CWE-1289
AllowedImproper Validation of Unsafe Equivalence in Input
Abstraction: Base · Status: Incomplete
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
52 vulnerabilities reference this CWE, most recent first.
CVE-2024-45308 (GCVE-0-2024-45308)
Vulnerability from cvelistv5 – Published: 2024-09-02 16:40 – Updated: 2024-09-03 14:06- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
| URL | Tags |
|---|---|
| https://github.com/hedgedoc/hedgedoc/security/adv… | x_refsource_CONFIRM |
| https://github.com/hedgedoc/hedgedoc/commit/38058… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hedgedoc:hedgedoc:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "hedgedoc",
"vendor": "hedgedoc",
"versions": [
{
"lessThan": "1.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45308",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T13:50:09.519694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:06:53.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hedgedoc",
"vendor": "hedgedoc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can then not be accessed anymore and is effectively hidden by the new one. When the freeURL feature is enabled (by setting the `allowFreeURL` config option or the `CMD_ALLOW_FREEURL` environment variable to `true`), any user with the appropriate permissions can create a note with an arbitrary alias, e.g. by accessing it in the browser. When MySQL or MariaDB are used, it is possible to create a new note with an alias that matches the lower-cased ID of a different note. HedgeDoc then always presents the new note to users, as these databases perform case-insensitive matching and the lower-cased alias is found first. This issue only affects HedgeDoc instances that use MySQL or MariaDB. Depending on the permission settings of the HedgeDoc instance, the issue can be exploited only by logged-in users or by all (including non-logged-in) users. The exploit requires knowledge of the ID of the target note. Attackers could use this issue to present a manipulated copy of the original note to the user, e.g. by replacing the links with malicious ones. Attackers can also use this issue to prevent access to the original note, causing a denial of service. No data is lost, as the original content of the affected notes is still present in the database. Users are advised to upgrade to version 1.10.0 which addresses this issue. Users unable to upgrade may disable freeURL mode which prevents the exploitation of this issue. The impact can also be limited by restricting freeURL note creation to trusted, logged-in users by enabling `requireFreeURLAuthentication`/`CMD_REQUIRE_FREEURL_AUTHENTICATION`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-02T16:40:31.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pjf2-269h-cx7p"
},
{
"name": "https://github.com/hedgedoc/hedgedoc/commit/380587b7fd65bc1eb71eef51a3aab324f9877650",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hedgedoc/hedgedoc/commit/380587b7fd65bc1eb71eef51a3aab324f9877650"
}
],
"source": {
"advisory": "GHSA-pjf2-269h-cx7p",
"discovery": "UNKNOWN"
},
"title": "MySQL \u0026 free URL mode allows to hide existing notes in hedgedoc"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45308",
"datePublished": "2024-09-02T16:40:31.855Z",
"dateReserved": "2024-08-26T18:25:35.444Z",
"dateUpdated": "2024-09-03T14:06:53.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12224 (GCVE-0-2024-12224)
Vulnerability from cvelistv5 – Published: 2025-05-30 01:16 – Updated: 2025-05-30 12:46| URL | Tags |
|---|---|
| https://rustsec.org/advisories/RUSTSEC-2024-0421.html | vendor-advisory |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1887898 | issue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12224",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T12:46:53.443148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T12:46:56.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1887898"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://crates.io/crates/idna",
"defaultStatus": "unaffected",
"packageName": "idna",
"product": "rust-url",
"repo": "https://github.com/servo/rust-url/",
"vendor": "servo",
"versions": [
{
"lessThan": "1.0.0",
"status": "affected",
"version": "0",
"versionType": "rust"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In applications using \u003ccode\u003eidna\u003c/code\u003e (but not in \u003ccode\u003eidna\u003c/code\u003e \nitself) this may be able to lead to privilege escalation when host name \ncomparison is part of a privilege check and the behavior is combined \nwith a client that resolves domains with such labels instead of treating\n them as errors that preclude DNS resolution / URL fetching and with the\n attacker managing to introduce a DNS entry (and TLS certificate) for an\n \u003ccode\u003exn--\u003c/code\u003e-masked name that turns into the name of the target when processed by \u003ccode\u003eidna\u003c/code\u003e 0.5.0 or earlier.\u003cbr\u003e"
}
],
"value": "In applications using idna (but not in idna \nitself) this may be able to lead to privilege escalation when host name \ncomparison is part of a privilege check and the behavior is combined \nwith a client that resolves domains with such labels instead of treating\n them as errors that preclude DNS resolution / URL fetching and with the\n attacker managing to introduce a DNS entry (and TLS certificate) for an\n xn---masked name that turns into the name of the target when processed by idna 0.5.0 or earlier."
}
],
"datePublic": "2024-12-09T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname."
