Common Weakness Enumeration

CWE-436

Allowed-with-Review

Interpretation Conflict

Abstraction: Class · Status: Incomplete

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

199 vulnerabilities reference this CWE, most recent first.

GHSA-8V6J-9RV8-9MRH

Vulnerability from github – Published: 2023-07-06 21:15 – Updated: 2024-04-04 05:48
VLAI
Details

In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-01T17:15:10Z",
    "severity": "HIGH"
  },
  "details": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can trigger an HTTP response splitting vulnerability with the \u2018rest\u2019 SPL command that lets them potentially access other REST endpoints in the system arbitrarily.",
  "id": "GHSA-8v6j-9rv8-9mrh",
  "modified": "2024-04-04T05:48:02Z",
  "published": "2023-07-06T21:15:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32708"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2023-0603"
    },
    {
      "type": "WEB",
      "url": "https://research.splunk.com/application/e615a0e1-a1b2-4196-9865-8aa646e1708c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-959Q-H8QC-6QR3

Vulnerability from github – Published: 2023-02-27 18:32 – Updated: 2023-03-07 21:30
VLAI
Details

There is a misinterpretation of input vulnerability in BiSheng-WNM FW 3.0.0.325. Successful exploitation of this vulnerability may cause the printer service to be abnormal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-27T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is a misinterpretation of input vulnerability in BiSheng-WNM FW 3.0.0.325. Successful exploitation of this vulnerability may cause the printer service to be abnormal.",
  "id": "GHSA-959q-h8qc-6qr3",
  "modified": "2023-03-07T21:30:18Z",
  "published": "2023-02-27T18:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48261"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-5deb7c23-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97XX-95PM-5QV6

Vulnerability from github – Published: 2024-03-27 09:30 – Updated: 2024-07-30 03:30
VLAI
Details

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-27T08:15:41Z",
    "severity": "LOW"
  },
  "details": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled.      curl --proto -all,-http http://curl.se  The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.",
  "id": "GHSA-97xx-95pm-5qv6",
  "modified": "2024-07-30T03:30:50Z",
  "published": "2024-03-27T09:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2004"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2384833"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2024-2004.html"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2024-2004.json"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240524-0006"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214118"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214119"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214120"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/18"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/19"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/20"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/27/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9856-9GG9-QCMQ

Vulnerability from github – Published: 2021-08-30 16:15 – Updated: 2025-01-30 14:37
VLAI
Summary
Ethereum Contains Consensus Flaw During Block Processing
Details

Impact

A vulnerability in the Geth EVM could cause a node to reject the canonical chain.

Description

A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different stateRoot when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.

All Geth versions supporting the London hard fork are vulnerable (which predates London), so all users should update.

This bug was exploited on Mainnet at block 13107518, leading to a minority chain split.

Patches

A patch is included in the v1.10.8 release. The exact patch to fix the issue is contained within this commit

Workarounds

No workarounds exist, save to update and/or apply the patch commit.

References.

Post-mortem write-up.

Credits

The bug was found by @guidovranken (working for Sentnl during an audit of the Telos EVM) and reported via bounty@ethereum.org.

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ethereum/go-ethereum"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-26T15:08:22Z",
    "nvd_published_at": "2021-08-24T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA vulnerability in the Geth EVM could cause a node to reject the canonical chain. \n\n### Description \n\nA memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different `stateRoot` when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.\n\nAll Geth versions supporting the London hard fork are vulnerable (which predates London), so all users should update.\n\nThis bug was exploited on Mainnet at block 13107518, leading to a minority chain split. \n\n### Patches\n\nA patch is included in the `v1.10.8` release.\nThe exact patch to fix the issue is contained within this [commit](https://github.com/ethereum/go-ethereum/pull/23381/commits/4d4879cafd1b3c906fc184a8c4a357137465128f)\n\n### Workarounds\n\nNo workarounds exist, save to update and/or apply the patch commit. \n\n### References. \n\nPost-mortem [write-up](https://github.com/ethereum/go-ethereum/blob/master/docs/postmortems/2021-08-22-split-postmortem.md).\n\n### Credits\n\nThe bug was found by @guidovranken (working for [Sentnl](https://sentnl.io/) during an audit of the [Telos EVM](https://www.telos.net/evm)) and reported via bounty@ethereum.org.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum/)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)\n",
  "id": "GHSA-9856-9gg9-qcmq",
  "modified": "2025-01-30T14:37:30Z",
  "published": "2021-08-30T16:15:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-9856-9gg9-qcmq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39137"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethereum/go-ethereum/pull/23381/commits/4d4879cafd1b3c906fc184a8c4a357137465128f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethereum/go-ethereum"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethereum/go-ethereum/releases/tag/v1.10.8"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0254"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ethereum Contains Consensus Flaw During Block Processing"
}

GHSA-99F9-GV72-FW9R

Vulnerability from github – Published: 2024-02-01 20:53 – Updated: 2024-02-01 20:53
VLAI
Summary
Bref Doesn't Support Multiple Value Headers in ApiGatewayFormatV2
Details

Impacted Resources

bref/src/Event/Http/HttpResponse.php:61-90

Description

When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers.

