Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

420 vulnerabilities reference this CWE, most recent first.

GHSA-X2QC-CMH9-F4HF

Vulnerability from github – Published: 2026-06-17 18:48 – Updated: 2026-06-17 18:48
VLAI
Summary
Deno: Denial of service via non-ASCII bytes in WebSocket response headers
Details

Summary

A Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (0x80-0xFF) caused a panic that aborted the entire Deno process.

Details

When establishing a client WebSocket connection, Deno read the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions headers from the server's 101 Switching Protocols response and converted them to strings without handling the failure case. HeaderValue::to_str() returns an error for any value containing bytes outside the visible-ASCII range, so a header carrying such bytes triggered an unrecoverable error during conversion.

Because the client initiates the outbound connection, the handshake response is fully controlled by the server. A server that returns bytes such as 0xFF 0xFE in either header could therefore crash any client that connected to it.

This is purely an availability issue. There is no information disclosure and no memory-safety impact; the only effect is termination of the current process.

Impact

Remote denial of service. Any Deno application that establishes WebSocket connections to untrusted or potentially-compromised endpoints could be terminated by the remote peer. Exploitation requires the victim application to initiate the outbound WebSocket connection. An attacker who controls the WebSocket endpoint, or who can man-in-the-middle a plaintext ws:// connection, could trigger the crash. The effect is confined to crashing the process that opened the connection.

Patch

The issue is fixed in Deno 2.7.5. The header values are now parsed with graceful fallbacks: values that cannot be represented as ASCII strings are skipped instead of aborting the process. A regression test covers a server that returns non-ASCII bytes in Sec-WebSocket-Protocol.

Users should upgrade to Deno 2.7.5 or later.

Workarounds

Until you can upgrade, only connect to trusted WebSocket endpoints and prefer wss:// (TLS) over ws://, which prevents a network man-in-the-middle from injecting malicious header bytes into the handshake response.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.7.4"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T18:48:18Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA Deno program that opens a client `WebSocket` connection could be crashed by\nthe remote server. While handling the WebSocket handshake response, Deno parsed\nthe `Sec-WebSocket-Protocol` and `Sec-WebSocket-Extensions` response headers in\na way that assumed their bytes were always printable ASCII. A response header\ncontaining non-visible-ASCII bytes (`0x80`-`0xFF`) caused a panic that aborted\nthe entire Deno process.\n\n## Details\n\nWhen establishing a client WebSocket connection, Deno read the\n`Sec-WebSocket-Protocol` and `Sec-WebSocket-Extensions` headers from the\nserver\u0027s `101 Switching Protocols` response and converted them to strings\nwithout handling the failure case. `HeaderValue::to_str()` returns an error for\nany value containing bytes outside the visible-ASCII range, so a header carrying\nsuch bytes triggered an unrecoverable error during conversion.\n\nBecause the client initiates the outbound connection, the handshake response is\nfully controlled by the server. A server that returns bytes such as `0xFF 0xFE`\nin either header could therefore crash any client that connected to it.\n\nThis is purely an availability issue. There is no information disclosure and no\nmemory-safety impact; the only effect is termination of the current process.\n\n## Impact\n\nRemote denial of service. Any Deno application that establishes WebSocket\nconnections to untrusted or potentially-compromised endpoints could be\nterminated by the remote peer. Exploitation requires the victim application to\ninitiate the outbound WebSocket connection. An attacker who controls the\nWebSocket endpoint, or who can man-in-the-middle a plaintext `ws://` connection,\ncould trigger the crash. The effect is confined to crashing the process that\nopened the connection.\n\n## Patch\n\nThe issue is fixed in Deno `2.7.5`. The header values are now parsed with\ngraceful fallbacks: values that cannot be represented as ASCII strings are\nskipped instead of aborting the process. A regression test covers a server that\nreturns non-ASCII bytes in `Sec-WebSocket-Protocol`.\n\nUsers should upgrade to Deno `2.7.5` or later.\n\n## Workarounds\n\nUntil you can upgrade, only connect to trusted WebSocket endpoints and prefer\n`wss://` (TLS) over `ws://`, which prevents a network man-in-the-middle from\ninjecting malicious header bytes into the handshake response.",
  "id": "GHSA-x2qc-cmh9-f4hf",
  "modified": "2026-06-17T18:48:18Z",
  "published": "2026-06-17T18:48:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/security/advisories/GHSA-x2qc-cmh9-f4hf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deno: Denial of service via non-ASCII bytes in WebSocket response headers"
}

