57 vulnerabilities

CVE-2025-13353 (GCVE-0-2025-13353)

Vulnerability from cvelistv5 – Published: 2025-12-02 11:03 – Updated: 2025-12-02 16:54
Summary
In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed.

This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets.

Impact
This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes:
  • keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), where in vulnerable versions only 28 bytes was used
  • a malicious entity could have recovered all passwords, generated from a particular seed, having only the seed file in possession without the knowledge of the seed master password

Patches
The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will be used now.

System secret rotation guidance
It is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into respective systems in place of the old secret. A specific rotation procedure is system-dependent, but most common patterns are described below.

Systems that do not require the old password/secret for rotation
Such systems usually have a "Forgot password" facility or a similar facility allowing users to rotate their password/secrets by sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this facility and input the newly generated password secret, when prompted by the system.

Systems that require the old password/secret for rotation
Such systems usually have a modal password rotation window usually in the user settings section requiring the user to input the old and the new password sometimes with a confirmation. To generate/recover the old password in such cases users are advised to:
  • temporarily download gokey version 0.1.3 (https://github.com/cloudflare/gokey/releases/tag/v0.1.3) for their respective operating system to recover the old password
  • use gokey version 0.2.0 or above to generate the new password
  • populate the system provided password rotation form

Systems that allow multiple credentials for the same account to be provisioned
Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to:
  • generate a new secret/key/credential using gokey version 0.2.0 or above
  • provision the new secret/key/credential in addition to the existing credential on the system
  • verify that the access or required system operation is still possible with the new secret/key/credential
  • revoke authorization for the existing/old credential from the system

Credit
This vulnerability was found by Théo Cusnir (@mister_mime, https://hackerone.com/mister_mime) and responsibly disclosed through Cloudflare's bug bounty program.
CWE
  • CWE-330 - Use of Insufficiently Random Values
Assigner
Impacted products
Vendor Product Version
Cloudflare gokey Affected: 0.1.0 , < 0.2.0 (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13353",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T16:50:27.674442Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T16:54:23.544Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "github.com/cloudflare/gokey",
          "product": "gokey",
          "repo": "https://github.com/cloudflare/gokey",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "0.2.0",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In gokey versions \u003c0.2.0,\n a flaw in the seed decryption logic resulted in passwords incorrectly \nbeing derived solely from the initial vector and the AES-GCM \nauthentication tag of the key seed.\n\n\nThis issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets.\n\n\nImpact\nThis vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s\n option) are not impacted. The confidentiality of the seed itself is \nalso not impacted (it is not required to regenerate the seed itself). \nSpecific impact includes:\n\n\n\n  *  keys/secrets generated from a seed file may have lower entropy: it \nwas expected that the whole seed would be used to generate keys (240 \nbytes of entropy input), where in vulnerable versions only 28 bytes was \nused\n\n  *  a malicious entity could have recovered all passwords, generated \nfrom a particular seed, having only the seed file in possession without \nthe knowledge of the seed master password\n\n\n\n\nPatches\nThe code logic bug has been fixed in gokey version 0.2.0\n and above. Due to the deterministic nature of gokey, fixed versions \nwill produce different passwords/secrets using seed files, as all seed \nentropy will be used now.\n\n\nSystem secret rotation guidance\nIt is advised for users to regenerate passwords/secrets using the patched version of gokey (0.2.0\n and above), and provision/rotate these secrets into respective systems \nin place of the old secret. A specific rotation procedure is \nsystem-dependent, but most common patterns are described below.\n\n\nSystems that do not require the old password/secret for rotation\nSuch systems usually have a \"Forgot password\" facility or a\n similar facility allowing users to rotate their password/secrets by \nsending a unique \"magic\" link to the user\u0027s email or phone. In such \ncases users are advised to use this facility and input the newly \ngenerated password secret, when prompted by the system.\n\n\nSystems that require the old password/secret for rotation\nSuch systems usually have a modal password rotation window\n usually in the user settings section requiring the user to input the \nold and the new password sometimes with a confirmation. To \ngenerate/recover the old password in such cases users are advised to:\n\n\n\n  *  temporarily download  gokey version 0.1.3 https://github.com/cloudflare/gokey/releases/tag/v0.1.3  for their respective operating system to recover the old password\n\n  *  use gokey version 0.2.0 or above to generate the new password\n\n  *  populate the system provided password rotation form\n\n\n\n\nSystems that allow multiple credentials for the same account to be provisioned\nSuch systems usually require a secret or a cryptographic \nkey as a credential for access, but allow several credentials at the \nsame time. One example is SSH: a particular user may have several \nauthorized public keys configured on the SSH server for access. For such\n systems users are advised to:\n\n\n\n  *  generate a new secret/key/credential using gokey version 0.2.0 or above\n\n  *  provision the new secret/key/credential in addition to the existing credential on the system\n\n  *  verify that the access or required system operation is still possible with the new secret/key/credential\n\n  *  revoke authorization for the existing/old credential from the system\n\n\n\n\nCredit\nThis vulnerability was found by Th\u00e9o Cusnir ( @mister_mime https://hackerone.com/mister_mime ) and responsibly disclosed through Cloudflare\u0027s bug bounty program."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330 Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-02T11:03:21.832Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/gokey/security/advisories/GHSA-69jw-4jj8-fcxm"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "gokey allows secret recovery from a seed file without the master password",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-13353",
    "datePublished": "2025-12-02T11:03:21.832Z",
    "dateReserved": "2025-11-18T11:21:27.669Z",
    "dateUpdated": "2025-12-02T16:54:23.544Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-7054 (GCVE-0-2025-7054)

Vulnerability from cvelistv5 – Published: 2025-08-07 15:19 – Updated: 2025-08-07 15:52
Summary
Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames.

QUIC connections possess a set of connection identifiers (IDs); see Section 5.1 of RFC 9000 (https://datatracker.ietf.org/doc/html/rfc9000#section-5.1). Once the QUIC handshake completes, a local endpoint is responsible for issuing and retiring Connection IDs that are used by the remote peer to populate the Destination Connection ID field in packets sent from remote to local. Each Connection ID has a sequence number to ensure synchronization between peers.

An unauthenticated remote attacker can exploit this vulnerability by first completing a handshake and then sending a specially-crafted set of frames that trigger a connection ID retirement in the victim. When the victim attempts to send a packet containing RETIRE_CONNECTION_ID frames, Section 19.16 of RFC 9000 (https://datatracker.ietf.org/doc/html/rfc9000#section-19.6) requires that the sequence number of the retired connection ID must not be the same as the sequence number of the connection ID used by the packet. In other words, a packet cannot contain a frame that retires itself. In scenarios such as path migration, it is possible for there to be multiple active paths with different active connection IDs that could be used to retire each other. The exploit triggered an unintentional behaviour of a quiche design feature that supports retirement across paths while maintaining full connection ID synchronization, leading to an infinite loop.

This issue affects quiche: from 0.15.0 before 0.24.5.
CWE
  • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
Impacted products
Vendor Product Version
Cloudflare quiche Affected: 0.15.0 , < 0.24.5 (semver)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-7054",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-07T15:52:05.471684Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-07T15:52:20.008Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "quiche",
          "repo": "https://github.com/cloudflare/quiche",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "0.24.5",
              "status": "affected",
              "version": "0.15.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames.\n\nQUIC connections possess a set of connection identifiers (IDs); see  Section 5.1 of RFC 9000 https://datatracker.ietf.org/doc/html/rfc9000#section-5.1 . Once the QUIC handshake completes, a local endpoint is responsible for issuing and retiring Connection IDs that are used by the remote peer to populate the Destination Connection ID field in packets sent from remote to local. Each Connection ID has a sequence number to ensure synchronization between peers.\n\nAn unauthenticated remote attacker can exploit this vulnerability by first completing a handshake and then sending a specially-crafted set of frames that trigger a connection ID retirement in the victim. When the victim attempts to send a packet containing RETIRE_CONNECTION_ID frames,  Section 19.16 of RFC 9000 https://datatracker.ietf.org/doc/html/rfc9000#section-19.6  requires that the sequence number of the retired connection ID must not be the same as the sequence number of the connection ID used by the packet. In other words, a packet cannot contain a frame that retires itself. In scenarios such as path migration, it is possible for there to be multiple active paths with different active connection IDs that could be used to retire each other. The exploit triggered an unintentional behaviour of a quiche design feature that supports retirement across paths while maintaining full connection ID synchronization, leading to an infinite loop.This issue affects quiche: from 0.15.0 before 0.24.5."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-07T15:19:29.542Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-m3hh-f9gh-74c2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Infinite loop triggered by connection ID retirement",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-7054",
    "datePublished": "2025-08-07T15:19:29.542Z",
    "dateReserved": "2025-07-03T21:30:56.005Z",
    "dateUpdated": "2025-08-07T15:52:20.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4821 (GCVE-0-2025-4821)

Vulnerability from cvelistv5 – Published: 2025-06-18 15:47 – Updated: 2025-06-18 18:29
Summary
Impact
Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support.

An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state by sending ACK frames covering a large range of packet numbers (including packet numbers that had never been sent); see RFC 9000 Section 19.3. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. In extreme cases, the window might grow beyond the limit of the internal variable's type, leading to an overflow panic.

