Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

420 vulnerabilities reference this CWE, most recent first.

GHSA-9QFM-4G6C-76PF

Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-14 21:31
VLAI
Details

Uncaught exception for some Intel Unison software may allow an authenticated user to potentially enable denial of service via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-14T19:15:16Z",
    "severity": "MODERATE"
  },
  "details": "Uncaught exception for some Intel Unison software may allow an authenticated user to potentially enable denial of service via network access.",
  "id": "GHSA-9qfm-4g6c-76pf",
  "modified": "2023-11-14T21:31:01Z",
  "published": "2023-11-14T21:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22290"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00963.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9QRH-QJMC-5W2P

Vulnerability from github – Published: 2022-04-28 20:25 – Updated: 2022-05-03 02:24
VLAI
Summary
Denial-of-Service when binding invalid parameters in sqlite3
Details

Affected versions of sqlite3 will experience a fatal error when supplying a specific object in the parameter array. This error causes the application to crash and could not be caught. Users of sqlite3 v5.0.0, v5.0.1 and v5.0.2 are affected by this. This issue is fixed in v5.0.3. All users are recommended to upgrade to v5.0.3 or later. Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters as a workaround.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sqlite3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-28T20:25:23Z",
    "nvd_published_at": "2022-05-01T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Affected versions of sqlite3 will experience a fatal error when supplying a specific object in the parameter array. This error causes the application to crash and could not be caught. Users of `sqlite3` v5.0.0, v5.0.1 and v5.0.2 are affected by this. This issue is fixed in v5.0.3. All users are recommended to upgrade to v5.0.3 or later. Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters as a workaround.\n",
  "id": "GHSA-9qrh-qjmc-5w2p",
  "modified": "2022-05-03T02:24:25Z",
  "published": "2022-04-28T20:25:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-9qrh-qjmc-5w2p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21227"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TryGhost/node-sqlite3/issues/1440"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TryGhost/node-sqlite3/issues/1449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TryGhost/node-sqlite3"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial-of-Service when binding invalid parameters in sqlite3"
}

GHSA-9RMP-2568-59RV

Vulnerability from github – Published: 2024-12-05 17:30 – Updated: 2025-12-26 16:30
VLAI
Summary
rPGP Panics on Malformed Untrusted Input
Details

During a security audit, Radically Open Security discovered several reachable edge cases which allow an attacker to trigger rpgp crashes by providing crafted data.

Impact

When processing malformed input, rpgp can run into Rust panics which halt the program.

This can happen in the following scenarios: * Parsing OpenPGP messages from binary or armor format * Decrypting OpenPGP messages via decrypt_with_password() * Parsing or converting public keys * Parsing signed cleartext messages from armor format * Using malformed private keys to sign or encrypt

Given the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the rpgp library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.

The result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.

Versions and Patches

All recent versions are affected by at least some of the above mentioned issues.

The vulnerabilities have been fixed with version 0.14.1. We recommend all users to upgrade to this version.

References

The security audit was made possible by the NLnet Foundation NGI Zero Core grant program for rpgp.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "pgp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53856"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130",
      "CWE-248",
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-05T17:30:52Z",
    "nvd_published_at": "2024-12-05T16:15:26Z",
    "severity": "HIGH"
  },
  "details": "During a security audit, [Radically Open Security](https://www.radicallyopensecurity.com/) discovered several reachable edge cases which allow an attacker to trigger `rpgp` crashes by providing crafted data.\n\n### Impact\nWhen processing malformed input, `rpgp` can run into Rust panics which halt the program.\n\nThis can happen in the following scenarios:\n* Parsing OpenPGP messages from binary or armor format\n* Decrypting OpenPGP messages via `decrypt_with_password()`\n* Parsing or converting public keys\n* Parsing signed cleartext messages from armor format\n* Using malformed private keys to sign or encrypt\n\nGiven the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the `rpgp` library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.\n\nThe result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.\n\n### Versions and Patches\nAll recent versions are affected by at least some of the above mentioned issues. \n\nThe vulnerabilities have been fixed with version `0.14.1`. We recommend all users to upgrade to this version.\n\n### References\n\n\nThe security audit was made possible by the [NLnet Foundation NGI Zero Core](https://nlnet.nl/core/) grant program [for rpgp](https://nlnet.nl/project/rPGP-cryptorefresh/).",
  "id": "GHSA-9rmp-2568-59rv",
  "modified": "2025-12-26T16:30:25Z",
  "published": "2024-12-05T17:30:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53856"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rpgp/rpgp"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0447.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rPGP Panics on Malformed Untrusted Input"
}