GHSA-X36P-26R2-96M6

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-16T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit.",
  "id": "GHSA-x36p-26r2-96m6",
  "modified": "2022-05-13T01:38:50Z",
  "published": "2022-05-13T01:38:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10363"
    },
    {
      "type": "WEB",
      "url": "https://www.elastic.co/community/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X494-MJ8G-CJ27

Vulnerability from github – Published: 2026-05-05 19:24 – Updated: 2026-05-05 19:24
VLAI
Summary
gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data
Details

Summary

Multiple denial-of-service vectors in gix-pack: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch.

Details

Bug 1: Unchecked array indexing in delta application (CWE-248)

The apply() function in gix-pack/src/data/delta.rs (lines 33-87) reads delta instructions using unchecked data[i] indexing at 7 locations (lines 41, 45, 49, 53, 57, 61, 65). The command byte's bits indicate how many additional bytes follow, but if the delta data is truncated, the index panics:

pub(crate) fn apply(base: &[u8], mut target: &mut [u8], data: &[u8]) -> Result<(), apply::Error> {
    let mut i = 0;
    while let Some(cmd) = data.get(i) {  // first byte: safely checked
        i += 1;
        match cmd {
            cmd if cmd & 0b1000_0000 != 0 => {
                let (mut ofs, mut size): (u32, u32) = (0, 0);
                if cmd & 0b0000_0001 != 0 {
                    ofs = u32::from(data[i]);     // PANIC: no bounds check
                    i += 1;
                }
                // ... 6 more unchecked data[i] at lines 45, 49, 53, 57, 61, 65

Lines 83-84 use assert_eq! (not debug_assert_eq!) that panics in both debug and release builds:

    assert_eq!(i, data.len());
    assert_eq!(target.len(), 0);

A second location in parse_header_info() (gix-pack/src/data/entry/decode.rs:116-129) also panics on truncated input via unchecked data[0] and data[i].

Note: PR #2059 (merged 2025-06-25) fixed the explicit panic!() for command code 0. The unchecked array indexing is a distinct class that remains unfixed.

Bug 2: Uncapped allocation from attacker-controlled size headers (CWE-770)

Pack entry headers and delta headers encode object sizes as LEB128-encoded u64 values. These sizes are used to allocate buffers before validating the actual data, with no upper bound:

bytes_to_entries.rs:109  Vec::with_capacity(entry.decompressed_size as usize)  // UNCAPPED
resolve.rs:461           out.resize(decompressed_len, 0)                       // UNCAPPED
resolve.rs:190           fully_resolved_delta_bytes.resize(result_size as usize, 0)  // UNCAPPED

A 10-byte crafted pack entry can claim decompressed_size = 0xFFFFFFFFFFFF (281 TB). At bytes_to_entries.rs:109, gitoxide calls Vec::with_capacity(281TB) before any decompression occurs. The OS immediately OOM-kills the process. No MAX_SIZE, max_object_size, or equivalent limit exists anywhere in gix-pack.

The allocation at resolve.rs:461 is equally dangerous: decompressed_size from the pack header is cast to usize and passed to Vec::resize(), which allocates and zeroes the full claimed size before the zlib decompressor runs.

PoC

Compiled and executed in Rust 1.94.1 --release mode. All 5 panics confirmed:

[1] delta apply: cmd=0x81, truncated -> PANIC: index out of bounds: len is 1 but index is 1
[2] delta apply: cmd=0xFF, only 3 extra bytes -> PANIC: index out of bounds: len is 4 but index is 4
[3] parse_header_info: empty data -> PANIC: index out of bounds: len is 0 but index is 0
[4] parse_header_info: byte=0x80, truncated -> PANIC: index out of bounds: len is 1 but index is 1
[5] delta apply: assert_eq!(i, data.len()) -> PANIC: assertion failed

For the OOM vector: the allocation path is parse_header_info() -> entry.decompressed_size (u64) -> Vec::with_capacity(size as usize) with no intermediate validation. A minimal pack with a single entry claiming a multi-terabyte size triggers immediate process kill.