Patches
quiche 0.24.4 is the earliest version containing the fix for this issue.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
Cloudflare quiche Affected: <0.24.4

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4821",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-18T18:29:42.416230Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T18:29:54.995Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "cloudflare-quiche",
          "product": "quiche",
          "vendor": "Cloudflare",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c0.24.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Impact\n\nCloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support.\n\nAn unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim\u0027s congestion control state by sending ACK frames covering a large range of packet numbers (including packet numbers that had never been sent); see RFC 9000 Section 19.3. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. In extreme cases, the window might grow beyond the limit of the internal variable\u0027s type, leading to an overflow panic.\n\n\n\nPatches\n\n\nquiche 0.24.4 is the earliest version containing the fix for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T15:47:52.211Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-6m38-4r9r-5c4m"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Incorrect congestion window growth by invalid ACK ranges",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-4821",
    "datePublished": "2025-06-18T15:47:52.211Z",
    "dateReserved": "2025-05-16T11:52:39.111Z",
    "dateUpdated": "2025-06-18T18:29:54.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4820 (GCVE-0-2025-4820)

Vulnerability from cvelistv5 – Published: 2025-06-18 15:45 – Updated: 2025-06-18 18:27
Summary
Impact

Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support.

An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support.

Patches

quiche 0.24.4 is the earliest version containing the fix for this issue.
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
Cloudflare quiche Affected: <0.24.4

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4820",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-18T18:27:27.515226Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T18:27:38.799Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "cloudflare-quiche",
          "product": "quiche",
          "vendor": "Cloudflare",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c0.24.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003eImpact\u003c/b\u003e\u003cbr\u003e\u003cbr\u003eCloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support.\u003cbr\u003e\u003cbr\u003eAn unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim\u0027s congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support.\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cb\u003ePatches\u003c/b\u003e\u003c/div\u003e\u003cbr\u003equiche 0.24.4 is the earliest version containing the fix for this issue."
            }
          ],
          "value": "Impact\n\nCloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support.\n\nAn unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim\u0027s congestion control state by sending ACK frames exercising an opportunistic ACK attack; see RFC 9000 Section 21.4. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support.\n\n\n\nPatches\n\n\nquiche 0.24.4 is the earliest version containing the fix for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T15:45:49.994Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-2v9p-3p3h-w56j"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Incorrect congestion window growth by optimistic ACK",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-4820",
    "datePublished": "2025-06-18T15:45:49.994Z",
    "dateReserved": "2025-05-16T11:52:21.636Z",
    "dateUpdated": "2025-06-18T18:27:38.799Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-6087 (GCVE-0-2025-6087)

Vulnerability from cvelistv5 – Published: 2025-06-16 18:30 – Updated: 2025-06-16 18:55
Summary
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint.

This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next.

For example: https://victim-site.com/_next/image?url=https://attacker.com

In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.

Impact:
  • SSRF via unrestricted remote URL loading
  • Arbitrary remote content loading
  • Potential internal service exposure or phishing risks through domain abuse

Mitigation:

The following mitigations have been put in place:
  • Server side updates to Cloudflare’s platform to restrict the content loaded via the /_next/image endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next
  • Root cause fix (https://github.com/opennextjs/opennextjs-cloudflare/pull/727) to the Cloudflare adapter for Open Next. The patched version of the adapter is found here: @opennextjs/cloudflare@1.3.0 (https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0)
  • Package dependency update (https://github.com/cloudflare/workers-sdk/pull/9608) to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. The patched version of create-cloudflare is found here: create-cloudflare@2.49.3 (https://www.npmjs.com/package/create-cloudflare/v/2.49.3)

In addition to the automatic mitigation deployed on Cloudflare’s platform, we encourage affected users to upgrade to @opennext/cloudflare v1.3.0 and use the remotePatterns filter in Next config (https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns) if they need to allow-list external urls with images assets.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Impacted products
Vendor Product Version
Affected: 0 , < 1.3.0 (git)
Credits
Edward Coristine

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6087",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-16T18:55:28.409358Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T18:55:53.269Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/opennextjs",
          "defaultStatus": "unaffected",
          "packageName": "opennextjs-cloudflare",
          "repo": "https://github.com/opennextjs/opennextjs-cloudflare",
          "versions": [
            {
              "lessThan": "1.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Edward Coristine"
        }
      ],
      "datePublic": "2025-06-15T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA Server-Side Request Forgery (SSRF) vulnerability was identified in the \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e@opennextjs/cloudflare\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e/_next/image\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e endpoint.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis issue allowed attackers to load remote resources from arbitrary hosts under the victim site\u2019s domain for any site deployed using the Cloudflare adapter for Open Next.\u0026nbsp;\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eFor example:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003ci\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://victim-site.com/_next/image?url=https://attacker.com\"\u003ehttps://victim-site.com/_next/image?url=https://attacker.com\u003c/a\u003e\u003c/i\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn this example, attacker-controlled content from attacker.com is served through the victim site\u2019s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\u003c/span\u003e\u003c/p\u003e\u003cb\u003e\u003cp\u003e\u003cspan style=\"background-color: 
transparent;\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact:\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eSSRF via unrestricted remote URL loading\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eArbitrary remote content loading\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePotential internal service exposure or phishing risks through domain abuse\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cb\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eMitigation:\u003c/span\u003e\u003c/p\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe following mitigations have been put in place:\u003c/span\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eServer side updates to Cloudflare\u2019s platform to restrict the content loaded via the\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e/_next/image\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eendpoint to images. 
The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next\u003c/span\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/opennextjs/opennextjs-cloudflare/pull/727\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eRoot cause fix\u003c/span\u003e\u003c/a\u003e\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eto the Cloudflare adapter for Open Next. The patched version of the adapter is found here\u0026nbsp;\u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0\"\u003e\u003cspan style=\"background-color: transparent;\"\u003e@opennextjs/cloudflare@1.3.0\u003c/span\u003e\u003c/a\u003e\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/workers-sdk/pull/9608\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ePackage dependency update\u003c/span\u003e\u003c/a\u003e\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eto create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. 
The patched version of create-cloudflare is found here:\u0026nbsp;\u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.npmjs.com/package/create-cloudflare/v/2.49.3\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ecreate-cloudflare@2.49.3\u003c/span\u003e\u003c/a\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn addition to the automatic mitigation deployed on Cloudflare\u2019s platform, we encourage affected  users to upgrade to @opennext/cloudflare v1.3.0 and use the \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eremotePatterns \u003c/span\u003e\u003c/a\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns\"\u003e\u003cspan style=\"background-color: transparent;\"\u003efilter in Next config\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e if they need to allow-list external urls with images assets.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the /_next/image endpoint.\n\nThis issue allowed attackers to load remote resources from arbitrary hosts under the victim site\u2019s domain for any site deployed using the Cloudflare adapter for Open Next.\u00a0\n\n\n\n\nFor example:\n\n https://victim-site.com/_next/image?url=https://attacker.com \n\nIn this example, attacker-controlled content from attacker.com is served through the victim site\u2019s domain (victim-site.com), violating the same-origin policy and potentially misleading users or other services.\n\n\n\n\nImpact:\n\n  *  SSRF via unrestricted remote URL loading\n\n\n\n\n  *  Arbitrary remote content loading\n\n\n\n\n  *  Potential internal service exposure or phishing risks through domain abuse\n\n\n\n\n\n\n\nMitigation:\n\nThe following mitigations have been put in place:\n\n  *  Server side updates to Cloudflare\u2019s platform to restrict the content loaded via the\u00a0/_next/image\u00a0endpoint to images. The update automatically mitigates the issue for all existing and any future sites deployed to Cloudflare using the affected version of the Cloudflare adapter for Open Next\n\n\n\n\n  *   Root cause fix https://github.com/opennextjs/opennextjs-cloudflare/pull/727 \u00a0to the Cloudflare adapter for Open Next. The patched version of the adapter is found here\u00a0 @opennextjs/cloudflare@1.3.0 https://www.npmjs.com/package/@opennextjs/cloudflare/v/1.3.0 \n\n\n  *   Package dependency update https://github.com/cloudflare/workers-sdk/pull/9608 \u00a0to create-cloudflare (c3) to use the fixed version of the Cloudflare adapter for Open Next. 
The patched version of create-cloudflare is found here:\u00a0 create-cloudflare@2.49.3 https://www.npmjs.com/package/create-cloudflare/v/2.49.3 \n\n\n\n\nIn addition to the automatic mitigation deployed on Cloudflare\u2019s platform, we encourage affected  users to upgrade to @opennext/cloudflare v1.3.0 and use the  remotePatterns  https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns  filter in Next config https://nextjs.org/docs/pages/api-reference/components/image#remotepatterns  if they need to allow-list external urls with images assets."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-16T18:30:44.180Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/opennextjs/opennextjs-cloudflare"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SSRF vulnerability in opennextjs-cloudflare via /_next/image endpoint",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-6087",
    "datePublished": "2025-06-16T18:30:44.180Z",
    "dateReserved": "2025-06-14T02:12:00.423Z",
    "dateUpdated": "2025-06-16T18:55:53.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4366 (GCVE-0-2025-4366)

Vulnerability from cvelistv5 – Published: 2025-05-22 15:50 – Updated: 2025-06-18 13:46
Summary
A request smuggling vulnerability identified within Pingora’s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to unauthorized request execution and potential cache poisoning.

