Common Weakness Enumeration

CWE-470

Allowed

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Abstraction: Base · Status: Draft

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

112 vulnerabilities reference this CWE, most recent first.

GHSA-59MX-MHM6-4342

Vulnerability from github – Published: 2025-11-07 18:30 – Updated: 2025-11-07 21:31
VLAI
Details

In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat's built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-63690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-07T16:15:42Z",
    "severity": "CRITICAL"
  },
  "details": "In pig-mesh Pig versions 3.8.2 and below, when setting up scheduled tasks in the Quartz management function under the system management module, it is possible to execute any Java class with a parameterless constructor and its methods with parameter type String through reflection. At this time, the eval method in Tomcat\u0027s built-in class jakarta.el.ELProcessor can be used to execute commands, leading to a remote code execution vulnerability.",
  "id": "GHSA-59mx-mhm6-4342",
  "modified": "2025-11-07T21:31:20Z",
  "published": "2025-11-07T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pig-mesh/pig/issues/1199"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LockeTom/vulnerability/blob/main/md/pig_Remote_Code_Execution_Vulnerability.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5FF5-9FCW-VG88

Vulnerability from github – Published: 2025-10-10 23:41 – Updated: 2025-10-10 23:41
VLAI
Summary
Astro's `X-Forwarded-Host` is reflected without validation
Details

Summary

When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.

Details

Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.

It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such as malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.

This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.

As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.

Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.

PoC

  • Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
  • nvm use
  • yarn run build
  • node ./dist/server/entry.mjs
  • curl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'
  • Observe that the response reflects the malicious X-Forwarded-Host header

For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.

Impact

This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "astro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-10T23:41:29Z",
    "nvd_published_at": "2025-10-10T20:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an `X-Forwarded-Host` header that is reflected when using the recommended `Astro.url` property as there is no validation that the value is safe.\n\n### Details\nAstro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. \n\nIt is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value.\n\nThis could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.\n\nAs this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.\n\nMany other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.\n\n### PoC\n- Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server\n- `nvm use`\n- `yarn run build`\n- `node ./dist/server/entry.mjs`\n- `curl --location \u0027http://localhost:4321/\u0027 --header \u0027X-Forwarded-Host: www.evil.com\u0027 --header \u0027Host: www.example.com\u0027`\n- Observe that the response reflects the malicious `X-Forwarded-Host` header\n\nFor the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above `curl` request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.\n\n### Impact\n\nThis could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.",
  "id": "GHSA-5ff5-9fcw-vg88",
  "modified": "2025-10-10T23:41:29Z",
  "published": "2025-10-10T23:41:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/security/advisories/GHSA-5ff5-9fcw-vg88"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61925"
    },
    {
      "type": "WEB",
      "url": "https://github.com/withastro/astro/commit/6ee63bfac4856f21b4d4633021b3d2ee059e553f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chisnet/minimal_dynamic_astro_server"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/withastro/astro"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Astro\u0027s `X-Forwarded-Host` is reflected without validation"
}

GHSA-692M-F288-97HP

Vulnerability from github – Published: 2023-06-06 21:30 – Updated: 2024-04-04 04:36
VLAI
Details

Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-06T19:15:12Z",
    "severity": "HIGH"
  },
  "details": "Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx.",
  "id": "GHSA-692m-f288-97hp",
  "modified": "2024-04-04T04:36:30Z",
  "published": "2023-06-06T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33652"
    },
    {
      "type": "WEB",
      "url": "https://blog.assetnote.io/2023/05/10/sitecore-round-two"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6JJ2-MFWJ-34Q5

Vulnerability from github – Published: 2025-09-03 15:30 – Updated: 2025-09-03 15:30
VLAI
Details

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-03T13:15:49Z",
    "severity": "CRITICAL"
  },
  "details": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) vulnerability in Sitecore Sitecore Experience Manager (XM), Sitecore Experience Platform (XP) allows Cache Poisoning.This issue affects Sitecore Experience Manager (XM): from 9.0 through 9.3, from 10.0 through 10.4; Experience Platform (XP): from 9.0 through 9.3, from 10.0 through 10.4.",
  "id": "GHSA-6jj2-mfwj-34q5",
  "modified": "2025-09-03T15:30:33Z",
  "published": "2025-09-03T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53693"
    },
    {
      "type": "WEB",
      "url": "https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce"
    },
    {
      "type": "WEB",
      "url": "https://support.sitecore.com/kb?id=kb_article_view\u0026sysparm_article=KB1003667"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-77XX-RXVH-Q682