}
],
"value": "Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T01:16:47.829Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0421.html"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1887898"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "idna accepts Punycode labels that do not produce any non-ASCII when decoded",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2024-12224",
"datePublished": "2025-05-30T01:16:47.829Z",
"dateReserved": "2024-12-05T02:50:17.716Z",
"dateUpdated": "2025-05-30T12:46:56.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8372 (GCVE-0-2024-8372)
Vulnerability from cvelistv5 – Published: 2024-09-09 14:46 – Updated: 2025-11-03 19:34 Unsupported When Assigned X_Open Source- CWE-1289 - Improper Validation of Unsafe Equivalence in Input
| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://codepen.io/herodevs/full/xxoQRNL/0072e627… | technical-descriptionexploit |
| https://security.netapp.com/advisory/ntap-2024112… | |
| https://lists.debian.org/debian-lts-announce/2025… |
| Vendor | Product | Version | |
|---|---|---|---|
| AngularJS |
Affected:
>=1.3.0-rc.4
(semver)
|
||
| angularjs | angular.js |
Affected:
1.3.0-rc.4 , < *
(custom)
cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:angularjs:angular.js:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "angular.js",
"vendor": "angularjs",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.3.0-rc.4",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8372",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-09T15:06:37.579433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-09T15:07:26.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:34:58.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241122-0002/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://registry.npmjs.org",
"defaultStatus": "unaffected",
"packageName": "angular",
"product": "AngularJS",
"repo": "https://github.com/angular/angular.js",
"vendor": "Google",
"versions": [
{
"status": "affected",
"version": "\u003e=1.3.0-rc.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper sanitization of the value of the \u0027\u003ctt\u003esrcset\u003c/tt\u003e\u0027 attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Content_Spoofing\"\u003eContent Spoofing\u003c/a\u003e.\u003cbr\u003e\u003cbr\u003eThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eNote:\u003c/b\u003e\u003cbr\u003eThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\"\u003ehere\u003c/a\u003e."
}
],
"value": "Improper sanitization of the value of the \u0027srcset\u0027 attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .\n\nThis issue affects AngularJS versions 1.3.0-rc.4 and greater.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
},
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T17:39:48.004Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-8372"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned",
"x_open-source"
],
"title": "AngularJS improper sanitization in \u0027srcset\u0027 attribute",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2024-8372",
"datePublished": "2024-09-09T14:46:03.134Z",
"dateReserved": "2024-09-02T08:44:11.786Z",
"dateUpdated": "2025-11-03T19:34:58.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-0675 (GCVE-0-2022-0675)
Vulnerability from cvelistv5 – Published: 2022-03-02 21:00 – Updated: 2024-08-02 23:40| URL | Tags |
|---|---|
| https://puppet.com/security/cve/CVE-2022-0675 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Puppet | Firewall Module |
Affected:
prior to 3.4.0 , < 3.4.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://puppet.com/security/cve/CVE-2022-0675"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Firewall Module",
"vendor": "Puppet",
"versions": [
{
"lessThan": "3.4.0",
"status": "affected",
"version": "prior to 3.4.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-02T21:00:59.000Z",
"orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"shortName": "puppet"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://puppet.com/security/cve/CVE-2022-0675"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Puppet Firewall Module May Leave Unmanaged Rules",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@puppet.com",
"ID": "CVE-2022-0675",
"STATE": "PUBLIC",
"TITLE": "Puppet Firewall Module May Leave Unmanaged Rules"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firewall Module",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "prior to 3.4.0",
"version_value": "3.4.0"
}
]
}
}
]
},
"vendor_name": "Puppet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In certain situations it is possible for an unmanaged rule to exist on the target system that has the same comment as the rule specified in the manifest. This could allow for unmanaged rules to exist on the target system and leave the system in an unsafe state."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1289"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://puppet.com/security/cve/CVE-2022-0675",
"refsource": "MISC",
"url": "https://puppet.com/security/cve/CVE-2022-0675"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"assignerShortName": "puppet",
"cveId": "CVE-2022-0675",
"datePublished": "2022-03-02T21:00:59.000Z",
"dateReserved": "2022-02-17T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:40:03.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-22W3-693W-X895
Vulnerability from github – Published: 2026-05-06 23:31 – Updated: 2026-05-06 23:31Summary
webauthn-rs-core (Relying Party) and webauthn-authenticator-rs (client) checked that an Origin in CollectedClientData is valid for an RP ID with str::ends_with(), without checking for a dot (.) before the RP ID when allowing subdomains.
This check is flawed, and could allow requests from an attacker-controlled domain such as hermit-crab.example to be accepted for the RP ID crab.example (assuming .example was publicly-registerable TLD) when the RP allows authenticating from a subdomain (disabled by default in webauthn-rs-core and webauthn-rs).
