CWE-436
Allowed-with-ReviewInterpretation Conflict
Abstraction: Class · Status: Incomplete
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
199 vulnerabilities reference this CWE, most recent first.
GHSA-4P64-V8F5-R2GX
Vulnerability from github – Published: 2026-04-14 20:05 – Updated: 2026-04-14 20:05Summary
justhtml 1.16.0 fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.
Most of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings:
- programmatic DOM input to
sanitize()orsanitize_dom() - reused or mutated sanitization policy objects
- custom policies that preserve foreign namespaces such as SVG or MathML
Affected versions
justhtml<= 1.15.0
Fixed version
justhtml1.16.0released on April 12, 2026
Impact
Policy reuse and mutation
Nested mutation of sanitization policy internals could weaken later sanitization by leaving stale compiled sanitizers active, or by mutating exported default policy internals process-wide.
In-memory sanitization gaps
Programmatic DOM sanitization could miss dangerous mixed-case tag names such as ScRiPt or StYlE, and custom drop_content_tags values such as {"SCRIPT"} could silently fail to drop dangerous subtrees.
Serialization injection
Crafted programmatic doctype names could serialize into active markup before the document body.
Foreign-namespace policy bypasses
Custom policies that preserve SVG or MathML could allow active SVG features to survive sanitization, including:
- animation elements such as
<set>and<animate>that mutate already-sanitized attributes after sanitization - presentation attributes such as
fill,clip-path,mask,marker-start, andcursorcontaining externalurl(...)references - programmatic DOM trees that claim
namespace="html"but serialize as<svg>or<math>, bypassing foreign-content checks
Rawtext hardening gap
Mixed-case programmatic style or script nodes could bypass rawtext hardening and preserve active stylesheet content such as remote @import rules.
Default configuration
Most of these issues did not affect the normal JustHTML(..., sanitize=True) path for ordinary parsed HTML.
The main exceptions were policy-mutation issues, which could weaken later sanitization if code mutated nested state on reused policy objects or exported defaults.
Recommended action
Upgrade to justhtml 1.16.0.
If you cannot upgrade immediately:
- do not mutate
DEFAULT_POLICY,DEFAULT_DOCUMENT_POLICY, or nested policy internals - avoid reusing policy objects after mutating nested state
- avoid preserving SVG or MathML for untrusted input
- avoid preserving
styleorscriptin custom policies for untrusted input - avoid serializing untrusted programmatic doctypes or DOM trees
Credit
Discovered during an internal security review of justhtml.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.15.0"
},
"package": {
"ecosystem": "PyPI",
"name": "justhtml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-436",
"CWE-471",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T20:05:10Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\n`justhtml` `1.16.0` fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.\n\nMost of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings:\n\n- programmatic DOM input to `sanitize()` or `sanitize_dom()`\n- reused or mutated sanitization policy objects\n- custom policies that preserve foreign namespaces such as SVG or MathML\n\n## Affected versions\n\n- `justhtml` `\u003c= 1.15.0`\n\n## Fixed version\n\n- `justhtml` `1.16.0` released on April 12, 2026\n\n## Impact\n\n### Policy reuse and mutation\nNested mutation of sanitization policy internals could weaken later sanitization by leaving stale compiled sanitizers active, or by mutating exported default policy internals process-wide.\n\n### In-memory sanitization gaps\nProgrammatic DOM sanitization could miss dangerous mixed-case tag names such as `ScRiPt` or `StYlE`, and custom `drop_content_tags` values such as `{\"SCRIPT\"}` could silently fail to drop dangerous subtrees.\n\n### Serialization injection\nCrafted programmatic doctype names could serialize into active markup before the document body.\n\n### Foreign-namespace policy bypasses\nCustom policies that preserve SVG or MathML could allow active SVG features to survive sanitization, including:\n\n- animation elements such as `\u003cset\u003e` and `\u003canimate\u003e` that mutate already-sanitized attributes after sanitization\n- presentation attributes such as `fill`, `clip-path`, `mask`, `marker-start`, and `cursor` containing external `url(...)` references\n- programmatic DOM trees that claim `namespace=\"html\"` but serialize as `\u003csvg\u003e` or `\u003cmath\u003e`, bypassing foreign-content checks\n\n### Rawtext hardening gap\nMixed-case programmatic `style` or `script` nodes could bypass rawtext hardening and preserve active stylesheet content such as remote `@import` rules.