Common Weakness Enumeration

CWE-158

Allowed

Improper Neutralization of Null Byte or NUL Character

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

44 vulnerabilities reference this CWE, most recent first.

GHSA-935J-38V5-5GWH

Vulnerability from github – Published: 2025-11-26 03:30 – Updated: 2025-12-03 18:30
VLAI
Details

Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files. The /var/tdf/download_setting.php endpoint constructs file paths by concatenating user-controlled $_GET['filename'] with a forced .tgz extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting filename=../../../../etc/passwd%00, the underlying C functions treat the null byte as a string terminator, ignoring the appended .tgz and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-158"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-26T01:16:09Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files.\nThe `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET[\u0027filename\u0027]` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user.",
  "id": "GHSA-935j-38v5-5gwh",
  "modified": "2025-12-03T18:30:22Z",
  "published": "2025-11-26T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66263"
    },
    {
      "type": "WEB",
      "url": "https://www.abdulmhsblog.com/posts/webfmvulns"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9MQ4-23J6-P23W

Vulnerability from github – Published: 2026-05-04 09:31 – Updated: 2026-05-04 09:31
VLAI
Details

mutt before 2.3.2 does not check for '\0' in url_pct_decode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43861"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-158"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-04T07:16:00Z",
    "severity": "LOW"
  },
  "details": "mutt before 2.3.2 does not check for \u0027\\0\u0027 in url_pct_decode.",
  "id": "GHSA-9mq4-23j6-p23w",
  "modified": "2026-05-04T09:31:09Z",
  "published": "2026-05-04T09:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43861"
    },
    {
      "type": "WEB",
      "url": "https://github.com/muttmua/mutt/commit/12f54fe3b61f761c096fe95e95d5e3072af00ed2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J4XF-75RR-VVRV

Vulnerability from github – Published: 2025-07-10 18:31 – Updated: 2025-10-22 00:33
VLAI
Details

In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47812"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-158"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T17:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle \u0027\\0\u0027 bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts.",
  "id": "GHSA-j4xf-75rr-vvrv",
  "modified": "2025-10-22T00:33:19Z",
  "published": "2025-07-10T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47812"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-47812"
    },
    {
      "type": "WEB",
      "url": "https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild"
    },
    {
      "type": "WEB",
      "url": "https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server"
    },
    {
      "type": "WEB",
      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server"
    },
    {
      "type": "WEB",
      "url": "https://www.wftpserver.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MH68-QF2J-8C5G

Vulnerability from github – Published: 2022-11-02 19:00 – Updated: 2022-11-04 19:01
VLAI
Details

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-158",
      "CWE-74"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-02T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string \"A=B\\x00C=D\" sets the variables \"A=B\" and \"C=D\".",
  "id": "GHSA-mh68-qf2j-8c5g",
  "modified": "2022-11-04T19:01:17Z",
  "published": "2022-11-02T19:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41716"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/446916"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/56284"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/mbHY1UY3BaM/m/hSpmRzk-AgAJ"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1095"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MM89-XRM2-4Q7G

Vulnerability from github – Published: 2026-03-05 09:30 – Updated: 2026-03-06 00:31
VLAI
Details

Out-of-bounds character read vulnerability in Bluetooth. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-158"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T08:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Out-of-bounds character read vulnerability in Bluetooth.\u00a0Impact: Successful exploitation of this vulnerability may affect service confidentiality.",
  "id": "GHSA-mm89-xrm2-4q7g",
  "modified": "2026-03-06T00:31:31Z",
  "published": "2026-03-05T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28540"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2026/3"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletinlaptops/2026/3"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletinvision/2026/3"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletinwearables/2026/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9HG-PQ3Q-V9GV

Vulnerability from github – Published: 2026-03-18 20:11 – Updated: 2026-03-20 21:24
VLAI
Summary
free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error
Details

Impact
This is an Improper Input Validation vulnerability with Denial of Service and Injection implications.
- Security Impact: A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks.
- Functional Impact: When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request.
- Affected Parties: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with endpoints that include path parameters (e.g., /nudm-sdm/v2/{supi}/am-data).

Patches
Yes, the issue has been patched.
The fix is implemented in PR free5gc/udm#79.
Users should upgrade to the next release of free5GC that includes this commit.

