Common Weakness Enumeration

CWE-117

Allowed

Improper Output Neutralization for Logs

Abstraction: Base · Status: Draft

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

193 vulnerabilities reference this CWE, most recent first.

GHSA-C63Q-7GVC-8XQ3

Vulnerability from github – Published: 2026-04-17 09:31 – Updated: 2026-04-17 09:31
VLAI
Details

A flaw was found in the AAP MCP server. An unauthenticated remote attacker can exploit a log injection vulnerability by sending specially crafted input to the toolsetroute parameter. This parameter is not properly sanitized before being written to logs, allowing the attacker to inject control characters such as newlines and ANSI escape sequences. This enables the attacker to obscure legitimate log entries and insert forged ones, which could facilitate social engineering attacks, potentially leading to an operator executing dangerous commands or visiting malicious URLs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-17T09:16:05Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the AAP MCP server. An unauthenticated remote attacker can exploit a log injection vulnerability by sending specially crafted input to the `toolsetroute` parameter. This parameter is not properly sanitized before being written to logs, allowing the attacker to inject control characters such as newlines and ANSI escape sequences. This enables the attacker to obscure legitimate log entries and insert forged ones, which could facilitate social engineering attacks, potentially leading to an operator executing dangerous commands or visiting malicious URLs.",
  "id": "GHSA-c63q-7gvc-8xq3",
  "modified": "2026-04-17T09:31:20Z",
  "published": "2026-04-17T09:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6494"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-6494"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459131"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CC2J-MF6C-HCH7

Vulnerability from github – Published: 2023-08-30 18:30 – Updated: 2024-02-16 18:31
VLAI
Details

In Splunk IT Service Intelligence (ITSI) versions below 4.13.3 or 4.15.3, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed.

The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-30T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "In Splunk IT Service Intelligence (ITSI) versions below 4.13.3 or 4.15.3, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed. \n\nThe vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine.",
  "id": "GHSA-cc2j-mf6c-hch7",
  "modified": "2024-02-16T18:31:04Z",
  "published": "2023-08-30T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4571"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2023-0810"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CH8J-Q2RQ-5C87

Vulnerability from github – Published: 2023-01-03 00:30 – Updated: 2023-01-09 21:30
VLAI
Details

A vulnerability classified as problematic has been found in OpenDNS OpenResolve. This affects an unknown part of the file resolverapi/endpoints.py. The manipulation leads to improper output neutralization for logs. The name of the patch is 9eba6ba5abd89d0e36a008921eb307fcef8c5311. It is recommended to apply a patch to fix this issue. The identifier VDB-217197 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-10011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-02T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability classified as problematic has been found in OpenDNS OpenResolve. This affects an unknown part of the file resolverapi/endpoints.py. The manipulation leads to improper output neutralization for logs. The name of the patch is 9eba6ba5abd89d0e36a008921eb307fcef8c5311. It is recommended to apply a patch to fix this issue. The identifier VDB-217197 was assigned to this vulnerability.",
  "id": "GHSA-ch8j-q2rq-5c87",
  "modified": "2023-01-09T21:30:22Z",
  "published": "2023-01-03T00:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opendns/OpenResolve/commit/9eba6ba5abd89d0e36a008921eb307fcef8c5311"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217197"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217197"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CX25-XG7C-XFM5

Vulnerability from github – Published: 2025-07-30 18:31 – Updated: 2025-11-14 22:46
VLAI
Summary
Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability
Details

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.

This issue affects Apache Struts Extras: before 2.

When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated). 

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts-extras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "struts:struts"
      },
      "versions": [
        "1.2.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-30T20:02:07Z",
    "nvd_published_at": "2025-07-30T16:15:28Z",
    "severity": "MODERATE"
  },
  "details": "** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.\n\nThis issue affects Apache Struts Extras: before 2.\n\nWhen using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).\u00a0\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-cx25-xg7c-xfm5",
  "modified": "2025-11-14T22:46:51Z",
  "published": "2025-07-30T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54656"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/struts"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/so5cn07j2zn9vlf1xnfqp630wts719rr"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/30/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability"
}

GHSA-F39F-G3GV-88JQ

Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2022-11-18 21:30
VLAI
Details

A vulnerability was found in Simple History Plugin. It has been rated as critical. This issue affects some unknown processing of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-213785 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-117",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-16T08:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability was found in Simple History Plugin. It has been rated as critical. This issue affects some unknown processing of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to improper output neutralization for logs. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-213785 was assigned to this vulnerability.",
  "id": "GHSA-f39f-g3gv-88jq",
  "modified": "2022-11-18T21:30:17Z",
  "published": "2022-11-16T12:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4011"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/142cPciqIhNbfKhhxIwbrYFTegLvnwin_/view"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1AJXip8UG_ADbxtokPzAb61-lEg-xLebZ/view"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.213785"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8XJ-XXR8-6Q36

Vulnerability from github – Published: 2023-12-13 09:30 – Updated: 2023-12-13 09:30
VLAI
Details

An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-13T07:15:24Z",
    "severity": "MODERATE"
  },
  "details": "An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application.",
  "id": "GHSA-f8xj-xxr8-6q36",
  "modified": "2023-12-13T09:30:32Z",
  "published": "2023-12-13T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46713"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-23-256"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G27F-9QJV-22PM

Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31
VLAI
Summary
OpenClaw log poisoning (indirect prompt injection) via WebSocket headers
Details

Summary

In openclaw versions prior to 2026.2.13, OpenClaw logged certain WebSocket request headers (including Origin and User-Agent) without neutralization or length limits on the "closed before connect" path.

If an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning).