Impact

Any application built on gitoxide that clones or fetches from an untrusted remote can be crashed by a malicious server:

  • Panic DoS: 1-2 bytes of crafted delta data causes an immediate process abort
  • OOM DoS: A single crafted pack entry header causes the process to attempt a multi-terabyte allocation, triggering an immediate OOM kill by the OS

This affects the gix CLI, any application using the gix crate, and CI/CD systems that clone repositories using gitoxide. No fuzz targets exist for gix-pack (issue #703 tracks oss-fuzz integration).

Suggested fix

For panics: replace unchecked data[i] with data.get(i).ok_or(Error::...) and replace assert_eq! with proper error returns.

For OOM: add a configurable maximum object size (similar to git's transfer.maxPackSize) and validate claimed sizes against it before allocating. At minimum, cap allocations to a reasonable default (e.g., 4 GB) and use try_reserve() consistently.

Severity

High. Network vector, no privileges required, user interaction required (clone/fetch). The OOM vector is a single-packet process kill with no recovery.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.68.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "gix-pack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.69.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T19:24:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nMultiple denial-of-service vectors in `gix-pack`: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch.\n\n### Details\n\n**Bug 1: Unchecked array indexing in delta application (CWE-248)**\n\nThe `apply()` function in `gix-pack/src/data/delta.rs` (lines 33-87) reads delta instructions using unchecked `data[i]` indexing at 7 locations (lines 41, 45, 49, 53, 57, 61, 65). The command byte\u0027s bits indicate how many additional bytes follow, but if the delta data is truncated, the index panics:\n\n```rust\npub(crate) fn apply(base: \u0026[u8], mut target: \u0026mut [u8], data: \u0026[u8]) -\u003e Result\u003c(), apply::Error\u003e {\n    let mut i = 0;\n    while let Some(cmd) = data.get(i) {  // first byte: safely checked\n        i += 1;\n        match cmd {\n            cmd if cmd \u0026 0b1000_0000 != 0 =\u003e {\n                let (mut ofs, mut size): (u32, u32) = (0, 0);\n                if cmd \u0026 0b0000_0001 != 0 {\n                    ofs = u32::from(data[i]);     // PANIC: no bounds check\n                    i += 1;\n                }\n                // ... 6 more unchecked data[i] at lines 45, 49, 53, 57, 61, 65\n```\n\nLines 83-84 use `assert_eq!` (not `debug_assert_eq!`) that panics in both debug and release builds:\n\n```rust\n    assert_eq!(i, data.len());\n    assert_eq!(target.len(), 0);\n```\n\nA second location in `parse_header_info()` (`gix-pack/src/data/entry/decode.rs:116-129`) also panics on truncated input via unchecked `data[0]` and `data[i]`.\n\nNote: PR #2059 (merged 2025-06-25) fixed the explicit `panic!()` for command code 0. The unchecked array indexing is a distinct class that remains unfixed.\n\n**Bug 2: Uncapped allocation from attacker-controlled size headers (CWE-770)**\n\nPack entry headers and delta headers encode object sizes as LEB128-encoded u64 values. These sizes are used to allocate buffers before validating the actual data, with no upper bound:\n\n```\nbytes_to_entries.rs:109  Vec::with_capacity(entry.decompressed_size as usize)  // UNCAPPED\nresolve.rs:461           out.resize(decompressed_len, 0)                       // UNCAPPED\nresolve.rs:190           fully_resolved_delta_bytes.resize(result_size as usize, 0)  // UNCAPPED\n```\n\nA 10-byte crafted pack entry can claim `decompressed_size = 0xFFFFFFFFFFFF` (281 TB). At `bytes_to_entries.rs:109`, gitoxide calls `Vec::with_capacity(281TB)` **before any decompression occurs**. The OS immediately OOM-kills the process. No `MAX_SIZE`, `max_object_size`, or equivalent limit exists anywhere in gix-pack.\n\nThe allocation at `resolve.rs:461` is equally dangerous: `decompressed_size` from the pack header is cast to `usize` and passed to `Vec::resize()`, which allocates and zeroes the full claimed size before the zlib decompressor runs.\n\n### PoC\n\nCompiled and executed in Rust 1.94.1 `--release` mode. All 5 panics confirmed:\n\n```\n[1] delta apply: cmd=0x81, truncated -\u003e PANIC: index out of bounds: len is 1 but index is 1\n[2] delta apply: cmd=0xFF, only 3 extra bytes -\u003e PANIC: index out of bounds: len is 4 but index is 4\n[3] parse_header_info: empty data -\u003e PANIC: index out of bounds: len is 0 but index is 0\n[4] parse_header_info: byte=0x80, truncated -\u003e PANIC: index out of bounds: len is 1 but index is 1\n[5] delta apply: assert_eq!(i, data.len()) -\u003e PANIC: assertion failed\n```\n\nFor the OOM vector: the allocation path is `parse_header_info()` -\u003e `entry.decompressed_size` (u64) -\u003e `Vec::with_capacity(size as usize)` with no intermediate validation. A minimal pack with a single entry claiming a multi-terabyte size triggers immediate process kill.\n\n### Impact\n\nAny application built on gitoxide that clones or fetches from an untrusted remote can be crashed by a malicious server:\n\n- **Panic DoS**: 1-2 bytes of crafted delta data causes an immediate process abort\n- **OOM DoS**: A single crafted pack entry header causes the process to attempt a multi-terabyte allocation, triggering an immediate OOM kill by the OS\n\nThis affects the `gix` CLI, any application using the `gix` crate, and CI/CD systems that clone repositories using gitoxide. No fuzz targets exist for gix-pack (issue #703 tracks oss-fuzz integration).\n\n### Suggested fix\n\nFor panics: replace unchecked `data[i]` with `data.get(i).ok_or(Error::...)` and replace `assert_eq!` with proper error returns.\n\nFor OOM: add a configurable maximum object size (similar to git\u0027s `transfer.maxPackSize`) and validate claimed sizes against it before allocating. At minimum, cap allocations to a reasonable default (e.g., 4 GB) and use `try_reserve()` consistently.\n\n### Severity\n\nHigh. Network vector, no privileges required, user interaction required (clone/fetch). The OOM vector is a single-packet process kill with no recovery.",
  "id": "GHSA-x494-mj8g-cj27",
  "modified": "2026-05-05T19:24:15Z",
  "published": "2026-05-05T19:24:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-x494-mj8g-cj27"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/GitoxideLabs/gitoxide"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data"
}

