Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

420 vulnerabilities reference this CWE, most recent first.

GHSA-2GW2-QGJG-XH6P

Vulnerability from github – Published: 2025-02-20 20:24 – Updated: 2025-02-20 20:24
VLAI
Summary
Namada-apps allows Post-Genesis Validator Bypass
Details

Impact

Ledger crash. A user is able to initialize a post-genesis validator with a negative commission rate using the --force flag. If this validator gets into the consensus set, then when computing PoS inflation inside fn update_rewards_products_and_mint_inflation, an instance of mul_floor will cause the return of an Err, which causes finalize_block to error.

Patches

This issue has been patched in apps version 1.1.0. The PoS validity predicate now enforces that the commission rate is not negative and any transaction that fails the check will be rejected, both for newly initialized validators and for commission rate change of an existing validator.

Workarounds

There are no workarounds and users are advised to upgrade.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "namada-apps"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.0"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-20T20:24:19Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nLedger crash. A user is able to initialize a post-genesis validator with a negative commission rate using the `--force` flag. If this validator gets into the consensus set, then when computing PoS inflation inside `fn update_rewards_products_and_mint_inflation`, an instance of `mul_floor` will cause the return of an `Err`, which causes `finalize_block` to error.\n\n### Patches\n\nThis issue has been patched in apps version 1.1.0. The PoS validity predicate now enforces that the commission rate is not negative and any transaction that fails the check will be rejected, both for newly initialized validators and for commission rate change of an existing validator.\n\n### Workarounds\n\nThere are no workarounds and users are advised to upgrade.",
  "id": "GHSA-2gw2-qgjg-xh6p",
  "modified": "2025-02-20T20:24:19Z",
  "published": "2025-02-20T20:24:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anoma/namada/security/advisories/GHSA-2gw2-qgjg-xh6p"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anoma/namada"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Namada-apps allows Post-Genesis Validator Bypass"
}

GHSA-2QM5-PR8V-RJVP

Vulnerability from github – Published: 2025-09-25 18:30 – Updated: 2025-09-29 18:33
VLAI
Details

A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-25T16:15:34Z",
    "severity": "HIGH"
  },
  "details": "A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).",
  "id": "GHSA-2qm5-pr8v-rjvp",
  "modified": "2025-09-29T18:33:12Z",
  "published": "2025-09-25T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55553"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytorch/pytorch/issues/151432"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytorch/pytorch/pull/154645"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2XPC-6R4R-V2HH

Vulnerability from github – Published: 2023-11-01 18:30 – Updated: 2023-11-01 18:30
VLAI
Details

A vulnerability in ICMPv6 processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper processing of ICMPv6 messages. An attacker could exploit this vulnerability by sending crafted ICMPv6 messages to a targeted Cisco ASA or FTD system with IPv6 enabled. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-01T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in ICMPv6 processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper processing of ICMPv6 messages. An attacker could exploit this vulnerability by sending crafted ICMPv6 messages to a targeted Cisco ASA or FTD system with IPv6 enabled. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.",
  "id": "GHSA-2xpc-6r4r-v2hh",
  "modified": "2023-11-01T18:30:33Z",
  "published": "2023-11-01T18:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20086"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-icmpv6-t5TzqwNd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-345M-8C2P-V3FJ

Vulnerability from github – Published: 2024-04-27 00:30 – Updated: 2024-04-27 00:30
VLAI
Details

Malformed S2 Nonce Get command classes can be sent to crash the gateway. A hard reset is required to recover the gateway.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-26T22:15:08Z",
    "severity": "HIGH"
  },
  "details": "\nMalformed S2 Nonce Get command classes can be sent to crash the gateway. A hard reset is required to recover the gateway.",
  "id": "GHSA-345m-8c2p-v3fj",
  "modified": "2024-04-27T00:30:38Z",
  "published": "2024-04-27T00:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3052"
    },
    {
      "type": "WEB",
      "url": "https://community.silabs.com/068Vm0000045w2j"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3677-XG45-9RPH

Vulnerability from github – Published: 2025-02-06 21:32 – Updated: 2025-02-06 21:32
VLAI
Details

