CWE-1395
Allowed-with-ReviewDependency on Vulnerable Third-Party Component
Abstraction: Class · Status: Incomplete
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
110 vulnerabilities reference this CWE, most recent first.
GHSA-5J8P-438X-RGG5
Vulnerability from github – Published: 2025-12-09 17:24 – Updated: 2025-12-09 17:24Summary
There is a critical vulnerability on xmlseclibs CVE-2025-66475, a dependency of php-saml
Update to the following versions of php-saml which forces the use of patched versions of xmlseclibs: - 2.21.1 - 3.8.1 - 4.3.1
Impact
Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "onelogin/php-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.21.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "onelogin/php-saml"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "onelogin/php-saml"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-09T17:24:09Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "**Summary**\n\nThere is a critical vulnerability on xmlseclibs [CVE-2025-66475](https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9), a dependency of php-saml\n\nUpdate to the following versions of php-saml which forces the use of patched versions of xmlseclibs:\n- [2.21.1](https://github.com/SAML-Toolkits/php-saml/releases/tag/2.21.1)\n- [3.8.1](https://github.com/SAML-Toolkits/php-saml/releases/tag/3.8.1)\n- [4.3.1](https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.1)\n\n\n**Impact**\n\nSignature Wrapping Vulnerabilities allows an attacker to impersonate a user.",
"id": "GHSA-5j8p-438x-rgg5",
"modified": "2025-12-09T17:24:09Z",
"published": "2025-12-09T17:24:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/php-saml/security/advisories/GHSA-5j8p-438x-rgg5"
},
{
"type": "WEB",
"url": "https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9"
},
{
"type": "PACKAGE",
"url": "https://github.com/SAML-Toolkits/php-saml"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/php-saml/releases/tag/2.21.1"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/php-saml/releases/tag/3.8.1"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": " SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475 "
}
GHSA-5MWF-688X-MR7X
Vulnerability from github – Published: 2025-02-19 22:17 – Updated: 2025-03-10 22:39Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.
Original Description
Summary
Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.
libxml2 v2.13.6 addresses:
- CVE-2025-24928
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
- CVE-2024-56171
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828
Impact
CVE-2025-24928
Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.
CVE-2024-56171
Use-after-free is possible during validation against untrusted
XML Schemas (.xsd) and, potentially, validation of untrusted documents
against trusted Schemas if they make use of xsd:keyref in combination
with recursively defined types that have additional identity constraints.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-19T22:17:19Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.\n\n# Original Description\n\n## Summary\n\nNokogiri v1.18.3 upgrades its dependency libxml2 to\n[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).\n\nlibxml2 v2.13.6 addresses:\n\n- CVE-2025-24928\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847\n- CVE-2024-56171\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828\n\n## Impact\n\n### CVE-2025-24928\n\nStack-buffer overflow is possible when reporting DTD validation\nerrors if the input contains a long (~3kb) QName prefix.\n\n### CVE-2024-56171\n\nUse-after-free is possible during validation against untrusted\nXML Schemas (.xsd) and, potentially, validation of untrusted documents\nagainst trusted Schemas if they make use of `xsd:keyref` in combination\nwith recursively defined types that have additional identity constraints.",
"id": "GHSA-5mwf-688x-mr7x",
"modified": "2025-03-10T22:39:14Z",
"published": "2025-02-19T22:17:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171",
"withdrawn": "2025-03-10T22:39:14Z"
}
GHSA-5PMW-9J92-3C4C
Vulnerability from github – Published: 2025-02-24 18:27 – Updated: 2025-02-24 18:27OpenH264 recently reported a heap overflow that was fixed in upstream 63db555 and integrated into our 0.6.6 release. For users relying on Cisco's pre-compiled DLL, we also published 0.8.0, which is compatible with their latest fixed DLL version 2.6.0.
In other words:
- if you rely on our source feature only, >=0.6.6 should be safe,
- if you rely on libloading, you must upgrade to 0.8.0 and use their latest DLL >=2.6.0.