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.12
  • Fixed: >= 2026.2.13

Details

  • Component: src/gateway/server/ws-connection.ts
  • Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context.

Impact

This issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited.

Fix

Header values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting). - Fix commits: d637a263505448bf4505b85535babbfaacedbaac, e84318e4bcdc948d92e57fda1eb763a65e1774f0 (PR #15592)

Workarounds

  • Upgrade to openclaw@2026.2.13 or later.
  • Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs).
  • Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable.

Thanks @pkerkhofs for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:31:39Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nIn `openclaw` versions prior to `2026.2.13`, OpenClaw logged certain WebSocket request headers (including `Origin` and `User-Agent`) without neutralization or length limits on the \"closed before connect\" path.\n\nIf an unauthenticated client can reach the gateway and send crafted header values, those values may be written into core logs. Under workflows where logs are later read or interpreted by an LLM (for example via AI-assisted debugging), this can increase the risk of indirect prompt injection (log poisoning).\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.12`\n- Fixed: `\u003e= 2026.2.13`\n\n### Details\n- Component: `src/gateway/server/ws-connection.ts`\n- Trigger: WebSocket connection closes before completing the connect/handshake; header values are included in the log message and structured context.\n\n### Impact\nThis issue is primarily an indirect prompt injection risk and depends on downstream log consumption behavior. If you do not feed logs into an LLM or other automation, impact is limited.\n\n### Fix\nHeader values written to gateway logs are now sanitized and truncated (including removal of control/format characters and length limiting).\n- Fix commits: `d637a263505448bf4505b85535babbfaacedbaac`, `e84318e4bcdc948d92e57fda1eb763a65e1774f0` (PR #15592)\n\n### Workarounds\n- Upgrade to `openclaw@2026.2.13` or later.\n- Treat logs as untrusted input when using AI-assisted debugging (sanitize/escape, and do not auto-execute instructions derived from logs).\n- Restrict gateway network exposure; apply reverse-proxy limits on header size where applicable.\n\nThanks @pkerkhofs for reporting.",
  "id": "GHSA-g27f-9qjv-22pm",
  "modified": "2026-02-17T21:31:39Z",
  "published": "2026-02-17T21:31:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/pull/15592"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/d637a263505448bf4505b85535babbfaacedbaac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw log poisoning (indirect prompt injection) via WebSocket headers"
}

GHSA-G5PG-73FC-HJWQ

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 21:02
VLAI
Summary
LiteLLM Reveals Portion of API Key via a Logging File
Details

In berriai/litellm before version 1.44.12, the litellm/litellm_core_utils/litellm_logging.py file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API key in the logs, exposing a significant amount of the secret key. The issue affects version v1.44.9.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litellm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.44.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-9606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T21:02:06Z",
    "nvd_published_at": "2025-03-20T10:15:49Z",
    "severity": "HIGH"
  },
  "details": "In berriai/litellm before version 1.44.12, the `litellm/litellm_core_utils/litellm_logging.py` file contains a vulnerability where the API key masking code only masks the first 5 characters of the key. This results in the leakage of almost the entire API key in the logs, exposing a significant amount of the secret key. The issue affects version v1.44.9.",
  "id": "GHSA-g5pg-73fc-hjwq",
  "modified": "2025-03-20T21:02:06Z",
  "published": "2025-03-20T12:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9606"
    },
    {
      "type": "WEB",
      "url": "https://github.com/berriai/litellm/commit/9094071c4782183e84f10630e2450be3db55509a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BerriAI/litellm"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/4a03796f-a8d4-4293-84ef-d3959456223a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LiteLLM Reveals Portion of API Key via a Logging File"
}

GHSA-G69V-XR79-FX7W

Vulnerability from github – Published: 2025-04-18 21:31 – Updated: 2025-04-18 21:31
VLAI
Details

In Nessus versions prior to 10.8.4, a non-authenticated attacker could alter Nessus logging entries by manipulating http requests to the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-18T20:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In Nessus versions prior to 10.8.4, a non-authenticated attacker could alter Nessus logging entries by manipulating http requests to the application.",
  "id": "GHSA-g69v-xr79-fx7w",
  "modified": "2025-04-18T21:31:21Z",
  "published": "2025-04-18T21:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36625"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2025-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6HP-QHWQ-P766

Vulnerability from github – Published: 2025-10-07 15:30 – Updated: 2025-10-08 15:32
VLAI
Details

CubeAPM nightly-2025-08-01-1 allow unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk log data without requiring authentication or input validation, allowing remote attackers to perform unauthorized log injection. Exploitation may lead to false log entries, log poisoning, alert obfuscation, and potential performance degradation of the observability pipeline. The issue is present in the core CubeAPM platform and is not limited to specific deployment configurations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-07T14:15:38Z",
    "severity": "HIGH"
  },
  "details": "CubeAPM nightly-2025-08-01-1 allow unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk log data without requiring authentication or input validation, allowing remote attackers to perform unauthorized log injection. Exploitation may lead to false log entries, log poisoning, alert obfuscation, and potential performance degradation of the observability pipeline. The issue is present in the core CubeAPM platform and is not limited to specific deployment configurations.",
  "id": "GHSA-g6hp-qhwq-p766",
  "modified": "2025-10-08T15:32:26Z",
  "published": "2025-10-07T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/prassan10/CubeAPM/blob/main/CVE-2025-57564%3A%20Unauthenticated%20Log%20Injection%20in%20CubeAPM"
    },
    {
      "type": "WEB",
      "url": "https://github.com/prassan10/CubeAPM/blob/main/Unauthenticated-Log_Injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Implementation

Strategy: Output Encoding

Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CAPEC-268: Audit Log Manipulation

The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-93: Log Injection-Tampering-Forging

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.