Common Weakness Enumeration

CWE-754

Allowed-with-Review

Improper Check for Unusual or Exceptional Conditions

Abstraction: Class · Status: Incomplete

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

905 vulnerabilities reference this CWE, most recent first.

GHSA-VM6C-8497-PC7J

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09
VLAI
Details

There is an Improper Check for Unusual or Exceptional Conditions Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-02T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an Improper Check for Unusual or Exceptional Conditions Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.",
  "id": "GHSA-vm6c-8497-pc7j",
  "modified": "2022-05-24T19:09:31Z",
  "published": "2022-05-24T19:09:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22447"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2021/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VMRJ-8QGC-5X6C

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-12 12:33
VLAI
Details

The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-1737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-05-11T21:55:00Z",
    "severity": "HIGH"
  },
  "details": "The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.",
  "id": "GHSA-vmrj-8qgc-5x6c",
  "modified": "2025-04-12T12:33:32Z",
  "published": "2022-05-13T01:23:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/ef87dbe7614341c2e7bfe8d32fcb7028cc97442c"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1094299"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=ef87dbe7614341c2e7bfe8d32fcb7028cc97442c"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ef87dbe7614341c2e7bfe8d32fcb7028cc97442c"
    },
    {
      "type": "WEB",
      "url": "http://linux.oracle.com/errata/ELSA-2014-0771.html"
    },
    {
      "type": "WEB",
      "url": "http://linux.oracle.com/errata/ELSA-2014-3043.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0800.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0801.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59262"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59309"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59406"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59599"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2926"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2928"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/05/09/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/67300"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1030474"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VVQV-HJV4-6Q76

Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2026-01-22 21:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

tee: optee: Fix kernel panic caused by incorrect error handling

The error path while failing to register devices on the TEE bus has a bug leading to kernel panic as follows:

[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c [ 15.406913] Mem abort info: [ 15.409722] ESR = 0x0000000096000005 [ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits [ 15.418814] SET = 0, FnV = 0 [ 15.421878] EA = 0, S1PTW = 0 [ 15.425031] FSC = 0x05: level 1 translation fault [ 15.429922] Data abort info: [ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000 [ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000 [ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP

Commit 7269cba53d90 ("tee: optee: Fix supplicant based device enumeration") lead to the introduction of this bug. So fix it appropriately.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T13:15:58Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix kernel panic caused by incorrect error handling\n\nThe error path while failing to register devices on the TEE bus has a\nbug leading to kernel panic as follows:\n\n[   15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\n[   15.406913] Mem abort info:\n[   15.409722]   ESR = 0x0000000096000005\n[   15.413490]   EC = 0x25: DABT (current EL), IL = 32 bits\n[   15.418814]   SET = 0, FnV = 0\n[   15.421878]   EA = 0, S1PTW = 0\n[   15.425031]   FSC = 0x05: level 1 translation fault\n[   15.429922] Data abort info:\n[   15.432813]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[   15.438310]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[   15.443372]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[   15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\n[   15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\n[   15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\nCommit 7269cba53d90 (\"tee: optee: Fix supplicant based device enumeration\")\nlead to the introduction of this bug. So fix it appropriately.",
  "id": "GHSA-vvqv-hjv4-6q76",
  "modified": "2026-01-22T21:33:38Z",
  "published": "2024-05-17T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35785"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXPV-C2H6-HQ9V

Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-06-30 03:35
VLAI
Details

Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-131",
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T13:16:05Z",
    "severity": "HIGH"
  },
  "details": "Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability affects Firefox \u003c 149 and Firefox ESR \u003c 140.9.",
  "id": "GHSA-vxpv-c2h6-hq9v",
  "modified": "2026-06-30T03:35:58Z",
  "published": "2026-03-24T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4695"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8286"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8287"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8288"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8289"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8290"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8315"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8427"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8850"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4695"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2020030"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450715"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4695.json"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-22"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-24"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5930"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5931"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:5932"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6188"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6342"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:6917"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7837"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7838"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7839"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7840"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7841"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7842"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7843"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7845"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:7858"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8284"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:8285"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W24R-5266-9C3C

Vulnerability from github – Published: 2026-04-30 18:20 – Updated: 2026-06-09 10:49
VLAI
Summary
Clerk has an authorization bypass when combining organization, billing, or reverification checks
Details

Summary

has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions.

Sessions are not compromised and no existing user can be impersonated. The bypass is limited to the authorization decision returned by the predicate. clerkMiddleware continues to authenticate requests correctly, auth() reflects the real authentication state, and token verification is unaffected.

Who is affected

All apps that combine more than one authorization dimension in a single has() or auth.protect() call should upgrade to the patched versions. Patches are drop-in with no API changes. The information below describes the scope of the bypass and helps developers understand whether their apps are potentially affected, but is not a reason to delay the upgrade.

This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check.

// Reverification combined with role / permission / feature / plan
await auth.protect({ permission: 'org:settings:delete', reverification: 'strict' });
const canAct = has({ role: 'org:admin', reverification: 'strict' });

// Billing (feature / plan) combined with role / permission
const canAct = has({ permission: 'org:admin', feature: 'premium' });

Single-condition checks are not affected and continue to fail closed as expected:

await auth.protect({ permission: 'org:settings:delete' });
has({ reverification: 'strict' });

The callback form of auth.protect is not affected unless the callback itself invokes one of the affected shapes:

await auth.protect(has => has({ permission: 'org:X' }) && has({ reverification: 'strict' }));

App patterns that rely only on single-condition checks, or that combine them via the callback form, are unaffected. Authentication, session state, and token verification continue to work correctly regardless of this bypass.