Precisely, if PHP generates a response with two headers having the same key but different values only the latest one is kept.

Impact

If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security.

For example, if an application sets multiple Content-Security-Policy headers, then Bref would just reflect the latest one.

PoC

  1. Create a new Bref project.
  2. Create an index.php file with the following content:
<?php
header("Content-Security-Policy: script-src 'none'", false);
header("Content-Security-Policy: img-src 'self'", false);
?>
<script>alert(document.domain)</script>
<img src="https://bref.sh/favicon-32x32.png">
  1. Use the following serverless.yml to deploy the Lambda:
service: app

provider:
    name: aws
    region: eu-central-1

plugins:
    - ./vendor/bref/bref

functions:
    api:
        handler: index.php
        description: ''
        runtime: php-81-fpm
        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
        events:
            -   httpApi: '*'

# Exclude files from deployment
package:
    patterns:
        - '!node_modules/**'
        - '!tests/**'
  1. Browse the Lambda URL.
  2. Notice that the JavaScript code is executed as the Content-Security-Policy: script-src 'none' header has been removed.
  3. Notice that the external image has not been loaded as the Content-Security-Policy: img-src 'self' header has been kept.
  4. Start a PHP server inside the project directory (e.g. php -S 127.0.0.1:8090).
  5. Browse the index.php script through the PHP server (e.g. http://127.0.0.1:8090/index.php).
  6. Notice that the JavaScript code is not executed as the Content-Security-Policy: script-src 'none' header has been kept.
  7. Notice that the external image has not been loaded as the Content-Security-Policy: img-src 'self' header has been kept.

Suggested Remediation

Concatenate all the multiple value headers' values with a comma (,) as separator and return a single header with all the values to the API Gateway.

References

  • https://www.rfc-editor.org/rfc/rfc9110.html#section-5.2
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "bref/bref"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-01T20:53:08Z",
    "nvd_published_at": "2024-02-01T16:17:14Z",
    "severity": "MODERATE"
  },
  "details": "## Impacted Resources\n\nbref/src/Event/Http/HttpResponse.php:61-90\n\n## Description\n\nWhen Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers.\n\nPrecisely, if PHP generates a response with two headers having the same key but different values only the latest one is kept.\n\n## Impact\n\nIf an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security.\n\nFor example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one.\n\n## PoC\n\n1. Create a new Bref project.\n2. Create an `index.php` file with the following content:\n```php\n\u003c?php\nheader(\"Content-Security-Policy: script-src \u0027none\u0027\", false);\nheader(\"Content-Security-Policy: img-src \u0027self\u0027\", false);\n?\u003e\n\u003cscript\u003ealert(document.domain)\u003c/script\u003e\n\u003cimg src=\"https://bref.sh/favicon-32x32.png\"\u003e\n```\n3. Use the following `serverless.yml` to deploy the Lambda:\n```yaml\nservice: app\n\nprovider:\n    name: aws\n    region: eu-central-1\n\nplugins:\n    - ./vendor/bref/bref\n\nfunctions:\n    api:\n        handler: index.php\n        description: \u0027\u0027\n        runtime: php-81-fpm\n        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)\n        events:\n            -   httpApi: \u0027*\u0027\n\n# Exclude files from deployment\npackage:\n    patterns:\n        - \u0027!node_modules/**\u0027\n        - \u0027!tests/**\u0027\n```\n4. Browse the Lambda URL.\n5. Notice that the JavaScript code is executed as the `Content-Security-Policy: script-src \u0027none\u0027` header has been removed.\n6. Notice that the external image has not been loaded as the `Content-Security-Policy: img-src \u0027self\u0027` header has been kept.\n7. Start a PHP server inside the project directory (e.g. `php -S 127.0.0.1:8090`).\n8. Browse the `index.php` script through the PHP server (e.g. http://127.0.0.1:8090/index.php).\n9. Notice that the JavaScript code is not executed as the `Content-Security-Policy: script-src \u0027none\u0027` header has been kept.\n10. Notice that the external image has not been loaded as the `Content-Security-Policy: img-src \u0027self\u0027` header has been kept.\n\n## Suggested Remediation\n\nConcatenate all the multiple value headers\u0027 values with a comma (`,`) as separator and return a single header with all the values to the API Gateway.\n\n## References\n\n- https://www.rfc-editor.org/rfc/rfc9110.html#section-5.2",
  "id": "GHSA-99f9-gv72-fw9r",
  "modified": "2024-02-01T20:53:08Z",
  "published": "2024-02-01T20:53:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24753"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/brefphp/bref"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/HttpResponse.php#L61-L90"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bref Doesn\u0027t Support Multiple Value Headers in ApiGatewayFormatV2"
}