\n\n## Default configuration\n\nMost of these issues did **not** affect the normal `JustHTML(..., sanitize=True)` path for ordinary parsed HTML.\n\nThe main exceptions were policy-mutation issues, which could weaken later sanitization if code mutated nested state on reused policy objects or exported defaults.\n\n## Recommended action\n\nUpgrade to `justhtml` `1.16.0`.\n\nIf you cannot upgrade immediately:\n\n- do not mutate `DEFAULT_POLICY`, `DEFAULT_DOCUMENT_POLICY`, or nested policy internals\n- avoid reusing policy objects after mutating nested state\n- avoid preserving SVG or MathML for untrusted input\n- avoid preserving `style` or `script` in custom policies for untrusted input\n- avoid serializing untrusted programmatic doctypes or DOM trees\n\n## Credit\n\nDiscovered during an internal security review of `justhtml`.",
"id": "GHSA-4p64-v8f5-r2gx",
"modified": "2026-04-14T20:05:10Z",
"published": "2026-04-14T20:05:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-4p64-v8f5-r2gx"
},
{
"type": "PACKAGE",
"url": "https://github.com/EmilStenstrom/justhtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Multiple security fixes in justhtml"
}
GHSA-4VC4-M8QH-G8JM
Vulnerability from github – Published: 2025-03-12 20:20 – Updated: 2025-11-03 21:33Summary
An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.
Impact
This issue may lead to authentication bypass.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "ruby-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "ruby-saml"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-25291"
],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-12T20:20:24Z",
"nvd_published_at": "2025-03-12T21:15:42Z",
"severity": "CRITICAL"
},
"details": "### Summary\nAn authentication bypass vulnerability was found in ruby-saml due to a parser differential.\nReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.\n\n### Impact\nThis issue may lead to authentication bypass.",
"id": "GHSA-4vc4-m8qh-g8jm",
"modified": "2025-11-03T21:33:11Z",
"published": "2025-03-12T20:20:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm"
},
{
"type": "WEB",
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25291"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
},
{
"type": "WEB",
"url": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"
},
{
"type": "PACKAGE",
"url": "https://github.com/SAML-Toolkits/ruby-saml"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-25291.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=43374519"
},
{
"type": "WEB",
"url": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250314-0010"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)"
}
GHSA-546M-4W73-87M7
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0.4, 4.x before 4.0.1, 5.x before 5.0.2, and 6.x before 6.0.2 (not affecting Cumulus Linux or VyOS), when ENABLE_BGP_VNC is used for Virtual Network Control, allows remote attackers to cause a denial of service (peering session flap) via attribute 255 in a BGP UPDATE packet. This occurred during Disco in January 2019 because FRR does not implement RFC 7606, and therefore the packets with 255 were considered invalid VNC data and the BGP session was closed.
{
"affected": [],
"aliases": [
"CVE-2019-5892"
],
"database_specific": {
"cwe_ids": [
"CWE-436"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-10T17:29:00Z",
"severity": "MODERATE"
},
"details": "bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0.4, 4.x before 4.0.1, 5.x before 5.0.2, and 6.x before 6.0.2 (not affecting Cumulus Linux or VyOS), when ENABLE_BGP_VNC is used for Virtual Network Control, allows remote attackers to cause a denial of service (peering session flap) via attribute 255 in a BGP UPDATE packet. This occurred during Disco in January 2019 because FRR does not implement RFC 7606, and therefore the packets with 255 were considered invalid VNC data and the BGP session was closed.",
"id": "GHSA-546m-4w73-87m7",
"modified": "2022-05-13T01:22:33Z",
"published": "2022-05-13T01:22:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5892"
},
{
"type": "WEB",
"url": "https://github.com/FRRouting/frr/commit/943d595a018e69b550db08cccba1d0778a86705a"
},
{
"type": "WEB",
"url": "https://frrouting.org/community/security/cve-2019-5892.html"
},
{
"type": "WEB",
"url": "https://github.com/FRRouting/frr/releases/tag/frr-3.0.4"
},
{
"type": "WEB",
"url": "https://github.com/FRRouting/frr/releases/tag/frr-4.0.1"
},
{
"type": "WEB",
"url": "https://github.com/FRRouting/frr/releases/tag/frr-5.0.2"
},
{
"type": "WEB",
"url": "https://github.com/FRRouting/frr/releases/tag/frr-6.0.2"
},
{
"type": "WEB",
"url": "https://lists.frrouting.org/pipermail/frog/2019-January/000404.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-56GJ-MVH6-RP75
Vulnerability from github – Published: 2023-02-07 18:16 – Updated: 2023-02-08 16:18Summary
Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.
