CWE-1395
Allowed-with-ReviewDependency on Vulnerable Third-Party Component
Abstraction: Class · Status: Incomplete
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
110 vulnerabilities reference this CWE, most recent first.
GHSA-3HFP-GQGH-XC5G
Vulnerability from github – Published: 2026-04-02 18:36 – Updated: 2026-04-02 18:36Impact
A supply chain attack on the axios npm package (versions 1.14.1 and 0.30.4) introduced a malicious transitive dependency (plain-crypto-js@4.2.1) that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm account to publish the malicious versions.
The malicious versions were live on npm for approximately 3 hours (00:21 UTC to 03:29 UTC on March 31, 2026) before being removed.
The @lightdash/cli package specified axios as a dependency with a semver range (^1.12.0) that permitted resolution to the compromised version. Any user who performed a fresh install of @lightdash/cli versions >= 0.1800.0, < 0.2695.1 (without a pre-existing lockfile) during this window may have installed the malicious axios version.
If compromised, the RAT establishes a connection to a command-and-control server (sfrclak[.]com / 142.11.206.73:8000) and provides the attacker with shell access, file system enumeration, and the ability to execute arbitrary commands. All credentials, secrets, and tokens accessible from the affected machine should be considered compromised.
Lightdash Cloud is not affected.
Patches
This has been patched in @lightdash/cli@0.2695.1. The fix pins axios to a known safe version (1.14.0).
Users should upgrade immediately:
npm install -g @lightdash/cli@0.2695.1
If users had installed the compromised version, they should check for RAT artifacts before and after upgrading:
- macOS:
/Library/Caches/com.apple.act.mond - Windows:
%PROGRAMDATA%\wt.exe - Linux:
/tmp/ld.py
If any artifacts are found, assume full compromise of that machine and rotate all accessible credentials (warehouse credentials, API tokens, SSH keys, cloud provider credentials, environment variables).
Workarounds
If users cannot upgrade immediately, they can force a safe axios resolution after installing the CLI:
npm install -g axios@1.14.0 --force
Alternatively, if users are building a Docker image or using a lockfile, they should ensure their resolved axios version is not 1.14.1 or 0.30.4:
npm ls axios
Block egress traffic to sfrclak[.]com and 142.11.206.73 at the network level to prevent the RAT from reaching its command-and-control server.
Resources
- Upstream axios issue: https://github.com/axios/axios/issues/10604
- StepSecurity analysis: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- Socket analysis: https://socket.dev/blog/axios-npm-package-compromised
- Snyk advisory (axios): https://security.snyk.io/vuln/SNYK-JS-AXIOS-15850650
- Snyk advisory (plain-crypto-js): https://security.snyk.io/vuln/SNYK-JS-PLAINCRYPTOJS-15850652
- The Hacker News coverage: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@lightdash/cli"
},
"ranges": [
{
"events": [
{
"introduced": "0.1800.0"
},
{
"fixed": "0.2695.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-508"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T18:36:10Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n\nA supply chain attack on the `axios` npm package (versions 1.14.1 and 0.30.4) introduced a malicious transitive dependency (`plain-crypto-js@4.2.1`) that deploys a cross-platform remote access trojan (RAT) on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer\u0027s npm account to publish the malicious versions.\n\nThe malicious versions were live on npm for approximately 3 hours (00:21 UTC to 03:29 UTC on March 31, 2026) before being removed.\n\nThe `@lightdash/cli` package specified axios as a dependency with a semver range (`^1.12.0`) that permitted resolution to the compromised version. Any user who performed a fresh install of `@lightdash/cli` versions `\u003e= 0.1800.0, \u003c 0.2695.1` (without a pre-existing lockfile) during this window may have installed the malicious axios version.\n\nIf compromised, the RAT establishes a connection to a command-and-control server (`sfrclak[.]com` / `142.11.206.73:8000`) and provides the attacker with shell access, file system enumeration, and the ability to execute arbitrary commands. All credentials, secrets, and tokens accessible from the affected machine should be considered compromised.\n\nLightdash Cloud is not affected.\n\n### Patches\n\nThis has been patched in `@lightdash/cli@0.2695.1`. The fix pins axios to a known safe version (1.14.0).\n\nUsers should upgrade immediately:\n\n```\nnpm install -g @lightdash/cli@0.2695.1\n```\n\nIf users had installed the compromised version, they should check for RAT artifacts before and after upgrading:\n\n- macOS: `/Library/Caches/com.apple.act.mond`\n- Windows: `%PROGRAMDATA%\\wt.exe`\n- Linux: `/tmp/ld.py`\n\nIf any artifacts are found, assume full compromise of that machine and rotate all accessible credentials (warehouse credentials, API tokens, SSH keys, cloud provider credentials, environment variables).