Users handling untrusted video files should update immediately.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "openh264-sys2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-24T18:27:25Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "OpenH264 recently reported a [heap overflow](https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x) that was fixed in upstream [63db555](https://github.com/cisco/openh264/commit/63db555e30986e3a5f07871368dc90ae78c27449) and [integrated into](https://github.com/ralfbiedert/openh264-rs/commit/3a822fff0b4c9a984622ca2b179fe8898ac54b14) our 0.6.6 release. For users relying on Cisco\u0027s pre-compiled DLL, we also published 0.8.0, which is compatible with their latest fixed DLL version 2.6.0. \n\nIn other words:\n- if you rely on our `source` feature only, \u003e=0.6.6 should be safe,\n- if you rely on `libloading`, you must upgrade to 0.8.0 _and_ use their latest DLL \u003e=2.6.0. \n\nUsers handling untrusted video files should update immediately.",
"id": "GHSA-5pmw-9j92-3c4c",
"modified": "2025-02-24T18:27:25Z",
"published": "2025-02-24T18:27:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27091"
},
{
"type": "WEB",
"url": "https://github.com/cisco/openh264/pull/3818"
},
{
"type": "WEB",
"url": "https://github.com/ralfbiedert/openh264-rs/commit/3a822fff0b4c9a984622ca2b179fe8898ac54b14"
},
{
"type": "PACKAGE",
"url": "https://github.com/ralfbiedert/openh264-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenH264 Rust API Openh264 Decoding Functions Heap Overflow Vulnerability"
}
GHSA-5W6V-399V-W3CC
Vulnerability from github – Published: 2025-04-21 21:55 – Updated: 2025-04-21 21:55Summary
Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.
libxml2 v2.13.8 addresses:
- CVE-2025-32414
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
- CVE-2025-32415
- described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
Impact
CVE-2025-32414: No impact
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
There is no impact from this CVE for Nokogiri users.
CVE-2025-32415: Low impact
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
In the upstream issue, further context is provided by the maintainer:
The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.
MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-21T21:55:56Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\nNokogiri v1.18.8 upgrades its dependency libxml2 to [v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).\n\nlibxml2 v2.13.8 addresses:\n\n- CVE-2025-32414\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889\n- CVE-2025-32415\n - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890\n\n## Impact\n\n### CVE-2025-32414: No impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.\n\n**There is no impact** from this CVE for Nokogiri users.\n\n\n### CVE-2025-32415: Low impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.\n\nIn the upstream issue, further context is provided by the maintainer:\n\n\u003e The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted\n\u003e documents against trusted Schemas if they make use of xsd:keyref in combination with recursively\n\u003e defined types that have additional identity constraints.\n\nMITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.",
"id": "GHSA-5w6v-399v-w3cc",
"modified": "2025-04-21T21:55:56Z",
"published": "2025-04-21T21:55:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/889"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/890"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415"
}
GHSA-63CX-G855-HVV4
Vulnerability from github – Published: 2025-08-25 21:01 – Updated: 2025-08-25 21:01mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks when mitmproxy is in a configuration where it translates HTTP/2 to HTTP/1. For example, this affects reverse proxies to http:// backends. It does not affect mitmproxy's regular mode.
All users are encouraged to upgrade to mitmproxy 12.1.2, which includes a fixed version of h2.
More details about the vulnerability itself can be found at https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.1.1"
},
"package": {
"ecosystem": "PyPI",
"name": "mitmproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-25T21:01:00Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "mitmproxy 12.1.1 and below embed python-hyper/h2 \u2264 v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks when mitmproxy is in a configuration where it translates HTTP/2 to HTTP/1. For example, this affects reverse proxies to `http://` backends. It does not affect mitmproxy\u0027s regular mode.\n\nAll users are encouraged to upgrade to mitmproxy 12.1.2, which includes a fixed version of h2.\n\nMore details about the vulnerability itself can be found at https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h.",
"id": "GHSA-63cx-g855-hvv4",
"modified": "2025-08-25T21:01:01Z",
"published": "2025-08-25T21:01:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-63cx-g855-hvv4"
},
{
"type": "WEB",
"url": "https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h"
},
{
"type": "PACKAGE",
"url": "https://github.com/mitmproxy/mitmproxy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "mitmproxy binaries embed a vulnerable python-hyper/h2 dependency"
}
GHSA-64GP-R758-8PFM
Vulnerability from github – Published: 2024-12-23 20:15 – Updated: 2024-12-23 20:15A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker (or insider) may execute a malicious payload which could trigger an undesired behavior against the server.
