Common Weakness Enumeration

CWE-436

Allowed-with-Review

Interpretation Conflict

Abstraction: Class · Status: Incomplete

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

199 vulnerabilities reference this CWE, most recent first.

GHSA-4P64-V8F5-R2GX

Vulnerability from github – Published: 2026-04-14 20:05 – Updated: 2026-04-14 20:05
VLAI
Summary
Multiple security fixes in justhtml
Details

Summary

justhtml 1.16.0 fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.

Most of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings:

  • programmatic DOM input to sanitize() or sanitize_dom()
  • reused or mutated sanitization policy objects
  • custom policies that preserve foreign namespaces such as SVG or MathML

Affected versions

  • justhtml <= 1.15.0

Fixed version

  • justhtml 1.16.0 released on April 12, 2026

Impact

Policy reuse and mutation

Nested mutation of sanitization policy internals could weaken later sanitization by leaving stale compiled sanitizers active, or by mutating exported default policy internals process-wide.

In-memory sanitization gaps

Programmatic DOM sanitization could miss dangerous mixed-case tag names such as ScRiPt or StYlE, and custom drop_content_tags values such as {"SCRIPT"} could silently fail to drop dangerous subtrees.

Serialization injection

Crafted programmatic doctype names could serialize into active markup before the document body.

Foreign-namespace policy bypasses

Custom policies that preserve SVG or MathML could allow active SVG features to survive sanitization, including:

  • animation elements such as <set> and <animate> that mutate already-sanitized attributes after sanitization
  • presentation attributes such as fill, clip-path, mask, marker-start, and cursor containing external url(...) references
  • programmatic DOM trees that claim namespace="html" but serialize as <svg> or <math>, bypassing foreign-content checks

Rawtext hardening gap

Mixed-case programmatic style or script nodes could bypass rawtext hardening and preserve active stylesheet content such as remote @import rules.

Default configuration

Most of these issues did not affect the normal JustHTML(..., sanitize=True) path for ordinary parsed HTML.

The main exceptions were policy-mutation issues, which could weaken later sanitization if code mutated nested state on reused policy objects or exported defaults.

Recommended action

Upgrade to justhtml 1.16.0.

If you cannot upgrade immediately:

  • do not mutate DEFAULT_POLICY, DEFAULT_DOCUMENT_POLICY, or nested policy internals
  • avoid reusing policy objects after mutating nested state
  • avoid preserving SVG or MathML for untrusted input
  • avoid preserving style or script in custom policies for untrusted input
  • avoid serializing untrusted programmatic doctypes or DOM trees

