CWE-1287
AllowedImproper Validation of Specified Type of Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
259 vulnerabilities reference this CWE, most recent first.
GHSA-MG2H-6X62-WPWC
Vulnerability from github – Published: 2025-04-18 15:02 – Updated: 2025-05-29 21:04Impact
In applications that specify different validation strategies for different content types, it's possible to bypass the validation by providing a slightly altered content type such as with different casing or altered whitespacing before ;.
Users using the the following pattern are affected:
fastify.post('/', {
handler(request, reply) {
reply.code(200).send(request.body)
},
schema: {
body: {
content: {
'application/json': {
schema: {
type: 'object',
properties: {
'foo': {
type: 'string',
}
},
required: ['foo']
}
},
}
}
}
})
User using the following pattern are not affected:
fastify.post('/', {
handler(request, reply) {
reply.code(200).send(request.body)
},
schema: {
body: {
type: 'object',
properties: {
'foo': {
type: 'string',
}
},
required: ['foo']
}
}
})
Patches
This was patched in v5.3.1, but unfortunately it did not cover all problems. This has been fully patched in v5.3.2. Version v4.9.0 was also affected by this issue. This has been fully patched in v4.9.1.
Workarounds
Do not specify multiple content types in the schema.
References
Are there any links users can visit to find out more?
https://hackerone.com/reports/3087928
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.3.1"
},
"package": {
"ecosystem": "npm",
"name": "fastify"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "fastify"
},
"ranges": [
{
"events": [
{
"introduced": "4.29.0"
},
{
"fixed": "4.29.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.29.0"
]
}
],
"aliases": [
"CVE-2025-32442"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-18T15:02:41Z",
"nvd_published_at": "2025-04-18T16:15:23Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIn applications that specify different validation strategies for different content types, it\u0027s possible to bypass the validation by providing a _slightly altered_ content type such as with different casing or altered whitespacing before `;`.\n\nUsers using the the following pattern are affected:\n\n```js\nfastify.post(\u0027/\u0027, {\n handler(request, reply) {\n reply.code(200).send(request.body)\n },\n schema: {\n body: {\n content: {\n \u0027application/json\u0027: {\n schema: {\n type: \u0027object\u0027,\n properties: {\n \u0027foo\u0027: {\n type: \u0027string\u0027,\n }\n },\n required: [\u0027foo\u0027]\n }\n },\n }\n }\n }\n})\n```\n\nUser using the following pattern are **not** affected:\n\n```js\nfastify.post(\u0027/\u0027, {\n handler(request, reply) {\n reply.code(200).send(request.body)\n },\n schema: {\n body: {\n type: \u0027object\u0027,\n properties: {\n \u0027foo\u0027: {\n type: \u0027string\u0027,\n }\n },\n required: [\u0027foo\u0027]\n }\n }\n})\n```\n\n### Patches\n\nThis was patched in v5.3.1, but unfortunately it did not cover all problems. This has been fully patched in v5.3.2.\nVersion v4.9.0 was also affected by this issue. This has been fully patched in v4.9.1.\n\n### Workarounds\n\nDo not specify multiple content types in the schema.\n\n### References\n_Are there any links users can visit to find out more?_\n\nhttps://hackerone.com/reports/3087928",
"id": "GHSA-mg2h-6x62-wpwc",
"modified": "2025-05-29T21:04:54Z",
"published": "2025-04-18T15:02:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32442"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify/commit/436da4c06dfbbb8c24adee3a64de0c51e4f47418"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify/commit/f3d2bcb3963cd570a582e5d39aab01a9ae692fe4"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3087928"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass"
}
GHSA-MH24-4G35-88JP
Vulnerability from github – Published: 2025-03-04 06:30 – Updated: 2025-03-04 06:30Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of param.cgi are not affected. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
{
"affected": [],
"aliases": [
"CVE-2024-47262"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-04T06:15:29Z",
"severity": "MODERATE"
},
"details": "Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of param.cgi are not affected. \nAxis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.",
"id": "GHSA-mh24-4g35-88jp",
"modified": "2025-03-04T06:30:34Z",
"published": "2025-03-04T06:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47262"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/a3/18/6e/cve-2024-47262pdf-en-US-466884.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MP3X-9R34-2HX4
Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-02-04 18:30A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2026-20119"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T17:16:14Z",
"severity": "HIGH"
},
"details": "A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\n\nThis vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.",
"id": "GHSA-mp3x-9r34-2hx4",
"modified": "2026-02-04T18:30:42Z",
"published": "2026-02-04T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20119"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tce-roomos-dos-9V9jrC2q"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR7P-GV96-XC44
Vulnerability from github – Published: 2023-08-02 03:30 – Updated: 2024-04-04 06:29An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. An invalid 'start_sha' value on merge requests page may lead to Denial of Service as Changes tab would not load.
