Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

420 vulnerabilities reference this CWE, most recent first.

GHSA-84R8-W725-7J27

Vulnerability from github – Published: 2022-11-25 15:30 – Updated: 2022-11-30 21:30
VLAI
Details

In F?Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-25T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "In F?Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.",
  "id": "GHSA-84r8-w725-7j27",
  "modified": "2022-11-30T21:30:22Z",
  "published": "2022-11-25T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38166"
    },
    {
      "type": "WEB",
      "url": "https://www.f-secure.com/en/home/support/security-advisories/cve-2022-38166"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-877P-G3P3-329R

Vulnerability from github – Published: 2026-05-01 18:31 – Updated: 2026-05-07 21:30
VLAI
Details

An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-37554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T16:16:31Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser\u0027s catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.",
  "id": "GHSA-877p-g3p3-329r",
  "modified": "2026-05-07T21:30:24Z",
  "published": "2026-05-01T18:31:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/riebl/vanetza/security/advisories/GHSA-44qj-vh8c-5354"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37554"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/riebl/vanetza"
    },
    {
      "type": "WEB",
      "url": "https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-87MF-GV2C-C62C

Vulnerability from github – Published: 2026-06-19 06:31 – Updated: 2026-06-19 21:41
VLAI
Summary
ts-deepmerge: Prototype Method Override leads to DoS
Details

Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ts-deepmerge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-12644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:41:52Z",
    "nvd_published_at": "2026-06-19T06:17:01Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken \u2014 any string context operation throws a TypeError, crashing the application.",
  "id": "GHSA-87mf-gv2c-c62c",
  "modified": "2026-06-19T21:41:52Z",
  "published": "2026-06-19T06:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12644"
    },
    {
      "type": "WEB",
      "url": "https://github.com/voodoocreation/ts-deepmerge/commit/305a05831a462fb2c353d3cbbff55a0733286f8c"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/igorg1312/775fa00114c4d47df6ae0551779ab407"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/voodoocreation/ts-deepmerge"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-TSDEEPMERGE-17339141"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ts-deepmerge: Prototype Method Override leads to DoS"
}

GHSA-8C5G-69WP-X3WV

Vulnerability from github – Published: 2025-06-06 09:30 – Updated: 2025-06-06 09:30
VLAI
Details

Deserialization vulnerability in the IPC module Impact: Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T07:15:26Z",
    "severity": "MODERATE"
  },
  "details": "Deserialization vulnerability in the IPC module\nImpact: Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-8c5g-69wp-x3wv",
  "modified": "2025-06-06T09:30:24Z",
  "published": "2025-06-06T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48907"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2025/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8GV7-MMCH-W6H8

Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-13 21:30
VLAI
Details

Uncaught exception for some Intel(R) CST software before version 8.7.10803 may allow an authenticated user to potentially enable denial of service via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-13T21:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Uncaught exception for some Intel(R) CST software before version 8.7.10803 may allow an authenticated user to potentially enable denial of service via local access.",
  "id": "GHSA-8gv7-mmch-w6h8",
  "modified": "2024-11-13T21:30:36Z",
  "published": "2024-11-13T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29076"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8R4G-CG4M-X23C

Vulnerability from github – Published: 2021-09-22 18:22 – Updated: 2025-10-03 18:27
VLAI
Summary
Denial of Service in node-static
Details

All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-static"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.7.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-22T18:21:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access `http://host/%00` and crash the server.",
  "id": "GHSA-8r4g-cg4m-x23c",
  "modified": "2025-10-03T18:27:42Z",
  "published": "2021-09-22T18:22:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudhead/node-static/pull/213"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/6248"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudhead/node-static"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudhead/node-static/blob/643a528ec7bbd05a59c4030655d94810570afb3f/CHANGES.md#-unreleased"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Denial of Service in node-static"
}

GHSA-8RF5-92JH-3VC9

Vulnerability from github – Published: 2021-05-13 22:31 – Updated: 2021-04-06 21:46
VLAI
Summary
Uncaught Exception leading to Denial of Service in json-sanitizer
Details

OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.mikesamuel:json-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-06T21:46:21Z",
    "nvd_published_at": "2021-01-13T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.",
  "id": "GHSA-8rf5-92jh-3vc9",
  "modified": "2021-04-06T21:46:21Z",
  "published": "2021-05-13T22:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23900"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncaught Exception leading to Denial of Service in json-sanitizer"
}

GHSA-8RJ5-2857-877J

Vulnerability from github – Published: 2023-08-23 13:19 – Updated: 2024-09-27 15:46
VLAI
Summary
json2xml Uncaught Exception vulnerability
Details

The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "json2xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-23T13:19:55Z",
    "nvd_published_at": "2023-08-22T19:16:22Z",
    "severity": "HIGH"
  },
  "details": "The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.",
  "id": "GHSA-8rj5-2857-877j",
  "modified": "2024-09-27T15:46:25Z",
  "published": "2023-08-23T13:19:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25024"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vinitkumar/json2xml/issues/106"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vinitkumar/json2xml/pull/107"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vinitkumar/json2xml/pull/107/files"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vinitkumar/json2xml"
    },
    {
      "type": "WEB",
      "url": "https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "json2xml Uncaught Exception vulnerability"
}

GHSA-8RVJ-6HP5-GF5X

Vulnerability from github – Published: 2025-11-14 18:31 – Updated: 2025-11-14 18:31
VLAI
Details

On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.153

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-14T16:15:59Z",
    "severity": "MODERATE"
  },
  "details": "On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.153",
  "id": "GHSA-8rvj-6hp5-gf5x",
  "modified": "2025-11-14T18:31:39Z",
  "published": "2025-11-14T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8870"
    },
    {
      "type": "WEB",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22811-security-advisory-0125"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8XFF-473H-F863

Vulnerability from github – Published: 2024-02-21 00:00 – Updated: 2024-02-21 00:00
VLAI
Summary
Uncaught Exception Handling Parsing Errors on Line Terminators
Details

The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.

Impact

A client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.

Patches

  • Version 1.2.1 and later are not affected by this issue.

Workarounds

Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.

References

  • 3527

  • https://github.com/StarlaneStudios/Surrealist/issues/177
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.2.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T00:00:54Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.\n\n### Patches\n\n- Version 1.2.1 and later are not affected by this issue.\n\n### Workarounds\n\nConcerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- #3527\n- https://github.com/StarlaneStudios/Surrealist/issues/177",
  "id": "GHSA-8xff-473h-f863",
  "modified": "2024-02-21T00:00:54Z",
  "published": "2024-02-21T00:00:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-8xff-473h-f863"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarlaneStudios/Surrealist/issues/177"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncaught Exception Handling Parsing Errors on Line Terminators"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.