Vulnerability from github – Published: 2022-10-06 18:52 – Updated: 2023-01-11 22:59
VLAI
Summary
HyperSQL DataBase vulnerable to remote code execution when processing untrusted input
Details

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.hsqldb:hsqldb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41853"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-06T21:16:51Z",
    "nvd_published_at": "2022-10-06T18:17:00Z",
    "severity": "CRITICAL"
  },
  "details": "Those using `java.sql.Statement` or `java.sql.PreparedStatement` in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property \"hsqldb.method_class_names\" to classes which are allowed to be called. For example, `System.setProperty(\"hsqldb.method_class_names\", \"abc\")` or Java argument `-Dhsqldb.method_class_names=\"abc\"` can be used. From version 2.7.1 all classes by default are not accessible except those in `java.lang.Math` and need to be manually enabled.",
  "id": "GHSA-77xx-rxvh-q682",
  "modified": "2023-01-11T22:59:28Z",
  "published": "2022-10-06T18:52:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://sourceforge.net/projects/hsqldb"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5313"
    },
    {
      "type": "WEB",
      "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HyperSQL DataBase vulnerable to remote code execution when processing untrusted input"
}

GHSA-7JX7-3846-M7W7

Vulnerability from github – Published: 2026-02-09 20:36 – Updated: 2026-02-09 22:39
VLAI
Summary
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
Details

Relationship to Previously Patched Vulnerability

This vulnerability is in addition to the RCE vulnerability patched in GHSA-255j-qw47-wjh5. That advisory addressed a similar RCE vulnerability that affected two specific routes:

  • /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings
  • /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview

This one addresses some additional endpoints that were not covered in the https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5.

The patched vulnerability used a malicious AttributeTypecastBehavior with a wildcard event listener ("on *": "self::beforeSave") and __construct() syntax to trigger RCE via the typecastBeforeSave callback. The fix was implemented in commits: - 6e608a1 - 27f5588 - ec43c49

This vulnerability follows the same attack pattern (behavior injection via "as <behavior>" syntax) but affects a different code path (assembleLayoutFromPost() in Fields.php) that was not patched in those commits. The attack vector uses typecastAfterValidate instead of typecastBeforeSave and does not require the wildcard event listener syntax, demonstrating that multiple entry points exist for this type of vulnerability.


Executive Summary

A Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.


Vulnerability Details

Attack Prerequisites

  • Authentication: Admin-level access required
  • Network Access: Access to admin panel (/admin)

Location

  • File: src/services/Fields.php
  • Function: assembleLayoutFromPost() (lines 1125-1143)
  • Root Cause: Missing cleanseConfig() call on user-supplied fieldLayout POST parameter

Vulnerable Code Path

// src/services/Fields.php:1125-1133
public function assembleLayoutFromPost(?string $namespace = null): FieldLayout
{
    $paramPrefix = $namespace ? rtrim($namespace, '.') . '.' : '';
    $request = Craft::$app->getRequest();
    $config = JsonHelper::decode($request->getBodyParam("{$paramPrefix}fieldLayout"));
    // ... additional config values added ...
    $layout = $this->createLayout($config);  // <-- No cleanseConfig() call!
    // ...
}

// src/services/Fields.php:1089-1093
public function createLayout(array $config): FieldLayout
{
    $config['class'] = FieldLayout::class;
    return Craft::createObject($config);  // <-- Untrusted data passed directly
}

Attack Chain

The exploitation leverages Yii2's object configuration system and behavior attachment mechanism:

  1. Behavior Injection: Attacker includes 'as rce' key in the fieldLayout JSON POST parameter
  2. Object Creation: Craft::createObject() processes the config through Yii2's BaseYii::configure()
  3. Behavior Attachment: Yii2's Component::__set() detects the 'as ' prefix and attaches the behavior
  4. RCE Trigger: When validate() is called on the model, EVENT_AFTER_VALIDATE fires
  5. Command Execution: AttributeTypecastBehavior calls the configured typecast function (ConsoleProcessus::execute) with the uid attribute value as the command

RCE Gadget Chain

FieldLayout POST parameter
    → Craft::createObject()
    → Yii2 Component::__set() with 'as rce' key
    → AttributeTypecastBehavior attached
    → Model::validate() called
    → EVENT_AFTER_VALIDATE triggered
    → typecastAfterValidate → typecastAttributes()
    → call_user_func(['Psy\Readline\Hoa\ConsoleProcessus', 'execute'], $command)
    → Shell command execution