IBM EntireX 11.1 could allow a local user to cause a denial of service due to an unhandled error and fault isolation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-06T21:15:21Z",
    "severity": "MODERATE"
  },
  "details": "IBM EntireX 11.1 could allow a local user to cause a denial of service due to an unhandled error and fault isolation.",
  "id": "GHSA-3677-xg45-9rph",
  "modified": "2025-02-06T21:32:09Z",
  "published": "2025-02-06T21:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0158"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7182693"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37QJ-FRW5-HHJH

Vulnerability from github – Published: 2026-01-30 20:10 – Updated: 2026-02-11 23:13
VLAI
Summary
fast-xml-parser has RangeError DoS Numeric Entities Bug
Details

Summary

A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., � or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.

Details

The vulnerability exists in /src/xmlparser/OrderedObjParser.js at lines 44-45:

"num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) },
"num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) },

The String.fromCodePoint() method throws a RangeError when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this: - [0-9]{1,7} matches up to 9,999,999 - [0-9a-fA-F]{1,6} matches up to 0xFFFFFF (16,777,215)

The entity replacement in replaceEntitiesValue() (line 452) has no try-catch:

val = val.replace(entity.regex, entity.val);

This causes the RangeError to propagate uncaught, crashing the parser and any application using it.

PoC

Setup

Create a directory with these files:

poc/
├── package.json
├── server.js

package.json

{ "dependencies": { "fast-xml-parser": "^5.3.3" } }

server.js

const http = require('http');
const { XMLParser } = require('fast-xml-parser');

const parser = new XMLParser({ processEntities: true, htmlEntities: true });

http.createServer((req, res) => {
  if (req.method === 'POST' && req.url === '/parse') {
    let body = '';
    req.on('data', c => body += c);
    req.on('end', () => {
      const result = parser.parse(body);  // No try-catch - will crash!
      res.end(JSON.stringify(result));
    });
  } else {
    res.end('POST /parse with XML body');
  }
}).listen(3000, () => console.log('http://localhost:3000'));

Run

# Setup
npm install

# Terminal 1: Start server
node server.js

# Terminal 2: Send malicious payload (server will crash)
curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>&#9999999;</root>' http://localhost:3000/parse

Result

Server crashes with:

RangeError: Invalid code point 9999999

Alternative Payloads

<!-- Hex variant -->
<?xml version="1.0"?><root>&#xFFFFFF;</root>

<!-- In attribute -->
<?xml version="1.0"?><root attr="&#9999999;"/>

Impact

Denial of Service (DoS):* Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:

  • API servers accepting XML payloads
  • File processors parsing uploaded XML files
  • Message queues consuming XML messages
  • RSS/Atom feed parsers
  • SOAP/XML-RPC services