Impact
Cross-site scripting (XSS) vulnerability in the management console.
Patches
Fixed in HAL 3.7.7.Final
Workarounds
No workaround available
References
See also: https://issues.redhat.com/browse/WFLY-19969
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jboss.hal:hal-console"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.7.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-23T20:15:16Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker (or insider) may execute a malicious payload which could trigger an undesired behavior against the server.\n\n### Impact\nCross-site scripting (XSS) vulnerability in the management console.\n\n### Patches\nFixed in [HAL 3.7.7.Final](https://github.com/hal/console/releases/tag/v3.7.7) \n\n### Workarounds\nNo workaround available\n\n### References\nSee also: https://issues.redhat.com/browse/WFLY-19969\n",
"id": "GHSA-64gp-r758-8pfm",
"modified": "2024-12-23T20:15:16Z",
"published": "2024-12-23T20:15:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hal/console/security/advisories/GHSA-64gp-r758-8pfm"
},
{
"type": "PACKAGE",
"url": "https://github.com/hal/console"
},
{
"type": "WEB",
"url": "https://github.com/hal/console/releases/tag/v3.7.7"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/WFLY-19969"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Cross Site Scripting (XSS) vulnerability while uploading content to a new deployment"
}
GHSA-658G-P7JG-WX5G
Vulnerability from github – Published: 2026-04-02 18:34 – Updated: 2026-04-06 23:41Impact
This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).
Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted.
Potential impact includes:
- Execution of a malicious
postinstallscript - Remote Access Trojan (RAT) installation
- Exfiltration of credentials and sensitive data
Not impacted:
- Bruno desktop app users
- Users who installed outside the attack window
Patches
The compromised axios versions (1.14.1, 0.30.4) have been removed from npm, and new installations will now resolve to safe versions.
Additionally, Bruno has taken further hardening steps:
- Pinned
axiosto a known safe version to prevent accidental resolution to malicious releases - Fix implemented in: https://github.com/usebruno/bruno/pull/7632
Recommendation
If users installed @usebruno/cli during the affected window: 1. Reinstall dependencies 2. Rotate all credentials and secrets:
For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.2.0"
},
"package": {
"ecosystem": "npm",
"name": "@usebruno/cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34841"
],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-494",
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T18:34:04Z",
"nvd_published_at": "2026-04-06T17:17:10Z",
"severity": "CRITICAL"
},
"details": "### **Impact**\n\nThis is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).\n\nUsers of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.\n\nPotential impact includes:\n\n* Execution of a malicious `postinstall` script\n* Remote Access Trojan (RAT) installation\n* Exfiltration of credentials and sensitive data\n\n**Not impacted:**\n\n* Bruno desktop app users\n* Users who installed outside the attack window\n\n\n### **Patches**\n\nThe compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions.\n\nAdditionally, Bruno has taken further hardening steps:\n\n* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases\n* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)\n\n\n### **Recommendation**\n\nIf users installed **@usebruno/cli** during the affected window:\n1. Reinstall dependencies\n2. Rotate all credentials and secrets:\n\nFor additional guidance on securing your system, refer to this article:\nhttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat",
"id": "GHSA-658g-p7jg-wx5g",
"modified": "2026-04-06T23:41:01Z",
"published": "2026-04-02T18:34:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34841"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/issues/10604"
},
{
"type": "WEB",
"url": "https://github.com/usebruno/bruno/pull/7632"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/usebruno/bruno"
},
{
"type": "WEB",
"url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Axios npm Supply Chain Incident Impacting @usebruno/cli"
}
GHSA-6JQF-MV7M-3Q7P
Vulnerability from github – Published: 2025-11-13 22:36 – Updated: 2025-11-17 21:50The standard library net/http package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. I can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
See https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.45.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.45.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-13T22:36:01Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. I can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.\n\nSee https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.",
"id": "GHSA-6jqf-mv7m-3q7p",
"modified": "2025-11-17T21:50:44Z",
"published": "2025-11-13T22:36:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6jqf-mv7m-3q7p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
},
{
"type": "PACKAGE",
"url": "https://github.com/filebrowser/filebrowser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency"
}
GHSA-6VXV-WG6J-5QWP
Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42Summary
Gogs renders Jupyter notebook files (.ipynb) using jsvine/notebookjs, but the version is outdated, missing patches for known XSS vulnerabilities.