- In
webauthn-rs-core, this only applies when: WebauthnCore::allow_subdomains_originistrue(the default isfalse), and- the attacker could register a domain that ends with the RP ID as a raw string, and,
- the client does not implement these checks correctly either
webauthn-rs can set allow_subdomains_origin via WebauthnBuilder::allow_subdomains. Fixing the bug in webauthn-rs-core also fixes it in webauthn-rs.
- In
webauthn-authenticator-rs, the flawed check is inWebauthnAuthenticator::do_registration()anddo_authentication().
A conforming Relying Party implementation would reject such requests, but webauthn-rs-core did not.
An application can still provide an incorrect origin parameter to webauthn-authenticator-rs, or use lower-level APIs that bypass these checks entirely, and this is by design.
These issues are a violation of WebAuthn Level 3 §13.4.9, §5.1.3 Step 8 and §5.1.4.1 Step 7.
Details
webauthn-rs-core/src/core.rsline 1213:
https://github.com/kanidm/webauthn-rs/blob/197cddf8487a2dbdd5d374e50d80aa1e4682f3ab/webauthn-rs-core/src/core.rs#L1211-L1216
webauthn-authenticator-rs/src/lib.rsline 274:
https://github.com/kanidm/webauthn-rs/blob/197cddf8487a2dbdd5d374e50d80aa1e4682f3ab/webauthn-authenticator-rs/src/lib.rs#L274-L277
webauthn-authenticator-rs/src/lib.rsline 335:
https://github.com/kanidm/webauthn-rs/blob/197cddf8487a2dbdd5d374e50d80aa1e4682f3ab/webauthn-authenticator-rs/src/lib.rs#L335-L338
str::ends_with() performs a raw string suffix match without enforcing a domain label boundary:
| Origin | RP ID | Expected result | Result with incorrect ends_with check |
|---|---|---|---|
hermit-crab.example |
crab.example |
rejected | accepted (bug!) |
auth.crab.example |
crab.example |
accepted | accepted (subdomain) |
crab.example |
crab.example |
accepted | accepted (exact match) |
hermit-crab.example |
auth.crab.example |
rejected | rejected |
auth.crab.example |
auth.crab.example |
accepted | accepted (exact match) |
Fix
When webauthn-rs-core v0.5.5 checks if an Origin is a valid subdomain of an RP ID, it will check that it ends with the RP ID prefixed with a dot (.{rp_id}). webauthn-rs v0.5.5 will be fixed by depending on webauthn-rs-core v0.5.5.
webauthn-authenticator-rs v0.5.5 now uses webauthn-rs-core's checks in WebauthnAuthenticator.
Regression tests for this bug have been added to both libraries.
Impact
With a both a non-conforming client implementation and vulnerable version of webauthn-rs-core configured to allow subdomains (not the default), this bug would allow an attacker at hermit-crab.example to phish a target's credential for the RP ID crab.example by directly proxying a legitimate navigator.credentials.get() request on the attacker's domain.
However, conforming client implementations (ie: all web browsers) will refuse to process WebAuthn requests for an RP ID that does not match the Origin of the current page and is not a related Origin.
In the scenario above with conforming client-side checks, this would force the attacker to change the request's RP ID to hermit-crab.example (the attacker's Origin). This would also change the RP ID hash, and webauthn-rs-core would reject it (per WebAuthn §7.2 Step 15).
Severity
Per WebAuthn §13.4.9:
The Relying Party MUST NOT accept unexpected values of origin, as doing so could allow a malicious website to obtain valid credentials. Although the scope of WebAuthn credentials prevents their use on domains outside the RP ID they were registered for, the Relying Party’s origin validation serves as an additional layer of protection in case a faulty authenticator fails to enforce credential scope.
Unfortunately, the chain needed to exploit this bug makes it difficult to classify with the CVSS framework. Kanidm came up with anywhere between "low" and "high" depending on the approach, and GitHub only provides one CVSS field for everything.
An attacker could easily bypass a correctly-implemented server-side Origin check, if they can convince a target to use their authenticator with an attacker-controlled client device or buggy/malicious client application. FIDO's Security Reference assumes that "the FIDO user device and applications involved in a FIDO operation are trustworthy agents of the user", and violating that limits the protections FIDO can provide, so it would be ridiculous to describe those bypasses as a "high" severity vulnerability.
However, webauthn-rs-core should take reasonable steps to prevent these sorts of issues where it can, especially when they're part of the WebAuthn specification.