A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.3.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.9"
            },
            {
              "fixed": "5.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-30T20:10:14Z",
    "nvd_published_at": "2026-01-30T16:16:14Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `\u0026#9999999;` or `\u0026#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.\n\n### Details\nThe vulnerability exists in `/src/xmlparser/OrderedObjParser.js` at lines 44-45:\n\n```javascript\n\"num_dec\": { regex: /\u0026#([0-9]{1,7});/g, val : (_, str) =\u003e String.fromCodePoint(Number.parseInt(str, 10)) },\n\"num_hex\": { regex: /\u0026#x([0-9a-fA-F]{1,6});/g, val : (_, str) =\u003e String.fromCodePoint(Number.parseInt(str, 16)) },\n```\n\nThe `String.fromCodePoint()` method throws a `RangeError` when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:\n- `[0-9]{1,7}` matches up to 9,999,999\n- `[0-9a-fA-F]{1,6}` matches up to 0xFFFFFF (16,777,215)\n\nThe entity replacement in `replaceEntitiesValue()` (line 452) has no try-catch:\n\n```javascript\nval = val.replace(entity.regex, entity.val);\n```\n\nThis causes the RangeError to propagate uncaught, crashing the parser and any application using it.\n### PoC\n#### Setup\n\nCreate a directory with these files:\n\n```\npoc/\n\u251c\u2500\u2500 package.json\n\u251c\u2500\u2500 server.js\n```\n\n**package.json**\n```json\n{ \"dependencies\": { \"fast-xml-parser\": \"^5.3.3\" } }\n```\n\n**server.js**\n```javascript\nconst http = require(\u0027http\u0027);\nconst { XMLParser } = require(\u0027fast-xml-parser\u0027);\n\nconst parser = new XMLParser({ processEntities: true, htmlEntities: true });\n\nhttp.createServer((req, res) =\u003e {\n  if (req.method === \u0027POST\u0027 \u0026\u0026 req.url === \u0027/parse\u0027) {\n    let body = \u0027\u0027;\n    req.on(\u0027data\u0027, c =\u003e body += c);\n    req.on(\u0027end\u0027, () =\u003e {\n      const result = parser.parse(body);  // No try-catch - will crash!\n      res.end(JSON.stringify(result));\n    });\n  } else {\n    res.end(\u0027POST /parse with XML body\u0027);\n  }\n}).listen(3000, () =\u003e console.log(\u0027http://localhost:3000\u0027));\n```\n\n#### Run\n\n```bash\n# Setup\nnpm install\n\n# Terminal 1: Start server\nnode server.js\n\n# Terminal 2: Send malicious payload (server will crash)\ncurl -X POST -H \"Content-Type: application/xml\" -d \u0027\u003c?xml version=\"1.0\"?\u003e\u003croot\u003e\u0026#9999999;\u003c/root\u003e\u0027 http://localhost:3000/parse\n``` \n#### Result\n\nServer crashes with:\n```\nRangeError: Invalid code point 9999999\n```\n\n#### Alternative Payloads\n\n```xml\n\u003c!-- Hex variant --\u003e\n\u003c?xml version=\"1.0\"?\u003e\u003croot\u003e\u0026#xFFFFFF;\u003c/root\u003e\n\n\u003c!-- In attribute --\u003e\n\u003c?xml version=\"1.0\"?\u003e\u003croot attr=\"\u0026#9999999;\"/\u003e\n```\n\n### Impact\n*Denial of Service (DoS):** Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:\n\n- **API servers** accepting XML payloads\n- **File processors** parsing uploaded XML files\n- **Message queues** consuming XML messages\n- **RSS/Atom feed parsers**\n- **SOAP/XML-RPC services**\n\nA single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.",
  "id": "GHSA-37qj-frw5-hhjh",
  "modified": "2026-02-11T23:13:02Z",
  "published": "2026-01-30T20:10:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser has RangeError DoS Numeric Entities Bug"
}

GHSA-3F57-W2RP-72FC

Vulnerability from github – Published: 2022-05-17 00:15 – Updated: 2022-11-08 12:43
VLAI
Summary
Undertow Uncaught Exception vulnerability
Details

A long URL proxy request lead to java.nio.BufferOverflowException in Undertow.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.3.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.25.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-7046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T12:43:33Z",
    "nvd_published_at": "2016-10-03T21:59:00Z",
    "severity": "MODERATE"
  },
  "details": "A long URL proxy request lead to java.nio.BufferOverflowException in Undertow.",
  "id": "GHSA-3f57-w2rp-72fc",
  "modified": "2022-11-08T12:43:33Z",
  "published": "2022-05-17T00:15:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7046"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/commit/c518b5a1784061d807efedcef0a03fcd35a53de2"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1376646"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/undertow-io/undertow"
    },
    {
      "type": "WEB",
      "url": "https://issues.redhat.com/browse/UNDERTOW-835"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2016-7046"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Undertow Uncaught Exception vulnerability"
}

GHSA-3G9H-9HP4-654V

Vulnerability from github – Published: 2026-03-18 20:11 – Updated: 2026-03-25 18:12
VLAI
Summary
SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
Details

Summary

The SiYuan kernel WebSocket server accepts unauthenticated connections when a specific “auth keepalive” query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON.

A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service.

Details

1. Authentication Bypass via Keepalive Query

Unauthenticated connections are accepted if the request URI matches a specific pattern intended for an authentication page keepalive.

