CWE-134
AllowedUse of Externally-Controlled Format String
Abstraction: Base · Status: Draft
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
500 vulnerabilities reference this CWE, most recent first.
GHSA-66PM-V32J-JMPG
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. The undocumented shell command "prompt" sets the (user controlled) shell's prompt value, which is used as a format string input to printf, resulting in an information leak of memory addresses.
{
"affected": [],
"aliases": [
"CVE-2019-7711"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-26T01:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the Interpeak IPCOMShell TELNET server on Green Hills INTEGRITY RTOS 5.0.4. The undocumented shell command \"prompt\" sets the (user controlled) shell\u0027s prompt value, which is used as a format string input to printf, resulting in an information leak of memory addresses.",
"id": "GHSA-66pm-v32j-jmpg",
"modified": "2022-05-13T01:22:53Z",
"published": "2022-05-13T01:22:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7711"
},
{
"type": "WEB",
"url": "https://github.com/bl4ckic3/GHS-Bugs"
},
{
"type": "WEB",
"url": "https://www.ghs.com/products/rtos/integrity.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6785-8CF2-MMJ4
Vulnerability from github – Published: 2022-05-14 04:00 – Updated: 2022-05-14 04:00Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo.
{
"affected": [],
"aliases": [
"CVE-2012-0809"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-02-01T00:55:00Z",
"severity": "HIGH"
},
"details": "Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo.",
"id": "GHSA-6785-8cf2-mmj4",
"modified": "2022-05-14T04:00:10Z",
"published": "2022-05-14T04:00:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0809"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2012-01/0591.html"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2012-01/att-0591/advisory_sudo.txt"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201203-06.xml"
},
{
"type": "WEB",
"url": "http://www.sudo.ws/sudo/alerts/sudo_debug.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-67QQ-PVR4-M3RJ
Vulnerability from github – Published: 2022-05-01 18:27 – Updated: 2022-05-01 18:27Format string vulnerability in CellFactor Revolution 1.03 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a malformed nickname.
{
"affected": [],
"aliases": [
"CVE-2007-4832"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-09-12T19:17:00Z",
"severity": "HIGH"
},
"details": "Format string vulnerability in CellFactor Revolution 1.03 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a malformed nickname.",
"id": "GHSA-67qq-pvr4-m3rj",
"modified": "2022-05-01T18:27:41Z",
"published": "2022-05-01T18:27:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4832"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36506"
},
{
"type": "WEB",
"url": "http://aluigi.altervista.org/adv/cellfucktor-adv.txt"
},
{
"type": "WEB",
"url": "http://osvdb.org/40503"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26765"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/3130"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/25625"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/3109"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-67W6-7R3Q-87W7
Vulnerability from github – Published: 2022-05-13 01:41 – Updated: 2022-05-13 01:41In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.
{
"affected": [],
"aliases": [
"CVE-2017-10685"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-29T23:29:00Z",
"severity": "CRITICAL"
},
"details": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
"id": "GHSA-67w6-7r3q-87w7",
"modified": "2022-05-13T01:41:57Z",
"published": "2022-05-13T01:41:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10685"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1464692"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201804-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-68QP-CW46-FHVQ
Vulnerability from github – Published: 2022-05-13 01:29 – Updated: 2022-05-13 01:29Format String vulnerability in KeepKey version 4.0.0 allows attackers to trigger information display (of information that should not be accessible), related to text containing characters that the device's font lacks.
{
"affected": [],
"aliases": [
"CVE-2018-6875"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-14T13:29:00Z",
"severity": "HIGH"
},
"details": "Format String vulnerability in KeepKey version 4.0.0 allows attackers to trigger information display (of information that should not be accessible), related to text containing characters that the device\u0027s font lacks.",
"id": "GHSA-68qp-cw46-fhvq",
"modified": "2022-05-13T01:29:05Z",
"published": "2022-05-13T01:29:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6875"
},
{
"type": "WEB",
"url": "https://www.keepkey.com/2018/03/09/security-updates-responsible-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6C72-QMMH-6499
Vulnerability from github – Published: 2025-07-21 15:30 – Updated: 2025-07-24 21:30An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint /admin/_conf.jsp, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.