Fixed in: https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff

Impact: The issue could lead to request smuggling in cases where Pingora’s proxying framework, pingora-proxy, is used for caching allowing an attacker to manipulate headers and URLs in subsequent requests made on the same HTTP/1.1 connection.
CWE
  • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
Impacted products
Vendor Product Version
Affected: 0 , < 0.5.0 (git)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4366",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-22T18:30:25.819289Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T13:46:25.042Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/cloudflare/pingora",
          "defaultStatus": "unaffected",
          "packageName": "Pingora",
          "repo": "https://github.com/cloudflare/pingora",
          "versions": [
            {
              "lessThan": "0.5.0",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            }
          ]
        }
      ],
      "datePublic": "2025-05-22T15:11:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(244, 249, 250);\"\u003eA request smuggling vulnerability identified within Pingora\u2019s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to unauthorized request execution and potential cache poisoning.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eFixed in:\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;\u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff\u003c/span\u003e\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact: The issue could lead to request smuggling in cases where Pingora\u2019s proxying framework, pingora-proxy, is used for caching allowing an attacker to manipulate headers and URLs in subsequent requests made on the same HTTP/1.1 connection.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "A request smuggling vulnerability identified within Pingora\u2019s proxying framework, pingora-proxy, allows malicious HTTP requests to be injected via manipulated request bodies on cache HITs, leading to unauthorized request execution and potential cache poisoning.\n\nFixed in:\u00a0 https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff https://github.com/cloudflare/pingora/commit/fda3317ec822678564d641e7cf1c9b77ee3759ff \n\nImpact: The issue could lead to request smuggling in cases where Pingora\u2019s proxying framework, pingora-proxy, is used for caching allowing an attacker to manipulate headers and URLs in subsequent requests made on the same HTTP/1.1 connection."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T15:50:20.789Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/pingora"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Request Smuggling Vulnerability in Pingora",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-4366",
    "datePublished": "2025-05-22T15:50:20.789Z",
    "dateReserved": "2025-05-05T17:42:10.923Z",
    "dateUpdated": "2025-06-18T13:46:25.042Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4658 (GCVE-0-2025-4658)

Vulnerability from cvelistv5 – Published: 2025-05-13 16:33 – Updated: 2025-05-13 20:11
Summary
Versions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.
CWE
  • CWE-305 - Authentication Bypass by Primary Weakness
Assigner
Impacted products
Vendor Product Version
OPKSSH OPKSSH Affected: 0.1.0 , ≤ 0.4.0 (custom)
Credits
Ethan Heilman

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4658",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T20:09:04.295789Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-13T20:11:58.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OPKSSH",
          "repo": "https://github.com/openpubkey/opkssh",
          "vendor": "OPKSSH",
          "versions": [
            {
              "lessThanOrEqual": "0.4.0",
              "status": "affected",
              "version": "0.1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ethan Heilman"
        }
      ],
      "datePublic": "2025-05-13T16:33:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions of OpenPubkey library prior to 0.10.0  contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Versions of OpenPubkey library prior to 0.10.0  contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-305",
              "description": "CWE-305: Authentication Bypass by Primary Weakness",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T16:35:03.891Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/openpubkey/opkssh"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authentication Bypass in OPKSSH",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-4658",
    "datePublished": "2025-05-13T16:33:35.195Z",
    "dateReserved": "2025-05-13T16:07:17.466Z",
    "dateUpdated": "2025-05-13T20:11:58.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-3757 (GCVE-0-2025-3757)

Vulnerability from cvelistv5 – Published: 2025-05-13 16:33 – Updated: 2025-05-13 20:12
Summary
Versions of the OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.
CWE
  • CWE-305 - Authentication Bypass by Primary Weakness
Assigner
Impacted products
Vendor Product Version
OPKSSH OPKSSH Affected: Openpubkey , ≤ 0.9.0 (custom)
Credits
Ethan Heilman

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-3757",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T20:12:39.788784Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-13T20:12:58.087Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OPKSSH",
          "repo": "https://github.com/openpubkey/openpubkey",
          "vendor": "OPKSSH",
          "versions": [
            {
              "lessThanOrEqual": "0.9.0",
              "status": "affected",
              "version": "Openpubkey",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ethan Heilman"
        }
      ],
      "datePublic": "2025-05-13T16:33:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVersions of OpenPubkey library prior to 0.10.0  contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.\u0026nbsp;\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Versions of OpenPubkey library prior to 0.10.0  contained a vulnerability that would allow a specially crafted JWS to bypass signature verification."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/AU:Y",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-305",
              "description": "CWE-305: Authentication Bypass by Primary Weakness",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T16:34:54.991Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/openpubkey/openpubkey"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authentication Bypass in OpenPubKey",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-3757",
    "datePublished": "2025-05-13T16:33:18.074Z",
    "dateReserved": "2025-04-17T11:00:58.093Z",
    "dateUpdated": "2025-05-13T20:12:58.087Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4144 (GCVE-0-2025-4144)

Vulnerability from cvelistv5 – Published: 2025-05-01 00:50 – Updated: 2025-05-01 15:33
Summary
PKCE was implemented in the OAuth implementation in workers-oauth-provider, which is part of the MCP framework ( https://github.com/cloudflare/workers-mcp ). However, it was found that an attacker could cause the check to be skipped.

Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/27

Impact: PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.) This bug completely bypasses PKCE protection.
CWE
  • CWE-287 - Improper Authentication
Assigner
Impacted products
Vendor Product Version
Affected: 0 , < 0.0.5 (git)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4144",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-01T14:30:41.553527Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-01T15:33:23.092Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/cloudflare",
          "defaultStatus": "unaffected",
          "packageName": "workers-oauth-provider",
          "repo": "https://github.com/cloudflare/workers-oauth-provider",
          "versions": [
            {
              "lessThan": "0.0.5",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            }
          ]
        }
      ],
      "datePublic": "2025-04-30T16:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/workers-mcp\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eMCP framework\u003c/span\u003e\u003c/a\u003e. However, it\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;was found that an attacker could cause the check to be skipped.\u003c/span\u003e\u003c/p\u003e\u003cb\u003e\u003cbr\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eFixed in:\u003c/span\u003e\u003c/p\u003e\u003cp\u003e \u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/workers-oauth-provider/pull/27\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://github.com/cloudflare/workers-oauth-provider/pull/27\u003c/span\u003e\u003c/a\u003e\u003c/p\u003e\u003cb\u003e\u003cbr\u003e\u003c/b\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eImpact: \u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003ePKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.).\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eThis bug completely bypasses PKCE protection.\u003c/span\u003e\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of  MCP framework https://github.com/cloudflare/workers-mcp . However, it\u00a0was found that an attacker could cause the check to be skipped.\n\n\nFixed in:\n\n \n\n https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27 \n\n\nImpact: \n\nPKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.).\u00a0This bug completely bypasses PKCE protection."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-01T00:50:27.543Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/workers-oauth-provider/pull/27"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "PKCE bypass via downgrade attack",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-4144",
    "datePublished": "2025-05-01T00:50:27.543Z",
    "dateReserved": "2025-04-30T16:39:00.801Z",
    "dateUpdated": "2025-05-01T15:33:23.092Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4143 (GCVE-0-2025-4143)

Vulnerability from cvelistv5 – Published: 2025-05-01 00:19 – Updated: 2025-05-01 15:33
Summary
The OAuth implementation in workers-oauth-provider, which is part of the MCP framework ( https://github.com/cloudflare/workers-mcp ), did not correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration.

Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/26

Impact: Under certain circumstances (see below), if a victim had previously authorized with a server built on workers-oauth-provider, and an attacker could later trick the victim into visiting a malicious web site, then the attacker could potentially steal the victim's credentials to the same OAuth server and subsequently impersonate them.

In order for the attack to be possible, the OAuth server's authorized callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously. The authorization flow is not implemented by workers-oauth-provider; it is up to the application built on top to decide whether to implement such automatic re-authorization. However, many applications do implement such logic.