{
"affected": [],
"aliases": [
"CVE-2023-3900"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-02T01:15:09Z",
"severity": "HIGH"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. An invalid \u0027start_sha\u0027 value on merge requests page may lead to Denial of Service as Changes tab would not load.",
"id": "GHSA-mr7p-gv96-xc44",
"modified": "2024-04-04T06:29:23Z",
"published": "2023-08-02T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3900"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2058514"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/418770"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P628-VP33-7R3F
Vulnerability from github – Published: 2025-09-18 12:30 – Updated: 2025-09-18 12:30Improper Validation of Specified Type of Input vulnerability in ABB FLXEON.This issue affects FLXEON: through 9.3.5.
{
"affected": [],
"aliases": [
"CVE-2025-10207"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T12:15:38Z",
"severity": "HIGH"
},
"details": "Improper Validation of Specified Type of Input vulnerability in ABB FLXEON.This issue affects FLXEON: through 9.3.5.",
"id": "GHSA-p628-vp33-7r3f",
"modified": "2025-09-18T12:30:27Z",
"published": "2025-09-18T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10207"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A7121\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P745-HRR6-RG8C
Vulnerability from github – Published: 2025-05-28 00:30 – Updated: 2025-05-28 15:34Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses.
Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation.
Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.
{
"affected": [],
"aliases": [
"CVE-2025-40911"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-27T22:15:22Z",
"severity": "MODERATE"
},
"details": "Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses.\n\nLeading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation.\n\nNet::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.",
"id": "GHSA-p745-hrr6-rg8c",
"modified": "2025-05-28T15:34:29Z",
"published": "2025-05-28T00:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40911"
},
{
"type": "WEB",
"url": "https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a.patch"
},
{
"type": "WEB",
"url": "https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/RRWO/Net-CIDR-Set-0.14/changes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QC7Q-3C5C-F8MV
Vulnerability from github – Published: 2026-01-21 00:31 – Updated: 2026-06-30 03:35Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
{
"affected": [],
"aliases": [
"CVE-2026-21932"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T22:15:55Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).",
"id": "GHSA-qc7q-3c5c-f8mv",
"modified": "2026-06-30T03:35:29Z",
"published": "2026-01-21T00:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21932"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0849"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0896"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0898"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0900"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1606"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-21932"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429925"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21932.json"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QCJ2-99CG-MPPF
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 19:58Jenkins Git Parameter Plugin implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions.
Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices.
This allows attackers with Item/Build permission to inject arbitrary values into Git parameters.
