Common Weakness Enumeration

CWE-475

Allowed

Undefined Behavior for Input to API

Abstraction: Base · Status: Incomplete

The behavior of this function is undefined unless its control parameter is set to a specific value.

30 vulnerabilities reference this CWE, most recent first.

GHSA-HQXW-F8MX-CPMW

Vulnerability from github – Published: 2023-05-11 20:37 – Updated: 2023-05-11 20:37
VLAI
Summary
distribution catalog API endpoint can lead to OOM via malicious user input
Details

Impact

Systems that run distribution built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious /v2/_catalog API endpoint request.

Patches

Upgrade to at least 2.8.2-beta.1 if you are running v2.8.x release. If you use the code from the main branch, update at least to the commit after f55a6552b006a381d9167e328808565dd2bf77dc.

Workarounds

There is no way to work around this issue without patching. Restrict access to the affected API endpoint: see the recommendations section.

References

/v2/_catalog endpoint accepts a parameter to control the maximum amount of records returned (query string: n).

When not given the default n=100 is used. The server trusts that n has an acceptable value, however when using a maliciously large value, it allocates an array/slice of n of strings before filling the slice with data.

This behaviour was introduced ~7yrs ago [1].

Recommendation

The /v2/_catalog endpoint was designed specifically to do registry syncs with search or other API systems. Such an endpoint would create a lot of load on the backend system, due to overfetch required to serve a request in certain implementations.

Because of this, we strongly recommend keeping this API endpoint behind heightened privilege and avoiding leaving it exposed to the internet.

For more information

If you have any questions or comments about this advisory: * Open an issue in distribution repository * Email us at cncf-distribution-security@lists.cncf.io

[1] faulty commit

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/docker/distribution"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.2-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-2253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-475",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-11T20:37:54Z",
    "nvd_published_at": "2023-06-06T20:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nSystems that run `distribution` built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious `/v2/_catalog` API endpoint request. \n\n### Patches\n\nUpgrade to at least 2.8.2-beta.1 if you are running `v2.8.x` release. If you use the code from the main branch, update at least to the commit after [f55a6552b006a381d9167e328808565dd2bf77dc](https://github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dc).\n\n### Workarounds\n\nThere is no way to work around this issue without patching. Restrict access to the affected API endpoint: see the recommendations section.\n\n### References\n\n`/v2/_catalog` endpoint accepts a parameter to control the maximum amount of records returned (query string: `n`).\n\nWhen not given the default `n=100` is used.  The server trusts that `n` has an acceptable value, however when using a \nmaliciously large value, it allocates an array/slice of `n` of strings before filling the slice with data.\n\nThis behaviour was introduced ~7yrs ago [1].\n\n### Recommendation\n\nThe `/v2/_catalog` endpoint was designed specifically to do registry syncs with search or other API systems. Such an endpoint would create a lot of load on the backend system, due to overfetch required to serve a request in certain implementations.\n\nBecause of this, we strongly recommend keeping this API endpoint behind heightened privilege and avoiding leaving it exposed to the internet.\n\n###  For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [distribution repository](https://github.com/distribution/distribution)\n* Email us at [cncf-distribution-security@lists.cncf.io](mailto:cncf-distribution-security@lists.cncf.io)\n\n[1] [faulty commit](https://github.com/distribution/distribution/blob/b7e26bac741c76cb792f8e14c41a2163b5dae8df/registry/handlers/catalog.go#L45)",
  "id": "GHSA-hqxw-f8mx-cpmw",
  "modified": "2023-05-11T20:37:54Z",
  "published": "2023-05-11T20:37:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/distribution/distribution/security/advisories/GHSA-hqxw-f8mx-cpmw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dc"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2189886"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/distribution/distribution"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00035.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "distribution catalog API endpoint can lead to OOM via malicious user input"
}

GHSA-J6RJ-W66M-7R3C

Vulnerability from github – Published: 2025-06-17 18:31 – Updated: 2025-06-17 18:31
VLAI
Details

A Local File Inclusion vulnerability in a Trend Micro Apex Central widget below version 8.0.6955 could allow an attacker to gain remote code execution on affected installations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-475"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-17T18:15:26Z",
    "severity": "HIGH"
  },
  "details": "A Local File Inclusion vulnerability in a Trend Micro Apex Central widget below version 8.0.6955 could allow an attacker to gain remote code execution on affected installations.",
  "id": "GHSA-j6rj-w66m-7r3c",
  "modified": "2025-06-17T18:31:37Z",
  "published": "2025-06-17T18:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47865"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/en-US/solution/KA-0019355"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-295"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2G8-2VHM-M4CX