Affected Controllers

The assembleLayoutFromPost() function is called by multiple admin controllers:

Controller Action Permission Required
TagsController actionSaveTagGroup() Admin
CategoriesController actionSaveGroup() Admin
EntryTypesController actionSave() Admin
GlobalsController actionSaveSet() Admin
VolumesController actionSave() Admin
UsersController actionSaveUserFieldLayout() Admin
AddressesController actionSaveAddressFieldLayout() Admin

References

  • https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748
  • GHSA-255j-qw47-wjh5 - Previously patched RCE vulnerability via behavior injection (affecting different endpoints)
  • CVE-2024-4990 - Related vulnerability that inspired the behavior injection attack pattern
  • Yii2 GHSA-gcmh-9pjj-7fp4 - Original Yii framework report (framework team declined to fix at framework level)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.21"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.8.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.17"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.16.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25498"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-09T20:36:43Z",
    "nvd_published_at": "2026-02-09T20:15:58Z",
    "severity": "HIGH"
  },
  "details": "## Relationship to Previously Patched Vulnerability\n\nThis vulnerability is **in addition to** the RCE vulnerability patched in [GHSA-255j-qw47-wjh5](https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5). That advisory addressed a similar RCE vulnerability that affected two specific routes:\n\n- `/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings`\n- `/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview`\n\nThis one addresses some additional endpoints that were not covered in the https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5.\n\nThe patched vulnerability used a malicious `AttributeTypecastBehavior` with a wildcard event listener (`\"on *\": \"self::beforeSave\"`) and `__construct()` syntax to trigger RCE via the `typecastBeforeSave` callback. The fix was implemented in commits:\n- [6e608a1](https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef)\n- [27f5588](https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7)\n- [ec43c49](https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593)\n\nThis vulnerability follows the same attack pattern (behavior injection via `\"as \u003cbehavior\u003e\"` syntax) but affects a **different code path** (`assembleLayoutFromPost()` in `Fields.php`) that was **not patched** in those commits. The attack vector uses `typecastAfterValidate` instead of `typecastBeforeSave` and does not require the wildcard event listener syntax, demonstrating that multiple entry points exist for this type of vulnerability.\n\n---\n\n## Executive Summary\n\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.\n\n---\n\n## Vulnerability Details\n\n### Attack Prerequisites\n\n- **Authentication:** Admin-level access required\n- **Network Access:** Access to admin panel (`/admin`)\n\n---\n\n\n### Location\n\n- **File:** `src/services/Fields.php`\n- **Function:** `assembleLayoutFromPost()` (lines 1125-1143)\n- **Root Cause:** Missing `cleanseConfig()` call on user-supplied `fieldLayout` POST parameter\n\n### Vulnerable Code Path\n\n```php\n// src/services/Fields.php:1125-1133\npublic function assembleLayoutFromPost(?string $namespace = null): FieldLayout\n{\n    $paramPrefix = $namespace ? rtrim($namespace, \u0027.\u0027) . \u0027.\u0027 : \u0027\u0027;\n    $request = Craft::$app-\u003egetRequest();\n    $config = JsonHelper::decode($request-\u003egetBodyParam(\"{$paramPrefix}fieldLayout\"));\n    // ... additional config values added ...\n    $layout = $this-\u003ecreateLayout($config);  // \u003c-- No cleanseConfig() call!\n    // ...\n}\n\n// src/services/Fields.php:1089-1093\npublic function createLayout(array $config): FieldLayout\n{\n    $config[\u0027class\u0027] = FieldLayout::class;\n    return Craft::createObject($config);  // \u003c-- Untrusted data passed directly\n}\n```\n---\n\n## Attack Chain\n\nThe exploitation leverages Yii2\u0027s object configuration system and behavior attachment mechanism:\n\n1. **Behavior Injection:** Attacker includes `\u0027as rce\u0027` key in the `fieldLayout` JSON POST parameter\n2. **Object Creation:** `Craft::createObject()` processes the config through Yii2\u0027s `BaseYii::configure()`\n3. **Behavior Attachment:** Yii2\u0027s `Component::__set()` detects the `\u0027as \u0027` prefix and attaches the behavior\n4. **RCE Trigger:** When `validate()` is called on the model, `EVENT_AFTER_VALIDATE` fires\n5. **Command Execution:** `AttributeTypecastBehavior` calls the configured typecast function (`ConsoleProcessus::execute`) with the `uid` attribute value as the command\n\n### RCE Gadget Chain\n\n```\nFieldLayout POST parameter\n    \u2192 Craft::createObject()\n    \u2192 Yii2 Component::__set() with \u0027as rce\u0027 key\n    \u2192 AttributeTypecastBehavior attached\n    \u2192 Model::validate() called\n    \u2192 EVENT_AFTER_VALIDATE triggered\n    \u2192 typecastAfterValidate \u2192 typecastAttributes()\n    \u2192 call_user_func([\u0027Psy\\Readline\\Hoa\\ConsoleProcessus\u0027, \u0027execute\u0027], $command)\n    \u2192 Shell command execution\n```\n\n---\n\n## Affected Controllers\n\nThe `assembleLayoutFromPost()` function is called by multiple admin controllers:\n\n| Controller | Action | Permission Required |\n|------------|--------|---------------------|\n| `TagsController` | `actionSaveTagGroup()` | Admin |\n| `CategoriesController` | `actionSaveGroup()` | Admin |\n| `EntryTypesController` | `actionSave()` | Admin |\n| `GlobalsController` | `actionSaveSet()` | Admin |\n| `VolumesController` | `actionSave()` | Admin |\n| `UsersController` | `actionSaveUserFieldLayout()` | Admin |\n| `AddressesController` | `actionSaveAddressFieldLayout()` | Admin |\n\n---\n## References\n\n- https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748\n- [GHSA-255j-qw47-wjh5](https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5) - Previously patched RCE vulnerability via behavior injection (affecting different endpoints)\n- [CVE-2024-4990](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4990) - Related vulnerability that inspired the behavior injection attack pattern\n- [Yii2 GHSA-gcmh-9pjj-7fp4](https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4) - Original Yii framework report (framework team declined to fix at framework level)\n\n---",
  "id": "GHSA-7jx7-3846-m7w7",
  "modified": "2026-02-09T22:39:16Z",
  "published": "2026-02-09T20:36:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25498"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.16.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior"
}

