Common Weakness Enumeration

CWE-362

Allowed-with-Review

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Abstraction: Class · Status: Draft

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

2909 vulnerabilities reference this CWE, most recent first.

GHSA-494H-9924-XWW9

Vulnerability from github – Published: 2024-03-15 16:48 – Updated: 2024-03-15 16:48
VLAI
Summary
Pterodactyl Wings vulnerable to improper isolation of server file access
Details

Impact

This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible.

In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC.

Resolution

In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes. While tests were written to ensure security and functionality, there may be some semantic differences of certain operations, such as different errors being returned for example. If you notice any major semantic differences, please open an issue on our issue tracker so it can be resolved. https://github.com/pterodactyl/panel/issues/new/choose

Patches

This vulnerability has been resolved in version v1.11.9 of Wings.

Everyone should update to Wings v1.11.9 (or newer).

Workarounds

None.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pterodactyl/wings"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-362",
      "CWE-363"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-15T16:48:21Z",
    "nvd_published_at": "2024-03-13T21:15:59Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThis vulnerability impacts anyone running the affected versions of Wings.  The vulnerability can potentially be used to access files and directories on the host system.  The full scope of impact is exactly unknown, but reading files outside of a server\u0027s base directory (sandbox root) is possible.\n\nIn order to use this exploit, an attacker must have an existing \"server\" allocated and controlled by Wings.  Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC.\n\n### Resolution\n\nIn order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary.  Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes.  While tests were written to ensure security and functionality, there may be some semantic differences of certain operations, such as different errors being returned for example.  If you notice any major semantic differences, please open an issue on our issue tracker so it can be resolved. \u003chttps://github.com/pterodactyl/panel/issues/new/choose\u003e\n\n### Patches\n\nThis vulnerability has been resolved in version `v1.11.9` of Wings.\n\nEveryone should update to Wings `v1.11.9` (or newer).\n\n### Workarounds\n\nNone.",
  "id": "GHSA-494h-9924-xww9",
  "modified": "2024-03-15T16:48:21Z",
  "published": "2024-03-15T16:48:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-494h-9924-xww9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pterodactyl/wings"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pterodactyl Wings vulnerable to improper isolation of server file access"
}

GHSA-496X-5V3M-GFF3

Vulnerability from github – Published: 2023-07-24 18:30 – Updated: 2024-08-22 21:31
VLAI
Details

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-667"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-24T16:15:11Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the Linux kernel\u0027s ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_LOGOFF and SMB2_CLOSE commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.",
  "id": "GHSA-496x-5v3m-gff3",
  "modified": "2024-08-22T21:31:27Z",
  "published": "2023-07-24T18:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32258"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-32258"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2219809"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230915-0011"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-20796"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-497G-7JRR-6MCV

Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30
VLAI
Details

Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T17:15:43Z",
    "severity": "HIGH"
  },
  "details": "Use after free in Windows Digital Media allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-497g-7jrr-6mcv",
  "modified": "2025-10-14T18:30:29Z",
  "published": "2025-10-14T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53150"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53150"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4985-WCH3-93JR

Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-17 00:02
VLAI
Details

Windows NT OS Kernel Elevation of Privilege Vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23298"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-09T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Windows NT OS Kernel Elevation of Privilege Vulnerability.",
  "id": "GHSA-4985-wch3-93jr",
  "modified": "2022-03-17T00:02:26Z",
  "published": "2022-03-10T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23298"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23298"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-23298"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-49HH-3WXF-QHW8

Vulnerability from github – Published: 2026-07-18 09:32 – Updated: 2026-07-18 09:32
VLAI
Details

A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. The impacted element is the function ExecTool.executeRun of the file pkg/agent/pipeline_execute.go. The manipulation of the argument cwe leads to time-of-check time-of-use. The attack must be carried out locally. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically with the label "not planned" by a bot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-16082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-18T09:17:07Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was identified in Sipeed PicoClaw up to 0.2.9. The impacted element is the function ExecTool.executeRun of the file pkg/agent/pipeline_execute.go. The manipulation of the argument cwe leads to time-of-check time-of-use. The attack must be carried out locally. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically with the label \"not planned\" by a bot.",
  "id": "GHSA-49hh-3wxf-qhw8",
  "modified": "2026-07-18T09:32:17Z",
  "published": "2026-07-18T09:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-16082"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sipeed/picoclaw/issues/3081"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sipeed/picoclaw"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-16082"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/852944"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/379794"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/379794/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-49J8-C4PR-24H9