GHSA-9C7V-CW9Q-4FPC

Vulnerability from github – Published: 2026-02-10 06:30 – Updated: 2026-02-10 06:30
VLAI
Details

Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If processed by the application, this content enables injection of untrusted entries into generated configuration, allowing manipulation of application-controlled settings. Successful exploitation leads to a low impact on integrity, while confidentiality and availability remain unaffected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T04:16:03Z",
    "severity": "LOW"
  },
  "details": "Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If processed by the application, this content enables injection of untrusted entries into generated configuration, allowing manipulation of application-controlled settings. Successful exploitation leads to a low impact on integrity, while confidentiality and availability remain unaffected.",
  "id": "GHSA-9c7v-cw9q-4fpc",
  "modified": "2026-02-10T06:30:38Z",
  "published": "2026-02-10T06:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23686"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3673213"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F9P-CP3C-72JF

Vulnerability from github – Published: 2024-01-24 20:20 – Updated: 2024-01-24 21:32
VLAI
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in trillium-http and trillium-client
Details

Summary

Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers.

Details

Outbound trillium_http::HeaderValue and trillium_http::HeaderName can be constructed infallibly and were not checked for illegal bytes when sending requests from the client or responses from the server. Thus, if an attacker has sufficient control over header values (or names) in a request or response that they could inject \r\n sequences, they could get the client and server out of sync, and then pivot to gain control over other parts of requests or responses. (i.e. exfiltrating data from other requests, SSRF, etc.)

Patches

trillium-http >= 0.3.12:

  • If a header name is invalid in server response headers, the specific header and any associated values are omitted from network transmission.
  • If a header value is invalid in server response headers, the individual header value is omitted from network transmission. Other headers values with the same header name will still be sent.

trillium-client >= 0.5.4:

  • If any header name or header value is invalid in the client request headers, awaiting the client Conn returns an Error::MalformedHeader prior to any network access.

Workarounds

trillium services and client applications should sanitize or validate untrusted input that is included in header values and header names. Carriage return, newline, and null characters are not allowed.

Impact

This only affects use cases where attackers have control of outbound headers, and can insert "\r\n" sequences. Specifically, if untrusted and unvalidated input is inserted into header names or values.

A note on timing from @jbr on behalf of trillium-rs

@divergentdave filed this vulnerability many months ago but I did not see it until the evening of Jan 23, 2024. Patches were issued less than 24h after reading the vulnerability. The security policy has been updated to avoid delays like this in the future.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "trillium-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "trillium-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-24T20:20:38Z",
    "nvd_published_at": "2024-01-24T20:15:53Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nInsufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers.\n\n### Details\nOutbound `trillium_http::HeaderValue` and `trillium_http::HeaderName` can be constructed infallibly and were not checked for illegal bytes when sending requests from the client or responses from the server. Thus, if an attacker has sufficient control over header values (or names) in a request or response that they could inject `\\r\\n` sequences, they could get the client and server out of sync, and then pivot to gain control over other parts of requests or responses. (i.e. exfiltrating data from other requests, SSRF, etc.)\n\n### Patches\n\n#### trillium-http \u003e= 0.3.12:\n* If a header name is invalid in server response headers, the specific header and any associated values are omitted from network transmission.\n* If a header value is invalid in server response headers, the individual header value is omitted from network transmission. Other headers values with the same header name will still be sent.\n\n#### trillium-client \u003e= 0.5.4:\n* If any header name or header value is invalid in the client request headers, awaiting the client Conn returns an `Error::MalformedHeader` prior to any network access.\n\n### Workarounds\n\ntrillium services and client applications should sanitize or validate untrusted input that is included in header values and header names. Carriage return, newline, and null characters are not allowed.\n\n### Impact\n\nThis only affects use cases where attackers have control of outbound headers, and can insert \"\\r\\n\" sequences. Specifically, if untrusted and unvalidated input is inserted into header names or values.\n\n### A note on timing from @jbr on behalf of `trillium-rs`\n\n@divergentdave filed this vulnerability many months ago but I did not see it until the evening of Jan 23, 2024. Patches were issued less than 24h after reading the vulnerability. The [security policy](https://github.com/trillium-rs/trillium/blob/main/SECURITY.md) has been [updated](https://github.com/trillium-rs/trillium/commit/b27950ceae52aa7a0f482494fe67b6069234d417) to avoid delays like this in the future.",
  "id": "GHSA-9f9p-cp3c-72jf",
  "modified": "2024-01-24T21:32:24Z",
  "published": "2024-01-24T20:20:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trillium-rs/trillium/security/advisories/GHSA-9f9p-cp3c-72jf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23644"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trillium-rs/trillium/commit/16a42b3f8378a3fa4e61ece3e3e37e6a530df51d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trillium-rs/trillium/commit/8d468f85e27b8d0943d6f43ce9f8c7397141a999"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trillium-rs/trillium"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0008.html"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0009.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) in trillium-http and trillium-client"
}