GHSA-X6CR-MQ53-CC76

Vulnerability from github – Published: 2026-02-10 14:33 – Updated: 2026-02-10 19:56
VLAI
Summary
Emmett-Core: Unhandled CookieError Exception Causing Denial of Service
Details

Summary

The cookies property in emmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service.

Details

Location: emmett_core/http/wrappers/__init__.py (line 64)

Vulnerable Code:

@cachedprop
def cookies(self) -> SimpleCookie:
    cookies: SimpleCookie = SimpleCookie()
    for cookie in self.headers.get("cookie", "").split(";"):
        cookies.load(cookie)  # No exception handling
    return cookies

PoC

Sending cookies containing special characters such as /(){} will result in insufficient error handling and a server error.

$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:/security=test"
Internal error
Time: 0.024363s

After the same error occurs several times, the server cannot process it normally.

$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:(security=test"
Internal error
Time: 60.069334s

$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:security=test"
Internal error
Time: 60.074031s

This is server log.

[2026-02-03 08:23:40,541] ERROR in handlers: Application exception:
Traceback (most recent call last):
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett/rsgi/handlers.py", line 70, in dynamic_handler
    http = await self.router.dispatch(request, response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/router.py", line 240, in dispatch
    return await match.dispatch(reqargs, response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py", line 57, in dispatch
    await self._parallel_flow(self.flow_open)
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py", line 17, in _parallel_flow
    raise task.exception()
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/sessions.py", line 102, in open_request
    if self.cookie_name in self.current.request.cookies:
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/utils.py", line 37, in __get__
    obj.__dict__[self.__name__] = rv = self.fget(obj)
                                       ~~~~~~~~~^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/http/wrappers/__init__.py", line 64, in cookies
    cookies.load(cookie)
    ~~~~~~~~~~~~^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 516, in load
    self.__parse_string(rawdata)
    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 580, in __parse_string
    self.__set(key, rval, cval)
    ~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 472, in __set
    M.set(key, real_value, coded_value)
    ~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 335, in set
    raise CookieError('Illegal key %r' % (key,))
http.cookies.CookieError: Illegal key '/security'

Impact

This vulnerability allows unauthenticated attackers to cause denial of service and performance degradation by sending malformed Cookie headers. After this vulnerability occurs, we expect it to be difficult to use the normal service.