Git Parameter Plugin 444.vca_b_84d3703c2 validates that the Git parameter value submitted to the build matches one of the offered choices.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.tools:git-parameter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "444.vca"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53652"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T20:47:01Z",
"nvd_published_at": "2025-07-09T16:15:24Z",
"severity": "MODERATE"
},
"details": "Jenkins Git Parameter Plugin implements a choice build parameter that lists the configured Git SCM\u2019s branches, tags, pull requests, and revisions.\n\nGit Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices.\n\nThis allows attackers with Item/Build permission to inject arbitrary values into Git parameters.\n\nGit Parameter Plugin 444.vca_b_84d3703c2 validates that the Git parameter value submitted to the build matches one of the offered choices.",
"id": "GHSA-qcj2-99cg-mppf",
"modified": "2025-11-05T19:58:56Z",
"published": "2025-07-09T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53652"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/git-parameter-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3419"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Git Parameter Plugin vulnerable to code injection due to inexhaustive parameter check"
}
GHSA-QM95-PGCG-QQFQ
Vulnerability from github – Published: 2022-10-26 12:00 – Updated: 2022-11-14 20:01Due to improper type validation in the socket.io-parser library (which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
Example:
const decoder = new Decoder();
decoder.on("decoded", (packet) => {
console.log(packet.data); // prints [ 'hello', [Function: splice] ]
})
decoder.add('51-["hello",{"_placeholder":true,"num":"splice"}]');
decoder.add(Buffer.from("world"));
This bubbles up in the socket.io package:
io.on("connection", (socket) => {
socket.on("hello", (val) => {
// here, "val" could be a function instead of a buffer
});
});
:warning: IMPORTANT NOTE :warning:
You need to make sure that the payload that you received from the client is actually a Buffer object:
io.on("connection", (socket) => {
socket.on("hello", (val) => {
if (!Buffer.isBuffer(val)) {
socket.disconnect();
return;
}
// ...
});
});
If that's already the case, then you are not impacted by this issue, and there is no way an attacker could make your server crash (or escalate privileges, ...).
Example of values that could be sent by a malicious user:
- a number that is out of bounds
Sample packet: 451-["hello",{"_placeholder":true,"num":10}]
io.on("connection", (socket) => {
socket.on("hello", (val) => {
// val is `undefined`
});
});
- a value that is not a number, like
undefined
Sample packet: 451-["hello",{"_placeholder":true,"num":undefined}]
io.on("connection", (socket) => {
socket.on("hello", (val) => {
// val is `undefined`
});
});
- a string that is part of the prototype of
Array, like "push"
Sample packet: 451-["hello",{"_placeholder":true,"num":"push"}]
io.on("connection", (socket) => {
socket.on("hello", (val) => {
// val is a reference to the "push" function
});
});
- a string that is part of the prototype of
Object, like "hasOwnProperty"
Sample packet: 451-["hello",{"_placeholder":true,"num":"hasOwnProperty"}]
io.on("connection", (socket) => {
socket.on("hello", (val) => {
// val is a reference to the "hasOwnProperty" function
});
});
This should be fixed by:
- https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050, included in
socket.io-parser@4.2.1 - https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4, included in
socket.io-parser@4.0.5 - https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14, included in
socket.io-parser@3.4.2 - https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983, included in
socket.io-parser@3.3.3
Dependency analysis for the socket.io package
socket.io version |
socket.io-parser version |
Covered? |
|---|---|---|
4.5.2...latest |
~4.2.0 (ref) |
Yes :heavy_check_mark: |
4.1.3...4.5.1 |
~4.0.4 (ref) |
Yes :heavy_check_mark: |
3.0.5...4.1.2 |
~4.0.3 (ref) |
Yes :heavy_check_mark: |
3.0.0...3.0.4 |
~4.0.1 (ref) |
Yes :heavy_check_mark: |
2.3.0...2.5.0 |
~3.4.0 (ref) |
Yes :heavy_check_mark: |
Dependency analysis for the socket.io-client package
socket.io-client version |
socket.io-parser version |
Covered? |
|---|---|---|
4.5.0...latest |
~4.2.0 (ref) |
Yes :heavy_check_mark: |
4.3.0...4.4.1 |
~4.1.1 (ref) |
No, but the impact is very limited |
3.1.0...4.2.0 |
~4.0.4 (ref) |
Yes :heavy_check_mark: |
3.0.5 |
~4.0.3 (ref) |
Yes :heavy_check_mark: |
3.0.0...3.0.4 |