Details
Dompdf parses the href attribute of image tags with the following code:
src/Image/Cache.php line 135-150
function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
if (strtolower($name) === "image") {
$attributes = array_change_key_case($attributes, CASE_LOWER);
$url = $attributes["xlink:href"] ?? $attributes["href"];
if (!empty($url)) {
$inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
if ($inner_full_url === $full_url) {
throw new ImageException("SVG self-reference is not allowed", E_WARNING);
}
[$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
if (!empty($message)) {
throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
}
}
}
},
As you can see from the code snippet above, it respects xlink:href even if href is specified.
$url = $attributes["xlink:href"] ?? $attributes["href"];
However, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:
src/Svg/Tag/Image.php line 51-57
if (isset($attributes['xlink:href'])) {
$this->href = $attributes['xlink:href'];
}
if (isset($attributes['href'])) {
$this->href = $attributes['href'];
}
Since href is respected if both xlink:href and href is specified, it's possible to bypass the protection on the Dompdf side by providing an empty xlink:href attribute.
Impact
An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "dompdf/dompdf"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.2"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.2"
]
}
],
"aliases": [
"CVE-2023-24813"
],
"database_specific": {
"cwe_ids": [
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-07T18:16:23Z",
"nvd_published_at": "2023-02-07T19:15:00Z",
"severity": "CRITICAL"
},
"details": "### Summary\nDue to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.\n\n### Details\nDompdf parses the href attribute of `image` tags with the following code:\n\n[`src/Image/Cache.php` line 135-150](https://github.com/dompdf/dompdf/blob/2a8a6b80fcaa5148ace50f35a10979fe00c6a35d/src/Image/Cache.php#L135-L150)\n``` php\nfunction ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n if (strtolower($name) === \"image\") {\n $attributes = array_change_key_case($attributes, CASE_LOWER);\n $url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n if (!empty($url)) {\n $inner_full_url = Helpers::build_url($parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $url);\n if ($inner_full_url === $full_url) {\n throw new ImageException(\"SVG self-reference is not allowed\", E_WARNING);\n }\n [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $options);\n if (!empty($message)) {\n throw new ImageException(\"This SVG document references a restricted resource. $message\", E_WARNING);\n }\n }\n }\n},\n```\n\nAs you can see from the code snippet above, it respects `xlink:href` even if `href` is specified.\n``` php\n$url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n```\n\nHowever, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:\n\n[`src/Svg/Tag/Image.php` line 51-57](https://github.com/dompdf/php-svg-lib/blob/76876c6cf3080bcb6f249d7d59705108166a6685/src/Svg/Tag/Image.php#L51-L57)\n``` php\nif (isset($attributes[\u0027xlink:href\u0027])) {\n $this-\u003ehref = $attributes[\u0027xlink:href\u0027];\n}\n\nif (isset($attributes[\u0027href\u0027])) {\n $this-\u003ehref = $attributes[\u0027href\u0027];\n}\n```\n\nSince `href` is respected if both `xlink:href` and `href` is specified, it\u0027s possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute.\n\n### Impact\nAn attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.",
"id": "GHSA-56gj-mvh6-rp75",
"modified": "2023-02-08T16:18:55Z",
"published": "2023-02-07T18:16:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24813"
},
{
"type": "WEB",
"url": "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa"
},
{
"type": "PACKAGE",
"url": "https://github.com/dompdf/dompdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "URI validation failure on SVG parsing. Bypass of CVE-2023-23924"
}
GHSA-59QP-CFJ3-RP64
Vulnerability from github – Published: 2026-07-07 20:03 – Updated: 2026-07-07 20:03Summary
Potential bypass of domain name filter by crafting a DNS request with multiple questions, with the first question being legitimate.