GHSA-9VGR-8WFF-X9VQ

Vulnerability from github – Published: 2025-02-05 18:34 – Updated: 2025-02-05 18:34
VLAI
Details

A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.

This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-05T17:15:24Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.\n\nThis vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.\u0026nbsp;\nThis vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.",
  "id": "GHSA-9vgr-8wff-x9vq",
  "modified": "2025-02-05T18:34:45Z",
  "published": "2025-02-05T18:34:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20173"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-dos-sdxnSUcW"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C467-VF3V-2G2Q

Vulnerability from github – Published: 2024-02-21 21:30 – Updated: 2024-09-27 18:32
VLAI
Details

Malformed Device Reset Locally Command Class packets can be sent to the controller, causing the controller to assume the end device has left the network. After this, frames sent by the end device will not be acknowledged by the controller. This vulnerability exists in PC Controller v5.54.0, and earlier. 

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-21T20:15:46Z",
    "severity": "MODERATE"
  },
  "details": "Malformed Device Reset Locally Command Class packets can be sent to the controller, causing the controller to assume the end device has left the network. After this, frames sent by the end device will not be acknowledged by the controller. This vulnerability exists in PC Controller v5.54.0, and earlier.\u00a0",
  "id": "GHSA-c467-vf3v-2g2q",
  "modified": "2024-09-27T18:32:20Z",
  "published": "2024-02-21T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6533"
    },
    {
      "type": "WEB",
      "url": "https://community.silabs.com/068Vm000001HdNm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C4CC-X928-VJW9

Vulnerability from github – Published: 2025-12-08 17:57 – Updated: 2025-12-09 19:17
VLAI
Summary
robrichards/xmlseclibs has an Libxml2 Canonicalization error which can bypass Digest/Signature validation
Details

Summary

An authentication bypass vulnerability exists due to a flaw in the libxml2 canonicalization process, which is used by xmlseclibs during document transformation. This weakness allows an attacker to generate a valid signature once and reuse it indefinitely. In practice, a signature created during a previous interaction - or through a misconfigured authentication flow - can be replayed to bypass authentication checks.

Details

When libxml2’s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. xmlseclibs then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded.

https://github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php#L296

Impact

Digest bypass: By crafting input that causes canonicalization to yield an empty string, the attacker can manipulate validation to pass incorrectly.

Signature replay on empty canonical form: If an empty string has been signed once (e.g., in a prior interaction or via a misconfigured flow), that signature can potentially be replayed to bypass authentication.

Suggested remediation

Treat canonicalization failures (exceptions or nil/empty outputs) as fatal and abort validation. Add explicit checks: reject when canonicalize returns nil/empty or raise