~4.0.1 (ref) |
Yes :heavy_check_mark: |
2.2.0...2.5.0 |
~3.3.0 (ref) |
Yes :heavy_check_mark: |
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "socket.io-parser"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "socket.io-parser"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "socket.io-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "socket.io-parser"
},
"ranges": [
{
"events": [
{
"introduced": "3.4.0"
},
{
"fixed": "3.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2421"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-20",
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-28T20:19:04Z",
"nvd_published_at": "2022-10-26T10:15:00Z",
"severity": "CRITICAL"
},
"details": "Due to improper type validation in the `socket.io-parser` library (which is used by the `socket.io` and `socket.io-client` packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.\n\nExample:\n\n```js\nconst decoder = new Decoder();\n\ndecoder.on(\"decoded\", (packet) =\u003e {\n console.log(packet.data); // prints [ \u0027hello\u0027, [Function: splice] ]\n})\n\ndecoder.add(\u002751-[\"hello\",{\"_placeholder\":true,\"num\":\"splice\"}]\u0027);\ndecoder.add(Buffer.from(\"world\"));\n```\n\nThis bubbles up in the `socket.io` package:\n\n```js\nio.on(\"connection\", (socket) =\u003e {\n socket.on(\"hello\", (val) =\u003e {\n // here, \"val\" could be a function instead of a buffer\n });\n});\n```\n\n:warning: IMPORTANT NOTE :warning:\n\nYou need to make sure that the payload that you received from the client is actually a `Buffer` object:\n\n```js\nio.on(\"connection\", (socket) =\u003e {\n socket.on(\"hello\", (val) =\u003e {\n if (!Buffer.isBuffer(val)) {\n socket.disconnect();\n return;\n }\n // ...\n });\n});\n```\n\n**If that\u0027s already the case, then you are not impacted by this issue, and there is no way an attacker could make your server crash (or escalate privileges, ...).**\n\nExample of values that could be sent by a malicious user:\n\n- a number that is out of bounds\n\nSample packet: `451-[\"hello\",{\"_placeholder\":true,\"num\":10}]`\n\n```js\nio.on(\"connection\", (socket) =\u003e {\n socket.on(\"hello\", (val) =\u003e {\n // val is `undefined`\n });\n});\n```\n\n- a value that is not a number, like `undefined`\n\nSample packet: `451-[\"hello\",{\"_placeholder\":true,\"num\":undefined}]`\n\n```js\nio.on(\"connection\", (socket) =\u003e {\n socket.on(\"hello\", (val) =\u003e {\n // val is `undefined`\n });\n});\n```\n\n- a string that is part of the prototype of `Array`, like \"push\"\n\nSample packet: `451-[\"hello\",{\"_placeholder\":true,\"num\":\"push\"}]`\n\n```js\nio.on(\"connection\", (socket) =\u003e {\n socket.on(\"hello\", (val) =\u003e {\n // val is a reference to the \"push\" function\n });\n});\n```\n\n- a string that is part of the prototype of `Object`, like \"hasOwnProperty\"\n\nSample packet: `451-[\"hello\",{\"_placeholder\":true,\"num\":\"hasOwnProperty\"}]`\n\n```js\nio.on(\"connection\", (socket) =\u003e {\n socket.on(\"hello\", (val) =\u003e {\n // val is a reference to the \"hasOwnProperty\" function\n });\n});\n```\n\nThis should be fixed by:\n\n- https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050, included in `socket.io-parser@4.2.1`\n- https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4, included in `socket.io-parser@4.0.5`\n- https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14, included in `socket.io-parser@3.4.2`\n- https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983, included in `socket.io-parser@3.3.3`\n\n### Dependency analysis for the `socket.io` package\n\n| `socket.io` version | `socket.io-parser` version | Covered? |\n|---------------------|---------------------------------------------------------------------------------------------------------|------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | Yes :heavy_check_mark: |\n| `4.1.3...4.5.1` | `~4.0.4` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Yes :heavy_check_mark: |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Yes :heavy_check_mark: |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Yes :heavy_check_mark: |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | Yes :heavy_check_mark: |\n\n\n### Dependency analysis for the `socket.io-client` package\n\n| `socket.io-client` version | `socket.io-parser` version | Covered? |\n|----------------------------|----------------------------------------------------------------------------------------------------------------|------------------------------------|\n| `4.5.0...