GHSA-7RMP-3G9F-CVQ8

Vulnerability from github – Published: 2025-04-04 14:06 – Updated: 2025-04-04 14:06
VLAI
Summary
generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework
Details

Summary

CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') when having Javers selected as Entity Audit Framework

Details

In the following two occurences, user input directly leads to class loading without checking against e.g. a whitelist of allowed classes. This is also known as CWE-470 https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/package/web/rest/JaversEntityAuditResource.java.ejs#L88 https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/package/web/rest/JaversEntityAuditResource.java.ejs#L124

So, if an attacker manages to place some malicious classes into the classpath and also has access to these REST interface for calling the mentioned REST endpoints, using these lines of code can lead to unintended remote code execution.

PoC

  1. Place an arbitrary class with the right package name (starting with JHIpster applications path name) and make it available in class path
  2. Gain access to view entity's audit changelogs (Role: ADMIN)
  3. pass in the malicious class name part as entityType (first mentioned part) // qualifiedName (second mentioned occurence)
  4. class gets loaded and static code blocks in there get executed

--> Should be limited to the already existing whitelist of classes (see first method in that mentioned class)

Impact

Remote Code execution. You need to have some access to place malicious classes into the class path and you need to have a user with ADMIN role on the system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "generator-jhipster-entity-audit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-04T14:06:35Z",
    "nvd_published_at": "2025-04-03T20:15:25Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nCWE-470 (Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027) when having Javers selected as Entity Audit Framework\n\n### Details\nIn the following two occurences, user input directly leads to class loading without checking against e.g. a whitelist of allowed classes. This is also known as CWE-470\nhttps://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L88\nhttps://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L124\n\nSo, if an attacker manages to place some malicious classes into the classpath and also has access to these REST interface for calling the mentioned REST endpoints, using these lines of code can lead to unintended remote code execution.\n\n### PoC\n\n1. Place an arbitrary class with the right package name (starting with JHIpster applications path name) and make it available in class path\n2. Gain access to view entity\u0027s audit changelogs (Role: ADMIN)\n3. pass in the malicious class name part as `entityType` (first mentioned part) // `qualifiedName` (second mentioned occurence)\n4. class gets loaded and static code blocks in there get executed\n\n--\u003e Should be limited to the already existing whitelist of classes (see first method in that mentioned class)\n\n### Impact\nRemote Code execution. You need to have some access to place malicious classes into the class path and you need to have a user with ADMIN role on the system.",
  "id": "GHSA-7rmp-3g9f-cvq8",
  "modified": "2025-04-04T14:06:35Z",
  "published": "2025-04-04T14:06:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jhipster/generator-jhipster-entity-audit/security/advisories/GHSA-7rmp-3g9f-cvq8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31119"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jhipster/generator-jhipster-entity-audit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jhipster/generator-jhipster-entity-audit/blob/e21e83135d10c77d92203c89cb0b0063914e8fe0/generators/spring-boot-javers/templates/src/main/java/_package_/web/rest/JaversEntityAuditResource.java.ejs#L88"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework"
}