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "robrichards/xmlseclibs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-08T17:57:33Z",
    "nvd_published_at": "2025-12-09T16:18:21Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn authentication bypass vulnerability exists due to a flaw in the libxml2 canonicalization process, which is used by [xmlseclibs](https://github.com/robrichards/xmlseclibs) during document transformation. This weakness allows an attacker to generate a valid signature once and reuse it indefinitely. In practice, a signature created during a previous interaction - or through a misconfigured authentication flow - can be replayed to bypass authentication checks.\n\n### Details\nWhen libxml2\u2019s canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. [xmlseclibs](https://github.com/robrichards/xmlseclibs) then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded.\n\nhttps://github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php#L296\n\n### Impact\nDigest bypass: By crafting input that causes canonicalization to yield an empty string, the attacker can manipulate validation to pass incorrectly.\n\nSignature replay on empty canonical form: If an empty string has been signed once (e.g., in a prior interaction or via a misconfigured flow), that signature can potentially be replayed to bypass authentication.\n\n### Suggested remediation\nTreat canonicalization failures (exceptions or nil/empty outputs) as fatal and abort validation.\nAdd explicit checks: reject when canonicalize returns nil/empty or raise",
  "id": "GHSA-c4cc-x928-vjw9",
  "modified": "2025-12-09T19:17:52Z",
  "published": "2025-12-08T17:57:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66578"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robrichards/xmlseclibs/commit/69fd63080bc47a8d51bc101c30b7cb756862d1d6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/robrichards/xmlseclibs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php#L296"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "robrichards/xmlseclibs has an Libxml2 Canonicalization error which can bypass Digest/Signature validation"
}

GHSA-C85W-X26Q-CH87

Vulnerability from github – Published: 2025-03-01 00:11 – Updated: 2026-02-18 23:47
VLAI
Summary
Formwork improperly validates input of User role preventing site and panel availability
Details

Summary

Improper validation of select fields allows attackers to craft an input that crashes the system, resulting in a 500 status and making the entire site and administration panel unavailable. This clearly impacts the Availability aspect of the CIA triad (confidentiality, integrity, and availability), although the attack still has certain limitations.

Details

The attack involves injecting any invalid user role value. Doing this will change the users data in a way that prevents users and then the entire site from loading. Even though the actual data change is minimal, the error is unrecoverable until a valid role parameter is restored by direct modification of the user account file. Proper validation of select fields will prevent extraneous valid from being accepted and making the entire site and administration panel unavailable.

Patches

Impact

The condition for this attack is having high privileges or Admin access, which means it could be exploited by an Insider Threat. Alternatively, if an attacker gains access to a privileged user account, they can execute the attack as well. Overall, the attack is relatively difficult to carry out, but if successful, the impact and damage would be significant.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getformwork/formwork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.1"
            },
            {
              "fixed": "2.0.0-beta.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1285",
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-01T00:11:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nImproper validation of select fields allows attackers to craft an input that crashes the system, resulting in a 500 status and making the entire site and administration panel unavailable.\nThis clearly impacts the Availability aspect of the CIA triad (confidentiality, integrity, and availability), although the attack still has certain limitations.\n\n### Details\nThe attack involves injecting any invalid user role value. Doing this will change the users data in a way that prevents users and then the entire site from loading. Even though the actual data change is minimal, the error is unrecoverable until a valid role parameter is restored by direct modification of the user account file.\nProper validation of select fields will prevent extraneous valid from being accepted and making the entire site and administration panel unavailable.\n\n### Patches\n- [**Formwork 2.x** (d9f0c1f)](https://github.com/getformwork/formwork/commit/d9f0c1feb3b9855d5bdc8bb189c0aaab2792e7ca) adds proper validation to select fields.\n\n### Impact\nThe condition for this attack is having high privileges or Admin access, which means it could be exploited by an Insider Threat. Alternatively, if an attacker gains access to a privileged user account, they can execute the attack as well.\nOverall, the attack is relatively difficult to carry out, but if successful, the impact and damage would be significant.",
  "id": "GHSA-c85w-x26q-ch87",
  "modified": "2026-02-18T23:47:37Z",
  "published": "2025-03-01T00:11:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-c85w-x26q-ch87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getformwork/formwork/commit/d9f0c1feb3b9855d5bdc8bb189c0aaab2792e7ca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getformwork/formwork"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Formwork improperly validates input of User role preventing site and panel availability"
}

GHSA-C8H3-85XM-JXP3

Vulnerability from github – Published: 2024-02-05 21:30 – Updated: 2024-02-12 18:31
VLAI
Details

StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.13 are susceptible to a Denial of Service (DoS) vulnerability. A successful exploit could lead to a crash of the Local Distribution Router (LDR) service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-05T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through \n11.6.0.13 are susceptible to a Denial of Service (DoS) vulnerability. A \nsuccessful exploit could lead to a crash of the Local Distribution \nRouter (LDR) service.\n\n",
  "id": "GHSA-c8h3-85xm-jxp3",
  "modified": "2024-02-12T18:31:07Z",
  "published": "2024-02-05T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27318"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/NTAP-20240202-0012"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C8W6-X74F-VMG3

Vulnerability from github – Published: 2026-07-02 19:37 – Updated: 2026-07-02 19:37
VLAI
Summary
zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers
Details

Am I affected

You are affected if:

  1. You run zebrad up to and including v4.4.1.
  2. Your zebrad.toml sets rpc.listen_addr to a TCP address (RPC server is enabled).
  3. An attacker can authenticate to the RPC endpoint. With the default enable_cookie_auth = true, this requires the attacker to read the .cookie file (typically local access). With enable_cookie_auth = false, any network client reaching the RPC port can trigger it.

Summary

The z_listunifiedreceivers RPC handler panics when processing a structurally valid Unified Address whose Sapling receiver carries 43 bytes that fail cryptographic validation (sapling_crypto::PaymentAddress::from_bytes returns None for non-subgroup Jubjub points). The handler calls .expect("using data already decoded as valid") on the fallible result. Because Zebra's release profile sets panic = "abort", the panic terminates the entire node process, not just the RPC task.

Details

zcash_address::unified::Encoding::decode validates only the structural envelope of a Unified Address (F4Jumble, bech32m, typecode ordering, 43-byte length for Sapling). It does not validate that the embedded pk_d is a valid Jubjub subgroup point or that the diversifier produces a valid g_d preimage.

At zebra-rpc/src/methods.rs:2893, the handler calls Address::try_from_sapling(network, data), which delegates to sapling_crypto::PaymentAddress::from_bytes. When from_bytes returns None (most random 32-byte strings fail the subgroup check), the .expect() fires and the process aborts.

The same crate already handles this correctly in try_from_unified at zebra-chain/src/primitives/address.rs:99-110, which returns Err when from_bytes fails. The vulnerable code path bypasses this validated route.

Patches

zebra-rpc 8.0.0 and zebrad 4.5.0.

Replace .expect() with .map_err(|e| ErrorObject::owned(...)) for proper error propagation, or route through the existing try_from_unified path which already handles this case correctly.

Workarounds

  • Disable the RPC server by removing rpc.listen_addr from zebrad.toml.
  • Ensure enable_cookie_auth = true (the default) and restrict filesystem access to the .cookie file.
  • Place a reverse proxy in front of the RPC port that rejects z_listunifiedreceivers calls with untrusted address parameters.

Impact

A single authenticated RPC request terminates the zebrad process. The attack is repeatable on restart (the same request triggers the same abort), allowing an attacker to keep the node down indefinitely until the request is filtered upstream. Operators using lightwalletd backends, Zaino indexers, or mining pool infrastructure that forward RPC calls to zebrad may be exposed if the forwarding path passes through z_listunifiedreceivers.