Note: It is a basic, well-known requirement that OAuth servers should verify that the redirect URI is among the allowed list for the client, both during the authorization flow and subsequently when exchanging the authorization code for an access token. workers-oauth-provider implemented only the latter check, not the former. Unfortunately, the former is the much more important check. Readers who are familiar with OAuth may recognize that failing to check redirect URIs against the allowed list is a well-known, basic mistake, covered extensively in the RFC and elsewhere. The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it's not that he didn't know what he was doing, it's that he knew what he was doing but flubbed it.
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
Impacted products
Vendor Product Version
Affected: 0 , < 0.0.5 (git)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4143",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-01T14:34:12.301406Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-01T15:33:28.911Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/cloudflare",
          "defaultStatus": "unaffected",
          "packageName": "workers-oauth-provider",
          "repo": "https://github.com/cloudflare/workers-oauth-provider",
          "versions": [
            {
              "lessThan": "0.0.5",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            }
          ]
        }
      ],
      "datePublic": "2025-04-30T16:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eThe OAuth implementation in workers-oauth-provider that is part of \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/workers-mcp\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eMCP framework\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e, did not correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cb\u003eFixed in:\u0026nbsp;\u003c/b\u003e\u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/workers-oauth-provider/pull/26\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://github.com/cloudflare/workers-oauth-provider/pull/26\u003c/span\u003e\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003cb\u003eImpact:\u003c/b\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e \u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eUnder certain circumstances (see below), if a victim had previously authorized with a server built on workers-oath-provider, and an attacker could later trick the victim into visiting a malicious web site, then attacker could potentially steal the victim\u0027s credentials to the same OAuth server and subsequently impersonate them.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eIn order for the attack to be possible, the OAuth server\u0027s authorized callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously. 
The authorization flow is not implemented by workers-oauth-provider; it is up to the application built on top to decide whether to implement such automatic re-authorization. However, many applications do implement such logic.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003ci\u003eNote: It is a basic, well-known requirement that OAuth servers should verify that the redirect URI is among the allowed list for the client, both during the authorization flow and subsequently when exchanging the authorization code for an access token. workers-oauth-provider implemented only the latter check, not the former. Unfortunately, the former is the much more important check.\u0026nbsp;\u003c/i\u003e\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u003ci\u003eReaders who are familiar with OAuth may recognize that failing to check redirect URIs against the allowed list is a well-known, basic mistake, covered extensively in the RFC and elsewhere. The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it\u0027s not that he didn\u0027t know what he was doing, it\u0027s that he knew what he was doing but flubbed it.\u003c/i\u003e\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "The OAuth implementation in workers-oauth-provider that is part of  MCP framework https://github.com/cloudflare/workers-mcp , did not correctly validate that redirect_uri was on the allowed list of redirect URIs for the given client registration.\n\nFixed in:\u00a0 https://github.com/cloudflare/workers-oauth-provider/pull/26 https://github.com/cloudflare/workers-oauth-provider/pull/26 \n\nImpact:\n\n \n\nUnder certain circumstances (see below), if a victim had previously authorized with a server built on workers-oath-provider, and an attacker could later trick the victim into visiting a malicious web site, then attacker could potentially steal the victim\u0027s credentials to the same OAuth server and subsequently impersonate them.\n\nIn order for the attack to be possible, the OAuth server\u0027s authorized callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously. The authorization flow is not implemented by workers-oauth-provider; it is up to the application built on top to decide whether to implement such automatic re-authorization. However, many applications do implement such logic.\n\nNote: It is a basic, well-known requirement that OAuth servers should verify that the redirect URI is among the allowed list for the client, both during the authorization flow and subsequently when exchanging the authorization code for an access token. workers-oauth-provider implemented only the latter check, not the former. Unfortunately, the former is the much more important check.\u00a0Readers who are familiar with OAuth may recognize that failing to check redirect URIs against the allowed list is a well-known, basic mistake, covered extensively in the RFC and elsewhere. 
The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it\u0027s not that he didn\u0027t know what he was doing, it\u0027s that he knew what he was doing but flubbed it."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-01T00:19:52.737Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/workers-oauth-provider/pull/26"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing validation of redirect_uri on authorize endpoint",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-4143",
    "datePublished": "2025-05-01T00:19:52.737Z",
    "dateReserved": "2025-04-30T16:36:33.506Z",
    "dateUpdated": "2025-05-01T15:33:28.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3978 (GCVE-0-2021-3978)

Vulnerability from cvelistv5 – Published: 2025-01-29 10:00 – Updated: 2025-02-12 16:03
Summary
When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Because the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ), this could provide a vector for a local privilege escalation when combined with another vulnerability that causes octorpki to process a malicious TAL file.
CWE
  • CWE-269 - Improper Privilege Management
Assigner
Impacted products
Vendor Product Version
Cloudflare octorpki Affected: 0 , < v1.4.2 (semver)
Credits
Ties de Kock

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-3978",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-29T14:19:06.799392Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T16:03:40.405Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/cloudflare/cfrpki/cmd/octorpki",
          "defaultStatus": "unaffected",
          "packageName": "octorpki",
          "platforms": [
            "Go"
          ],
          "product": "octorpki",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "v1.4.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ties de Kock"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\"\u003ehttps://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service\u003c/a\u003e) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
            }
          ],
          "value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-29T10:00:53.237Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85"
        }
      ],
      "source": {
        "advisory": "GHSA-3pqh-p72c-fj85",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2021-3978",
    "datePublished": "2025-01-29T10:00:53.237Z",
    "dateReserved": "2021-11-18T20:10:42.977Z",
    "dateUpdated": "2025-02-12T16:03:40.405Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0651 (GCVE-0-2025-0651)

Vulnerability from cvelistv5 – Published: 2025-01-22 17:34 – Updated: 2025-02-12 20:41
Summary
Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation. A user with low system privileges can create a set of symlinks inside the C:\ProgramData\Cloudflare\warp-diag-partials folder. After the 'Reset all settings' option is triggered, the WARP service will delete the files that the symlinks point to. Because the WARP service operates with System privileges, this might lead to deleting files owned by the System user. This issue affects WARP: before 2024.12.492.0.
CWE
  • CWE-269 - Improper Privilege Management
Impacted products
Vendor Product Version
Cloudflare WARP Affected: 0 , < 2024.12.492.0 (custom)
Credits
https://hackerone.com/sim0nsecurity?type=user

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0651",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-22T17:44:56.041413Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:41:23.901Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "WARP",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "2024.12.492.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "https://hackerone.com/sim0nsecurity?type=user"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation.\u003cbr\u003e\u003cbr\u003eUser with a low system privileges\u0026nbsp; can create a set of symlinks inside the\u0026nbsp;\u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003eC:\\ProgramData\\Cloudflare\\warp-diag-partials folder. After triggering the \u0027Reset all settings\" option the WARP service will delete the files that the symlink was pointing to. Given the WARP service operates with System privileges this might lead to deleting files owned by the System user.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects WARP: before 2024.12.492.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation.\n\nUser with a low system privileges\u00a0 can create a set of symlinks inside the\u00a0C:\\ProgramData\\Cloudflare\\warp-diag-partials folder. After triggering the \u0027Reset all settings\" option the WARP service will delete the files that the symlink was pointing to. Given the WARP service operates with System privileges this might lead to deleting files owned by the System user.\nThis issue affects WARP: before 2024.12.492.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-165",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-165 File Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "USER",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/R:U/RE:L/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-22T17:35:44.533Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://developers.cloudflare.com/warp-client/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "File symlink abuse might lead to deleting files belonging to SYSTEM user",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2025-0651",
    "datePublished": "2025-01-22T17:34:16.705Z",
    "dateReserved": "2025-01-22T15:57:16.758Z",
    "dateUpdated": "2025-02-12T20:41:23.901Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-1410 (GCVE-0-2024-1410)

Vulnerability from cvelistv5 – Published: 2024-03-12 18:06 – Updated: 2024-08-01 18:40
Summary
Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. Each QUIC connection possesses a set of connection identifiers (IDs); see RFC 9000 Section 5.1 (https://datatracker.ietf.org/doc/html/rfc9000#section-5.1). Endpoints declare the number of active connection IDs they are willing to support using the active_connection_id_limit transport parameter. The peer can create new IDs using a NEW_CONNECTION_ID frame but must stay within the active ID limit. This is done by retirement of old IDs: the endpoint sends a NEW_CONNECTION_ID frame that includes a value in the retire_prior_to field, which elicits a RETIRE_CONNECTION_ID frame as confirmation. An unauthenticated remote attacker can exploit the vulnerability by sending NEW_CONNECTION_ID frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that RETIRE_CONNECTION_ID frames can only be sent at a slower rate than they are received, leading to storage of information related to connection IDs in an unbounded queue. Quiche versions 0.19.2 and 0.20.1 are the earliest to address this problem. There is no workaround for affected versions.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Impacted products
Vendor Product Version
Cloudflare quiche Affected: 0.15.0 , < <0.19.2 (semver)
Affected: 0.20.0 , < <0.20.1 (semver)
Credits
Marten Seeman (@marten-seemann)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1410",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-13T14:23:25.900496Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:59:28.523Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:40:20.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-xhg9-xwch-vr7x"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "quiche",
          "platforms": [
            "Rust"
          ],
          "product": "quiche",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "\u003c0.19.2",
              "status": "affected",
              "version": "0.15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "\u003c0.20.1",
              "status": "affected",
              "version": "0.20.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marten Seeman (@marten-seemann)"
        }
      ],
      "datePublic": "2024-03-12T18:01:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: transparent;\"\u003eCloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eEach QUIC connection possesses a set of connection Identifiers (IDs); see \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://datatracker.ietf.org/doc/html/rfc9000#section-5.1\"\u003e\u003cspan style=\"background-color: transparent;\"\u003eRFC 9000 Section 5.1\u003c/span\u003e\u003c/a\u003e\u003cspan style=\"background-color: transparent;\"\u003e. Endpoints declare the number of active connection IDs they are willing to support using the active_connection_id_limit transport parameter. The peer can create new IDs using a NEW_CONNECTION_ID frame but must stay within the active ID limit. This is done by retirement of old IDs, the endpoint sends NEW_CONNECTION_ID includes a value in the retire_prior_to field, which elicits a RETIRE_CONNECTION_ID frame as confirmation. An unauthenticated remote attacker can exploit the vulnerability by sending NEW_CONNECTION_ID frames and manipulating the connection (e.g. by restricting the peer\u0027s congestion window size) so that RETIRE_CONNECTION_ID frames can only be sent at a slower rate than they are received, leading to storage of information related to connection IDs in an unbounded queue. \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eQuiche versions 0.19.2 and 0.20.1 are the earliest to address this problem. There is no workaround for affected versions.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. Each QUIC connection possesses a set of connection Identifiers (IDs); see  RFC 9000 Section 5.1 https://datatracker.ietf.org/doc/html/rfc9000#section-5.1 . Endpoints declare the number of active connection IDs they are willing to support using the active_connection_id_limit transport parameter. The peer can create new IDs using a NEW_CONNECTION_ID frame but must stay within the active ID limit. This is done by retirement of old IDs, the endpoint sends NEW_CONNECTION_ID includes a value in the retire_prior_to field, which elicits a RETIRE_CONNECTION_ID frame as confirmation. An unauthenticated remote attacker can exploit the vulnerability by sending NEW_CONNECTION_ID frames and manipulating the connection (e.g. by restricting the peer\u0027s congestion window size) so that RETIRE_CONNECTION_ID frames can only be sent at a slower rate than they are received, leading to storage of information related to connection IDs in an unbounded queue. Quiche versions 0.19.2 and 0.20.1 are the earliest to address this problem. There is no workaround for affected versions.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        },
        {
          "capecId": "CAPEC-272",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-272 Protocol Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-12T18:06:05.475Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-xhg9-xwch-vr7x"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded storage of information related to connection ID retirement, in quiche ",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2024-1410",
    "datePublished": "2024-03-12T18:06:05.475Z",
    "dateReserved": "2024-02-09T16:54:34.642Z",
    "dateUpdated": "2024-08-01T18:40:20.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-1765 (GCVE-0-2024-1765)