Workarounds
There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject requests containing null bytes in path parameters before they reach UDM.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/udm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-158",
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T20:11:15Z",
    "nvd_published_at": "2026-03-20T08:16:12Z",
    "severity": "HIGH"
  },
  "details": "**Impact**  \nThis is an Improper Input Validation vulnerability with Denial of Service and Injection implications.  \n- **Security Impact**: A remote attacker can inject null bytes (URL-encoded as `%00`) into the `supi` path parameter of the UDM\u0027s Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go\u0027s `net/url` package with the error \"invalid control character in URL\", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks.  \n- **Functional Impact**: When the `supi` parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go\u0027s URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request.  \n- **Affected Parties**: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with endpoints that include path parameters (e.g., `/nudm-sdm/v2/{supi}/am-data`).\n\n**Patches**  \nYes, the issue has been patched.  \nThe fix is implemented in PR free5gc/udm#79.  \nUsers should upgrade to the next release of free5GC that includes this commit.\n\n**Workarounds**  \nThere is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject requests containing null bytes in path parameters before they reach UDM.",
  "id": "GHSA-p9hg-pq3q-v9gv",
  "modified": "2026-03-20T21:24:27Z",
  "published": "2026-03-18T20:11:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-p9hg-pq3q-v9gv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33191"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udm/pull/79"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/udm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error"
}

GHSA-PGXV-MQXQ-9799

Vulnerability from github – Published: 2025-12-23 12:30 – Updated: 2025-12-23 12:30
VLAI
Details

The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in getExtensionForURL() which operates on URL-decoded paths, and appendNormalized() which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-158"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-23T10:15:43Z",
    "severity": "CRITICAL"
  },
  "details": "The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.",
  "id": "GHSA-pgxv-mqxq-9799",
  "modified": "2025-12-23T12:30:18Z",
  "published": "2025-12-23T12:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14388"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9570"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9597"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9608"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9641"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3418139"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QVW7-MG6G-QM9M

Vulnerability from github – Published: 2022-05-02 03:26 – Updated: 2026-05-20 18:31
VLAI
Details

Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka "DirectX NULL Byte Overwrite Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-1537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-158"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-05-29T18:30:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime media file, as exploited in the wild in May 2009, aka \"DirectX NULL Byte Overwrite Vulnerability.\"",
  "id": "GHSA-qvw7-mg6g-qm9m",
  "modified": "2026-05-20T18:31:27Z",
  "published": "2022-05-02T03:26:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1537"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-028"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6237"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-1537"
    },
    {
      "type": "WEB",
      "url": "http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx"
    },
    {
      "type": "WEB",
      "url": "http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx"
    },
    {
      "type": "WEB",
      "url": "http://isc.sans.org/diary.html?storyid=6481"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/54797"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/35268"
    },
    {
      "type": "WEB",
      "url": "http://www.microsoft.com/technet/security/advisory/971778.mspx"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/35139"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1022299"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-195A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/1445"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/1886"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6F6-CVQF-H86G

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-16 15:32
VLAI
Details

If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-158"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T13:16:07Z",
    "severity": "CRITICAL"
  },
  "details": "If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versions; non-default but configurable using the JAVA_AR setting in newer versions), the verification stops at the first NULL byte encountered in the email address referenced in the client certificate. An attacker could bypass configured ACLs by using a specially crafted certificate.",
  "id": "GHSA-r6f6-cvqf-h86g",
  "modified": "2025-09-16T15:32:36Z",
  "published": "2025-09-16T15:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55113"
    },
    {
      "type": "WEB",
      "url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441967"
    },
    {
      "type": "WEB",
      "url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-R7J2-9M2H-FQ95

Vulnerability from github – Published: 2025-10-23 06:31 – Updated: 2025-10-23 06:31
VLAI
Details

LZ4 through 1.10.0 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact when the application processes untrusted LZ4 frames. For example, LZ4F_createCDict_advanced in lib/lz4frame.c mishandles NULL checks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-158"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-23T04:17:26Z",
    "severity": "MODERATE"
  },
  "details": "LZ4 through 1.10.0 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact when the application processes untrusted LZ4 frames. For example, LZ4F_createCDict_advanced in lib/lz4frame.c mishandles NULL checks.",
  "id": "GHSA-r7j2-9m2h-fq95",
  "modified": "2025-10-23T06:31:00Z",
  "published": "2025-10-23T06:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lz4/lz4/pull/1593"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation

Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CAPEC-52: Embedding NULL Bytes

An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).

CAPEC-53: Postfix, Null Terminate, and Backslash

If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an adversary to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.