CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-G2M5-4HX7-HX76
Vulnerability from github – Published: 2025-02-06 21:32 – Updated: 2025-02-06 21:32Specifically crafted payloads sent to the RFID reader could cause DoS of RFID reader. After the device is restarted, it gets back to fully working state.
{
"affected": [],
"aliases": [
"CVE-2024-13417"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-06T20:15:39Z",
"severity": "MODERATE"
},
"details": "Specifically crafted payloads sent to the RFID reader could cause DoS of RFID reader. After the device is restarted, it gets back to fully working state.",
"id": "GHSA-g2m5-4hx7-hx76",
"modified": "2025-02-06T21:32:09Z",
"published": "2025-02-06T21:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13417"
},
{
"type": "WEB",
"url": "https://www.2n.com/en-GB/download/cve_2024_1341x_2nos_2_46_v1pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G4W4-PWM7-7RV4
Vulnerability from github – Published: 2023-06-27 15:30 – Updated: 2026-02-23 09:31Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service
{
"affected": [],
"aliases": [
"CVE-2023-3405"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-27T15:15:11Z",
"severity": "HIGH"
},
"details": "Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service",
"id": "GHSA-g4w4-pwm7-7rv4",
"modified": "2026-02-23T09:31:18Z",
"published": "2023-06-27T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3405"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2023-3405"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/cve-2023-3405"
},
{
"type": "WEB",
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3405"
},
{
"type": "WEB",
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3405-denial-of-service-in-m-files-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5HG-P3PH-G8QG
Vulnerability from github – Published: 2025-06-05 01:09 – Updated: 2025-06-05 01:09Impact
A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to 2.0.1
Workarounds
None
References
https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9 https://github.com/expressjs/multer/issues/1233 https://github.com/expressjs/multer/pull/1256
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "multer"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.4-lts.1"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48997"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-05T01:09:35Z",
"nvd_published_at": "2025-06-03T19:15:39Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA vulnerability in Multer versions \u003e=1.4.4-lts.1, \u003c2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.\n\n### Patches\n\nUsers should upgrade to `2.0.1`\n\n### Workarounds\n\nNone\n\n### References\n\nhttps://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9\nhttps://github.com/expressjs/multer/issues/1233\nhttps://github.com/expressjs/multer/pull/1256",
"id": "GHSA-g5hg-p3ph-g8qg",
"modified": "2025-06-05T01:09:35Z",
"published": "2025-06-05T01:09:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48997"
},
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/issues/1233"
},
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/pull/1256"
},
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9"
},
{
"type": "PACKAGE",
"url": "https://github.com/expressjs/multer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Multer vulnerable to Denial of Service via unhandled exception"
}
GHSA-GMFG-PFQM-QMCP
Vulnerability from github – Published: 2024-08-08 12:30 – Updated: 2024-08-08 12:30Vulnerability of uncaught exceptions in the Graphics module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
{
"affected": [],
"aliases": [
"CVE-2024-42037"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-08T10:15:08Z",
"severity": "CRITICAL"
},
"details": "Vulnerability of uncaught exceptions in the Graphics module\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.",
"id": "GHSA-gmfg-pfqm-qmcp",
"modified": "2024-08-08T12:30:34Z",
"published": "2024-08-08T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42037"
},
{
"type": "WEB",
"url": "https://https://consumer.huawei.com/en/support/bulletin/2024/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPW9-FWM8-7RX7
Vulnerability from github – Published: 2023-07-27 17:13 – Updated: 2023-07-27 21:36Impact
In Sails apps <=v1.5.6, an attacker can send a virtual request that will cause the node process to crash.
Patches
This behavior was fixed in Sails v1.5.7
Workarounds
Disable the sockets hook and remove the sails.io.js client
References
https://github.com/balderdashy/sails/pull/7287
Big thanks to @ThomasRinsma at Codean!
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sails"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38504"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-27T17:13:14Z",
"nvd_published_at": "2023-07-27T19:15:10Z",
"severity": "HIGH"
},
"details": "### Impact\nIn Sails apps \u003c=v1.5.6, an attacker can send a virtual request that will cause the node process to crash. \n\n### Patches\nThis behavior was fixed in Sails [v1.5.7](https://github.com/balderdashy/sails/releases/tag/v1.5.7)\n\n### Workarounds\nDisable the sockets hook and remove the `sails.io.js` client\n\n### References\nhttps://github.com/balderdashy/sails/pull/7287\n\nBig thanks to @ThomasRinsma at [Codean](https://www.linkedin.com/company/codeanio/)!",
"id": "GHSA-gpw9-fwm8-7rx7",
"modified": "2023-07-27T21:36:06Z",
"published": "2023-07-27T17:13:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/security/advisories/GHSA-gpw9-fwm8-7rx7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38504"
},
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/pull/7287"
},
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/commit/4a023dc5095a4b30fdc8535f705ed34cd22d2f7d"
},
{
"type": "PACKAGE",
"url": "https://github.com/balderdashy/sails"
},
{
"type": "WEB",
"url": "https://github.com/balderdashy/sails/releases/tag/v1.5.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "DoS vulnerability for apps with sockets enabled"
}
GHSA-GPX4-37G2-C8PV
Vulnerability from github – Published: 2025-09-30 18:32 – Updated: 2025-10-23 20:29Summary
In the default configuration, webhook.azuredevops.username and webhook.azuredevops.password not set, Argo CD’s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.