Vulnerability from cvelistv5 – Published: 2024-03-12 18:04 – Updated: 2024-08-01 18:48
Summary
Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing a rapid increase in memory usage on the system running the quiche server or client. A remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake. Exploitation was possible for the duration of the connection, which could be extended by the attacker. quiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Impacted products
Vendor Product Version
Cloudflare quiche Affected: 0.15.0 , ≤ <0.19.1 (semver)
Affected: 0.20.0 , < <0.20.1 (semver)
Credits
Marten Seeman (@marten-seemann)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1765",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-13T14:44:18.732134Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:00:25.467Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:48:22.108Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "quiche",
          "platforms": [
            "Rust"
          ],
          "product": "quiche",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThanOrEqual": "\u003c0.19.1",
              "status": "affected",
              "version": "0.15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "\u003c0.20.1",
              "status": "affected",
              "version": "0.20.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marten Seeman (@marten-seemann)"
        }
      ],
      "datePublic": "2024-03-12T18:01:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eCloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003erunning quiche server or client\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e.\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eA remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.\u003cbr\u003eExploitation was possible for the duration of the connection which could be extended by the attacker.\u0026nbsp;\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003equiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client.\nA remote attacker could take advantage of this vulnerability by repeatedly sending an unlimited number of 1-RTT CRYPTO frames after previously completing the QUIC handshake.\nExploitation was possible for the duration of the connection which could be extended by the attacker.\u00a0\nquiche 0.19.2 and 0.20.1 are the earliest versions containing the fix for this issue.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        },
        {
          "capecId": "CAPEC-272",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-272 Protocol Manipulation"
            }
          ]
        },
        {
          "capecId": "CAPEC-125",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-125 Flooding"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-12T18:04:54.915Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unlimited resource allocation by QUIC CRYPTO frames flooding in quiche",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2024-1765",
    "datePublished": "2024-03-12T18:04:54.915Z",
    "dateReserved": "2024-02-22T16:04:47.125Z",
    "dateUpdated": "2024-08-01T18:48:22.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-0212 (GCVE-0-2024-0212)

Vulnerability from cvelistv5 – Published: 2024-01-29 09:13 – Updated: 2025-06-06 17:40
Summary
The Cloudflare WordPress plugin was found to be vulnerable to improper authentication. The vulnerability enables attackers with a lower privileged account to access data from the Cloudflare API.
CWE
  • CWE-284 - Improper Access Control
Impacted products
Vendor Product Version
Cloudflare Cloudflare-WordPress Affected: 0 , ≤ 4.12.2 (patch)
Credits
lucius0101 (HackerOne Researcher)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T17:41:16.185Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/Cloudflare-WordPress/security/advisories/GHSA-h2fj-7r3m-7gf2"
          },
          {
            "tags": [
              "release-notes",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/Cloudflare-WordPress/releases/tag/v4.12.3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-0212",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-07T20:23:05.888917Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-06T17:40:11.060Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "Cloudflare-WordPress",
          "platforms": [
            "Wordpress"
          ],
          "product": "Cloudflare-WordPress",
          "repo": "https://github.com/cloudflare/Cloudflare-WordPress",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "4.12.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.12.2",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "lucius0101 (HackerOne Researcher)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Cloudflare Wordpress plugin was found to be vulnerable to improper authentication. The vulnerability enables attackers with a lower privileged account to access data from the Cloudflare API.\u003cbr\u003e"
            }
          ],
          "value": "The Cloudflare Wordpress plugin was found to be vulnerable to improper authentication. The vulnerability enables attackers with a lower privileged account to access data from the Cloudflare API.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-29T09:13:44.939Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/cloudflare/Cloudflare-WordPress/security/advisories/GHSA-h2fj-7r3m-7gf2"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/cloudflare/Cloudflare-WordPress/releases/tag/v4.12.3"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Cloudflare WordPress plugin enables information disclosure of Cloudflare API (for low privileged users)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2024-0212",
    "datePublished": "2024-01-29T09:13:44.939Z",
    "dateReserved": "2024-01-03T09:08:21.334Z",
    "dateUpdated": "2025-06-06T17:40:11.060Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6992 (GCVE-0-2023-6992)

Vulnerability from cvelistv5 – Published: 2024-01-04 11:11 – Updated: 2024-09-06 18:16
Summary
Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow. A local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software. Patches: The issue has been patched in commit 8352d10 (https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c). The upstream repository is not affected.
CWE
  • CWE-20 - Improper Input Validation
  • CWE-122 - Heap-based Buffer Overflow
  • CWE-126 - Buffer Over-read
Assigner
Impacted products
Vendor Product Version
Cloudflare zlib Affected: 0 , < 8352d10 (git)
Credits
Martin Schwarzl

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:50:07.582Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "product",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/zlib"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/zlib/security/advisories/GHSA-vww9-j87r-4cqh"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-6992",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T16:53:31.056293Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-06T18:16:58.376Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "zlib",
          "platforms": [
            "C"
          ],
          "product": "zlib",
          "repo": "https://github.com/cloudflare/zlib",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "8352d10",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Martin Schwarzl"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.\u003c/span\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePatches: The issue has been patched in commit \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c\"\u003e\u003ctt\u003e8352d10\u003c/tt\u003e\u003c/a\u003e. The upstream repository is not affected.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.\nA local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.\nPatches: The issue has been patched in commit  8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        },
        {
          "capecId": "CAPEC-17",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-17 Using Malicious Files"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-126",
              "description": "CWE-126: Buffer Over-read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-04T11:14:15.933Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/cloudflare/zlib"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/cloudflare/zlib/security/advisories/GHSA-vww9-j87r-4cqh"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Memory corruption issues is Cloudflare zlib implementation",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-6992",
    "datePublished": "2024-01-04T11:11:07.558Z",
    "dateReserved": "2023-12-20T10:48:40.396Z",
    "dateUpdated": "2024-09-06T18:16:58.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-7080 (GCVE-0-2023-7080)