GHSA-7WQ2-32H4-9HC9

Vulnerability from github – Published: 2025-11-13 22:22 – Updated: 2026-05-06 23:24
VLAI
Summary
AWS Advanced Go Wrapper: Privilege Escalation in Aurora PostgreSQL Instance
Details

Description of Vulnerability:

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.

We recommend customers upgrade to the following versions: AWS Go Wrapper to 2025-10-17

Source of Vulnerability Report:

Allistair Ishmael Hakim allistair.hakim@gmail.com

Affected products & versions:

AWS Go Wrapper < 2025-10-17

Platforms:

MacOS/Windows/Linux

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/awssql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/auth-helpers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/aws-secrets-manager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/federated-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/iam"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/mysql-driver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/okta"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/otlp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/pgx-driver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-advanced-go-wrapper/xray"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T22:22:34Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Description of Vulnerability: \nAn issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.\n\nWe recommend customers upgrade to the following versions:  AWS Go Wrapper to 2025-10-17\n\n\n### Source of Vulnerability Report: \nAllistair Ishmael Hakim [allistair.hakim@gmail.com](mailto:allistair.hakim@gmail.com)\n\n\n### Affected products \u0026 versions: \nAWS Go Wrapper \u003c 2025-10-17\n\n\n### Platforms:\n MacOS/Windows/Linux",
  "id": "GHSA-7wq2-32h4-9hc9",
  "modified": "2026-05-06T23:24:24Z",
  "published": "2025-11-13T22:22:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-advanced-go-wrapper/security/advisories/GHSA-7wq2-32h4-9hc9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-advanced-go-wrapper/pull/270"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-advanced-go-wrapper/commit/7b405f95fe71db644cd8336ba5fa28b41e89d03e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/aws-advanced-go-wrapper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AWS Advanced Go Wrapper: Privilege Escalation in Aurora PostgreSQL Instance"
}

GHSA-7XW4-G7MM-R4HH

Vulnerability from github – Published: 2025-11-13 22:22 – Updated: 2025-11-13 22:22
VLAI
Summary
Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
Details

Description of Vulnerability:

An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.

AWS recommends for customers to upgrade to the following versions: AWS JDBC Wrapper to v2.6.5 or greater.

Source of Vulnerability Report:

Allistair Ishmael Hakim allistair.hakim@gmail.com

Affected products & versions:

AWS JDBC Wrapper < 2.6.5

Platforms:

MacOS/Windows/Linux

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.6.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "software.amazon.jdbc:aws-advanced-jdbc-wrapper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T22:22:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Description of Vulnerability:\nAn issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.\n\nAWS recommends for customers to upgrade to the following versions: AWS JDBC Wrapper to v2.6.5 or greater.\n\n\n### Source of Vulnerability Report: \nAllistair Ishmael Hakim [allistair.hakim@gmail.com](mailto:allistair.hakim@gmail.com)\n\n\n### Affected products \u0026 versions: \nAWS JDBC Wrapper \u003c 2.6.5\n\n### Platforms: \nMacOS/Windows/Linux",
  "id": "GHSA-7xw4-g7mm-r4hh",
  "modified": "2025-11-13T22:22:28Z",
  "published": "2025-11-13T22:22:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-7xw4-g7mm-r4hh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-advanced-jdbc-wrapper/commit/b62183b851fa46f891f9fe9c861e9ac2fb7d8b62"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/aws-advanced-jdbc-wrapper"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/2.6.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance"
}

GHSA-86H2-2G4G-29QX

Vulnerability from github – Published: 2023-06-06 16:46 – Updated: 2024-06-25 16:56
VLAI
Summary
avo possible unsafe reflection / partial DoS vulnerability
Details

Summary

The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record.

Details

After reviewing the polymorphic field implementation and performing some black box approaches, we identified a potential security issue related to the use of safe_constantize / constantize. This Rails functionality is capable of searching for classes within the Rails context and returning the class for further use. Because Avo does not validate user input when updating or creating a new polymorphic resource, it is possible to create database entries with completely different or invalid class names than the preselected ones. Avo assumes that the class specified by the user request is a valid one and attempts to work with it, which may result in dangerous behavior and code execution.