Vulnerability from github – Published: 2022-05-17 05:24 – Updated: 2025-01-21 21:30
VLAI
Details

** DISPUTED ** Race condition in Online Armor Premium 4.0.0.35 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-5169"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-08-25T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "** DISPUTED ** Race condition in Online Armor Premium 4.0.0.35 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack.  NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute.",
  "id": "GHSA-49j8-c4pr-24h9",
  "modified": "2025-01-21T21:30:42Z",
  "published": "2022-05-17T05:24:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5169"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2010-05/0026.html"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-05/0066.html"
    },
    {
      "type": "WEB",
      "url": "http://countermeasures.trendmicro.eu/you-just-cant-trust-a-drunk"
    },
    {
      "type": "WEB",
      "url": "http://matousec.com/info/advisories/khobe-8.0-earthquake-for-windows-desktop-security-software.php"
    },
    {
      "type": "WEB",
      "url": "http://matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php"
    },
    {
      "type": "WEB",
      "url": "http://www.f-secure.com/weblog/archives/00001949.html"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/67660"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/39924"
    },
    {
      "type": "WEB",
      "url": "http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-49WX-627V-6MCQ

Vulnerability from github – Published: 2022-04-29 01:28 – Updated: 2022-04-29 01:28
VLAI
Details

sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2003-1562"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-12-31T05:00:00Z",
    "severity": "HIGH"
  },
  "details": "sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.",
  "id": "GHSA-49wx-627v-6mcq",
  "modified": "2022-04-29T01:28:17Z",
  "published": "2022-04-29T01:28:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-1562"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248747"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/320153"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/320302"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/320440"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/7482"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4C2X-G299-MPV8

Vulnerability from github – Published: 2022-05-13 01:41 – Updated: 2025-04-20 03:38
VLAI
Details

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-05T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Todd Miller\u0027s sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution.",
  "id": "GHSA-4c2x-g299-mpv8",
  "modified": "2025-04-20T03:38:27Z",
  "published": "2022-05-13T01:41:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000367"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1381"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1382"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEXC4NNIG2QOZY6N2YUK246KI3D3UQO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEXC4NNIG2QOZY6N2YUK246KI3D3UQO"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201705-15"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/42183"
    },
    {
      "type": "WEB",
      "url": "https://www.sudo.ws/alerts/linux_tty.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00077.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00078.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00079.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/142783/Sudo-get_process_ttyname-Race-Condition.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Jun/3"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3867"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/05/30/16"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/12/22/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/12/22/6"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98745"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038582"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-3304-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4C32-X28M-P8H3

Vulnerability from github – Published: 2022-05-02 03:45 – Updated: 2022-05-02 03:45
VLAI
Details

Race condition in the Pipe (IPC) close function in FreeBSD 6.3 and 6.4 allows local users to cause a denial of service (crash) or gain privileges via vectors related to kqueues, which triggers a use after free, leading to a NULL pointer dereference or memory corruption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-3527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-10-06T22:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Race condition in the Pipe (IPC) close function in FreeBSD 6.3 and 6.4 allows local users to cause a denial of service (crash) or gain privileges via vectors related to kqueues, which triggers a use after free, leading to a NULL pointer dereference or memory corruption.",
  "id": "GHSA-4c32-x28m-p8h3",
  "modified": "2022-05-02T03:45:58Z",
  "published": "2022-05-02T03:45:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3527"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/58544"
    },
    {
      "type": "WEB",
      "url": "http://security.freebsd.org/advisories/FreeBSD-SA-09:13.pipe.asc"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/506449"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/36375"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1022982"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4C5F-9MJ4-M247

Vulnerability from github – Published: 2026-01-05 15:07 – Updated: 2026-01-05 15:07
VLAI
Summary
flagd: Multiple Go Runtime CVEs Impact Security and Availability
Details

Summary

In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation engine for OpenFeature). These CVEs primarily focus on Denial of Service (DoS) through resource exhaustion and Race Conditions in database handling.