File: kernel/server/serve.go

if !authOk {
    authOk = strings.Contains(s.Request.RequestURI, "/ws?app=siyuan") &&
             strings.Contains(s.Request.RequestURI, "&id=auth&type=auth")
}

2. Unsafe Type Assertions on Untrusted Input

Incoming JSON messages are parsed into a generic map and fields are accessed without validation.

File: kernel/server/serve.go

cmdStr := request["cmd"].(string)
cmdId  := request["reqId"].(float64)
param  := request["param"].(map[string]interface{})

Malformed or missing fields trigger a runtime panic. The handler does not implement local panic recovery, allowing crashes to propagate.

PoC

Step 1 — Prepare workspace directory

mkdir -p ./workspace

Step 2 — Run SiYuan container

docker run -d \
  -p 6806:6806 \
  -e SIYUAN_ACCESS_AUTH_CODE_BYPASS=true \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan \
  --workspace=/siyuan/workspace

Service becomes reachable at http://127.0.0.1:6806

Step 3 — Confirm service availability

Open in browser:

http://127.0.0.1:6806

Step 4 — Connect to unauthenticated WebSocket endpoint

ws://127.0.0.1:6806/ws?app=siyuan&id=auth&type=auth

This connection is accepted without credentials.

Step 5 — Send malformed payload

Payload:


{}

Step 6 — Observe behavior

Monitor container logs:


docker logs -f <container_id>

Impact

An unauthenticated attacker with network access can repeatedly crash the kernel, causing persistent denial of service.

Impact is highest when the service is exposed beyond localhost (e.g., Docker deployments, reverse proxies, LAN access, or public hosting).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T20:11:00Z",
    "nvd_published_at": "2026-03-20T23:16:45Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nThe SiYuan kernel WebSocket server accepts unauthenticated connections when a specific \u201cauth keepalive\u201d query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON.\n\nA remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service.\n\n## Details\n**1. Authentication Bypass via Keepalive Query**\n\nUnauthenticated connections are accepted if the request URI matches a specific pattern intended for an authentication page keepalive.\n\n**File: kernel/server/serve.go**\n\n```\nif !authOk {\n    authOk = strings.Contains(s.Request.RequestURI, \"/ws?app=siyuan\") \u0026\u0026\n             strings.Contains(s.Request.RequestURI, \"\u0026id=auth\u0026type=auth\")\n}\n\n```\n\n**2. Unsafe Type Assertions on Untrusted Input**\n\nIncoming JSON messages are parsed into a generic map and fields are accessed without validation.\n\n**File: kernel/server/serve.go**\n\n```\ncmdStr := request[\"cmd\"].(string)\ncmdId  := request[\"reqId\"].(float64)\nparam  := request[\"param\"].(map[string]interface{})\n\n```\nMalformed or missing fields trigger a runtime panic.\nThe handler does not implement local panic recovery, allowing crashes to propagate.\n\n## PoC\n**Step 1 \u2014 Prepare workspace directory**\n\n```sh\nmkdir -p ./workspace\n```\n\n**Step 2 \u2014 Run SiYuan container**\n\n```\ndocker run -d \\\n  -p 6806:6806 \\\n  -e SIYUAN_ACCESS_AUTH_CODE_BYPASS=true \\\n  -v $(pwd)/workspace:/siyuan/workspace \\\n  b3log/siyuan \\\n  --workspace=/siyuan/workspace\n```\n\nService becomes reachable at http://127.0.0.1:6806\n\n**Step 3 \u2014 Confirm service availability**\n\nOpen in browser:\n\n```sh\nhttp://127.0.0.1:6806\n```\n\n**Step 4 \u2014 Connect to unauthenticated WebSocket endpoint**\n\n```sh\nws://127.0.0.1:6806/ws?app=siyuan\u0026id=auth\u0026type=auth\n```\n\nThis connection is accepted without credentials.\n\n**Step 5 \u2014 Send malformed payload**\n\nPayload:\n\n```sh\n\n{}\n\n```\n\n**Step 6 \u2014 Observe behavior**\n\nMonitor container logs:\n\n```sh\n\ndocker logs -f \u003ccontainer_id\u003e\n\n```\n## Impact\nAn unauthenticated attacker with network access can repeatedly crash the kernel, causing persistent denial of service.\n\nImpact is highest when the service is exposed beyond localhost (e.g., Docker deployments, reverse proxies, LAN access, or public hosting).",
  "id": "GHSA-3g9h-9hp4-654v",
  "modified": "2026-03-25T18:12:26Z",
  "published": "2026-03-18T20:11:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33203"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass"
}

