CWE-475
AllowedUndefined Behavior for Input to API
Abstraction: Base · Status: Incomplete
The behavior of this function is undefined unless its control parameter is set to a specific value.
30 vulnerabilities reference this CWE, most recent first.
GHSA-HQXW-F8MX-CPMW
Vulnerability from github – Published: 2023-05-11 20:37 – Updated: 2023-05-11 20:37Impact
Systems that run distribution built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious /v2/_catalog API endpoint request.
Patches
Upgrade to at least 2.8.2-beta.1 if you are running v2.8.x release. If you use the code from the main branch, update at least to the commit after f55a6552b006a381d9167e328808565dd2bf77dc.
Workarounds
There is no way to work around this issue without patching. Restrict access to the affected API endpoint: see the recommendations section.
References
/v2/_catalog endpoint accepts a parameter to control the maximum amount of records returned (query string: n).
When not given the default n=100 is used. The server trusts that n has an acceptable value, however when using a
maliciously large value, it allocates an array/slice of n of strings before filling the slice with data.
This behaviour was introduced ~7yrs ago [1].
Recommendation
The /v2/_catalog endpoint was designed specifically to do registry syncs with search or other API systems. Such an endpoint would create a lot of load on the backend system, due to overfetch required to serve a request in certain implementations.
Because of this, we strongly recommend keeping this API endpoint behind heightened privilege and avoiding leaving it exposed to the internet.
For more information
If you have any questions or comments about this advisory: * Open an issue in distribution repository * Email us at cncf-distribution-security@lists.cncf.io
[1] faulty commit
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/distribution"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.2-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2253"
],
"database_specific": {
"cwe_ids": [
"CWE-475",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-11T20:37:54Z",
"nvd_published_at": "2023-06-06T20:15:12Z",
"severity": "HIGH"
},
"details": "### Impact\n\nSystems that run `distribution` built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious `/v2/_catalog` API endpoint request. \n\n### Patches\n\nUpgrade to at least 2.8.2-beta.1 if you are running `v2.8.x` release. If you use the code from the main branch, update at least to the commit after [f55a6552b006a381d9167e328808565dd2bf77dc](https://github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dc).\n\n### Workarounds\n\nThere is no way to work around this issue without patching. Restrict access to the affected API endpoint: see the recommendations section.\n\n### References\n\n`/v2/_catalog` endpoint accepts a parameter to control the maximum amount of records returned (query string: `n`).\n\nWhen not given the default `n=100` is used. The server trusts that `n` has an acceptable value, however when using a \nmaliciously large value, it allocates an array/slice of `n` of strings before filling the slice with data.\n\nThis behaviour was introduced ~7yrs ago [1].\n\n### Recommendation\n\nThe `/v2/_catalog` endpoint was designed specifically to do registry syncs with search or other API systems. Such an endpoint would create a lot of load on the backend system, due to overfetch required to serve a request in certain implementations.\n\nBecause of this, we strongly recommend keeping this API endpoint behind heightened privilege and avoiding leaving it exposed to the internet.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [distribution repository](https://github.com/distribution/distribution)\n* Email us at [cncf-distribution-security@lists.cncf.io](mailto:cncf-distribution-security@lists.cncf.io)\n\n[1] [faulty commit](https://github.com/distribution/distribution/blob/b7e26bac741c76cb792f8e14c41a2163b5dae8df/registry/handlers/catalog.go#L45)",
"id": "GHSA-hqxw-f8mx-cpmw",
"modified": "2023-05-11T20:37:54Z",
"published": "2023-05-11T20:37:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/distribution/distribution/security/advisories/GHSA-hqxw-f8mx-cpmw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2253"
},
{
"type": "WEB",
"url": "https://github.com/distribution/distribution/commit/f55a6552b006a381d9167e328808565dd2bf77dc"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2189886"
},
{
"type": "PACKAGE",
"url": "https://github.com/distribution/distribution"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00035.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "distribution catalog API endpoint can lead to OOM via malicious user input"
}
GHSA-J6RJ-W66M-7R3C
Vulnerability from github – Published: 2025-06-17 18:31 – Updated: 2025-06-17 18:31A Local File Inclusion vulnerability in a Trend Micro Apex Central widget below version 8.0.6955 could allow an attacker to gain remote code execution on affected installations.
{
"affected": [],
"aliases": [
"CVE-2025-47865"
],
"database_specific": {
"cwe_ids": [
"CWE-475"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-17T18:15:26Z",
"severity": "HIGH"
},
"details": "A Local File Inclusion vulnerability in a Trend Micro Apex Central widget below version 8.0.6955 could allow an attacker to gain remote code execution on affected installations.",
"id": "GHSA-j6rj-w66m-7r3c",
"modified": "2025-06-17T18:31:37Z",
"published": "2025-06-17T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47865"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/en-US/solution/KA-0019355"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-295"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2G8-2VHM-M4CX
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Python rarfile module, which supports symlinks, can be exploited to perform arbitrary file writes. This can lead to remote code execution by writing to sensitive files such as SSH keys, crontab files, or the application's own code.
{
"affected": [],
"aliases": [
"CVE-2024-12390"
],
"database_specific": {
"cwe_ids": [
"CWE-475",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:28Z",
"severity": "HIGH"
},
"details": "A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Python rarfile module, which supports symlinks, can be exploited to perform arbitrary file writes. This can lead to remote code execution by writing to sensitive files such as SSH keys, crontab files, or the application\u0027s own code.",
"id": "GHSA-m2g8-2vhm-m4cx",
"modified": "2025-03-20T12:32:43Z",
"published": "2025-03-20T12:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12390"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/1add2b26-460d-4aa5-8fda-ab045d153177"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2RV-2GGP-66M7
Vulnerability from github – Published: 2024-04-18 21:30 – Updated: 2024-04-18 21:30A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.