patch

/emmett_core/http/wrappers/__init__.py

- from http.cookies import SimpleCookie 
+ from http.cookies import SimpleCookie, CookieError  # add CookieError
...
...
    @cachedprop
    def cookies(self) -> SimpleCookie:
        cookies: SimpleCookie = SimpleCookie()
        for cookie in self.headers.get("cookie", "").split(";"):
-           cookies.load(cookie)
+           try:
+               cookies.load(cookie)
+            except CookieError:
+                continue
        return cookies
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.10"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "emmett-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T14:33:15Z",
    "nvd_published_at": "2026-02-10T18:16:37Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `cookies` property in `emmett_core.http.wrappers.Request` does not handle \n`CookieError` exceptions when parsing malformed Cookie headers. This allows \nunauthenticated attackers to trigger HTTP 500 errors and cause denial of service.\n\n\n### Details\n\n**Location:** `emmett_core/http/wrappers/__init__.py` (line 64)\n\n**Vulnerable Code:**\n```python\n@cachedprop\ndef cookies(self) -\u003e SimpleCookie:\n    cookies: SimpleCookie = SimpleCookie()\n    for cookie in self.headers.get(\"cookie\", \"\").split(\";\"):\n        cookies.load(cookie)  # No exception handling\n    return cookies\n```\n\n### PoC\nSending cookies containing special characters such as /(){} will result in insufficient error handling and a server error.\n```bash\n$ curl -w \"\\nTime: %{time_total}s\\n\" http://localhost:8000/ -H \"Cookie:/security=test\"\nInternal error\nTime: 0.024363s\n```\nAfter the same error occurs several times, the server cannot process it normally.\n```bash\n$ curl -w \"\\nTime: %{time_total}s\\n\" http://localhost:8000/ -H \"Cookie:(security=test\"\nInternal error\nTime: 60.069334s\n\n$ curl -w \"\\nTime: %{time_total}s\\n\" http://localhost:8000/ -H \"Cookie:security=test\"\nInternal error\nTime: 60.074031s\n```\n\nThis is server log.\n```bash\n[2026-02-03 08:23:40,541] ERROR in handlers: Application exception:\nTraceback (most recent call last):\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett/rsgi/handlers.py\", line 70, in dynamic_handler\n    http = await self.router.dispatch(request, response)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/router.py\", line 240, in dispatch\n    return await match.dispatch(reqargs, response)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py\", line 57, in dispatch\n    await self._parallel_flow(self.flow_open)\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py\", line 17, in _parallel_flow\n    raise task.exception()\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/sessions.py\", line 102, in open_request\n    if self.cookie_name in self.current.request.cookies:\n                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/utils.py\", line 37, in __get__\n    obj.__dict__[self.__name__] = rv = self.fget(obj)\n                                       ~~~~~~~~~^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/http/wrappers/__init__.py\", line 64, in cookies\n    cookies.load(cookie)\n    ~~~~~~~~~~~~^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 516, in load\n    self.__parse_string(rawdata)\n    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 580, in __parse_string\n    self.__set(key, rval, cval)\n    ~~~~~~~~~~^^^^^^^^^^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 472, in __set\n    M.set(key, real_value, coded_value)\n    ~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 335, in set\n    raise CookieError(\u0027Illegal key %r\u0027 % (key,))\nhttp.cookies.CookieError: Illegal key \u0027/security\u0027\n```\n\n### Impact\nThis vulnerability allows unauthenticated attackers to cause denial of service \nand performance degradation by sending malformed Cookie headers. \nAfter this vulnerability occurs, we expect it to be difficult to use the normal service.\n\n\n\n### patch \n`/emmett_core/http/wrappers/__init__.py`\n```python\n- from http.cookies import SimpleCookie \n+ from http.cookies import SimpleCookie, CookieError  # add CookieError\n...\n...\n    @cachedprop\n    def cookies(self) -\u003e SimpleCookie:\n        cookies: SimpleCookie = SimpleCookie()\n        for cookie in self.headers.get(\"cookie\", \"\").split(\";\"):\n-           cookies.load(cookie)\n+           try:\n+               cookies.load(cookie)\n+            except CookieError:\n+                continue\n        return cookies\n```",
  "id": "GHSA-x6cr-mq53-cc76",
  "modified": "2026-02-10T19:56:59Z",
  "published": "2026-02-10T14:33:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/core/commit/c126757133e118119a280b58f3bb345b1c9a8a2a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/emmett-framework/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Emmett-Core: Unhandled CookieError Exception Causing Denial of Service"
}