\n\n### Workarounds\n\nIf users cannot upgrade immediately, they can force a safe axios resolution after installing the CLI:\n\n```\nnpm install -g axios@1.14.0 --force\n```\n\nAlternatively, if users are building a Docker image or using a lockfile, they should ensure their resolved axios version is not 1.14.1 or 0.30.4:\n\n```\nnpm ls axios\n```\n\nBlock egress traffic to `sfrclak[.]com` and `142.11.206.73` at the network level to prevent the RAT from reaching its command-and-control server.\n\n### Resources\n\n- Upstream axios issue: https://github.com/axios/axios/issues/10604\n- StepSecurity analysis: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan\n- Socket analysis: https://socket.dev/blog/axios-npm-package-compromised\n- Snyk advisory (axios): https://security.snyk.io/vuln/SNYK-JS-AXIOS-15850650\n- Snyk advisory (plain-crypto-js): https://security.snyk.io/vuln/SNYK-JS-PLAINCRYPTOJS-15850652\n- The Hacker News coverage: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html",
"id": "GHSA-3hfp-gqgh-xc5g",
"modified": "2026-04-02T18:36:10Z",
"published": "2026-04-02T18:36:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lightdash/lightdash/security/advisories/GHSA-3hfp-gqgh-xc5g"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/issues/10604"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/lightdash/lightdash"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-AXIOS-15850650"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-PLAINCRYPTOJS-15850652"
},
{
"type": "WEB",
"url": "https://socket.dev/blog/axios-npm-package-compromised"
},
{
"type": "WEB",
"url": "https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html"
},
{
"type": "WEB",
"url": "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions"
}
GHSA-3VPC-4P9P-47HC
Vulnerability from github – Published: 2024-10-22 18:15 – Updated: 2024-10-22 18:15Summary
curl_cffi is potentially affected by High Severity vulnerability (CVE-2023-38545) in libcurl<8.4.0
Details
HIGH severity vulnerability in curl and libcurl: announcement Details are still unknown, but seems it will be a major issue as it's advertised by curl devs as "probably the worst curl security flaw in a long time". A patched version (8.4.0) and details will be published around 06:00 UTC on October 11. curl_cffi wheels on PyPI ship with libcurl 7.84.0
PoC
Resolution
Versions after 0.7 bundles with libcurl>=8.5, which is not affected by this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.4"
},
"package": {
"ecosystem": "PyPI",
"name": "curl-cffi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0b6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-22T18:15:17Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\ncurl_cffi is potentially affected by High Severity vulnerability (CVE-2023-38545) in libcurl\u003c8.4.0\n\n### Details\nHIGH severity vulnerability in curl and libcurl: [announcement](https://github.com/curl/curl/discussions/12026#discussioncomment-7195548)\nDetails are still unknown, but seems it will be a major issue as it\u0027s advertised by curl devs as \"_probably the worst curl security flaw in a long time_\".\nA patched version (8.4.0) and details will be published around 06:00 UTC on October 11.\ncurl_cffi wheels on PyPI ship with libcurl 7.84.0\n\n### PoC\n[https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h](https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h)\n\n### Resolution\n\nVersions after 0.7 bundles with `libcurl\u003e=8.5`, which is not affected by this issue.\n",
"id": "GHSA-3vpc-4p9p-47hc",
"modified": "2024-10-22T18:15:17Z",
"published": "2024-10-22T18:15:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-3vpc-4p9p-47hc"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-7xw9-w465-6x42"
},
{
"type": "PACKAGE",
"url": "https://github.com/lexiforest/curl_cffi"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "curl_cffi bundles a version of libcurl affected by High Severity vulnerability"
}
GHSA-46WH-3698-F2CX
Vulnerability from github – Published: 2026-03-29 15:37 – Updated: 2026-03-29 15:37Summary
There is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186).
A remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 :path pseudo-header omitting the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server routes such requests correctly, path-based authorization interceptors evaluate the raw non-canonical path and fail to match "deny" rules, allowing the request to bypass the policy entirely if a fallback "allow" rule is present.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.42
- https://github.com/traefik/traefik/releases/tag/v3.6.12
- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3
For more information
If there are any questions or comments about this advisory, please open an issue.