GHSA-3GMG-R977-HQCC

Vulnerability from github – Published: 2025-01-23 12:32 – Updated: 2026-02-23 12:31
VLAI
Details

Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 allows a highly privileged attacker to cause denial of service via configuration change.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T11:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 allows a highly privileged attacker to cause denial of service via configuration change.",
  "id": "GHSA-3gmg-r977-hqcc",
  "modified": "2026-02-23T12:31:29Z",
  "published": "2025-01-23T12:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0648"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2025-0648"
    },
    {
      "type": "WEB",
      "url": "https://product.m-files.com/security-advisories/cve-2025-0648"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3HJG-VC7R-RCRW

Vulnerability from github – Published: 2022-04-07 15:20 – Updated: 2022-04-07 15:20
VLAI
Summary
Denial of Service vulnerability in @podium/layout and @podium/proxy
Details

Impact

An attacker using the Trailer header as part of the request against proxy endpoints has the ability to take down the server. All Podium layouts that include podlets with proxy endpoints are affected.

Patches

@podium/layout which is the main way developers/users are vulnerable to this exploit, has been patched in version 4.6.110. All earlier versions are vulnerable. @podium/proxy which is the source of the vulnerability and is used by @podium/layout has been patched in version 4.2.74. All earlier versions are vulnerable.

Workarounds

It is not easily possible to work around this issue without upgrading. We recommend upgrading @podium/layout and/or @podium/proxy as soon as possible.

For more information

If you have any questions or comments about this advisory: * Open an issue in podium-lib/issues

Credits

The vulnerability was reported by krynos from Ercoli Consulting via FINN.no's private bug bounty program

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@podium/layout"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.110"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@podium/proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.74"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24822"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-07T15:20:23Z",
    "nvd_published_at": "2022-04-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn attacker using the `Trailer` header as part of the request against proxy endpoints has the ability to take down the server.\nAll Podium layouts that include podlets with proxy endpoints are affected.\n\n### Patches\n`@podium/layout` which is the main way developers/users are vulnerable to this exploit, has been patched in version `4.6.110`. All earlier versions are vulnerable.\n`@podium/proxy` which is the source of the vulnerability and is used by `@podium/layout` has been patched in version `4.2.74`. All earlier versions are vulnerable.\n\n### Workarounds\nIt is not easily possible to work around this issue without upgrading. We recommend upgrading `@podium/layout` and/or `@podium/proxy` as soon as possible.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [podium-lib/issues](https://github.com/podium-lib/issues)\n\n### Credits\nThe vulnerability was reported by [krynos](https://hackerone.com/krynos) from [Ercoli Consulting](https://www.ercoliconsulting.eu/) via FINN.no\u0027s private bug bounty program\n",
  "id": "GHSA-3hjg-vc7r-rcrw",
  "modified": "2022-04-07T15:20:23Z",
  "published": "2022-04-07T15:20:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/podium-lib/proxy/security/advisories/GHSA-3hjg-vc7r-rcrw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24822"
    },
    {
      "type": "WEB",
      "url": "https://github.com/podium-lib/layout/commit/fe43e655432b0a5f07b6475f67babcc2588fb039"
    },
    {
      "type": "WEB",
      "url": "https://github.com/podium-lib/proxy/commit/9698a40df081217ce142d4de71f929baaa339cdf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/podium-lib/layout/releases/tag/v4.6.110"
    },
    {
      "type": "WEB",
      "url": "https://github.com/podium-lib/proxy/releases/tag/v4.2.74"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service vulnerability in @podium/layout and @podium/proxy"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.