PoC

image In the test scenario we choose the demo app and the review resource which has a polymorphic reviewable field.

image Intercepting the request and switching the review[reviewable_type] from “Fish” to “File” which is a real class inside Rails

image Corrupting the database with unusable classes will cause a crash at the application while viewing the new record or the index view (partial DoS)

image Manual delete the corrupted resource in order to recover the applications functionality

image Of course it is possible to use other class names or namespaces. The local development environment displays the backend error message when visiting a corrupted record. Avo is trying to apply a scope to this class that does not exist.

image Specifying an invalid class name in the parameter will cause the application to crash again while trying constanize the provided string

Impact

The final exploitation of this vulnerability requires more time than is provided in this assessment, but initial testing of the post request shows the potential critical risk. The classes could be instantiated at any point in the code and this could also lead to code execution.

Recommendation

Avo should be configured to never trust user-supplied input, especially when defining classes for records. In this particular case, Avo can evaluate the options list given for the polymorphic field and only allow strings from that list. With this white-list approach, an attacker cannot supply unintended classes.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.33.2"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "avo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.33.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "avo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0.pre1"
            },
            {
              "last_affected": "3.0.0.pre12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-06T16:46:57Z",
    "nvd_published_at": "2023-06-05T23:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. \n\n### Details\nAfter reviewing the polymorphic field implementation and performing some black box approaches, we identified a potential security issue related to the use of safe_constantize / constantize. This Rails functionality is capable of searching for classes within the Rails context and returning the class for further use. Because Avo does not validate user input when updating or creating a new polymorphic resource, it is possible to create database entries with completely different or invalid class names than the preselected ones. Avo assumes that the class specified by the user request is a valid one and attempts to work with it, which may result in dangerous behavior and code execution.\n\n### PoC\n![image](https://user-images.githubusercontent.com/26464774/243437854-933d94c8-4ae0-43fe-b2da-35b103e28796.png)\n_In the test scenario we choose the demo app and the review resource which has a polymorphic reviewable field._\n\n![image](https://user-images.githubusercontent.com/26464774/243437954-2d947c6d-4e97-4e91-a442-405e553dd047.png)\n_Intercepting the request and switching the review[reviewable_type] from \u201cFish\u201d to \u201cFile\u201d which is a real class inside Rails_\n\n![image](https://user-images.githubusercontent.com/26464774/243438031-109de6d0-9370-4318-b18e-c5bcea61cf54.png)\n_Corrupting the database with unusable classes will cause a crash at the application while viewing the new record or the index view (partial DoS)_\n\n![image](https://user-images.githubusercontent.com/26464774/243438104-80df5aae-86de-40fc-870d-689a03cae389.png)\n_Manual delete the corrupted resource in order to recover the applications functionality_\n\n![image](https://user-images.githubusercontent.com/26464774/243438182-1e7eef54-73ba-47d0-b5df-4bad14859af3.png)\n_Of course it is possible to use other class names or namespaces. The local development environment displays the backend error message when visiting a corrupted record. Avo is trying to apply a scope to this class that does not exist._\n\n![image](https://user-images.githubusercontent.com/26464774/243438257-dbb59153-58a8-4421-b796-f2a0f2c20083.png)\n_Specifying an invalid class name in the parameter will cause the application to crash again while trying constanize the provided string_\n\n### Impact\nThe final exploitation of this vulnerability requires more time than is provided in this assessment, but initial testing of the post request shows the potential critical risk. The classes could be instantiated at any point in the code and this could also lead to code execution.\n\n### Recommendation\nAvo should be configured to never trust user-supplied input, especially when defining classes for records. In this particular case, Avo can evaluate the options list given for the polymorphic field and only allow strings from that list. With this white-list approach, an attacker cannot supply unintended classes.\n",
  "id": "GHSA-86h2-2g4g-29qx",
  "modified": "2024-06-25T16:56:30Z",
  "published": "2023-06-06T16:46:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/avo-hq/avo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/avo-hq/avo/releases/tag/v2.33.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/avo/CVE-2023-34102.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "avo possible unsafe reflection / partial DoS vulnerability"
}

Mitigation
Architecture and Design

Refactor your code to avoid using reflection.

Mitigation
Architecture and Design

Do not use user-controlled inputs to select and load classes or code.

Mitigation
Implementation

Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.

CAPEC-138: Reflection Injection

An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.