The slice index [0] is accessed without a length check, causing an index-out-of-range panic.
A single unauthenticated HTTP POST is enough to kill the process.
Details
case azuredevops.GitPushEvent:
// util/webhook/webhook.go -- line ≈147
revision = ParseRevision(payload.Resource.RefUpdates[0].Name) // panics if slice empty
change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)
change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)
touchedHead = payload.Resource.RefUpdates[0].Name ==
payload.Resource.Repository.DefaultBranch
If the attacker supplies "refUpdates": [], the slice has length 0.
The webhook code has no recover(), so the panic terminates the entire binary.
PoC
payload-azure-empty.json:
{
"eventType": "git.push",
"resource": {
"refUpdates": [],
"repository": {
"remoteUrl": "https://example.com/dummy",
"defaultBranch": "refs/heads/master"
}
}
}
curl call:
curl -k -X POST https://argocd.example.com/api/webhook \
-H 'X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111' \
-H 'Content-Type: application/json' \
--data-binary @payload-azure-empty.json
Observed crash:
panic: runtime error: index out of range [0] with length 0
goroutine 205 [running]:
github.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo
webhook.go:147 +0x1ea5
...
Mitigation
If you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.
If you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
type: Opaque
data:
+ webhook.azuredevops.username: <your base64-encoded secret here>
+ webhook.azuredevops.password: <your base64-encoded secret here>
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
Credits
Discovered by Jakub Ciolek at AlphaSense.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.14.19"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0-rc1"
},
{
"fixed": "2.14.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0-rc1"
},
{
"fixed": "3.2.0-rc2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.2.0-rc1"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0-rc1"
},
{
"fixed": "3.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.18"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-rc1"
},
{
"fixed": "3.0.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59538"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-30T18:32:31Z",
"nvd_published_at": "2025-10-01T21:16:43Z",
"severity": "HIGH"
},
"details": "### Summary\n\nIn the default configuration, `webhook.azuredevops.username` and `webhook.azuredevops.password` not set, Argo CD\u2019s /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty.\n\nThe slice index [0] is accessed without a length check, causing an index-out-of-range panic.\n\nA single unauthenticated HTTP POST is enough to kill the process.\n\n### Details\n\n```go\ncase azuredevops.GitPushEvent:\n // util/webhook/webhook.go -- line \u2248147\n revision = ParseRevision(payload.Resource.RefUpdates[0].Name) // panics if slice empty\n change.shaAfter = ParseRevision(payload.Resource.RefUpdates[0].NewObjectID)\n change.shaBefore= ParseRevision(payload.Resource.RefUpdates[0].OldObjectID)\n touchedHead = payload.Resource.RefUpdates[0].Name ==\n payload.Resource.Repository.DefaultBranch\n```\n\nIf the attacker supplies \"refUpdates\": [], the slice has length 0.\n\nThe webhook code has no recover(), so the panic terminates the entire binary.\n\n### PoC\n\npayload-azure-empty.json:\n```json\n{\n \"eventType\": \"git.push\",\n \"resource\": {\n \"refUpdates\": [],\n \"repository\": {\n \"remoteUrl\": \"https://example.com/dummy\",\n \"defaultBranch\": \"refs/heads/master\"\n }\n }\n}\n```\n\ncurl call:\n\n```shell\ncurl -k -X POST https://argocd.example.com/api/webhook \\\n -H \u0027X-Vss-ActivityId: 11111111-1111-1111-1111-111111111111\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data-binary @payload-azure-empty.json\n```\n\nObserved crash:\n\n```\npanic: runtime error: index out of range [0] with length 0\n\ngoroutine 205 [running]:\ngithub.com/argoproj/argo-cd/v3/util/webhook.affectedRevisionInfo\n webhook.go:147 +0x1ea5\n...\n```\n\n### Mitigation\n\nIf you use Azure DevOps and need to handle webhook events, configure a webhook secret to ensure only trusted parties can invoke the webhook handler.\n\nIf you do not use Azure DevOps, you can set the webhook secrets to long, random values to effectively disable webhook handling for Azure DevOps payloads.\n\n```diff\napiVersion: v1\nkind: Secret\nmetadata:\n name: argocd-secret\ntype: Opaque\ndata:\n+ webhook.azuredevops.username: \u003cyour base64-encoded secret here\u003e\n+ webhook.azuredevops.password: \u003cyour base64-encoded secret here\u003e\n```\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n### Credits\n\nDiscovered by Jakub Ciolek at AlphaSense.",
"id": "GHSA-gpx4-37g2-c8pv",
"modified": "2025-10-23T20:29:02Z",
"published": "2025-09-30T18:32:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-gpx4-37g2-c8pv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59538"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/1a023f1ca7fe4ec942b4b6696804988d5a632baf"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3995"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook"
}
GHSA-H262-6V4R-HFM3
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30Denial of service (DoS) vulnerability in the AMS module Impact: Successful exploitation of this vulnerability will affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-32995"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:37:23Z",
"severity": "MODERATE"
},
"details": "Denial of service (DoS) vulnerability in the AMS module\nImpact: Successful exploitation of this vulnerability will affect availability.",
"id": "GHSA-h262-6v4r-hfm3",
"modified": "2024-05-14T18:30:48Z",
"published": "2024-05-14T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32995"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/5"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-phones-202405-0000001902628049"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H3PQ-WM2X-37WM
Vulnerability from github – Published: 2024-12-02 06:31 – Updated: 2024-12-02 18:31In wlan driver, there is a possible client disconnection due to improper handling of exceptional conditions. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00384543; Issue ID: MSV-1727.