Impact
Depends on a local attackers ability to craft multiple questions and the remote DoH server supporting them.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/tinfoil-factory/netfoil"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-436",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-07T20:03:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nPotential bypass of domain name filter by crafting a DNS request with multiple questions, with the first question being legitimate.\n\n### Impact\nDepends on a local attackers ability to craft multiple questions and the remote DoH server supporting them.",
"id": "GHSA-59qp-cfj3-rp64",
"modified": "2026-07-07T20:03:49Z",
"published": "2026-07-07T20:03:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tinfoil-factory/netfoil/security/advisories/GHSA-59qp-cfj3-rp64"
},
{
"type": "PACKAGE",
"url": "https://github.com/tinfoil-factory/netfoil"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "netfoil has a domain name filter bypass via multiple questions"
}
GHSA-5GFM-WPXJ-WJGQ
Vulnerability from github – Published: 2025-11-26 22:07 – Updated: 2025-11-26 22:07Summary
CVE-2025-12816 has been reserved by CERT/CC
Description An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
Details
A critical ASN.1 validation bypass vulnerability exists in the node-forge asn1.validate function within forge/lib/asn1.js. ASN.1 is a schema language that defines data structures, like the typed record schemas used in X.509, PKCS#7, PKCS#12, etc. DER (Distinguished Encoding Rules), a strict binary encoding of ASN.1, is what cryptographic code expects when verifying signatures, and the exact bytes and structure must match the schema used to compute and verify the signature. After deserializing DER, Forge uses static ASN.1 validation schemas to locate the signed data or public key, compute digests over the exact bytes required, and feed digest and signature fields into cryptographic primitives.
This vulnerability allows a specially crafted ASN.1 object to desynchronize the validator on optional boundaries, causing a malformed optional field to be semantically reinterpreted as the subsequent mandatory structure. This manifests as logic bypasses in cryptographic algorithms and protocols with optional security features (such as PKCS#12, where MACs are treated as absent) and semantic interpretation conflicts in strict protocols (such as X.509, where fields are read as the wrong type).
Impact
This flaw allows an attacker to desynchronize the validator, allowing critical components like digital signatures or integrity checks to be skipped or validated against attacker-controlled data.
This vulnerability impacts the ans1.validate function in node-forge before patched version 1.3.2.
https://github.com/digitalbazaar/forge/blob/main/lib/asn1.js.
The following components in node-forge are impacted.
lib/asn1.js
lib/x509.js
lib/pkcs12.js
lib/pkcs7.js
lib/rsa.js
lib/pbe.js
lib/ed25519.js
Any downstream application using these components is impacted.
These components may be leveraged by downstream applications in ways that enable full compromise of integrity, leading to potential availability and confidentiality compromises.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-12816"
],
"database_specific": {
"cwe_ids": [
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-26T22:07:19Z",
"nvd_published_at": "2025-11-25T20:15:58Z",
"severity": "HIGH"
},
"details": "### Summary\n\nCVE-2025-12816 has been reserved by CERT/CC\n\n**Description**\nAn Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.\n\n\n### Details\n\nA critical ASN.1 validation bypass vulnerability exists in the node-forge asn1.validate function within `forge/lib/asn1.js`. ASN.1 is a schema language that defines data structures, like the typed record schemas used in X.509, PKCS#7, PKCS#12, etc. DER (Distinguished Encoding Rules), a strict binary encoding of ASN.1, is what cryptographic code expects when verifying signatures, and the exact bytes and structure must match the schema used to compute and verify the signature. After deserializing DER, Forge uses static ASN.1 validation schemas to locate the signed data or public key, compute digests over the exact bytes required, and feed digest and signature fields into cryptographic primitives.\n\nThis vulnerability allows a specially crafted ASN.1 object to desynchronize the validator on optional boundaries, causing a malformed optional field to be semantically reinterpreted as the subsequent mandatory structure. This manifests as logic bypasses in cryptographic algorithms and protocols with optional security features (such as PKCS#12, where MACs are treated as absent) and semantic interpretation conflicts in strict protocols (such as X.509, where fields are read as the wrong type).\n\n### Impact\n\nThis flaw allows an attacker to desynchronize the validator, allowing critical components like digital signatures or integrity checks to be skipped or validated against attacker-controlled data.\n\nThis vulnerability impacts the `ans1.validate` function in `node-forge` before patched version `1.3.2`.\nhttps://github.com/digitalbazaar/forge/blob/main/lib/asn1.js.\n\nThe following components in `node-forge` are impacted.\n[lib/asn1.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/asn1.js#L1153)\n[lib/x509.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js#L667)\n[lib/pkcs12.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs12.js#L328)\n[lib/pkcs7.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs7.js#L90)\n[lib/rsa.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/rsa.js#L1167)\n[lib/pbe.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pbe.js#L363)\n[lib/ed25519.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/ed25519.js#L81)\n\nAny downstream application using these components is impacted.\n\nThese components may be leveraged by downstream applications in ways that enable full compromise of integrity, leading to potential availability and confidentiality compromises.",
"id": "GHSA-5gfm-wpxj-wjgq",
"modified": "2025-11-26T22:07:20Z",
"published": "2025-11-26T22:07:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/pull/1124"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/asn1.js#L1153"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/ed25519.js#L81"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pbe.js#L363"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs12.js#L328"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs7.js#L90"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/rsa.js#L1167"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js#L667"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/521113"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/521113"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/node-forge"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization"
}
GHSA-5HMM-P9XX-45X3
Vulnerability from github – Published: 2024-03-18 18:32 – Updated: 2025-11-05 00:31Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.