Details
Gogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:
https://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47
The latest version of jsvine/notebookjs is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.
PoC
- Create a new repository
- Create a file inside the repository named
xss.ipynband give it the following content:
{"cells": [{"cell_type": "markdown", "metadata": {}, "source": ["<img src=x onerror=\"alert(origin)\">"]}], "metadata": {}, "nbformat": 4, "nbformat_minor": 2}
- Save the file and view the file in Gogs. Notice that the XSS popup triggers:
Impact
Any user with rights to create repositories can create XSS payloads that take over the victim's account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:42:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nGogs renders Jupyter notebook files (`.ipynb`) using [jsvine/notebookjs](https://github.com/jsvine/notebookjs), but the version is outdated, missing patches for known XSS vulnerabilities.\n\n### Details\n\nGogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:\n\nhttps://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47\n\nThe latest version of [jsvine/notebookjs](https://github.com/jsvine/notebookjs) is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.\n\n### PoC\n\n1. Create a new repository\n2. Create a file inside the repository named `xss.ipynb` and give it the following content:\n\n```json\n{\"cells\": [{\"cell_type\": \"markdown\", \"metadata\": {}, \"source\": [\"\u003cimg src=x onerror=\\\"alert(origin)\\\"\u003e\"]}], \"metadata\": {}, \"nbformat\": 4, \"nbformat_minor\": 2}\n```\n\n\u003cimg width=\"1054\" height=\"208\" alt=\"image\" src=\"https://github.com/user-attachments/assets/49b7f33c-c4df-4537-99e9-b1ea74f2c6de\" /\u003e\n\n3. Save the file and view the file in Gogs. Notice that the XSS popup triggers:\n\n\u003cimg width=\"1317\" height=\"407\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3b18d870-7194-41b0-92db-687e952abc07\" /\u003e\n\n### Impact\n\nAny user with rights to create repositories can create XSS payloads that take over the victim\u0027s account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.",
"id": "GHSA-6vxv-wg6j-5qwp",
"modified": "2026-06-19T21:42:52Z",
"published": "2026-06-19T21:42:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-6vxv-wg6j-5qwp"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gogs: XSS in .ipynb files renderer due to outdated notebookjs"
}
GHSA-79V4-65XG-PQ4G
Vulnerability from github – Published: 2025-02-11 18:06 – Updated: 2025-02-12 18:20pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt.
If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "cryptography"
},
"ranges": [
{
"events": [
{
"introduced": "42.0.0"
},
{
"fixed": "44.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-12797"
],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-392"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-11T18:06:42Z",
"nvd_published_at": "2025-02-11T16:15:38Z",
"severity": "LOW"
},
"details": "pyca/cryptography\u0027s wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
"id": "GHSA-79v4-65xg-pq4g",
"modified": "2025-02-12T18:20:06Z",
"published": "2025-02-11T18:06:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyca/cryptography/security/advisories/GHSA-79v4-65xg-pq4g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12797"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyca/cryptography"
},
{
"type": "WEB",
"url": "https://openssl-library.org/news/secadv/20250211.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/02/11/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/02/11/4"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Vulnerable OpenSSL included in cryptography wheels"
}
Mitigation
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Mitigation
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Mitigation
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Mitigation
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Mitigation
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
No CAPEC attack patterns related to this CWE.