Vulnerability from cvelistv5 – Published: 2023-12-29 11:58 – Updated: 2024-08-02 08:50
Summary
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker. This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare (https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7, CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.
CWE
  • CWE-269 - Improper Privilege Management
Assigner
Impacted products
Vendor Product Version
Cloudflare wrangler Affected: 0 , ≤ 3.0.0 (patch)
Affected: 0 , < 3.19.0 (patch)
Affected: 0 , ≤ 2.0.0 (patch)
Affected: 0 , < 2.20.2 (patch)
Credits
Peter Wu (Lekensteyn)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:50:07.794Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/issues/4430"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/pull/4437"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/pull/4535"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/pull/4550"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "wrangler",
          "platforms": [
            "Windows",
            "MacOS",
            "Linux"
          ],
          "product": "wrangler",
          "repo": "https://github.com/cloudflare/workers-sdk",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.19.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            },
            {
              "changes": [
                {
                  "at": "3.19.0",
                  "status": "unaffected"
                }
              ],
              "lessThan": "3.19.0",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            },
            {
              "changes": [
                {
                  "at": "2.20.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            },
            {
              "changes": [
                {
                  "at": "2.20.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2.20.2",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": " Peter Wu (Lekensteyn)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. \u003cb\u003ewrangler dev\u003c/b\u003e would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate \u003cb\u003eOrigin\u003c/b\u003e/\u003cb\u003eHost\u003c/b\u003e headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If \u003cb\u003ewrangler dev --remote\u003c/b\u003e was being used, an attacker could access production resources if they were bound to the worker.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in \u003cb\u003ewrangler@3.19.0\u003c/b\u003e and \u003cb\u003ewrangler@2.20.2\u003c/b\u003e. Whilst \u003cb\u003ewrangler dev\u003c/b\u003e\u0027s inspector server listens on local interfaces by default as of \u003cb\u003ewrangler@3.16.0\u003c/b\u003e, an \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7\"\u003eSSRF vulnerability in miniflare\u003c/a\u003e\u0026nbsp;(CVE-2023-7078) allowed access from the local network until \u003cb\u003ewrangler@3.18.0\u003c/b\u003e. \u003cb\u003ewrangler@3.19.0\u003c/b\u003e and \u003cb\u003ewrangler@2.20.2\u003c/b\u003e introduced validation for the \u003cb\u003eOrigin\u003c/b\u003e/\u003cb\u003eHost\u003c/b\u003e headers.\u003cbr\u003e"
            }
          ],
          "value": "The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.\n\nThis issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev\u0027s inspector server listens on local interfaces by default as of wrangler@3.16.0, an  SSRF vulnerability in miniflare https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7 \u00a0(CVE-2023-7078) allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-549",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-549 Local Execution of Code"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-29T12:08:25.935Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf"
        },
        {
          "url": "https://github.com/cloudflare/workers-sdk/issues/4430"
        },
        {
          "url": "https://github.com/cloudflare/workers-sdk/pull/4437"
        },
        {
          "url": "https://github.com/cloudflare/workers-sdk/pull/4535"
        },
        {
          "url": "https://github.com/cloudflare/workers-sdk/pull/4550"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Arbitrary remote code execution within wrangler dev Workers sandbox",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unfortunately, Wrangler doesn\u0027t provide any configuration for which host that inspector server should listen on. Please upgrade to at least \u003cb\u003ewrangler@3.16.0\u003c/b\u003e, and configure Wrangler to listen on local interfaces instead with \u003cb\u003ewrangler dev --ip 127.0.0.1\u003c/b\u003e to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website."
            }
          ],
          "value": "Unfortunately, Wrangler doesn\u0027t provide any configuration for which host that inspector server should listen on. Please upgrade to at least wrangler@3.16.0, and configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1 to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-7080",
    "datePublished": "2023-12-29T11:58:36.214Z",
    "dateReserved": "2023-12-22T09:59:52.954Z",
    "dateUpdated": "2024-08-02T08:50:07.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-7079 (GCVE-0-2023-7079)

Vulnerability from cvelistv5 – Published: 2023-12-29 11:54 – Updated: 2024-08-02 08:50
Summary
Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file.
CWE
  • CWE-287 - Improper Authentication
Assigner
Impacted products
Vendor Product Version
Cloudflare wrangler Affected: 0 , ≤ 3.9.0 (patch)
Affected: 0 , < 3.19.0 (patch)
Credits
Peter Wu (Lekensteyn)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:50:07.936Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-cfph-4qqh-w828"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/pull/4532"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/pull/4535"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "wrangler",
          "platforms": [
            "Windows",
            "MacOS",
            "Linux"
          ],
          "product": "wrangler",
          "repo": "https://github.com/cloudflare/workers-sdk",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.19.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            },
            {
              "changes": [
                {
                  "at": "3.19.0",
                  "status": "unaffected"
                }
              ],
              "lessThan": "3.19.0",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "  Peter Wu (Lekensteyn)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sending specially crafted HTTP requests and inspector messages to Wrangler\u0027s dev server could result in any file on the user\u0027s computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file.\u003cbr\u003e"
            }
          ],
          "value": "Sending specially crafted HTTP requests and inspector messages to Wrangler\u0027s dev server could result in any file on the user\u0027s computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-593",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-593 Session Hijacking"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-29T12:08:49.883Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-cfph-4qqh-w828"
        },
        {
          "url": "https://github.com/cloudflare/workers-sdk/pull/4532"
        },
        {
          "url": "https://github.com/cloudflare/workers-sdk/pull/4535"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Arbitrary remote file read in Wrangler dev server",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eConfigure Wrangler to listen on local interfaces instead with \u003ccode\u003e\u003cb\u003ewrangler dev --ip 127.0.0.1\u003c/b\u003e\u003c/code\u003e. This is the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf\"\u003edefault as of \u003ccode\u003ewrangler@3.16.0\u003c/code\u003e\u003c/a\u003e, and removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.\u003c/p\u003e"
            }
          ],
          "value": "Configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1. This is the  default as of wrangler@3.16.0 https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-f8mp-x433-5wpf , and removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.\n\n"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-7079",
    "datePublished": "2023-12-29T11:54:08.925Z",
    "dateReserved": "2023-12-22T09:59:49.428Z",
    "dateUpdated": "2024-08-02T08:50:07.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-7078 (GCVE-0-2023-7078)

Vulnerability from cvelistv5 – Published: 2023-12-29 11:53 – Updated: 2024-08-26 20:31
Summary
Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Impacted products
Vendor Product Version
Cloudflare miniflare Affected: 0 , ≤ <=3.20230821.0 (patch)
Affected: 0 , < 3.20231030.2 (patch)
Credits
Peter Wu (Lekensteyn)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:50:07.938Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/pull/4532"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:cloudflare:miniflare:*:*:*:*:*:node.js:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "miniflare",
            "vendor": "cloudflare",
            "versions": [
              {
                "lessThan": "3.20231030.2",
                "status": "affected",
                "version": "3.20230821.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-7078",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-26T20:29:16.545842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-26T20:31:04.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "miniflare",
          "platforms": [
            "Windows",
            "MacOS",
            "Linux"
          ],
          "product": "miniflare",
          "repo": "https://github.com/cloudflare/workers-sdk",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.20231030.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "\u003c=3.20230821.0",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            },
            {
              "changes": [
                {
                  "at": "3.20231030.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "3.20231030.2",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": " Peter Wu (Lekensteyn)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSending specially crafted HTTP requests to Miniflare\u0027s server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in \u003ccode\u003ewrangler\u003c/code\u003e\u0026nbsp;until \u003ccode\u003e3.19.0\u003c/code\u003e), an attacker on the local network could access other local servers.\u003c/p\u003e"
            }
          ],
          "value": "Sending specially crafted HTTP requests to Miniflare\u0027s server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler\u00a0until 3.19.0), an attacker on the local network could access other local servers.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-664",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-664 Server Side Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-29T12:09:03.496Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7"
        },
        {
          "url": "https://github.com/cloudflare/workers-sdk/pull/4532"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Server-Side Request Forgery (SSRF) in Miniflare",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Ensure Miniflare is configured to listen on just local interfaces. This is the default behaviour, but can also be configured with the \u003ctt\u003ehost: \"127.0.0.1\"\u003c/tt\u003e option."
            }
          ],
          "value": "Ensure Miniflare is configured to listen on just local interfaces. This is the default behaviour, but can also be configured with the host: \"127.0.0.1\" option."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-7078",
    "datePublished": "2023-12-29T11:53:06.669Z",
    "dateReserved": "2023-12-22T09:58:30.164Z",
    "dateUpdated": "2024-08-26T20:31:04.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6193 (GCVE-0-2023-6193)

Vulnerability from cvelistv5 – Published: 2023-12-12 13:32 – Updated: 2024-08-02 08:21
Summary
quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption. QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame respond by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at a slower rate than they are received, leading to storage of path validation data in an unbounded queue. Quiche versions greater than 0.19.0 address this problem.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Impacted products
Vendor Product Version
Cloudflare quiche Affected: 0.15.0 , ≤ 0.19.0 (semver)
Credits
Marten Seemann

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:21:17.737Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://datatracker.ietf.org/doc/html/rfc9000#section-8.2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "cloudflare-quiche",
          "product": "quiche",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThanOrEqual": "0.19.0",
              "status": "affected",
              "version": "0.15.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Marten Seemann "
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.\u003cbr\u003eQUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer\u0027s congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received; leading to storage of path validation data in an unbounded queue. \u003cbr\u003eQuiche versions greater than 0.19.0 address this problem."
            }
          ],
          "value": "quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.\nQUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer\u0027s congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received; leading to storage of path validation data in an unbounded queue. \nQuiche versions greater than 0.19.0 address this problem."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        },
        {
          "capecId": "CAPEC-272",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-272 Protocol Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-12T13:32:03.183Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm"
        },
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc9000#section-8.2"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded queuing of path validation messages in cloudflare-quiche",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-6193",
    "datePublished": "2023-12-12T13:32:03.183Z",
    "dateReserved": "2023-11-17T14:39:07.534Z",
    "dateUpdated": "2024-08-02T08:21:17.737Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6180 (GCVE-0-2023-6180)