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Python rarfile module, which supports symlinks, can be exploited to perform arbitrary file writes. This can lead to remote code execution by writing to sensitive files such as SSH keys, crontab files, or the application's own code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-475",
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:28Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Python rarfile module, which supports symlinks, can be exploited to perform arbitrary file writes. This can lead to remote code execution by writing to sensitive files such as SSH keys, crontab files, or the application\u0027s own code.",
  "id": "GHSA-m2g8-2vhm-m4cx",
  "modified": "2025-03-20T12:32:43Z",
  "published": "2025-03-20T12:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12390"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/1add2b26-460d-4aa5-8fda-ab045d153177"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2RV-2GGP-66M7

Vulnerability from github – Published: 2024-04-18 21:30 – Updated: 2024-04-18 21:30
VLAI
Details

A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-475"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-18T20:15:17Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\nThe vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.",
  "id": "GHSA-m2rv-2ggp-66m7",
  "modified": "2024-04-18T21:30:31Z",
  "published": "2024-04-18T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20380"
    },
    {
      "type": "WEB",
      "url": "https://blog.clamav.net/2024/04/clamav-131-123-106-patch-versions.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQ6J-35MG-9RJ6

Vulnerability from github – Published: 2024-04-08 03:30 – Updated: 2024-08-26 21:30
VLAI
Details

In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-391",
      "CWE-475"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-08T03:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed",
  "id": "GHSA-mq6j-35mg-9rj6",
  "modified": "2024-08-26T21:30:32Z",
  "published": "2024-04-08T03:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52533"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1777148475750809602"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQ5V-RWP8-P7GM

Vulnerability from github – Published: 2025-12-02 00:27 – Updated: 2025-12-02 00:27
VLAI
Summary
rtvm-interpreter lacks sufficient checks in public API
Details

The affected function is unsound due to insufficient checks on public struct field.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rtvm-interpreter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-475"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:27:10Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "The affected function is unsound due to insufficient checks on public struct field.",
  "id": "GHSA-pq5v-rwp8-p7gm",
  "modified": "2025-12-02T00:27:10Z",
  "published": "2025-12-02T00:27:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0131.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": " rtvm-interpreter lacks sufficient checks in public API"
}

GHSA-Q4R9-2GMR-G75G

Vulnerability from github – Published: 2024-05-22 12:32 – Updated: 2024-05-22 12:32
VLAI
Details

A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to bypass user creation limits and potentially evade payment requirements. The issue arises from an undefined behavior when handling input to the API, specifically through a POST request to the /v1/users endpoint. By crafting a request with a new user's email and assigning them an 'admin' role, attackers can invite additional users beyond the set limit. This vulnerability could be exploited to add an unlimited number of users without adhering to the intended restrictions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-475"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to bypass user creation limits and potentially evade payment requirements. The issue arises from an undefined behavior when handling input to the API, specifically through a POST request to the /v1/users endpoint. By crafting a request with a new user\u0027s email and assigning them an \u0027admin\u0027 role, attackers can invite additional users beyond the set limit. This vulnerability could be exploited to add an unlimited number of users without adhering to the intended restrictions.",
  "id": "GHSA-q4r9-2gmr-g75g",
  "modified": "2024-05-22T12:32:26Z",
  "published": "2024-05-22T12:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4153"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/336db0ae-fe33-44b9-ba9d-bf117e0d90c4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9V3-53XG-6F9P

Vulnerability from github – Published: 2023-09-09 15:30 – Updated: 2024-04-04 07:34
VLAI
Details

Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-475",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-09T15:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Null pointer dereference when viewing a specially crafted email in Mutt \u003e1.5.2 \u003c2.2.12",
  "id": "GHSA-q9v3-53xg-6f9p",
  "modified": "2024-04-04T07:34:33Z",
  "published": "2023-09-09T15:30:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4874"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555.patch"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0.patch"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5494"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/09/26/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V8R4-HC5W-5WW3

Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-06 00:00
VLAI
Details

Undefined Behavior for Input to API in GitHub repository vim/vim prior to 9.0.0100.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-475",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-01T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Undefined Behavior for Input to API in GitHub repository vim/vim prior to 9.0.0100.",
  "id": "GHSA-v8r4-hc5w-5ww3",
  "modified": "2022-08-06T00:00:53Z",
  "published": "2022-08-02T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/commit/4e677b9c40ccbc5f090971b31dc2fe07bf05541d"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/2f08363a-47a2-422d-a7de-ce96a89ad08e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V8V4-4V92-48H2

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2024-01-23 18:31
VLAI
Details

Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-475"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-23T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.",
  "id": "GHSA-v8v4-4v92-48h2",
  "modified": "2024-01-23T18:31:08Z",
  "published": "2022-05-24T17:34:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7925"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-49142"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.