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io-client/commit/b862924b7f1720979e5db2f0154906b305d420e3)) | Yes :heavy_check_mark: |\n| `4.3.0...4.4.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io-client/commit/91b948b8607166fcc79f028a6428819277214188)) | No, but the impact is very limited |\n| `3.1.0...4.2.0` | `~4.0.4` ([ref](https://github.com/socketio/socket.io-client/commit/5d9b4eb42b1f5778e6f033096694acb331b132c4)) | Yes :heavy_check_mark: |\n| `3.0.5` | `~4.0.3` ([ref](https://github.com/socketio/socket.io-client/commit/cf9fc358365cc15a41260a51dc186c881bf086ca)) | Yes :heavy_check_mark: |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io-client/commit/b7e07ba633ceb9c1dc94cc894c10b9bfca536c7a)) | Yes :heavy_check_mark: |\n| `2.2.0...2.5.0` | `~3.3.0` ([ref](https://github.com/socketio/socket.io-client/commit/06e9a4ca2621176c30c352b2ba8b34fa42b8d0ba)) | Yes :heavy_check_mark: |\n",
"id": "GHSA-qm95-pgcg-qqfq",
"modified": "2022-11-14T20:01:32Z",
"published": "2022-10-26T12:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2421"
},
{
"type": "WEB",
"url": "https://github.com/socketio/socket.io-parser/commit/04d23cecafe1b859fb03e0cbf6ba3b74dff56d14"
},
{
"type": "WEB",
"url": "https://github.com/socketio/socket.io-parser/commit/b559f050ee02bd90bd853b9823f8de7fa94a80d4"
},
{
"type": "WEB",
"url": "https://github.com/socketio/socket.io-parser/commit/b5d0cb7dc56a0601a09b056beaeeb0e43b160050"
},
{
"type": "WEB",
"url": "https://github.com/socketio/socket.io-parser/commit/fb21e422fc193b34347395a33e0f625bebc09983"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/CVE-2022-2421"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2022-00045"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/cases/DIVD-2022-00045"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/cves/CVE-2022-2421"
},
{
"type": "PACKAGE",
"url": "https://github.com/socketio/socket.io-parser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insufficient validation when decoding a Socket.IO packet"
}
GHSA-QW3H-8VXV-JF6C
Vulnerability from github – Published: 2026-02-12 15:32 – Updated: 2026-06-30 03:35Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
{
"affected": [],
"aliases": [
"CVE-2026-2004"
],
"database_specific": {
"cwe_ids": [
"CWE-1287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-12T14:16:02Z",
"severity": "HIGH"
},
"details": "Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.",
"id": "GHSA-qw3h-8vxv-jf6c",
"modified": "2026-06-30T03:35:35Z",
"published": "2026-02-12T15:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2004"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19009"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4509"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4515"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4516"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4518"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4524"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4528"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4544"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4546"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4547"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4548"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4943"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8756"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-2004"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439325"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2004.json"
},
{
"type": "WEB",
"url": "https://www.postgresql.org/support/security/CVE-2026-2004"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19010"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3730"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3887"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3896"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4024"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4059"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4063"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4064"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4074"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4075"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4110"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4254"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4441"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4475"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4504"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4505"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:4506"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.