Credit

Discovered during an internal security review of justhtml.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.15.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "justhtml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-178",
      "CWE-436",
      "CWE-471",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T20:05:10Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\n\n`justhtml` `1.16.0` fixes multiple security issues in sanitization, serialization, and programmatic DOM handling.\n\nMost of these issues affected one of these advanced paths rather than ordinary parsed HTML with the default safe settings:\n\n- programmatic DOM input to `sanitize()` or `sanitize_dom()`\n- reused or mutated sanitization policy objects\n- custom policies that preserve foreign namespaces such as SVG or MathML\n\n## Affected versions\n\n- `justhtml` `\u003c= 1.15.0`\n\n## Fixed version\n\n- `justhtml` `1.16.0` released on April 12, 2026\n\n## Impact\n\n### Policy reuse and mutation\nNested mutation of sanitization policy internals could weaken later sanitization by leaving stale compiled sanitizers active, or by mutating exported default policy internals process-wide.\n\n### In-memory sanitization gaps\nProgrammatic DOM sanitization could miss dangerous mixed-case tag names such as `ScRiPt` or `StYlE`, and custom `drop_content_tags` values such as `{\"SCRIPT\"}` could silently fail to drop dangerous subtrees.\n\n### Serialization injection\nCrafted programmatic doctype names could serialize into active markup before the document body.\n\n### Foreign-namespace policy bypasses\nCustom policies that preserve SVG or MathML could allow active SVG features to survive sanitization, including:\n\n- animation elements such as `\u003cset\u003e` and `\u003canimate\u003e` that mutate already-sanitized attributes after sanitization\n- presentation attributes such as `fill`, `clip-path`, `mask`, `marker-start`, and `cursor` containing external `url(...)` references\n- programmatic DOM trees that claim `namespace=\"html\"` but serialize as `\u003csvg\u003e` or `\u003cmath\u003e`, bypassing foreign-content checks\n\n### Rawtext hardening gap\nMixed-case programmatic `style` or `script` nodes could bypass rawtext hardening and preserve active stylesheet content such as remote `@import` rules.\n\n## Default configuration\n\nMost of these issues did **not** affect the normal `JustHTML(..., sanitize=True)` path for ordinary parsed HTML.\n\nThe main exceptions were policy-mutation issues, which could weaken later sanitization if code mutated nested state on reused policy objects or exported defaults.\n\n## Recommended action\n\nUpgrade to `justhtml` `1.16.0`.\n\nIf you cannot upgrade immediately:\n\n- do not mutate `DEFAULT_POLICY`, `DEFAULT_DOCUMENT_POLICY`, or nested policy internals\n- avoid reusing policy objects after mutating nested state\n- avoid preserving SVG or MathML for untrusted input\n- avoid preserving `style` or `script` in custom policies for untrusted input\n- avoid serializing untrusted programmatic doctypes or DOM trees\n\n## Credit\n\nDiscovered during an internal security review of `justhtml`.",
  "id": "GHSA-4p64-v8f5-r2gx",
  "modified": "2026-04-14T20:05:10Z",
  "published": "2026-04-14T20:05:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-4p64-v8f5-r2gx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EmilStenstrom/justhtml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Multiple security fixes in justhtml"
}

GHSA-4VC4-M8QH-G8JM

Vulnerability from github – Published: 2025-03-12 20:20 – Updated: 2025-11-03 21:33
VLAI
Summary
Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
Details

Summary

An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.

Impact

This issue may lead to authentication bypass.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "ruby-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "ruby-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0"
            },
            {
              "fixed": "1.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-12T20:20:24Z",
    "nvd_published_at": "2025-03-12T21:15:42Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAn authentication bypass vulnerability was found in ruby-saml due to a parser differential.\nReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.\n\n### Impact\nThis issue may lead to authentication bypass.",
  "id": "GHSA-4vc4-m8qh-g8jm",
  "modified": "2025-11-03T21:33:11Z",
  "published": "2025-03-12T20:20:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25291"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
    },
    {
      "type": "WEB",
      "url": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SAML-Toolkits/ruby-saml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-25291.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=43374519"
    },
    {
      "type": "WEB",
      "url": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250314-0010"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)"
}

GHSA-546M-4W73-87M7

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0.4, 4.x before 4.0.1, 5.x before 5.0.2, and 6.x before 6.0.2 (not affecting Cumulus Linux or VyOS), when ENABLE_BGP_VNC is used for Virtual Network Control, allows remote attackers to cause a denial of service (peering session flap) via attribute 255 in a BGP UPDATE packet. This occurred during Disco in January 2019 because FRR does not implement RFC 7606, and therefore the packets with 255 were considered invalid VNC data and the BGP session was closed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-10T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0.4, 4.x before 4.0.1, 5.x before 5.0.2, and 6.x before 6.0.2 (not affecting Cumulus Linux or VyOS), when ENABLE_BGP_VNC is used for Virtual Network Control, allows remote attackers to cause a denial of service (peering session flap) via attribute 255 in a BGP UPDATE packet. This occurred during Disco in January 2019 because FRR does not implement RFC 7606, and therefore the packets with 255 were considered invalid VNC data and the BGP session was closed.",
  "id": "GHSA-546m-4w73-87m7",
  "modified": "2022-05-13T01:22:33Z",
  "published": "2022-05-13T01:22:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5892"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FRRouting/frr/commit/943d595a018e69b550db08cccba1d0778a86705a"
    },
    {
      "type": "WEB",
      "url": "https://frrouting.org/community/security/cve-2019-5892.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FRRouting/frr/releases/tag/frr-3.0.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FRRouting/frr/releases/tag/frr-4.0.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FRRouting/frr/releases/tag/frr-5.0.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FRRouting/frr/releases/tag/frr-6.0.2"
    },
    {
      "type": "WEB",
      "url": "https://lists.frrouting.org/pipermail/frog/2019-January/000404.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56GJ-MVH6-RP75

Vulnerability from github – Published: 2023-02-07 18:16 – Updated: 2023-02-08 16:18
VLAI
Summary
URI validation failure on SVG parsing. Bypass of CVE-2023-23924
Details

Summary

Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.