Due to the complex preconditions and non-default configuration required to execute a successful attack, and that it is not exploitable in popular web browsers, Kanidm considers this a low severity issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.4"
},
"package": {
"ecosystem": "crates.io",
"name": "webauthn-rs-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "webauthn-authenticator-rs"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0-dev"
},
{
"fixed": "0.6.1-dev"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6.0-dev"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "webauthn-rs-core"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0-dev"
},
{
"fixed": "0.6.1-dev"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6.0-dev"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.4"
},
"package": {
"ecosystem": "crates.io",
"name": "webauthn-authenticator-rs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1289"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T23:31:27Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\n`webauthn-rs-core` ([Relying Party][rp]) and `webauthn-authenticator-rs` ([client][]) checked that [an `Origin` in `CollectedClientData`][origin] is valid for [an RP ID][rpid] with [`str::ends_with()`][ends-with], [without checking for a dot (`.`) before the RP ID when allowing subdomains][registerable-suffix].\n\nThis check is flawed, and could allow requests from an attacker-controlled domain such as `hermit-crab.example` to be accepted for the RP ID `crab.example` (assuming `.example` was publicly-registerable TLD) when the RP allows authenticating from a subdomain (disabled by default in `webauthn-rs-core` and `webauthn-rs`).\n\n[registerable-suffix]: https://html.spec.whatwg.org/multipage/browsers.html#is-a-registrable-domain-suffix-of-or-is-equal-to\n[ends-with]: https://doc.rust-lang.org/stable/std/primitive.str.html#method.ends_with\n[client]: https://www.w3.org/TR/webauthn-3/#client\n[rp]: https://www.w3.org/TR/webauthn-3/#relying-party\n[rpid]: https://www.w3.org/TR/webauthn-3/#rp-id\n[origin]: https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-origin\n\n* In `webauthn-rs-core`, this **only** applies when:\n * [`WebauthnCore::allow_subdomains_origin`](https://docs.rs/webauthn-rs-core/0.5.4/webauthn_rs_core/struct.WebauthnCore.html#method.new_unsafe_experts_only) is `true` (the default is `false`), *and*\n * the attacker could register a domain that ends with the RP ID as a raw string, *and*,\n * the client does not implement these checks correctly either\n\n `webauthn-rs` can set `allow_subdomains_origin` via [`WebauthnBuilder::allow_subdomains`](https://docs.rs/webauthn-rs/0.5.4/webauthn_rs/struct.WebauthnBuilder.html#method.allow_subdomains). Fixing the bug in `webauthn-rs-core` also fixes it in `webauthn-rs`.\n\n* In `webauthn-authenticator-rs`, the flawed check is in [`WebauthnAuthenticator::do_registration()`](https://docs.rs/webauthn-authenticator-rs/0.5.4/webauthn_authenticator_rs/struct.WebauthnAuthenticator.html#method.do_registration) and [`do_authentication()`](https://docs.rs/webauthn-authenticator-rs/0.5.4/webauthn_authenticator_rs/struct.WebauthnAuthenticator.html#method.do_registration). \n\n A conforming [Relying Party][rp] implementation would reject such requests, but `webauthn-rs-core` did not.\n\n An application can still provide an incorrect `origin` parameter to `webauthn-authenticator-rs`, or use lower-level APIs that bypass these checks entirely, and this is by design.\n\nThese issues are a violation of [WebAuthn Level 3 \u00a713.4.9](https://www.w3.org/TR/webauthn-3/#sctn-validating-origin), [\u00a75.1.3 Step 8](https://www.w3.org/TR/webauthn-3/#CreateCred-DetermineRpId) and [\u00a75.1.4.1 Step 7](https://www.w3.org/TR/webauthn-3/#GetAssn-DetermineRpId).\n\n### Details\n\n* `webauthn-rs-core/src/core.rs` line 1213:\n\n https://github.com/kanidm/webauthn-rs/blob/197cddf8487a2dbdd5d374e50d80aa1e4682f3ab/webauthn-rs-core/src/core.rs#L1211-L1216\n\n* `webauthn-authenticator-rs/src/lib.rs` line 274:\n\n https://github.com/kanidm/webauthn-rs/blob/197cddf8487a2dbdd5d374e50d80aa1e4682f3ab/webauthn-authenticator-rs/src/lib.rs#L274-L277\n\n* `webauthn-authenticator-rs/src/lib.rs` line 335:\n\n https://github.com/kanidm/webauthn-rs/blob/197cddf8487a2dbdd5d374e50d80aa1e4682f3ab/webauthn-authenticator-rs/src/lib.rs#L335-L338\n\n[`str::ends_with()`][ends-with] performs a raw string suffix match _without_ [enforcing a domain label boundary][registerable-suffix]:\n\nOrigin | RP ID | Expected result | Result with incorrect `ends_with` check\n-- | -- | -- | --\n`hermit-crab.example` | `crab.example` | rejected | accepted **(bug!)**\n`auth.crab.example` | `crab.example` | accepted | accepted (subdomain)\n`crab.example` | `crab.example` | accepted | accepted (exact match)\n`hermit-crab.example` | `auth.crab.example` | rejected | rejected\n`auth.crab.example` | `auth.crab.example` | accepted | accepted (exact match)\n\n### Fix\n\nWhen `webauthn-rs-core` v0.5.5 checks if an `Origin` is a valid subdomain of an RP ID, it will check that it ends with the RP ID prefixed with a dot (`.{rp_id}`). `webauthn-rs` v0.5.5 will be fixed by depending on `webauthn-rs-core` v0.5.5.