GHSA-XF76-HPRF-F3VM

Vulnerability from github – Published: 2024-05-22 21:30 – Updated: 2024-05-22 21:30
VLAI
Details

IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 12.0.1.0 through 12.0.12.0 integration nodes could allow an authenticated user to cause a denial of service due to an uncaught exception. IBM X-Force ID: 289647.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T19:15:09Z",
    "severity": "MODERATE"
  },
  "details": "IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 12.0.1.0 through 12.0.12.0 integration nodes could allow an authenticated user to cause a denial of service due to an uncaught exception.  IBM X-Force ID:  289647.",
  "id": "GHSA-xf76-hprf-f3vm",
  "modified": "2024-05-22T21:30:35Z",
  "published": "2024-05-22T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31904"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/289647"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7154607"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFJG-GCVP-VW7P

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, leading to a full denial of service. This issue occurs when certain API endpoints receive malformed input, resulting in an uncaught exception. Although a valid JWT is required to exploit this vulnerability, LibreChat allows open registration, enabling unauthenticated attackers to create an account and perform the attack. The issue is fixed in version 0.7.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:24Z",
    "severity": "MODERATE"
  },
  "details": "An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, leading to a full denial of service. This issue occurs when certain API endpoints receive malformed input, resulting in an uncaught exception. Although a valid JWT is required to exploit this vulnerability, LibreChat allows open registration, enabling unauthenticated attackers to create an account and perform the attack. The issue is fixed in version 0.7.6.",
  "id": "GHSA-xfjg-gcvp-vw7p",
  "modified": "2025-03-20T12:32:42Z",
  "published": "2025-03-20T12:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11173"
    },
    {
      "type": "WEB",
      "url": "https://github.com/danny-avila/librechat/commit/95a212534f1c5991bd1231a34ac3668b4b592cc3"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/4cebf926-c17f-4836-868b-e1de86221cec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFV8-X383-6F9Q

Vulnerability from github – Published: 2026-02-10 06:30 – Updated: 2026-02-10 06:30
VLAI
Details

A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a client that have been tampered with.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T06:15:54Z",
    "severity": "MODERATE"
  },
  "details": "A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a client that have been tampered with.",
  "id": "GHSA-xfv8-x383-6f9q",
  "modified": "2026-02-10T06:30:39Z",
  "published": "2026-02-10T06:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13064"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/a9/9e/94/cve-2025-13064pdf-en-US-519290.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPH3-R2JF-4VP3

Vulnerability from github – Published: 2026-04-01 22:56 – Updated: 2026-04-06 17:32
VLAI
Summary
Haraka affected by DoS via `__proto__` email header
Details

Summary

Sending an email with __proto__: as a header name crashes the Haraka worker process.

Details

The header parser at node_modules/haraka-email-message/lib/header.js:215-218 stores headers in a plain {} object:

_add_header(key, value, method) {
    this.headers[key] ??= []          // line 216
    this.headers[key][method](value)  // line 217
}

When key is __proto__: 1. this.headers['__proto__'] returns Object.prototype (the prototype getter) 2. Object.prototype is not null/undefined, so ??= is skipped 3. Object.prototype.push(value) throws TypeError: not a function

The TypeError reaches the global uncaughtException handler at haraka.js:26-33, which calls process.exit(1):

process.on('uncaughtException', (err) => {
    if (err.stack) {
        err.stack.split('\n').forEach((line) => logger.crit(line))
    } else {
        logger.crit(`Caught exception: ${JSON.stringify(err)}`)
    }
    logger.dump_and_exit(1)
})

PoC

import socket, time

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect(("127.0.0.1", 2525))
sock.recv(4096)
sock.sendall(b"EHLO evil\r\n"); sock.recv(4096)
sock.sendall(b"MAIL FROM:<x@x.com>\r\n"); sock.recv(4096)
sock.sendall(b"RCPT TO:<user@haraka.local>\r\n"); sock.recv(4096)
sock.sendall(b"DATA\r\n"); sock.recv(4096)
# Crash payload
sock.sendall(b"From: x@x.com\r\n__proto__: crash\r\n\r\nbody\r\n.\r\n")