Details

Dompdf parses the href attribute of image tags with the following code:

src/Image/Cache.php line 135-150

function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
    if (strtolower($name) === "image") {
        $attributes = array_change_key_case($attributes, CASE_LOWER);
        $url = $attributes["xlink:href"] ?? $attributes["href"];
        if (!empty($url)) {
            $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
            if ($inner_full_url === $full_url) {
                throw new ImageException("SVG self-reference is not allowed", E_WARNING);
            }
            [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
            if (!empty($message)) {
                throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
            }
        }
    }
},

As you can see from the code snippet above, it respects xlink:href even if href is specified.

$url = $attributes["xlink:href"] ?? $attributes["href"];

However, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:

src/Svg/Tag/Image.php line 51-57

if (isset($attributes['xlink:href'])) {
    $this->href = $attributes['xlink:href'];
}

if (isset($attributes['href'])) {
    $this->href = $attributes['href'];
}

Since href is respected if both xlink:href and href is specified, it's possible to bypass the protection on the Dompdf side by providing an empty xlink:href attribute.

Impact

An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "dompdf/dompdf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.2"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.0.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-07T18:16:23Z",
    "nvd_published_at": "2023-02-07T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nDue to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.\n\n### Details\nDompdf parses the href attribute of `image` tags with the following code:\n\n[`src/Image/Cache.php` line 135-150](https://github.com/dompdf/dompdf/blob/2a8a6b80fcaa5148ace50f35a10979fe00c6a35d/src/Image/Cache.php#L135-L150)\n``` php\nfunction ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {\n    if (strtolower($name) === \"image\") {\n        $attributes = array_change_key_case($attributes, CASE_LOWER);\n        $url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n        if (!empty($url)) {\n            $inner_full_url = Helpers::build_url($parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $url);\n            if ($inner_full_url === $full_url) {\n                throw new ImageException(\"SVG self-reference is not allowed\", E_WARNING);\n            }\n            [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url[\"protocol\"], $parsed_url[\"host\"], $parsed_url[\"path\"], $options);\n            if (!empty($message)) {\n                throw new ImageException(\"This SVG document references a restricted resource. $message\", E_WARNING);\n            }\n        }\n    }\n},\n```\n\nAs you can see from the code snippet above, it respects `xlink:href` even if `href` is specified.\n``` php\n$url = $attributes[\"xlink:href\"] ?? $attributes[\"href\"];\n```\n\nHowever, php-svg-lib, which is later used to parse the svg file, parses the href attribute with the following code:\n\n[`src/Svg/Tag/Image.php` line 51-57](https://github.com/dompdf/php-svg-lib/blob/76876c6cf3080bcb6f249d7d59705108166a6685/src/Svg/Tag/Image.php#L51-L57)\n``` php\nif (isset($attributes[\u0027xlink:href\u0027])) {\n    $this-\u003ehref = $attributes[\u0027xlink:href\u0027];\n}\n\nif (isset($attributes[\u0027href\u0027])) {\n    $this-\u003ehref = $attributes[\u0027href\u0027];\n}\n```\n\nSince `href` is respected if both `xlink:href` and `href` is specified, it\u0027s possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute.\n\n### Impact\nAn attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes.",
  "id": "GHSA-56gj-mvh6-rp75",
  "modified": "2023-02-08T16:18:55Z",
  "published": "2023-02-07T18:16:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dompdf/dompdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "URI validation failure on SVG parsing. Bypass of CVE-2023-23924"
}

GHSA-59QP-CFJ3-RP64

Vulnerability from github – Published: 2026-07-07 20:03 – Updated: 2026-07-07 20:03
VLAI
Summary
netfoil has a domain name filter bypass via multiple questions
Details

Summary

Potential bypass of domain name filter by crafting a DNS request with multiple questions, with the first question being legitimate.