Vulnerability from cvelistv5 – Published: 2023-12-05 15:02 – Updated: 2024-08-02 08:21
Summary
The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection, causing the program to consume more resources with each new connection.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-404 - Improper Resource Shutdown or Release
Impacted products
Vendor Product Version
Cloudflare tokio-boring Affected: 4.0.0 , ≤ 4.1.0 (semver)
Credits
Eric Rosenberg

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:21:17.825Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/cloudflare/boring/tree/master/tokio-boring",
          "defaultStatus": "unaffected",
          "modules": [
            "toki-boring"
          ],
          "packageName": "boring",
          "product": "tokio-boring",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThanOrEqual": "4.1.0",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Eric Rosenberg"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "The tokio-boring library in version 4.0.0 is affected by a memory leak issue that can lead to excessive resource consumption and potential DoS by resource exhaustion. The set_ex_data function used by the library did not deallocate memory used by pre-existing data in memory each time after completing a TLS connection causing the program to consume more resources with each new connection.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        },
        {
          "capecId": "CAPEC-131",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-131 Resource Leak Exposure"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "CWE-404 Improper Resource Shutdown or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-05T15:02:40.007Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/boring/security/advisories/GHSA-pjrj-h4fg-6gm4"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Resource exhaustion via memory leak in tokio-boring",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-6180",
    "datePublished": "2023-12-05T15:02:40.007Z",
    "dateReserved": "2023-11-16T19:15:23.367Z",
    "dateUpdated": "2024-08-02T08:21:17.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3747 (GCVE-0-2023-3747)

Vulnerability from cvelistv5 – Published: 2023-09-07 12:11 – Updated: 2024-09-26 14:17
Summary
Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Administrators can also create override codes to allow a device to be temporarily disconnected from WARP. However, due to a lack of server-side validation, an attacker with local access to the device could extend the maximum allowed disconnected time of the WARP client granted by an override code by changing the date & time on the local device where WARP is running.
Impacted products
Vendor Product Version
Cloudflare WARP Client Affected: 0 , < 6.29 (release)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:01:57.546Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "release-notes",
              "x_transferred"
            ],
            "url": "https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone"
          },
          {
            "tags": [
              "related",
              "x_transferred"
            ],
            "url": "https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#retrieve-the-override-code"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3747",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T14:00:41.348588Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T14:17:57.684Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Android"
          ],
          "product": "WARP Client",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.29",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.29",
              "status": "affected",
              "version": "0",
              "versionType": "release"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eZero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date \u0026amp; time on the local device where WARP is running.\u003c/p\u003e"
            }
          ],
          "value": "Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date \u0026 time on the local device where WARP is running.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-207",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-207 Removing Important Client Functionality"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-602",
              "description": "CWE-602",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-07T12:11:01.435Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#retrieve-the-override-code"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insufficient Validation on Override Codes for Always-Enabled WARP Mode",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-3747",
    "datePublished": "2023-09-07T12:11:01.435Z",
    "dateReserved": "2023-07-18T08:43:28.555Z",
    "dateUpdated": "2024-09-26T14:17:57.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-0654 (GCVE-0-2023-0654)

Vulnerability from cvelistv5 – Published: 2023-08-29 15:05 – Updated: 2024-09-30 17:46
Summary
Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim's device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker's app.
CWE
  • CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Impacted products
Vendor Product Version
Cloudflare WARP Client Affected: 0 , < 6.29 (patch)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:17:50.408Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-5r97-pqv6-xpx7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://developers.cloudflare.com/warp-client/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-0654",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-30T17:35:06.811748Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-30T17:46:56.466Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Android"
          ],
          "product": "WARP Client",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.29",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.29",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDue to a misconfiguration, the WARP Mobile Client (\u0026lt; 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim\u0027s device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker\u0027s app.\u003c/p\u003e"
            }
          ],
          "value": "Due to a misconfiguration, the WARP Mobile Client (\u003c 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim\u0027s device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker\u0027s app.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-506",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-506 Tapjacking"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1021",
              "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-29T15:05:19.623Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-5r97-pqv6-xpx7"
        },
        {
          "url": "https://developers.cloudflare.com/warp-client/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Spoofing User\u0027s Activity Loads in WARP Mobile Client (Android)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-0654",
    "datePublished": "2023-08-29T15:05:19.623Z",
    "dateReserved": "2023-02-02T17:45:39.047Z",
    "dateUpdated": "2024-09-30T17:46:56.466Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-0238 (GCVE-0-2023-0238)

Vulnerability from cvelistv5 – Published: 2023-08-29 14:56 – Updated: 2024-09-30 17:47
Summary
Due to lack of a security policy, the WARP Mobile Client (<=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim's device to exploit a peculiarity in an Android function, wherein under certain conditions, the malicious app could dictate the task behaviour of the WARP app.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Impacted products
Vendor Product Version
Cloudflare WARP Client Affected: 0 , < 6.29 (patch)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:02:44.005Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-23rx-f69w-g75c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://developers.cloudflare.com/warp-client/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-0238",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-30T17:35:13.806344Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-30T17:47:12.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Android"
          ],
          "product": "WARP Client",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.29",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.29",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Due to lack of a security policy, the WARP Mobile Client (\u0026lt;=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim\u0027s device to exploit a peculiarity in an Android function, wherein under certain conditions, the malicious app could dictate the task behaviour of the WARP app."
            }
          ],
          "value": "Due to lack of a security policy, the WARP Mobile Client (\u003c=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim\u0027s device to exploit a peculiarity in an Android function, wherein under certain conditions, the malicious app could dictate the task behaviour of the WARP app."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-117",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-117 Interception"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-29T14:56:50.791Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-23rx-f69w-g75c"
        },
        {
          "url": "https://developers.cloudflare.com/warp-client/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Injecting Activity Loads in WARP Mobile Client",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-0238",
    "datePublished": "2023-08-29T14:56:50.791Z",
    "dateReserved": "2023-01-12T11:58:45.802Z",
    "dateUpdated": "2024-09-30T17:47:12.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-4241 (GCVE-0-2023-4241)

Vulnerability from cvelistv5 – Published: 2023-08-16 10:13 – Updated: 2024-10-02 16:12
Summary
lol-html can cause panics on certain HTML inputs. Anyone processing arbitrary 3rd party HTML with the library is affected.
CWE
  • CWE-20 - Improper Input Validation
Impacted products
Vendor Product Version
Cloudflare lol-html Affected: 0 , < 1.1.1 (patch)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:24:03.613Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/lol-html/security/advisories/GHSA-c3x7-354f-4p2x"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:cloudflare:lol-html:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "lol-html",
            "vendor": "cloudflare",
            "versions": [
              {
                "lessThan": "1.1.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4241",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-02T16:11:18.728012Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-02T16:12:50.008Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "lol-html",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.1.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "lol-html can cause panics on certain HTML inputs. Anyone processing arbitrary 3rd party HTML with the library is affected.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "lol-html can cause panics on certain HTML inputs. Anyone processing arbitrary 3rd party HTML with the library is affected.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-16T10:13:12.564Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/lol-html/security/advisories/GHSA-c3x7-354f-4p2x"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "lol-html panics on certain HTML inputs",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-4241",
    "datePublished": "2023-08-16T10:13:12.564Z",
    "dateReserved": "2023-08-08T15:06:18.780Z",
    "dateUpdated": "2024-10-02T16:12:50.008Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-2754 (GCVE-0-2023-2754)

Vulnerability from cvelistv5 – Published: 2023-08-03 13:53 – Updated: 2024-10-17 14:12
Summary
The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS servers, since WARP acts as a local DNS server that performs DNS queries in a secure manner. However, if a user is connected to WARP over an IPv6-capable network, the WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network, enabling an attacker to view DNS queries made by the device.
CWE
  • CWE-319 - Cleartext Transmission of Sensitive Information
Impacted products
Vendor Product Version
Cloudflare WARP Affected: 0 , < 2023.7.160.0 (release)
Credits
vanhoefm

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:33:05.480Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "release-notes",
              "x_transferred"
            ],
            "url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-mv6g-7577-vq4w"
          },
          {
            "tags": [
              "product",
              "x_transferred"
            ],
            "url": "https://developers.cloudflare.com/warp-client/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2754",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-17T14:12:35.312663Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T14:12:44.334Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "modules": [
            "Client"
          ],
          "packageName": "WARP Client",
          "platforms": [
            "Windows"
          ],
          "product": "WARP",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "2023.7.160.0",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2023.7.160.0",
              "status": "affected",
              "version": "0",
              "versionType": "release"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe victim\u0027s device would need to be connected to a rogue Wi-Fi network, that announces support for IPv6, and assigns itself the same IPv6 address that WARP Client sets the IPv6 DNS server as.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "The victim\u0027s device would need to be connected to a rogue Wi-Fi network, that announces support for IPv6, and assigns itself the same IPv6 address that WARP Client sets the IPv6 DNS server as.\n\n"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "vanhoefm"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable network, te WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network which enables an Attacker to view DNS queries made by the device.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable network, te WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network which enables an Attacker to view DNS queries made by the device.\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-117",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-117 Interception"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-03T13:53:00.634Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-mv6g-7577-vq4w"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://developers.cloudflare.com/warp-client/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Users are encouraged to update to the latest WARP Client (Windows) version available:\u0026nbsp;2023.7.160.0"
            }
          ],
          "value": "Users are encouraged to update to the latest WARP Client (Windows) version available:\u00a02023.7.160.0"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Plaintext transmission of DNS requests in Windows 1.1.1.1 WARP client",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDisabling IPv6 support in local devices\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Disabling IPv6 support in local devices\n"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-2754",
    "datePublished": "2023-08-03T13:53:00.634Z",
    "dateReserved": "2023-05-17T07:55:45.392Z",
    "dateUpdated": "2024-10-17T14:12:44.334Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3766 (GCVE-0-2023-3766)