CVE ID Impacted Package Severity Description & Impact on flagd
CVE-2025-47907 database/sql 7.0 (High) Race Condition: Canceling a query during a Scan call can return data from the wrong query. Critical if flagd uses SQL-based sync providers (e.g., Postgres), potentially leading to incorrect flag configurations.
CVE-2025-61725 net/mail 7.5 (High) DoS: Inefficient complexity in ParseAddress. Attackers can provide crafted email strings with large domain literals to exhaust CPU if flagd parses email-formatted metadata.
CVE-2025-61723 encoding/pem 7.5 (High) DoS: Quadratic complexity when parsing invalid PEM inputs. Relevant if flagd loads TLS certificates or keys via PEM files from untrusted sources.
CVE-2025-61729 crypto/x509 7.5 (High) Resource Exhaustion: HostnameError.Error() lacks string concatenation limits. A malicious TLS certificate with thousands of hostnames could crash flagd during connection handshakes.
CVE-2025-58188 net/http Medium Request Smuggling: Improper header handling in HTTP/1.1. Could allow attackers to bypass security filters positioned in front of flagd sync or evaluation APIs.
CVE-2025-58187 archive/zip Medium DoS: Improper validation of malformed ZIP archives. Impacts flagd if configured to fetch and unpack zipped configuration bundles from remote providers.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/open-feature/flagd/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/open-feature/flagd/flagd-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/open-feature/flagd/flagd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-362",
      "CWE-400",
      "CWE-407",
      "CWE-444",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T15:07:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nIn 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation engine for OpenFeature). These CVEs primarily focus on Denial of Service (DoS) through resource exhaustion and Race Conditions in database handling. \n\n| CVE ID | Impacted Package | Severity | Description \u0026 Impact on flagd |\n| -- | -- | -- | -- |\n| CVE-2025-47907 | database/sql | 7.0 (High) | Race Condition:  Canceling a query during a Scan call can return data from the wrong query. Critical if flagd uses SQL-based sync providers (e.g., Postgres), potentially leading to incorrect flag configurations. |\n| CVE-2025-61725 | net/mail | 7.5 (High) | DoS: Inefficient complexity in ParseAddress.  Attackers can provide crafted email strings with large domain literals to exhaust CPU if flagd parses email-formatted metadata. |\n| CVE-2025-61723 | encoding/pem | 7.5 (High) | DoS: Quadratic complexity when parsing invalid PEM inputs. Relevant if flagd loads TLS certificates or keys via PEM files from untrusted sources. |\n| CVE-2025-61729 | crypto/x509 | 7.5 (High) | Resource Exhaustion: HostnameError.Error() lacks string concatenation limits. A malicious TLS certificate with thousands of hostnames could crash flagd during connection handshakes. |\n| CVE-2025-58188 | net/http | Medium | Request Smuggling: Improper header handling in HTTP/1.1. Could allow attackers to bypass security filters positioned in front of flagd sync or evaluation APIs. |\n| CVE-2025-58187 | archive/zip | Medium | DoS:  Improper validation of malformed ZIP archives.  Impacts flagd if configured to fetch and unpack zipped configuration bundles from remote providers. |",
  "id": "GHSA-4c5f-9mj4-m247",
  "modified": "2026-01-05T15:07:46Z",
  "published": "2026-01-05T15:07:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-feature/flagd/security/advisories/GHSA-4c5f-9mj4-m247"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-feature/flagd/pull/1840"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-feature/flagd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-feature/flagd/releases/tag/core%2Fv0.13.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "flagd: Multiple Go Runtime CVEs Impact Security and Availability"
}

Mitigation
Architecture and Design

In languages that support it, use synchronization primitives. Only wrap these around critical code to minimize the impact on performance.

Mitigation
Architecture and Design

Use thread-safe capabilities such as the data access abstraction in Spring.

Mitigation
Architecture and Design
  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).
Mitigation
Implementation

When using multithreading and operating on shared variables, only use thread-safe functions.

Mitigation
Implementation

Use atomic operations on shared variables. Be wary of innocent-looking constructs such as "x++". This may appear atomic at the code layer, but it is actually non-atomic at the instruction layer, since it involves a read, followed by a computation, followed by a write.

Mitigation
Implementation

Use a mutex if available, but be sure to avoid related weaknesses such as CWE-412.

Mitigation
Implementation

Avoid double-checked locking (CWE-609) and other implementation errors that arise when trying to avoid the overhead of synchronization.

Mitigation
Implementation

Disable interrupts or signals over critical parts of the code, but also make sure that the code does not go into a large or infinite loop.

Mitigation
Implementation

Use the volatile type modifier for critical variables to avoid unexpected compiler optimization or reordering. This does not necessarily solve the synchronization problem, but it can help.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.