Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities by servicestack
CVE-2025-6445 (GCVE-0-2025-6445)
Vulnerability from cvelistv5 – Published: 2025-06-25 17:42 – Updated: 2025-06-25 18:02
VLAI
Title
ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability
Summary
ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the implementation of the FindType method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25837.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://docs.servicestack.net/releases/v8_06#repo… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ServiceStack | ServiceStack |
Affected:
8.4.0
|
Date Public
2025-06-23 14:02
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6445",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T18:02:15.331567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T18:02:27.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ServiceStack",
"vendor": "ServiceStack",
"versions": [
{
"status": "affected",
"version": "8.4.0"
}
]
}
],
"dateAssigned": "2025-06-20T17:17:21.657Z",
"datePublic": "2025-06-23T14:02:12.844Z",
"descriptions": [
{
"lang": "en",
"value": "ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the implementation of the FindType method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25837."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T17:42:05.996Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-416",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-416/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://docs.servicestack.net/releases/v8_06#reported-vulnerabilities"
}
],
"source": {
"lang": "en",
"value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
},
"title": "ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-6445",
"datePublished": "2025-06-25T17:42:05.996Z",
"dateReserved": "2025-06-20T17:17:21.594Z",
"dateUpdated": "2025-06-25T18:02:27.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6444 (GCVE-0-2025-6444)
Vulnerability from cvelistv5 – Published: 2025-06-25 17:41 – Updated: 2025-06-25 18:09
VLAI
Title
ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability
Summary
ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability. This vulnerability allows remote attackers to relay NTLM credentials on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the implementation of the GetErrorResponse method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to relay NTLM credentials in the context of the current user. Was ZDI-CAN-25834.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ServiceStack | ServiceStack |
Affected:
8.4.0
|
Date Public
2025-06-23 14:02
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T18:09:41.688322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T18:09:55.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ServiceStack",
"vendor": "ServiceStack",
"versions": [
{
"status": "affected",
"version": "8.4.0"
}
]
}
],
"dateAssigned": "2025-06-20T17:16:49.959Z",
"datePublic": "2025-06-23T14:02:07.908Z",
"descriptions": [
{
"lang": "en",
"value": "ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability. This vulnerability allows remote attackers to relay NTLM credentials on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the implementation of the GetErrorResponse method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to relay NTLM credentials in the context of the current user. Was ZDI-CAN-25834."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T17:41:36.933Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-415",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-415/"
}
],
"source": {
"lang": "en",
"value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
},
"title": "ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-6444",
"datePublished": "2025-06-25T17:41:36.933Z",
"dateReserved": "2025-06-20T17:16:49.894Z",
"dateUpdated": "2025-06-25T18:09:55.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28042 (GCVE-0-2020-28042)
Vulnerability from cvelistv5 – Published: 2020-11-01 04:50 – Updated: 2024-08-04 16:33
VLAI
Summary
ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://forums.servicestack.net/t/servicestack-v5… | x_refsource_MISC |
| https://github.com/ServiceStack/ServiceStack/comm… | x_refsource_MISC |
| https://www.shielder.it/blog/2020/11/re-discoveri… | x_refsource_MISC |
| https://www.shielder.it/advisories/servicestack-j… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:33:56.869Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-04T16:43:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-28042",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850",
"refsource": "MISC",
"url": "https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850"
},
{
"name": "https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee",
"refsource": "MISC",
"url": "https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee"
},
{
"name": "https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/",
"refsource": "MISC",
"url": "https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/"
},
{
"name": "https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/",
"refsource": "MISC",
"url": "https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-28042",
"datePublished": "2020-11-01T04:50:48.000Z",
"dateReserved": "2020-11-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:33:56.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1010199 (GCVE-0-2019-1010199)
Vulnerability from cvelistv5 – Published: 2019-07-23 17:17 – Updated: 2024-08-05 03:07
VLAI
Summary
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side validation and If Browser encoding is bypassed, the victim is affected when opening a crafted URL. The fixed version is: 5.2.0.
Severity
No CVSS data available.