Impact

In single-process mode (nodes=0), the entire server goes down. In cluster mode, the master restarts the worker, but all sessions are lost.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "Haraka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T22:56:09Z",
    "nvd_published_at": "2026-04-02T19:21:33Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nSending an email with `__proto__:` as a header name crashes the Haraka worker process. \n\n### Details\n\nThe header parser at `node_modules/haraka-email-message/lib/header.js:215-218` stores headers in a plain `{}` object:\n\n```javascript\n_add_header(key, value, method) {\n    this.headers[key] ??= []          // line 216\n    this.headers[key][method](value)  // line 217\n}\n```\n\nWhen `key` is `__proto__`:\n1. `this.headers[\u0027__proto__\u0027]` returns `Object.prototype` (the prototype getter)\n2. `Object.prototype` is not null/undefined, so `??=` is skipped\n3. `Object.prototype.push(value)` throws `TypeError: not a function`\n\nThe TypeError reaches the global `uncaughtException` handler at `haraka.js:26-33`, which calls `process.exit(1)`:\n\n```js\nprocess.on(\u0027uncaughtException\u0027, (err) =\u003e {\n    if (err.stack) {\n        err.stack.split(\u0027\\n\u0027).forEach((line) =\u003e logger.crit(line))\n    } else {\n        logger.crit(`Caught exception: ${JSON.stringify(err)}`)\n    }\n    logger.dump_and_exit(1)\n})\n```\n\n### PoC\n\n```python\nimport socket, time\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nsock.settimeout(5)\nsock.connect((\"127.0.0.1\", 2525))\nsock.recv(4096)\nsock.sendall(b\"EHLO evil\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"MAIL FROM:\u003cx@x.com\u003e\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"RCPT TO:\u003cuser@haraka.local\u003e\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"DATA\\r\\n\"); sock.recv(4096)\n# Crash payload\nsock.sendall(b\"From: x@x.com\\r\\n__proto__: crash\\r\\n\\r\\nbody\\r\\n.\\r\\n\")\n```\n\n### Impact\n\nIn single-process mode (`nodes=0`), the entire server goes down. In cluster mode, the master restarts the worker, but all sessions are lost.",
  "id": "GHSA-xph3-r2jf-4vp3",
  "modified": "2026-04-06T17:32:41Z",
  "published": "2026-04-01T22:56:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34752"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haraka/Haraka"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haraka/Haraka/releases/tag/v3.1.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Haraka affected by DoS via `__proto__` email header"
}

GHSA-XRCQ-533Q-8RXW

Vulnerability from github – Published: 2025-09-09 09:31 – Updated: 2025-09-09 20:10
VLAI
Summary
TYPO3 Bookmark Toolbar vulnerable to denial of service
Details

An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level backend users trigger a denial‑of‑service condition in the backend user interface by saving manipulated data in the bookmark toolbar.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 11.5.48"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.4.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T20:10:26Z",
    "nvd_published_at": "2025-09-09T09:15:39Z",
    "severity": "MODERATE"
  },
  "details": "An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0\u201311.5.47, 12.0.0\u201312.4.36, and 13.0.0\u201313.4.17 lets administrator\u2011level backend users trigger a denial\u2011of\u2011service condition in the backend user interface by saving manipulated data in the bookmark toolbar.",
  "id": "GHSA-xrcq-533q-8rxw",
  "modified": "2025-09-09T20:10:26Z",
  "published": "2025-09-09T09:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59014"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/backend/commit/04db7e25de1d3bb2d082ba68f7f974ccd917cc3f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3-CMS/backend"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TYPO3 Bookmark Toolbar vulnerable to denial of service"
}

GHSA-XVCG-2Q82-R87J

Vulnerability from github – Published: 2022-01-06 22:18 – Updated: 2026-01-23 22:33
VLAI
Summary
Panic mishandled in libpulse-binding
Details

An issue was discovered in the libpulse-binding crate before 2.6.0 for Rust. It mishandles a panic that crosses a Foreign Function Interface (FFI) boundary.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libpulse-binding"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-25055"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T18:18:40Z",
    "nvd_published_at": "2021-12-27T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the libpulse-binding crate before 2.6.0 for Rust. It mishandles a panic that crosses a Foreign Function Interface (FFI) boundary.",
  "id": "GHSA-xvcg-2q82-r87j",
  "modified": "2026-01-23T22:33:12Z",
  "published": "2022-01-06T22:18:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25055"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jnqnfe/pulse-binding-rust/commit/7fd282aef7787577c385aed88cb25d004b85f494"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jnqnfe/pulse-binding-rust"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/libpulse-binding/RUSTSEC-2019-0038.md"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2019-0038.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Panic mishandled in libpulse-binding"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.