{
"affected": [],
"aliases": [
"CVE-2024-20380"
],
"database_specific": {
"cwe_ids": [
"CWE-475"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-18T20:15:17Z",
"severity": "HIGH"
},
"details": "A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\nThe vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.",
"id": "GHSA-m2rv-2ggp-66m7",
"modified": "2024-04-18T21:30:31Z",
"published": "2024-04-18T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20380"
},
{
"type": "WEB",
"url": "https://blog.clamav.net/2024/04/clamav-131-123-106-patch-versions.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQ6J-35MG-9RJ6
Vulnerability from github – Published: 2024-04-08 03:30 – Updated: 2024-08-26 21:30In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed
{
"affected": [],
"aliases": [
"CVE-2023-52533"
],
"database_specific": {
"cwe_ids": [
"CWE-391",
"CWE-475"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T03:15:08Z",
"severity": "MODERATE"
},
"details": "In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed",
"id": "GHSA-mq6j-35mg-9rj6",
"modified": "2024-08-26T21:30:32Z",
"published": "2024-04-08T03:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52533"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1777148475750809602"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PQ5V-RWP8-P7GM
Vulnerability from github – Published: 2025-12-02 00:27 – Updated: 2025-12-02 00:27The affected function is unsound due to insufficient checks on public struct field.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "rtvm-interpreter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-475"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T00:27:10Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "The affected function is unsound due to insufficient checks on public struct field.",
"id": "GHSA-pq5v-rwp8-p7gm",
"modified": "2025-12-02T00:27:10Z",
"published": "2025-12-02T00:27:10Z",
"references": [
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2025-0131.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": " rtvm-interpreter lacks sufficient checks in public API"
}
GHSA-Q4R9-2GMR-G75G
Vulnerability from github – Published: 2024-05-22 12:32 – Updated: 2024-05-22 12:32A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to bypass user creation limits and potentially evade payment requirements. The issue arises from an undefined behavior when handling input to the API, specifically through a POST request to the /v1/users endpoint. By crafting a request with a new user's email and assigning them an 'admin' role, attackers can invite additional users beyond the set limit. This vulnerability could be exploited to add an unlimited number of users without adhering to the intended restrictions.
{
"affected": [],
"aliases": [
"CVE-2024-4153"
],
"database_specific": {
"cwe_ids": [
"CWE-475"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-22T10:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to bypass user creation limits and potentially evade payment requirements. The issue arises from an undefined behavior when handling input to the API, specifically through a POST request to the /v1/users endpoint. By crafting a request with a new user\u0027s email and assigning them an \u0027admin\u0027 role, attackers can invite additional users beyond the set limit. This vulnerability could be exploited to add an unlimited number of users without adhering to the intended restrictions.",
"id": "GHSA-q4r9-2gmr-g75g",
"modified": "2024-05-22T12:32:26Z",
"published": "2024-05-22T12:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4153"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/336db0ae-fe33-44b9-ba9d-bf117e0d90c4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q9V3-53XG-6F9P
Vulnerability from github – Published: 2023-09-09 15:30 – Updated: 2024-04-04 07:34Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12
{
"affected": [],
"aliases": [
"CVE-2023-4874"
],
"database_specific": {
"cwe_ids": [
"CWE-475",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-09T15:15:34Z",
"severity": "MODERATE"
},
"details": "Null pointer dereference when viewing a specially crafted email in Mutt \u003e1.5.2 \u003c2.2.12",
"id": "GHSA-q9v3-53xg-6f9p",
"modified": "2024-04-04T07:34:33Z",
"published": "2023-09-09T15:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4874"
},
{
"type": "WEB",
"url": "https://gitlab.com/muttmua/mutt/-/commit/452ee330e094bfc7c9a68555e5152b1826534555.patch"
},
{
"type": "WEB",
"url": "https://gitlab.com/muttmua/mutt/-/commit/a4752eb0ae0a521eec02e59e51ae5daedf74fda0.patch"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00021.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5494"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/26/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-V8R4-HC5W-5WW3
Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-06 00:00Undefined Behavior for Input to API in GitHub repository vim/vim prior to 9.0.0100.
{
"affected": [],
"aliases": [
"CVE-2022-2598"
],
"database_specific": {
"cwe_ids": [
"CWE-475",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "Undefined Behavior for Input to API in GitHub repository vim/vim prior to 9.0.0100.",
"id": "GHSA-v8r4-hc5w-5ww3",
"modified": "2022-08-06T00:00:53Z",
"published": "2022-08-02T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2598"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/4e677b9c40ccbc5f090971b31dc2fe07bf05541d"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/2f08363a-47a2-422d-a7de-ce96a89ad08e"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V8V4-4V92-48H2
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2024-01-23 18:31Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.
{
"affected": [],
"aliases": [
"CVE-2020-7925"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-475"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-23T15:15:00Z",
"severity": "HIGH"
},
"details": "Incorrect validation of user input in the role name parser may lead to use of uninitialized memory allowing an unauthenticated attacker to use a specially crafted request to cause a denial of service. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc12; v4.2 versions prior to 4.2.9.",
"id": "GHSA-v8v4-4v92-48h2",
"modified": "2024-01-23T18:31:08Z",
"published": "2022-05-24T17:34:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7925"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-49142"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.