Impact

Depends on a local attackers ability to craft multiple questions and the remote DoH server supporting them.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tinfoil-factory/netfoil"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-07T20:03:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nPotential bypass of domain name filter by crafting a DNS request with multiple questions, with the first question being legitimate.\n\n### Impact\nDepends on a local attackers ability to craft multiple questions and the remote DoH server supporting them.",
  "id": "GHSA-59qp-cfj3-rp64",
  "modified": "2026-07-07T20:03:49Z",
  "published": "2026-07-07T20:03:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tinfoil-factory/netfoil/security/advisories/GHSA-59qp-cfj3-rp64"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tinfoil-factory/netfoil"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "netfoil has a domain name filter bypass via multiple questions"
}

GHSA-5GFM-WPXJ-WJGQ

Vulnerability from github – Published: 2025-11-26 22:07 – Updated: 2025-11-26 22:07
VLAI
Summary
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
Details

Summary

CVE-2025-12816 has been reserved by CERT/CC

Description An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Details

A critical ASN.1 validation bypass vulnerability exists in the node-forge asn1.validate function within forge/lib/asn1.js. ASN.1 is a schema language that defines data structures, like the typed record schemas used in X.509, PKCS#7, PKCS#12, etc. DER (Distinguished Encoding Rules), a strict binary encoding of ASN.1, is what cryptographic code expects when verifying signatures, and the exact bytes and structure must match the schema used to compute and verify the signature. After deserializing DER, Forge uses static ASN.1 validation schemas to locate the signed data or public key, compute digests over the exact bytes required, and feed digest and signature fields into cryptographic primitives.

This vulnerability allows a specially crafted ASN.1 object to desynchronize the validator on optional boundaries, causing a malformed optional field to be semantically reinterpreted as the subsequent mandatory structure. This manifests as logic bypasses in cryptographic algorithms and protocols with optional security features (such as PKCS#12, where MACs are treated as absent) and semantic interpretation conflicts in strict protocols (such as X.509, where fields are read as the wrong type).

Impact

This flaw allows an attacker to desynchronize the validator, allowing critical components like digital signatures or integrity checks to be skipped or validated against attacker-controlled data.

This vulnerability impacts the ans1.validate function in node-forge before patched version 1.3.2. https://github.com/digitalbazaar/forge/blob/main/lib/asn1.js.

The following components in node-forge are impacted. lib/asn1.js lib/x509.js lib/pkcs12.js lib/pkcs7.js lib/rsa.js lib/pbe.js lib/ed25519.js

Any downstream application using these components is impacted.

These components may be leveraged by downstream applications in ways that enable full compromise of integrity, leading to potential availability and confidentiality compromises.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-forge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-12816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-26T22:07:19Z",
    "nvd_published_at": "2025-11-25T20:15:58Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nCVE-2025-12816 has been reserved by CERT/CC\n\n**Description**\nAn Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.\n\n\n### Details\n\nA critical ASN.1 validation bypass vulnerability exists in the node-forge asn1.validate function within `forge/lib/asn1.js`. ASN.1 is a schema language that defines data structures, like the typed record schemas used in X.509, PKCS#7, PKCS#12, etc. DER (Distinguished Encoding Rules), a strict binary encoding of ASN.1, is what cryptographic code expects when verifying signatures, and the exact bytes and structure must match the schema used to compute and verify the signature. After deserializing DER, Forge uses static ASN.1 validation schemas to locate the signed data or public key, compute digests over the exact bytes required, and feed digest and signature fields into cryptographic primitives.\n\nThis vulnerability allows a specially crafted ASN.1 object to desynchronize the validator on optional boundaries, causing a malformed optional field to be semantically reinterpreted as the subsequent mandatory structure. This manifests as logic bypasses in cryptographic algorithms and protocols with optional security features (such as PKCS#12, where MACs are treated as absent) and semantic interpretation conflicts in strict protocols (such as X.509, where fields are read as the wrong type).\n\n### Impact\n\nThis flaw allows an attacker to desynchronize the validator, allowing critical components like digital signatures or integrity checks to be skipped or validated against attacker-controlled data.\n\nThis vulnerability impacts the `ans1.validate` function in `node-forge` before patched version `1.3.2`.\nhttps://github.com/digitalbazaar/forge/blob/main/lib/asn1.js.\n\nThe following components in `node-forge` are impacted.\n[lib/asn1.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/asn1.js#L1153)\n[lib/x509.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js#L667)\n[lib/pkcs12.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs12.js#L328)\n[lib/pkcs7.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs7.js#L90)\n[lib/rsa.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/rsa.js#L1167)\n[lib/pbe.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pbe.js#L363)\n[lib/ed25519.js](https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/ed25519.js#L81)\n\nAny downstream application using these components is impacted.\n\nThese components may be leveraged by downstream applications in ways that enable full compromise of integrity, leading to potential availability and confidentiality compromises.",
  "id": "GHSA-5gfm-wpxj-wjgq",
  "modified": "2025-11-26T22:07:20Z",
  "published": "2025-11-26T22:07:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/pull/1124"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/digitalbazaar/forge"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/asn1.js#L1153"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/ed25519.js#L81"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pbe.js#L363"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs12.js#L328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/pkcs7.js#L90"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/rsa.js#L1167"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/blob/2bb97afb5058285ef09bcf1d04d6bd6b87cffd58/lib/x509.js#L667"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/521113"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/521113"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/node-forge"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization"
}