Original Description ### Summary This CVE hits traefik until Version 3.6.11 and 2.11.41. gRPC-Go has an authorization bypass via missing leading slash in :path ### Details As described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3 ### PoC Update library version in https://github.com/traefik/traefik/blob/67c64ed9b25fbb90f1086977a62827133a7aa01b/go.mod#L108 ### Impact Is described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-beta3"
},
{
"fixed": "3.6.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0-ea.1"
},
{
"fixed": "3.7.0-ea.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-29T15:37:28Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThere is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186).\n\nA remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 `:path` pseudo-header omitting the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server routes such requests correctly, path-based authorization interceptors evaluate the raw non-canonical path and fail to match \"deny\" rules, allowing the request to bypass the policy entirely if a fallback \"allow\" rule is present.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.42\n- https://github.com/traefik/traefik/releases/tag/v3.6.12\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\nThis CVE hits traefik until Version 3.6.11 and 2.11.41.\ngRPC-Go has an authorization bypass via missing leading slash in :path\n### Details\nAs described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3\n### PoC\nUpdate library version in \nhttps://github.com/traefik/traefik/blob/67c64ed9b25fbb90f1086977a62827133a7aa01b/go.mod#L108\n### Impact\nIs described in https://github.com/advisories/GHSA-p77j-4mvh-x3m3\n\n\u003c/details\u003e\n\n\n----------",
"id": "GHSA-46wh-3698-f2cx",
"modified": "2026-03-29T15:37:29Z",
"published": "2026-03-29T15:37:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-46wh-3698-f2cx"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-p77j-4mvh-x3m3"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/blob/67c64ed9b25fbb90f1086977a62827133a7aa01b/go.mod#L108"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.42"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.12"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-ea.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)"
}
GHSA-47H8-JMP3-9F28
Vulnerability from github – Published: 2024-12-19 15:14 – Updated: 2024-12-20 18:35pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w.
All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details.
Versions of pyrage before 1.2.0 lack plugin support and are therefore not affected.
An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c.
Thanks to ⬡-49016 for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyrage"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-56327"
],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-25",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-19T15:14:06Z",
"nvd_published_at": "2024-12-19T23:15:07Z",
"severity": "HIGH"
},
"details": "`pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w.\n\nAll details of GHSA-4fg7-vxc8-qx5w are relevant to `pyrage` for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details.\n\nVersions of `pyrage` before 1.2.0 lack plugin support and are therefore **not affected**.\n\nAn equivalent issue was fixed in [the reference Go implementation of age](https://github.com/FiloSottile/age), see advisory [GHSA-32gq-x56h-299c](https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c).\n\nThanks to \u2b21-49016 for reporting this issue.",
"id": "GHSA-47h8-jmp3-9f28",
"modified": "2024-12-20T18:35:12Z",
"published": "2024-12-19T15:14:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c"
},
{
"type": "WEB",
"url": "https://github.com/str4d/rage/security/advisories/GHSA-4fg7-vxc8-qx5w"
},
{
"type": "WEB",
"url": "https://github.com/woodruffw/pyrage/security/advisories/GHSA-47h8-jmp3-9f28"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56327"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-4fg7-vxc8-qx5w"
},
{
"type": "PACKAGE",
"url": "https://github.com/woodruffw/pyrage"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution"
}
GHSA-52CW-PVQ9-9M5V
Vulnerability from github – Published: 2024-07-17 16:00 – Updated: 2024-07-22 16:54Impact
TinyMCE v6 has a configuration value convert_unsafe_embeds set to false which allows svg files containing javascript to be used in <object> or <embed> tags, which can be used as a vector for XSS attacks.
Note that <embed> tags are not allowed by default.
After patching the default value of convert_unsafe_embeds will be set to true. This means that <object> tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved <object> tags. Developers can override this configuration if desired to revert to the original behaviour.
We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.
References:
- https://www.silverstripe.org/download/security-releases/ss-2024-001
- https://github.com/advisories/GHSA-5359-pvf2-pw78
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-17T16:00:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nTinyMCE v6 has a configuration value `convert_unsafe_embeds` set to `false` which allows svg files containing javascript to be used in `\u003cobject\u003e` or `\u003cembed\u003e` tags, which can be used as a vector for XSS attacks.\n\nNote that `\u003cembed\u003e` tags are not allowed by default.\n\nAfter patching the default value of `convert_unsafe_embeds` will be set to `true`. This means that `\u003cobject\u003e` tags will be converted to iframes instead the next time the page is saved, which may break any pages that rely upon previously saved `\u003cobject\u003e` tags. Developers can override this configuration if desired to revert to the original behaviour.\n\nWe reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS.\n\n### References:\n- https://www.silverstripe.org/download/security-releases/ss-2024-001\n- https://github.com/advisories/GHSA-5359-pvf2-pw78\n\n",
"id": "GHSA-52cw-pvq9-9m5v",
"modified": "2024-07-22T16:54:34Z",
"published": "2024-07-17T16:00:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-52cw-pvq9-9m5v"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2024-001.yaml"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-5359-pvf2-pw78"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-framework"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases/ss-2024-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Silverstripe uses TinyMCE which allows svg files linked in object tags"
}
GHSA-534C-HCR7-67JG
Vulnerability from github – Published: 2024-09-17 18:36 – Updated: 2024-11-14 17:45Summary
Kimai uses PHPSpreadsheet for importing and exporting invoices. Recently, a CVE was identified in PHPSpreadsheet, which could lead to an XXE vulnerability.