{
"affected": [],
"aliases": [
"CVE-2024-20137"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-02T04:15:06Z",
"severity": "HIGH"
},
"details": "In wlan driver, there is a possible client disconnection due to improper handling of exceptional conditions. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00384543; Issue ID: MSV-1727.",
"id": "GHSA-h3pq-wm2x-37wm",
"modified": "2024-12-02T18:31:55Z",
"published": "2024-12-02T06:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20137"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/December-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H4F5-H82V-5W4R
Vulnerability from github – Published: 2024-11-22 20:11 – Updated: 2024-11-22 20:11The rand::time() function in SurrealQL generates a random time from an optional range of two Unix timestamps. Due to the underlying use of timestamp_opt from the chrono crate, this function could potentially return None in some instances, leading to a panic when unwrap was called on its result in order to return a SurrealQL datetime type to the caller of the function.
Impact
A client that is authorized to run queries in a SurrealDB server would be able to make repeated (in the order of millions) calls to rand::time() in order to reliably trigger a panic. This would crash the server, leading to denial of service.
Patches
The function has been updated in to guarantee that some datetime is returned or that an error is otherwise gracefully handled.
- Version 2.1.0 and later are not affected by this issue.
Workarounds
Affected users who are unable to update may want to limit the ability of untrusted clients to run the rand::time() function in the affected versions of SurrealDB using security capabilities. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.
References
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-22T20:11:38Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The `rand::time()` function in SurrealQL generates a random time from an optional range of two Unix timestamps. Due to the underlying use of `timestamp_opt` from the `chrono` crate, this function could potentially return `None` in some instances, leading to a panic when `unwrap` was called on its result in order to return a SurrealQL `datetime` type to the caller of the function.\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server would be able to make repeated (in the order of millions) calls to `rand::time()` in order to reliably trigger a panic. This would crash the server, leading to denial of service.\n\n### Patches\n\nThe function has been updated in to guarantee that some `datetime` is returned or that an error is otherwise gracefully handled.\n\n- Version 2.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nAffected users who are unable to update may want to limit the ability of untrusted clients to run the `rand::time()` function in the affected versions of SurrealDB using security capabilities. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- #5126\n- [SurrealQL Documentation - Database Functions (`rand::time`)](https://surrealdb.com/docs/surrealql/functions/database/rand#randtime)\n- [SurrealDB Documentation - Security Capabilities (Functions)](https://surrealdb.com/docs/surrealdb/security/capabilities#functions)",
"id": "GHSA-h4f5-h82v-5w4r",
"modified": "2024-11-22T20:11:38Z",
"published": "2024-11-22T20:11:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-h4f5-h82v-5w4r"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/pull/5126"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SurrealDB has an Uncaught Exception in Function Generating Random Time"
}
GHSA-H5JV-6XG2-9CV8
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32mintplex-labs/anything-llm version git 6dc3642 contains an unauthenticated Denial of Service (DoS) vulnerability in the API for the embeddable chat functionality. An attacker can exploit this vulnerability by sending a malformed JSON payload to the API endpoint, causing a server crash due to an uncaught exception. This issue is fixed in version 1.2.2.
{
"affected": [],
"aliases": [
"CVE-2024-8249"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:41Z",
"severity": "HIGH"
},
"details": "mintplex-labs/anything-llm version git 6dc3642 contains an unauthenticated Denial of Service (DoS) vulnerability in the API for the embeddable chat functionality. An attacker can exploit this vulnerability by sending a malformed JSON payload to the API endpoint, causing a server crash due to an uncaught exception. This issue is fixed in version 1.2.2.",
"id": "GHSA-h5jv-6xg2-9cv8",
"modified": "2025-03-20T12:32:48Z",
"published": "2025-03-20T12:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8249"
},
{
"type": "WEB",
"url": "https://github.com/mintplex-labs/anything-llm/commit/548da9ade30368289c5beaf0a8ee2ed2b5c1d81c"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/2fb0c93f-5bc1-4212-bdca-292db7c6951f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.