GHSA-5HMM-P9XX-45X3

Vulnerability from github – Published: 2024-03-18 18:32 – Updated: 2025-11-05 00:31
VLAI
Details

Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-18T17:15:07Z",
    "severity": "HIGH"
  },
  "details": "Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.",
  "id": "GHSA-5hmm-p9xx-45x3",
  "modified": "2025-11-05T00:31:17Z",
  "published": "2024-03-18T18:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28054"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/amavis/amavis/-/issues/112"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/amavis/amavis/-/raw/v2.13.1/README_FILES/README.CVE-2024-28054"
    },
    {
      "type": "WEB",
      "url": "https://lists.amavis.org/pipermail/amavis-users/2024-March/006811.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6J2MK2CS3KNJOS66QLW2MBJ4PIDLWJP5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CDF6M3UXP45INVSWB4HXEDZH35CVZIJ4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQQQQPTZ5JHXTUCYUXZHY6RZJ6VOGOAJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6J2MK2CS3KNJOS66QLW2MBJ4PIDLWJP5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQQQQPTZ5JHXTUCYUXZHY6RZJ6VOGOAJ"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/pod/MIME::Tools"
    },
    {
      "type": "WEB",
      "url": "https://www.amavis.org/release-notes.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5Q69-34VJ-QHX4

Vulnerability from github – Published: 2024-09-05 18:30 – Updated: 2024-09-05 18:30
VLAI
Details

IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-05T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification.",
  "id": "GHSA-5q69-34vj-qhx4",
  "modified": "2024-09-05T18:30:56Z",
  "published": "2024-09-05T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45097"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7167255"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WWG-Q432-32VV

Vulnerability from github – Published: 2026-03-04 09:31 – Updated: 2026-03-05 18:31
VLAI
Details

SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27444"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-04T09:15:56Z",
    "severity": "HIGH"
  },
  "details": "SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the email headers, causing an interpretation conflict with other mail infrastructure that allows an attacker to fake the source of the email or decrypt it.",
  "id": "GHSA-5wwg-q432-32vv",
  "modified": "2026-03-05T18:31:36Z",
  "published": "2026-03-04T09:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27444"
    },
    {
      "type": "WEB",
      "url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5XCX-R88V-8V7G

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-02T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon.",
  "id": "GHSA-5xcx-r88v-8v7g",
  "modified": "2022-05-13T01:53:07Z",
  "published": "2022-05-13T01:53:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6560"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flatpak/flatpak/releases/tag/0.10.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flatpak/flatpak/releases/tag/0.8.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-105: HTTP Request Splitting

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.

CAPEC-273: HTTP Response Smuggling

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.

CAPEC-34: HTTP Response Splitting

An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.

See CanPrecede relationships for possible consequences.