Details
Exploitation requires an Administrator account, allowing the upload of an XLSX template containing the payload. The vulnerability is triggered by the following code snippet:
// https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41
public function render(InvoiceDocument $document, InvoiceModel $model): Response
{
$spreadsheet = IOFactory::load($document->getFilename());
$worksheet = $spreadsheet->getActiveSheet();
$entries = $model->getCalculator()->getEntries();
$sheetReplacer = $model->toArray();
$invoiceItemCount = \count($entries);
if ($invoiceItemCount > 1) {
$this->addTemplateRows($worksheet, $invoiceItemCount);
}
}
The IOFactory::load function utilizes simplexml_load_string, which has previously been demonstrated to be vulnerable to XXE attacks.
While this is not directly an XXE in Kimai, it does however impact the latest stable version.
PoC
By uploading a malicious XLSX template, the payload will be triggered every time an invoice is generated.
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "php://filter/......." > %xxe;]>.....
For a better a visibility, I will upload both a: - Malicious template sample for testing - An exported invoice, showing the contents of target file during the export.
Impact
Local File Read / RCE in edge cases where phar:// can be utilized with gadget chains .
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.20.1"
},
"package": {
"ecosystem": "Packagist",
"name": "kimai/kimai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.21.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-17T18:36:50Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nKimai uses [PHPSpreadsheet](https://github.com/PHPOffice/PhpSpreadsheet) for importing and exporting invoices. Recently, a [CVE](https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7) was identified in PHPSpreadsheet, which could lead to an XXE vulnerability.\n\n\n### Details\n\nExploitation requires an Administrator account, allowing the upload of an `XLSX` template containing the payload. The vulnerability is triggered by the following code snippet:\n\n```php\n// https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41\npublic function render(InvoiceDocument $document, InvoiceModel $model): Response\n{\n $spreadsheet = IOFactory::load($document-\u003egetFilename());\n $worksheet = $spreadsheet-\u003egetActiveSheet();\n $entries = $model-\u003egetCalculator()-\u003egetEntries();\n $sheetReplacer = $model-\u003etoArray();\n $invoiceItemCount = \\count($entries);\n if ($invoiceItemCount \u003e 1) {\n $this-\u003eaddTemplateRows($worksheet, $invoiceItemCount);\n }\n}\n```\n\nThe `IOFactory::load` function utilizes `simplexml_load_string`, which has previously been demonstrated to be vulnerable to XXE attacks.\n\nWhile this is not directly an XXE in Kimai, it does however impact the latest stable version.\n\n \n### PoC\n\nBy uploading a malicious `XLSX` template, the payload will be triggered every time an invoice is generated.\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\u0027UTF-7\u0027 standalone=\"yes\"?\u003e\n+ADw-!DOCTYPE foo [ \u003c!ENTITY % xxe SYSTEM \"php://filter/.......\" \u003e %xxe;]\u003e.....\n```\n\nFor a better a visibility, I will upload both a:\n- Malicious template sample for testing \n- An exported invoice, showing the contents of target file during the export. \n\n### Impact\nLocal File Read / RCE in edge cases where `phar://` can be utilized with [gadget chains](https://github.com/ambionics/phpggc) . \n\n\n[export.xlsx](https://github.com/user-attachments/files/16803913/export.xlsx)\n[sample_template.xlsx](https://github.com/user-attachments/files/16803916/sample_template.xlsx)\n",
"id": "GHSA-534c-hcr7-67jg",
"modified": "2024-11-14T17:45:16Z",
"published": "2024-09-17T18:36:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7"
},
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-534c-hcr7-67jg"
},
{
"type": "WEB",
"url": "https://github.com/kimai/kimai/commit/3204dcb03e1003dba90178667a4667ce3edb87b5"
},
{
"type": "PACKAGE",
"url": "https://github.com/kimai/kimai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Kimai has an XXE Leading to Local File Read"
}
GHSA-537C-GMF6-5CCF
Vulnerability from github – Published: 2026-06-15 20:12 – Updated: 2026-06-15 20:12pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.