\n\n`webauthn-authenticator-rs` v0.5.5 now uses `webauthn-rs-core`\u0027s checks in `WebauthnAuthenticator`.\n\nRegression tests for this bug have been added to both libraries.\n\n### Impact\n\nWith a **both** a non-conforming [client][] implementation and vulnerable version of `webauthn-rs-core` configured to allow subdomains (not the default), this bug would allow an attacker at `hermit-crab.example` to phish a target\u0027s credential for the RP ID `crab.example` by directly proxying a legitimate `navigator.credentials.get()` request on the attacker\u0027s domain.\n\nHowever, _conforming_ [client implementations][client] (ie: all web browsers) will refuse to process WebAuthn requests for an RP ID that does not match the `Origin` of the current page and is not [a related `Origin`](https://www.w3.org/TR/webauthn-3/#sctn-related-origins).\n\nIn the scenario above with _conforming_ client-side checks, this would force the attacker to change the request\u0027s RP ID to `hermit-crab.example` (the attacker\u0027s `Origin`). This would also change the RP ID hash, [and `webauthn-rs-core` would reject it](https://github.com/kanidm/webauthn-rs/blob/197cddf8487a2dbdd5d374e50d80aa1e4682f3ab/webauthn-rs-core/src/core.rs#L825-L840) (per [WebAuthn \u00a77.2 Step 15](https://www.w3.org/TR/webauthn-3/#rp-op-verifying-assertion-step-rpid-hash)).\n\n### Severity\n\nPer [WebAuthn \u00a713.4.9](https://www.w3.org/TR/webauthn-3/#sctn-validating-origin):\n\n\u003e The [Relying Party](https://www.w3.org/TR/webauthn-3/#relying-party) MUST NOT accept unexpected values of [origin](https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-origin), as doing so could allow a malicious website to obtain valid [credentials](https://www.w3.org/TR/credential-management-1/#concept-credential). Although the [scope](https://www.w3.org/TR/webauthn-3/#scope) of WebAuthn credentials prevents their use on domains outside the [RP ID](https://www.w3.org/TR/webauthn-3/#rp-id) they were registered for, the [Relying Party](https://www.w3.org/TR/webauthn-3/#relying-party)\u2019s origin validation serves as an additional layer of protection in case a faulty [authenticator](https://www.w3.org/TR/webauthn-3/#authenticator) fails to enforce credential [scope](https://www.w3.org/TR/webauthn-3/#scope).\n\nUnfortunately, [the chain needed to exploit this bug makes it difficult to classify with the CVSS framework](https://www.first.org/cvss/v4.0/user-guide#Vulnerability-Chaining). Kanidm came up with anywhere between \"low\" and \"high\" depending on the approach, and GitHub only provides one CVSS field for everything.\n\nAn attacker could easily bypass a _correctly-implemented_ server-side `Origin` check, if they can convince a target to use their authenticator with [an attacker-controlled client device](https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-ps-20220523.html#dfn-t-1.3.2) or [buggy/malicious client application](https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-ps-20220523.html#dfn-t-1.3.1). FIDO\u0027s Security Reference [assumes that \"the FIDO user device and applications involved in a FIDO operation are trustworthy agents of the user\"](https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-ps-20220523.html#dfn-sa-4), and violating that [limits the protections FIDO can provide](https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-ps-20220523.html#discussion), so it would be ridiculous to describe those bypasses as a \"high\" severity vulnerability.\n\nHowever, `webauthn-rs-core` should take reasonable steps to prevent these sorts of issues where it can, especially when they\u0027re part of the WebAuthn specification.\n\nDue to the complex preconditions and non-default configuration required to execute a successful attack, and that it is *not exploitable* in popular web browsers, Kanidm considers this a **low severity** issue.",
"id": "GHSA-22w3-693w-x895",
"modified": "2026-05-06T23:31:27Z",
"published": "2026-05-06T23:31:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kanidm/webauthn-rs/security/advisories/GHSA-22w3-693w-x895"
},
{
"type": "PACKAGE",
"url": "https://github.com/kanidm/webauthn-rs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "webauthn-rs-core/webauthn-authenticator-rs: Origin validation mismatch possible when subdomains are allowed"
}
GHSA-2V34-3HGH-5VVX
Vulnerability from github – Published: 2024-10-09 06:30 – Updated: 2024-10-09 15:32An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. It was found out that different functionality is vulnerable to OS command injection attacks, for example for generating new X.509 certificates, or setting the time zone. These OS command injection vulnerabilities in the script generatesslreq.pml can be exploited as a low-privileged authenticated user to execute commands in the context of the Linux user www-data via shell metacharacters in HTTP POST data (e.g., the city parameter). The OS command injection vulnerability in the script settimezone.pml or setdatetime.pml (e.g., via the year parameter) requires an administrative user for the C-MOR web interface. By also exploiting a privilege-escalation vulnerability, it is possible to execute commands on the C-MOR system with root privileges.