{
"affected": [],
"aliases": [
"CVE-2024-28054"
],
"database_specific": {
"cwe_ids": [
"CWE-436"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-18T17:15:07Z",
"severity": "HIGH"
},
"details": "Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.",
"id": "GHSA-5hmm-p9xx-45x3",
"modified": "2025-11-05T00:31:17Z",
"published": "2024-03-18T18:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28054"
},
{
"type": "WEB",
"url": "https://gitlab.com/amavis/amavis/-/issues/112"
},
{
"type": "WEB",
"url": "https://gitlab.com/amavis/amavis/-/raw/v2.13.1/README_FILES/README.CVE-2024-28054"
},
{
"type": "WEB",
"url": "https://lists.amavis.org/pipermail/amavis-users/2024-March/006811.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6J2MK2CS3KNJOS66QLW2MBJ4PIDLWJP5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CDF6M3UXP45INVSWB4HXEDZH35CVZIJ4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQQQQPTZ5JHXTUCYUXZHY6RZJ6VOGOAJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6J2MK2CS3KNJOS66QLW2MBJ4PIDLWJP5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQQQQPTZ5JHXTUCYUXZHY6RZJ6VOGOAJ"
},
{
"type": "WEB",
"url": "https://metacpan.org/pod/MIME::Tools"
},
{
"type": "WEB",
"url": "https://www.amavis.org/release-notes.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5Q69-34VJ-QHX4
Vulnerability from github – Published: 2024-09-05 18:30 – Updated: 2024-09-05 18:30IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.
{
"affected": [],
"aliases": [
"CVE-2024-45097"
],
"database_specific": {
"cwe_ids": [
"CWE-436",
"CWE-650"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-05T16:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.",
"id": "GHSA-5q69-34vj-qhx4",
"modified": "2024-09-05T18:30:56Z",
"published": "2024-09-05T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45097"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7167255"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5WWG-Q432-32VV
Vulnerability from github – Published: 2026-03-04 09:31 – Updated: 2026-03-05 18:31SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it.
{
"affected": [],
"aliases": [
"CVE-2026-27444"
],
"database_specific": {
"cwe_ids": [
"CWE-436"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T09:15:56Z",
"severity": "HIGH"
},
"details": "SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it.",
"id": "GHSA-5wwg-q432-32vv",
"modified": "2026-03-05T18:31:36Z",
"published": "2026-03-04T09:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27444"
},
{
"type": "WEB",
"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5XCX-R88V-8V7G
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.
{
"affected": [],
"aliases": [
"CVE-2018-6560"
],
"database_specific": {
"cwe_ids": [
"CWE-436"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-02T14:29:00Z",
"severity": "HIGH"
},
"details": "In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.",
"id": "GHSA-5xcx-r88v-8v7g",
"modified": "2022-05-13T01:53:07Z",
"published": "2022-05-13T01:53:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6560"
},
{
"type": "WEB",
"url": "https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2766"
},
{
"type": "WEB",
"url": "https://github.com/flatpak/flatpak/releases/tag/0.10.3"
},
{
"type": "WEB",
"url": "https://github.com/flatpak/flatpak/releases/tag/0.8.9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-105: HTTP Request Splitting
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.
CAPEC-273: HTTP Response Smuggling
An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).
See CanPrecede relationships for possible consequences.
CAPEC-34: HTTP Response Splitting
An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.
See CanPrecede relationships for possible consequences.