If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "cryptography"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "48.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T20:12:27Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "pyca/cryptography\u0027s wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
"id": "GHSA-537c-gmf6-5ccf",
"modified": "2026-06-15T20:12:27Z",
"published": "2026-06-15T20:12:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyca/cryptography/security/advisories/GHSA-537c-gmf6-5ccf"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyca/cryptography"
},
{
"type": "WEB",
"url": "https://openssl-library.org/news/secadv/20260609.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Vulnerable OpenSSL included in cryptography wheels"
}
GHSA-5423-JCJM-2GPV
Vulnerability from github – Published: 2025-04-18 19:35 – Updated: 2025-04-18 19:35Summary
net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. [CVE-2025-22871] Vendor Affected Components: Go: 1.23.x < 1.23.8
More Details: CVE-2025-22871
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.24
- https://github.com/traefik/traefik/releases/tag/v3.3.6
- https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.24"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0-rc1"
},
{
"fixed": "3.4.0-rc2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.4.0-rc1"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-18T19:35:17Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nnet/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. [CVE-2025-22871] Vendor Affected Components: Go: 1.23.x \u003c 1.23.8\n\nMore Details: [CVE-2025-22871](https://nvd.nist.gov/vuln/detail/CVE-2025-22871)\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.24\n- https://github.com/traefik/traefik/releases/tag/v3.3.6\n- https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2",
"id": "GHSA-5423-jcjm-2gpv",
"modified": "2025-04-18T19:35:17Z",
"published": "2025-04-18T19:35:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-5423-jcjm-2gpv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.24"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.3.6"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Traefik affected by Go HTTP Request Smuggling Vulnerability"
}
GHSA-594F-3595-C47V
Vulnerability from github – Published: 2026-03-18 12:59 – Updated: 2026-03-18 12:59Summary
The terraform-provider-argocd might have been vulnerable to GO-2026-4337 / CVE-2025-68121 ("Unexpected session resumption in crypto/tls").
Details
See https://pkg.go.dev/vuln/GO-2026-4337 for the upstream vulnerability.
Provider versions starting with v7.15.1 are using go 1.25.8 for building and are thus no longer affected.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj-labs/terraform-provider-argocd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.3-0.20260316182343-b3364f3f32e7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T12:59:01Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe terraform-provider-argocd might have been vulnerable to GO-2026-4337 / CVE-2025-68121 (\"Unexpected session resumption in crypto/tls\").\n\n### Details\n\nSee https://pkg.go.dev/vuln/GO-2026-4337 for the upstream vulnerability.\n\nProvider versions starting with `v7.15.1` are using `go 1.25.8` for building and are thus no longer affected.",
"id": "GHSA-594f-3595-c47v",
"modified": "2026-03-18T12:59:01Z",
"published": "2026-03-18T12:59:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj-labs/terraform-provider-argocd/security/advisories/GHSA-594f-3595-c47v"
},
{
"type": "WEB",
"url": "https://github.com/argoproj-labs/terraform-provider-argocd/commit/b3364f3f32e70f1563c5f3162d370db704430294"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj-labs/terraform-provider-argocd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121"
}
GHSA-5J59-XGG2-R9C4
Vulnerability from github – Published: 2025-12-12 17:21 – Updated: 2026-01-15 21:55It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "13.3.1-canary.0"
},
{
"fixed": "14.2.35"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.0.6"
},
{
"fixed": "15.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.1.10"
},
{
"fixed": "15.1.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.2.7"
},
{
"fixed": "15.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.3.7"
},
{
"fixed": "15.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.4.9"
},
{
"fixed": "15.4.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.5.8"
},
{
"fixed": "15.5.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "15.6.0-canary.59"
},
{
"fixed": "15.6.0-canary.60"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.9"
},
{
"fixed": "16.0.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "16.1.0-canary.17"
},
{
"fixed": "16.1.0-canary.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-400",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-12T17:21:57Z",
"nvd_published_at": "2025-12-12T00:15:46Z",
"severity": "HIGH"
},
"details": "It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption. \n\nThis vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.",
"id": "GHSA-5j59-xgg2-r9c4",
"modified": "2026-01-15T21:55:04Z",
"published": "2025-12-12T17:21:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67779"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/next.js"
},
{
"type": "WEB",
"url": "https://nextjs.org/blog/security-update-2025-12-11"
},
{
"type": "WEB",
"url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55184"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2025-67779"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up"
}
Mitigation
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Mitigation
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Mitigation
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Mitigation
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Mitigation
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
No CAPEC attack patterns related to this CWE.