{
"affected": [],
"aliases": [
"CVE-2024-45179"
],
"database_specific": {
"cwe_ids": [
"CWE-1289"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-09T04:15:09Z",
"severity": "HIGH"
},
"details": "An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. It was found out that different functionality is vulnerable to OS command injection attacks, for example for generating new X.509 certificates, or setting the time zone. These OS command injection vulnerabilities in the script generatesslreq.pml can be exploited as a low-privileged authenticated user to execute commands in the context of the Linux user www-data via shell metacharacters in HTTP POST data (e.g., the city parameter). The OS command injection vulnerability in the script settimezone.pml or setdatetime.pml (e.g., via the year parameter) requires an administrative user for the C-MOR web interface. By also exploiting a privilege-escalation vulnerability, it is possible to execute commands on the C-MOR system with root privileges.",
"id": "GHSA-2v34-3hgh-5vvx",
"modified": "2024-10-09T15:32:18Z",
"published": "2024-10-09T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45179"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-030.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2XF4-CG6J-VHGQ
Vulnerability from github – Published: 2026-05-28 19:52 – Updated: 2026-05-28 19:52Description
symfony/polyfill-intl-idn provides a userland implementation of idn_to_utf8() and idn_to_ascii() for runtimes that lack the intl extension. Its Idn::process() method decodes labels prefixed with xn-- using Punycode but never enforces the validity criterion added in UTS #46 revision 33 Section 4 step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point.
As a consequence, xn-- labels whose Punycode payload is empty (xn--) or decodes to a string made of only ASCII code points (e.g. xn--kc1zs4-) are accepted by the polyfill while PHP's native ext-intl rejects them with IDNA_ERROR_INVALID_ACE_LABEL. Originally unequal domain names are therefore regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224).
Example with IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII:
| Input | Polyfill output | Native ext-intl output |
|---|---|---|
poc.xn--kc1zs4-.com |
poc.kc1zs4.com |
false (errors=1024) |
poc.kc1zs4.xn-- |
poc.kc1zs4. |
false (errors=1024) |
Applications using the polyfill to canonicalise or compare hostnames inherit the inconsistency.
Resolution
Idn::process() now records IDNA_ERROR_INVALID_ACE_LABEL when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native ext-intl behaviour and UTS #46 revision 33.
The patch for this issue is available here for branch 1.x.
Credits
Symfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/polyfill"
},
"ranges": [
{
"events": [
{
"introduced": "1.17.1"
},
{
"fixed": "1.38.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/polyfill-intl-idn"
},
"ranges": [
{
"events": [
{
"introduced": "1.17.1"
},
{
"fixed": "1.38.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46644"
],
"database_specific": {
"cwe_ids": [
"CWE-1289"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T19:52:36Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\n`symfony/polyfill-intl-idn` provides a userland implementation of `idn_to_utf8()` and `idn_to_ascii()` for runtimes that lack the `intl` extension. Its `Idn::process()` method decodes labels prefixed with `xn--` using Punycode but never enforces the validity criterion added in UTS #46 revision 33 Section 4 step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point.\n\nAs a consequence, `xn--` labels whose Punycode payload is empty (`xn--`) or decodes to a string made of only ASCII code points (e.g. `xn--kc1zs4-`) are accepted by the polyfill while PHP\u0027s native `ext-intl` rejects them with `IDNA_ERROR_INVALID_ACE_LABEL`. Originally unequal domain names are therefore regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224).\n\nExample with `IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII`:\n\n| Input | Polyfill output | Native `ext-intl` output |\n| --- | --- | --- |\n| `poc.xn--kc1zs4-.com` | `poc.kc1zs4.com` | `false` (`errors=1024`) |\n| `poc.kc1zs4.xn--` | `poc.kc1zs4.` | `false` (`errors=1024`) |\n\nApplications using the polyfill to canonicalise or compare hostnames inherit the inconsistency.\n\n### Resolution\n\n`Idn::process()` now records `IDNA_ERROR_INVALID_ACE_LABEL` when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native `ext-intl` behaviour and UTS #46 revision 33.\n\nThe patch for this issue is available [here](https://github.com/symfony/polyfill/commit/1be936e2491ccebe152bd736dfc91eb1422c8bec) for branch 1.x.\n\n### Credits\n\nSymfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.",
"id": "GHSA-2xf4-cg6j-vhgq",
"modified": "2026-05-28T19:52:36Z",
"published": "2026-05-28T19:52:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq"
},
{
"type": "WEB",
"url": "https://github.com/symfony/polyfill/commit/1be936e2491ccebe152bd736dfc91eb1422c8bec"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/polyfill-intl-idn/CVE-2026-46644.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/polyfill/CVE-2026-46644.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/polyfill"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-46644"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form"
}
GHSA-4MQ7-PVJG-XP2R
Vulnerability from github – Published: 2026-03-20 20:51 – Updated: 2026-03-27 20:59Description
Ory Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The oauth2_introspection authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server.