Vulnerability from cvelistv5 – Published: 2023-08-03 13:49 – Updated: 2024-10-09 20:33
Summary
A vulnerability was discovered in the odoh-rs Rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients and enables an attacker with knowledge of this vulnerability to craft and send specially designed encrypted queries to targeted ODOH servers running with odoh-rs. Upon successful exploitation, the server will crash abruptly, disrupting its normal operation and rendering the service temporarily unavailable.
CWE
  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Impacted products
Vendor Product Version
Cloudflare odoh-rs Affected: 0 , < 1.0.2 (patch)
Credits
00xc

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:08:49.978Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/odoh-rs/security/advisories/GHSA-gpcv-p28p-fv2p"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/odoh-rs/pull/28"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3766",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-09T20:30:46.313165Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-09T20:33:55.971Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux",
            "MacOS",
            "Windows"
          ],
          "product": "odoh-rs",
          "repo": "https://github.com/cloudflare/odoh-rs",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.0.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "00xc"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients and enables an attacker\u0026nbsp;with knowledge of this vulnerability to craft and send specially designed encrypted queries to targeted ODOH servers running with odoh-rs. Upon successful exploitation, the server will crash abruptly, disrupting its normal operation and rendering the service temporarily unavailable.\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients and enables an attacker\u00a0with knowledge of this vulnerability to craft and send specially designed encrypted queries to targeted ODOH servers running with odoh-rs. Upon successful exploitation, the server will crash abruptly, disrupting its normal operation and rendering the service temporarily unavailable.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-03T13:49:46.751Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/cloudflare/odoh-rs/security/advisories/GHSA-gpcv-p28p-fv2p"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/cloudflare/odoh-rs/pull/28"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Invalid Slice Split Results in Server Panic",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-3766",
    "datePublished": "2023-08-03T13:49:46.751Z",
    "dateReserved": "2023-07-19T09:00:02.933Z",
    "dateUpdated": "2024-10-09T20:33:55.971Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3348 (GCVE-0-2023-3348)

Vulnerability from cvelistv5 – Published: 2023-08-03 13:47 – Updated: 2024-10-09 20:34
Summary
The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Impacted products
Vendor Product Version
Cloudflare Wrangler Affected: 3 , < 3.1.1 (semver)
Affected: 2 , < 2.20.1 (semver)
Credits
robocap42 (HackerOne researcher)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:55:03.253Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp"
          },
          {
            "tags": [
              "product",
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/workers-sdk"
          },
          {
            "tags": [
              "related",
              "x_transferred"
            ],
            "url": "https://developers.cloudflare.com/workers/wrangler/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3348",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-09T20:30:56.298602Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-09T20:34:14.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Wrangler",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.1.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "3.1.1",
              "status": "affected",
              "version": "3",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "2.20.1",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2.20.1",
              "status": "affected",
              "version": "2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "robocap42 (HackerOne researcher)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003eThe Wrangler command line tool\u0026nbsp; (\u0026lt;=wrangler@3.1.0 or \u0026lt;=wrangler@2.20.1)\u0026nbsp;was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim\u0027s files present outside of the directory for the development server.\u003c/div\u003e\u003c/div\u003e"
            }
          ],
          "value": "The Wrangler command line tool\u00a0 (\u003c=wrangler@3.1.0 or \u003c=wrangler@2.20.1)\u00a0was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim\u0027s files present outside of the directory for the development server.\n\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-29T09:17:49.419Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/cloudflare/workers-sdk"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://developers.cloudflare.com/workers/wrangler/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to wrangler@3.1.1 or higher\u003cbr\u003eFor wrangler v2 upgrade to wrangler@2.20.1 or higher"
            }
          ],
          "value": "Upgrade to wrangler@3.1.1 or higher\nFor wrangler v2 upgrade to wrangler@2.20.1 or higher"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Directory traversal vulnerability in Cloudflare Wrangler",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-3348",
    "datePublished": "2023-08-03T13:47:07.296Z",
    "dateReserved": "2023-06-21T07:20:37.335Z",
    "dateUpdated": "2024-10-09T20:34:14.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1862 (GCVE-0-2023-1862)

Vulnerability from cvelistv5 – Published: 2023-06-20 08:28 – Updated: 2024-12-09 18:31
Summary
Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe binary due to an insufficient access control policy on an IPC Named Pipe. This would have enabled an attacker to trigger WARP connect and disconnect commands, as well as obtaining network diagnostics and application configuration from the target's device. It is important to note that in order to exploit this, a set of requirements would need to be met, such as the target's device must've been reachable on port 445, allowed authentication with NULL sessions or otherwise having knowledge of the target's credentials.
Impacted products
Vendor | Product | Version
Cloudflare | WARP Client | Affected: 0, < 2023.3.381.0 (patch)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:05:26.782Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://developers.cloudflare.com/warp-client/get-started/windows/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-q55r-53c8-5642"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1862",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-09T18:30:47.223049Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-09T18:31:09.155Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "WARP",
          "platforms": [
            "Windows"
          ],
          "product": "WARP Client",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "2023.3.381.0",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2023.3.381.0",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the \u003cstrong\u003ewarp-svc.exe\u003c/strong\u003e\u0026nbsp;binary due to an insufficient access control policy on an IPC Named Pipe. This would have enabled an attacker to trigger WARP connect and disconnect commands, as well as obtaining network diagnostics and application configuration from the target\u0027s device. It is important to note that in order to exploit this, a set of requirements would need to be met, such as the target\u0027s device must\u0027ve been reachable on port 445, allowed authentication with NULL sessions or otherwise having knowledge of the target\u0027s credentials.\u003c/p\u003e"
            }
          ],
          "value": "Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe\u00a0binary due to an insufficient access control policy on an IPC Named Pipe. This would have enabled an attacker to trigger WARP connect and disconnect commands, as well as obtaining network diagnostics and application configuration from the target\u0027s device. It is important to note that in order to exploit this, a set of requirements would need to be met, such as the target\u0027s device must\u0027ve been reachable on port 445, allowed authentication with NULL sessions or otherwise having knowledge of the target\u0027s credentials.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-54",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-54 Query System for Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-20T08:28:12.578Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://developers.cloudflare.com/warp-client/get-started/windows/"
        },
        {
          "url": "https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release"
        },
        {
          "url": "https://github.com/cloudflare/advisories/security/advisories/GHSA-q55r-53c8-5642"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Remote access to warp-svc.exe in Cloudflare WARP",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-1862",
    "datePublished": "2023-06-20T08:28:12.578Z",
    "dateReserved": "2023-04-05T08:09:47.664Z",
    "dateUpdated": "2024-12-09T18:31:09.155Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3040 (GCVE-0-2023-3040)

Vulnerability from cvelistv5 – Published: 2023-06-14 11:54 – Updated: 2025-01-02 19:21
Summary
A debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker to launch a DoS if the function was used to parse untrusted input data. It is important to note that because this debug function was only used in tests and demos, it was not exploitable in a normal environment.
Impacted products
Vendor | Product | Version
Cloudflare | lua-resty-json | Affected: 1, < 14 (git)
Credits
Carlos López (00xc)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:41:04.135Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/lua-resty-json/pull/14"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cloudflare/lua-resty-json/security/advisories/GHSA-h8rp-9622-83pg"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3040",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-02T19:20:25.305557Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-02T19:21:32.890Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "lua-resty-json",
          "platforms": [
            "Windows",
            "Linux",
            "MacOS",
            "x86",
            "64 bit",
            "32 bit"
          ],
          "product": "lua-resty-json",
          "vendor": "Cloudflare",
          "versions": [
            {
              "changes": [
                {
                  "at": "14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "14",
              "status": "affected",
              "version": "1",
              "versionType": "git"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Carlos L\u00f3pez (00xc)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker to launch a DoS if the function was used to parse untrusted input data\u003c/span\u003e. It is important to note that because this debug function was only used in tests and demos, it was not exploitable in a normal environment.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "A debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker to launch a DoS if the function was used to parse untrusted input data. It is important to note that because this debug function was only used in tests and demos, it was not exploitable in a normal environment.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-540",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-540 Overread Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-14T11:55:19.181Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/lua-resty-json/pull/14"
        },
        {
          "url": "https://github.com/cloudflare/lua-resty-json/security/advisories/GHSA-h8rp-9622-83pg"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Out of Bounds Access Leading to Undefined Behavior",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2023-3040",
    "datePublished": "2023-06-14T11:54:51.131Z",
    "dateReserved": "2023-06-01T15:55:07.745Z",
    "dateUpdated": "2025-01-02T19:21:32.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}