CWE
- Cross Site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ServiceStack/ServiceStack/comm… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ServiceStack | ServiceStack Framework |
Affected:
4.5.14 [fixed: 5.2.0]
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:07:18.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ServiceStack/ServiceStack/commit/a0e0d7de20f5d1712f1793f925496def4383c610"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ServiceStack Framework",
"vendor": "ServiceStack",
"versions": [
{
"status": "affected",
"version": "4.5.14 [fixed: 5.2.0]"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side validation and If Browser encoding is bypassed, the victim is affected when opening a crafted URL. The fixed version is: 5.2.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-23T17:17:14.000Z",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ServiceStack/ServiceStack/commit/a0e0d7de20f5d1712f1793f925496def4383c610"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1010199",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ServiceStack Framework",
"version": {
"version_data": [
{
"version_value": "4.5.14 [fixed: 5.2.0]"
}
]
}
}
]
},
"vendor_name": "ServiceStack"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side validation and If Browser encoding is bypassed, the victim is affected when opening a crafted URL. The fixed version is: 5.2.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ServiceStack/ServiceStack/commit/a0e0d7de20f5d1712f1793f925496def4383c610",
"refsource": "MISC",
"url": "https://github.com/ServiceStack/ServiceStack/commit/a0e0d7de20f5d1712f1793f925496def4383c610"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1010199",
"datePublished": "2019-07-23T17:17:14.000Z",
"dateReserved": "2019-03-20T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:07:18.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6445 (GCVE-0-2025-6445)
Vulnerability from nvd – Published: 2025-06-25 17:42 – Updated: 2025-06-25 18:02
VLAI
Title
ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability
Summary
ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the implementation of the FindType method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25837.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://docs.servicestack.net/releases/v8_06#repo… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ServiceStack | ServiceStack |
Affected:
8.4.0
|
Date Public
2025-06-23 14:02
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6445",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T18:02:15.331567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T18:02:27.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ServiceStack",
"vendor": "ServiceStack",
"versions": [
{
"status": "affected",
"version": "8.4.0"
}
]
}
],
"dateAssigned": "2025-06-20T17:17:21.657Z",
"datePublic": "2025-06-23T14:02:12.844Z",
"descriptions": [
{
"lang": "en",
"value": "ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the implementation of the FindType method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25837."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T17:42:05.996Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-416",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-416/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://docs.servicestack.net/releases/v8_06#reported-vulnerabilities"
}
],
"source": {
"lang": "en",
"value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
},
"title": "ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-6445",
"datePublished": "2025-06-25T17:42:05.996Z",
"dateReserved": "2025-06-20T17:17:21.594Z",
"dateUpdated": "2025-06-25T18:02:27.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6444 (GCVE-0-2025-6444)
Vulnerability from nvd – Published: 2025-06-25 17:41 – Updated: 2025-06-25 18:09
VLAI
Title
ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability
Summary
ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability. This vulnerability allows remote attackers to relay NTLM credentials on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the implementation of the GetErrorResponse method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to relay NTLM credentials in the context of the current user. Was ZDI-CAN-25834.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ServiceStack | ServiceStack |
Affected:
8.4.0
|
Date Public
2025-06-23 14:02
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T18:09:41.688322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T18:09:55.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ServiceStack",
"vendor": "ServiceStack",
"versions": [
{
"status": "affected",
"version": "8.4.0"
}
]
}
],
"dateAssigned": "2025-06-20T17:16:49.959Z",
"datePublic": "2025-06-23T14:02:07.908Z",
"descriptions": [
{
"lang": "en",
"value": "ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability. This vulnerability allows remote attackers to relay NTLM credentials on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the implementation of the GetErrorResponse method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to relay NTLM credentials in the context of the current user. Was ZDI-CAN-25834."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T17:41:36.933Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-415",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-415/"
}
],
"source": {
"lang": "en",
"value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"
},
"title": "ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-6444",
"datePublished": "2025-06-25T17:41:36.933Z",
"dateReserved": "2025-06-20T17:16:49.894Z",
"dateUpdated": "2025-06-25T18:09:55.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28042 (GCVE-0-2020-28042)
Vulnerability from nvd – Published: 2020-11-01 04:50 – Updated: 2024-08-04 16:33
VLAI
Summary
ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://forums.servicestack.net/t/servicestack-v5… | x_refsource_MISC |
| https://github.com/ServiceStack/ServiceStack/comm… | x_refsource_MISC |
| https://www.shielder.it/blog/2020/11/re-discoveri… | x_refsource_MISC |
| https://www.shielder.it/advisories/servicestack-j… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:33:56.869Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-04T16:43:03.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-28042",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850",
"refsource": "MISC",
"url": "https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850"
},
{
"name": "https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee",
"refsource": "MISC",
"url": "https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee"
},
{
"name": "https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/",
"refsource": "MISC",
"url": "https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack/"
},
{
"name": "https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/",
"refsource": "MISC",
"url": "https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass/"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-28042",
"datePublished": "2020-11-01T04:50:48.000Z",
"dateReserved": "2020-11-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T16:33:56.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1010199 (GCVE-0-2019-1010199)
Vulnerability from nvd – Published: 2019-07-23 17:17 – Updated: 2024-08-05 03:07
VLAI
Summary
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side validation and If Browser encoding is bypassed, the victim is affected when opening a crafted URL. The fixed version is: 5.2.0.
Severity
No CVSS data available.
CWE
- Cross Site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ServiceStack/ServiceStack/comm… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ServiceStack | ServiceStack Framework |
Affected:
4.5.14 [fixed: 5.2.0]
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:07:18.472Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ServiceStack/ServiceStack/commit/a0e0d7de20f5d1712f1793f925496def4383c610"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ServiceStack Framework",
"vendor": "ServiceStack",
"versions": [
{
"status": "affected",
"version": "4.5.14 [fixed: 5.2.0]"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side validation and If Browser encoding is bypassed, the victim is affected when opening a crafted URL. The fixed version is: 5.2.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-23T17:17:14.000Z",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ServiceStack/ServiceStack/commit/a0e0d7de20f5d1712f1793f925496def4383c610"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1010199",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ServiceStack Framework",
"version": {
"version_data": [
{
"version_value": "4.5.14 [fixed: 5.2.0]"
}
]
}
}
]
},
"vendor_name": "ServiceStack"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side validation and If Browser encoding is bypassed, the victim is affected when opening a crafted URL. The fixed version is: 5.2.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/ServiceStack/ServiceStack/commit/a0e0d7de20f5d1712f1793f925496def4383c610",
"refsource": "MISC",
"url": "https://github.com/ServiceStack/ServiceStack/commit/a0e0d7de20f5d1712f1793f925496def4383c610"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1010199",
"datePublished": "2019-07-23T17:17:14.000Z",
"dateReserved": "2019-03-20T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:07:18.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}