Preconditions
Ory Oathkeeper has to be configured with multiple oauth2_introspection authenticator servers, each accepting different tokens. The authenticators also must be configured to use caching. An attacker has to have a way to gain a valid token for one of the configured introspection servers.
Mitigation
Ory Oathkeeper now includes the introspection server URL in the cache key, preventing confusion of tokens.
Update to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for oauth2_introspection authenticators.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ory/oathkeeper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.40.10-0.20260320084801-198a2bc82a99"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33496"
],
"database_specific": {
"cwe_ids": [
"CWE-1289",
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:51:07Z",
"nvd_published_at": "2026-03-26T18:16:30Z",
"severity": "HIGH"
},
"details": "## Description\n\nOry Oathkeeper is vulnerable to authentication bypass due to cache key confusion. The `oauth2_introspection` authenticator cache does not distinguish tokens that were validated with different introspection URLs. An attacker can therefore legitimately use a token to prime the cache, and subsequently use the same token for rules that use a different introspection server.\n\n## Preconditions\n\nOry Oathkeeper has to be configured with multiple `oauth2_introspection` authenticator servers, each accepting different tokens. The authenticators also must be [configured to use caching](https://www.ory.com/docs/oathkeeper/pipeline/authn#oauth2_introspection-configuration). An attacker has to have a way to gain a valid token for one of the configured introspection servers.\n\n## Mitigation\n\nOry Oathkeeper now includes the introspection server URL in the cache key, preventing confusion of tokens.\n\nUpdate to the patched version of Ory Oathkeeper. If that is not immediately possible, disable caching for `oauth2_introspection` authenticators.",
"id": "GHSA-4mq7-pvjg-xp2r",
"modified": "2026-03-27T20:59:10Z",
"published": "2026-03-20T20:51:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ory/oathkeeper/security/advisories/GHSA-4mq7-pvjg-xp2r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33496"
},
{
"type": "WEB",
"url": "https://github.com/ory/oathkeeper/commit/198a2bc82a99e0a77bd0ffe290cbdd5285a1b17c"
},
{
"type": "PACKAGE",
"url": "https://github.com/ory/oathkeeper"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ory Oathkeeper has an authentication bypass by cache key confusion"
}
GHSA-5VF8-328M-MXJ5
Vulnerability from github – Published: 2026-05-10 21:30 – Updated: 2026-05-12 15:31Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass.
Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result.
Example:
my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); # incorrectly returns true
See also CVE-2026-45191.
{
"affected": [],
"aliases": [
"CVE-2026-45190"
],
"database_specific": {
"cwe_ids": [
"CWE-1289"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-10T21:16:29Z",
"severity": "MODERATE"
},
"details": "Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass.\n\nInputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result.\n\nExample:\n\n my $cidr = Net::CIDR::Lite-\u003enew();\n $cidr-\u003eadd(\"::1\\n/128\");\n $cidr-\u003efind(\"::1a\"); # incorrectly returns true\n\nSee also CVE-2026-45191.",
"id": "GHSA-5vf8-328m-mxj5",
"modified": "2026-05-12T15:31:27Z",
"published": "2026-05-10T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45190"
},
{
"type": "WEB",
"url": "https://github.com/stigtsp/Net-CIDR-Lite/commit/ca9542adec87110556601d7ce48381ea8d13e692.patch"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6C87-G9PW-78FX
Vulnerability from github – Published: 2026-07-01 18:43 – Updated: 2026-07-01 18:43Summary
Config.registryFor selected a per-registry credential / CA / mirror block by checking strings.HasSuffix(name, fqdn) after stripping a single trailing dot.
The match has no boundary between the configured FQDN and any preceding characters in the request hostname.
