3.4](https://github.com/indico/indico/releases/tag/v3.3.4) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\n### Workarounds\n- If you build the Indico package yourself and cannot upgrade for some reason, you can simply update the `flask-multipass` dependency to `\u003e=0.5.5` which fixes the vulnerability. You would do that by editing `requirements.txt` before building the package (see commit 7dcb573837), or possibly cherry-picking that particular commit.\n- Otherwise you could configure your web server to disallow requests containing a query string with a parameter that starts with `javascript:`\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open a thread in [our forum](https://talk.getindico.io/)\n- Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)",
"id": "GHSA-rrqf-w74j-24ff",
"modified": "2024-09-25T17:55:29Z",
"published": "2024-09-04T17:19:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/indico/indico/security/advisories/GHSA-rrqf-w74j-24ff"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45399"
},
{
"type": "WEB",
"url": "https://github.com/indico/flask-multipass/commit/0bdcf656d469e5f675cb56fd644d82fea3a97c2a"
},
{
"type": "WEB",
"url": "https://github.com/indico/indico/commit/7dcb573837b9fd09d95f74d1baeae225b164cc8f"
},
{
"type": "PACKAGE",
"url": "https://github.com/indico/indico"
},
{
"type": "WEB",
"url": "https://github.com/indico/indico/releases/tag/v3.3.4"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2024-90.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Indico has a Cross-Site-Scripting during account creation"
}
Mitigation
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Mitigation
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Mitigation
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Mitigation
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Mitigation
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
No CAPEC attack patterns related to this CWE.