Credit

Reported by @robustfengbin via a private GitHub Security Advisory submission.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.0.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-rpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-248",
      "CWE-617",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T19:37:58Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Am I affected\n\nYou are affected if:\n\n1. You run `zebrad` up to and including `v4.4.1`.\n2. Your `zebrad.toml` sets `rpc.listen_addr` to a TCP address (RPC server is enabled).\n3. An attacker can authenticate to the RPC endpoint. With the default `enable_cookie_auth = true`, this requires the attacker to read the `.cookie` file (typically local access). With `enable_cookie_auth = false`, any network client reaching the RPC port can trigger it.\n\n### Summary\n\nThe `z_listunifiedreceivers` RPC handler panics when processing a structurally valid Unified Address whose Sapling receiver carries 43 bytes that fail cryptographic validation (`sapling_crypto::PaymentAddress::from_bytes` returns `None` for non-subgroup Jubjub points). The handler calls `.expect(\"using data already decoded as valid\")` on the fallible result. Because Zebra\u0027s release profile sets `panic = \"abort\"`, the panic terminates the entire node process, not just the RPC task.\n\n### Details\n\n`zcash_address::unified::Encoding::decode` validates only the structural envelope of a Unified Address (F4Jumble, bech32m, typecode ordering, 43-byte length for Sapling). It does not validate that the embedded `pk_d` is a valid Jubjub subgroup point or that the diversifier produces a valid `g_d` preimage.\n\nAt `zebra-rpc/src/methods.rs:2893`, the handler calls `Address::try_from_sapling(network, data)`, which delegates to `sapling_crypto::PaymentAddress::from_bytes`. When `from_bytes` returns `None` (most random 32-byte strings fail the subgroup check), the `.expect()` fires and the process aborts.\n\nThe same crate already handles this correctly in `try_from_unified` at `zebra-chain/src/primitives/address.rs:99-110`, which returns `Err` when `from_bytes` fails. The vulnerable code path bypasses this validated route.\n\n### Patches\n\nzebra-rpc 8.0.0 and zebrad 4.5.0.\n\nReplace `.expect()` with `.map_err(|e| ErrorObject::owned(...))` for proper error propagation, or route through the existing `try_from_unified` path which already handles this case correctly.\n\n### Workarounds\n\n- Disable the RPC server by removing `rpc.listen_addr` from `zebrad.toml`.\n- Ensure `enable_cookie_auth = true` (the default) and restrict filesystem access to the `.cookie` file.\n- Place a reverse proxy in front of the RPC port that rejects `z_listunifiedreceivers` calls with untrusted address parameters.\n\n### Impact\n\nA single authenticated RPC request terminates the `zebrad` process. The attack is repeatable on restart (the same request triggers the same abort), allowing an attacker to keep the node down indefinitely until the request is filtered upstream. Operators using `lightwalletd` backends, Zaino indexers, or mining pool infrastructure that forward RPC calls to `zebrad` may be exposed if the forwarding path passes through `z_listunifiedreceivers`.\n\n### Credit\n\nReported by `@robustfengbin` via a private GitHub Security Advisory submission.",
  "id": "GHSA-c8w6-x74f-vmg3",
  "modified": "2026-07-02T19:37:58Z",
  "published": "2026-07-02T19:37:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-c8w6-x74f-vmg3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/Cargo.toml#L305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/blob/d4cd662c716382f6397d2a730148025a1ca79fec/zebra-rpc/src/methods.rs#L2867-L2914"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers"
}

GHSA-C948-477J-77C3

Vulnerability from github – Published: 2023-12-15 18:30 – Updated: 2023-12-15 18:30
VLAI
Details

A denial of service vulnerability exists in all Silicon Labs Z-Wave controller and endpoint devices running Z-Wave SDK v7.20.3 (Gecko SDK v4.3.3) and earlier. This attack can be carried out only by devices on the network sending a stream of packets to the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-15T16:15:46Z",
    "severity": "MODERATE"
  },
  "details": "\nA denial of service vulnerability exists in all Silicon Labs Z-Wave controller and endpoint devices running Z-Wave SDK v7.20.3 (Gecko SDK v4.3.3) and earlier. This attack can be carried out only by devices on the network sending a stream of packets to the device.\n\n",
  "id": "GHSA-c948-477j-77c3",
  "modified": "2023-12-15T18:30:28Z",
  "published": "2023-12-15T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5310"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SiliconLabs/gecko_sdk/releases"
    },
    {
      "type": "WEB",
      "url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm0000005E7EIAU?%20operationContext=S1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.