A registry configured as [registries."ghcr.io."] is therefore also applied to any image pulled from a host whose name happens to end in the literal byte sequence ghcr.io,
including attacker-registered domains such as evilghcr.io.
The imagepuller would then send the configured Authorization header (basic auth, registry token, or identity token), trust the configured custom CA bundle,
follow the configured mirror, or honour insecure-skip-verify, on requests to that hostname.
Prerequisites
For this to be applicable, an image or layer must be pulled from a "sibling" domain ending in one of the FQDNs configured in the imagepuller config. This may occur due to malicious intent or coincidentally.
Impact
- Authentication header leaks to the sibling registry.
- If
insecure-skip-verifyis set on an FQDN, TLS will also not be verified for the sibling registry. - Mirrors configured for an FQDN will also be used with the sibling registry.
Not impacted
Image integrity is not impacted. Image bytes remain pinned by digest in the policy and are validated after the pull. This advisory does not allow code substitution.
Workaround
- If possible, configure explicit subdomains in the imagepuller config. A configuration for
[registries.".example.registry"]is unaffected, only[registries."example.registry"]is potentially affected. - Audit images and layers configured in the deployment for the existence of sibling domains.
Patches
After this patch, registry matches are determined by exact label equality instead of suffix matching.
Each .-separated part of the FQDN must be an exact match with the corresponding label in the image reference.
Severity
AV:Nbecause the leak is over the network to a registry under the attacker's control.AC:Hbecause exploitation requires the operator to have configured a registry FQDN without a leading.AND the attacker to control a sibling-suffix domain that the deployment will pull from.PR:Nfor the eventual recipient.S:Ubecause impact stays in the imagepuller.C:Lfor credential leak (no integrity / availability impact).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.20.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/edgelesssys/contrast"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.21.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1289"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T18:43:55Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "# Summary\n\n`Config.registryFor` selected a per-registry credential / CA / mirror block by checking `strings.HasSuffix(name, fqdn)` after stripping a single trailing dot.\u00a0\nThe match has no boundary between the configured FQDN and any preceding characters in the request hostname.\nA registry configured as `[registries.\"ghcr.io.\"]` is therefore also applied to any image pulled from a host whose name happens to end in the literal byte sequence `ghcr.io`,\u00a0\nincluding attacker-registered domains such as `evilghcr.io.`\u00a0\nThe imagepuller would then send the configured `Authorization` header (basic auth, registry token, or identity token), trust the configured custom CA bundle,\nfollow the configured mirror, or honour `insecure-skip-verify`, on requests to that hostname.\n\n# Prerequisites\n\nFor this to be applicable, an image or layer must be pulled from a \"sibling\" domain ending in one of the FQDNs configured in the imagepuller config.\nThis may occur due to malicious intent or coincidentally.\n\n# Impact\n\n- Authentication header leaks to the sibling registry.\n- If `insecure-skip-verify` is set on an FQDN, TLS will also not be verified for the sibling registry.\n- Mirrors configured for an FQDN will also be used with the sibling registry.\n\n## Not impacted\n\nImage integrity is **not** impacted. Image bytes remain pinned by digest in the policy and are validated after the pull.\nThis advisory does not allow code substitution.\n\n# Workaround\n\n- If possible, configure explicit subdomains in the imagepuller config. A configuration for `[registries.\".example.registry\"]` is unaffected, only `[registries.\"example.registry\"]` is potentially affected.\n- Audit images and layers configured in the deployment for the existence of sibling domains.\n\n# Patches\n\nAfter this patch, registry matches are determined by exact label equality instead of suffix matching.\nEach `.`-separated part of the FQDN must be an exact match with the corresponding label in the image reference.\n\n# Severity\n\n- `AV:N` because the leak is over the network to a registry under the attacker\u0027s control.\u00a0\n- `AC:H` because exploitation requires the operator to have configured a registry FQDN without a leading `.` AND the attacker to control a sibling-suffix domain that the deployment will pull from.\n- `PR:N` for the eventual recipient.\u00a0\n- `S:U` because impact stays in the imagepuller.\u00a0\n- `C:L` for credential leak (no integrity / availability impact).",
"id": "GHSA-6c87-g9pw-78fx",
"modified": "2026-07-01T18:43:56Z",
"published": "2026-07-01T18:43:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/edgelesssys/contrast/security/advisories/GHSA-6c87-g9pw-78fx"
},
{
"type": "WEB",
"url": "https://github.com/edgelesssys/contrast/commit/10826b1d82613025767fb094e8aa51a7dcfbd2a1"
},
{
"type": "PACKAGE",
"url": "https://github.com/edgelesssys/contrast"
},
{
"type": "WEB",
"url": "https://github.com/edgelesssys/contrast/releases/tag/v1.21.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Contrast\u0027s Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.