GHSA-9FX3-39VW-Q4X9

Vulnerability from github – Published: 2026-02-11 12:30 – Updated: 2026-02-11 12:30
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T12:16:03Z",
    "severity": "HIGH"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an unauthenticated user to cause denial of service through memory or CPU exhaustion by bypassing JSON validation middleware limits.",
  "id": "GHSA-9fx3-39vw-q4x9",
  "modified": "2026-02-11T12:30:22Z",
  "published": "2026-02-11T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0958"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3463363"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/586202"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9JXR-MWPP-W643

Vulnerability from github – Published: 2023-04-21 20:27 – Updated: 2023-04-21 20:27
VLAI
Summary
Improper header validation in httpsoft/http-message
Details

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.0.12.

Workarounds

There are no known workarounds.

References

  • https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "httpsoft/http-message"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-21T20:27:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nImproper header parsing. An attacker could sneak in a newline (`\\n`) into both the header names and values. While the specification states that `\\r\\n\\r\\n` is used to terminate the header list, many servers in the wild will also accept `\\n\\n`.\n\n### Patches\n\nThe issue is patched in 1.0.12.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n* https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4",
  "id": "GHSA-9jxr-mwpp-w643",
  "modified": "2023-04-21T20:27:12Z",
  "published": "2023-04-21T20:27:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/httpsoft/http-message/security/advisories/GHSA-9jxr-mwpp-w643"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29197"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/httpsoft/http-message"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper header validation in httpsoft/http-message"
}

GHSA-9Q2P-VC84-2RWM

Vulnerability from github – Published: 2026-03-09 19:54 – Updated: 2026-03-09 19:54
VLAI
Summary
OpenClaw: system.run allow-always persistence included shell-commented payload tails
Details

OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries.

A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted # before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command.

Latest published npm version: 2026.3.2

Fixed on main on March 7, 2026 in 939b18475d734ed75173f59507e3ebbdfe1992b7 by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted # literals continue to work.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.3.2
  • Patched version: >= 2026.3.7

Fix Commit(s)

  • 939b18475d734ed75173f59507e3ebbdfe1992b7

Release Process Note

npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.

Thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T19:54:46Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "OpenClaw\u0027s `system.run` allowlist analysis did not honor POSIX shell comment semantics when deriving `allow-always` persistence entries.\n\nA caller in `security=allowlist` mode who received an `allow-always` decision could submit a shell command whose tail was commented out at runtime, for example by using an unquoted `#` before a chained payload. The runtime shell would execute only the pre-comment portion, but allowlist persistence could still analyze and store the non-executed tail as a trusted follow-up command.\n\nLatest published npm version: `2026.3.2`\n\nFixed on `main` on March 7, 2026 in `939b18475d734ed75173f59507e3ebbdfe1992b7` by teaching shell tokenization and chain/pipeline analysis to stop at unquoted shell comments, so allow-always persistence now tracks only commands that the shell can actually execute. Normal real chained commands and quoted `#` literals continue to work.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.2`\n- Patched version: `\u003e= 2026.3.7`\n\n## Fix Commit(s)\n\n- `939b18475d734ed75173f59507e3ebbdfe1992b7`\n\n## Release Process Note\n\nnpm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.\n\nThanks @tdjackey for reporting.",
  "id": "GHSA-9q2p-vc84-2rwm",
  "modified": "2026-03-09T19:54:46Z",
  "published": "2026-03-09T19:54:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9q2p-vc84-2rwm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/939b18475d734ed75173f59507e3ebbdfe1992b7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw: system.run allow-always persistence included shell-commented payload tails"
}

No mitigation information available for this CWE.

CAPEC-105: HTTP Request Splitting

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.

CAPEC-273: HTTP Response Smuggling

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.

CAPEC-34: HTTP Response Splitting

An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.

See CanPrecede relationships for possible consequences.