{
"affected": [],
"aliases": [
"CVE-2025-46121"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-21T15:15:28Z",
"severity": "HIGH"
},
"details": "An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.",
"id": "GHSA-6c72-qmmh-6499",
"modified": "2025-07-24T21:30:39Z",
"published": "2025-07-21T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46121"
},
{
"type": "WEB",
"url": "https://sector7.computest.nl/post/2025-07-ruckus-unleashed"
},
{
"type": "WEB",
"url": "https://support.ruckuswireless.com/security_bulletins/330"
},
{
"type": "WEB",
"url": "http://commscope.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6GFH-WRQ3-9F83
Vulnerability from github – Published: 2022-05-14 03:45 – Updated: 2022-05-14 03:45Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote attackers to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site.
{
"affected": [],
"aliases": [
"CVE-2018-5704"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-16T09:29:00Z",
"severity": "CRITICAL"
},
"details": "Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use HTTP POST for sending data to 127.0.0.1 port 4444, which allows remote attackers to conduct cross-protocol scripting attacks, and consequently execute arbitrary commands, via a crafted web site.",
"id": "GHSA-6gfh-wrq3-9f83",
"modified": "2022-05-14T03:45:28Z",
"published": "2022-05-14T03:45:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5704"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00027.html"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/openocd/mailman/message/36188041"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4093"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6JGQ-CPPP-PVM8
Vulnerability from github – Published: 2022-05-17 02:09 – Updated: 2022-05-17 02:09The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string.
{
"affected": [],
"aliases": [
"CVE-2008-7159"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-09-10T21:30:00Z",
"severity": "MODERATE"
},
"details": "The silc_asn1_encoder function in lib/silcasn1/silcasn1_encode.c in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.8 allows remote attackers to overwrite a stack location and possibly execute arbitrary code via a crafted OID value, related to incorrect use of a %lu format string.",
"id": "GHSA-6jgq-cppp-pvm8",
"modified": "2022-05-17T02:09:15Z",
"published": "2022-05-17T02:09:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-7159"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53477"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/36614"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/36625"
},
{
"type": "WEB",
"url": "http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.8"
},
{
"type": "WEB",
"url": "http://silcnet.org/general/news/news_toolkit.php"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2009/dsa-1879"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:234"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/08/31/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/09/03/5"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/36192"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6MFV-H538-GWVR
Vulnerability from github – Published: 2024-02-20 03:30 – Updated: 2025-01-21 21:30A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, and USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1 could allow an authenticated IPSec VPN user to cause DoS conditions against the “deviceid” daemon by sending a crafted hostname to an affected device if it has the “Device Insight” feature enabled.
{
"affected": [],
"aliases": [
"CVE-2023-6399"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T02:15:49Z",
"severity": "MODERATE"
},
"details": "A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, and USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1 could allow an authenticated IPSec VPN user to cause DoS conditions against the \u201cdeviceid\u201d daemon by sending a crafted hostname to an affected device if it has the \u201cDevice Insight\u201d feature enabled.",
"id": "GHSA-6mfv-h538-gwvr",
"modified": "2025-01-21T21:30:45Z",
"published": "2024-02-20T03:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6399"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6R76-9F7G-6W9V
Vulnerability from github – Published: 2023-10-19 12:30 – Updated: 2024-04-04 08:47A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges.
{
"affected": [],
"aliases": [
"CVE-2022-26941"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-19T10:15:09Z",
"severity": "HIGH"
},
"details": "A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges.",
"id": "GHSA-6r76-9f7g-6w9v",
"modified": "2024-04-04T08:47:31Z",
"published": "2023-10-19T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26941"
},
{
"type": "WEB",
"url": "https://tetraburst.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Choose a language that is not subject to this flaw.
Mitigation
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Mitigation
Run compilers and linkers with high warning levels, since they may detect incorrect usage.
CAPEC-135: Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.