@clerk/shared is usually not imported directly in application code, but the fix lives there and reaches an app through its framework package. If developers import createCheckAuthorization from @clerk/shared directly, their apps are also affected. Run npm why @clerk/shared (or the app's package manager's equivalent) to check the installed version.

Additional auth.protect() bypass

A second, related bypass lives in @clerk/nextjs: auth.protect() silently discarded authorization params (role, permission, feature, plan, reverification) whenever the same argument object also contained unauthenticatedUrl, unauthorizedUrl, or token.

Recommended actions

Upgrade to the latest patch release of the consuming app's framework package on its current major. Both Core 2 and Core 3 release lines have patches. See the "Affected packages" section above for the exact vulnerable ranges and patched versions per package.

If a consuming app pins @clerk/clerk-js directly, upgrade it to the patched version. Most apps load @clerk/clerk-js from Clerk's CDN through their framework package and will receive the fix automatically, with no upgrade step required.

Workaround

If developers cannot upgrade immediately, split combined has() or auth.protect() calls into sequential single-condition checks:

// Replace
await auth.protect({ permission: 'org:X', reverification: 'strict' });
// With
await auth.protect({ reverification: 'strict' });
await auth.protect({ permission: 'org:X' });

Each single-condition check fails closed as expected, so evaluating them independently and denying if either fails produces the correct result.

Timeline

This issue was reported on 18 APR 2026, patched on 22 APR 2026, and publicly disclosed on 22 APR 2026.

Thanks to AISafe for the responsible disclosure of this vulnerability.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.47.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/shared"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.47.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.8.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/shared"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.33.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.33.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.39.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/nextjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.39.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.2.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/nextjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.125.9"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/clerk-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.22.0"
            },
            {
              "fixed": "5.125.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.7.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/clerk-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.61.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/clerk-react"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.9.0"
            },
            {
              "fixed": "5.61.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.4.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/react"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.17.20"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/vue"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.17.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.15"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/vue"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.17.10"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/astro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.17.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.17"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/astro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.13.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.13.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.19.35"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/clerk-expo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.11"
            },
            {
              "fixed": "2.19.36"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/expo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.12"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/react-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.1"
            },
            {
              "fixed": "2.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/react-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.29.10"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/tanstack-react-start"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.1"
            },
            {
              "fixed": "0.29.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/tanstack-react-start"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.9.14"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/chrome-extension"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.5"
            },
            {
              "fixed": "2.9.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.14"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/chrome-extension"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.6.30"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/fastify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.42"
            },
            {
              "fixed": "2.6.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.15"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/fastify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.7.78"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/express"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "1.7.79"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/express"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.15"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@clerk/hono"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.2"
            },
            {
              "fixed": "0.1.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T18:20:02Z",
    "nvd_published_at": "2026-05-11T17:16:33Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`has()`, `auth.protect()`, and related authorization predicates in `@clerk/shared`, `@clerk/nextjs`, `@clerk/backend`, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions.\n\nSessions are not compromised and no existing user can be impersonated. The bypass is limited to the authorization decision returned by the predicate. `clerkMiddleware` continues to authenticate requests correctly, `auth()` reflects the real authentication state, and token verification is unaffected.\n\n### Who is affected\n\nAll apps that combine more than one authorization dimension in a single `has()` or `auth.protect()` call should upgrade to the patched versions. Patches are drop-in with no API changes. The information below describes the scope of the bypass and helps developers understand whether their apps are potentially affected, but is not a reason to delay the upgrade.\n\nThis call shape can be bypassed if certain conditions are met: a `has()` or `auth.protect()` call that combines a `reverification` check with any of `role`, `permission`, `feature`, or `plan`, or that combines a billing check (`feature` or `plan`) with a role or permission check.\n\n\n```ts\n// Reverification combined with role / permission / feature / plan\nawait auth.protect({ permission: \u0027org:settings:delete\u0027, reverification: \u0027strict\u0027 });\nconst canAct = has({ role: \u0027org:admin\u0027, reverification: \u0027strict\u0027 });\n\n// Billing (feature / plan) combined with role / permission\nconst canAct = has({ permission: \u0027org:admin\u0027, feature: \u0027premium\u0027 });\n```\n\nSingle-condition checks are not affected and continue to fail closed as expected:\n\n```ts\nawait auth.protect({ permission: \u0027org:settings:delete\u0027 });\nhas({ reverification: \u0027strict\u0027 });\n```\n\nThe callback form of `auth.protect` is not affected unless the callback itself invokes one of the affected shapes:\n\n```ts\nawait auth.protect(has =\u003e has({ permission: \u0027org:X\u0027 }) \u0026\u0026 has({ reverification: \u0027strict\u0027 }));\n```\n\nApp patterns that rely only on single-condition checks, or that combine them via the callback form, are unaffected. Authentication, session state, and token verification continue to work correctly regardless of this bypass.\n\n`@clerk/shared` is usually not imported directly in application code, but the fix lives there and reaches an app through its framework package. If developers import `createCheckAuthorization` from `@clerk/shared` directly, their apps are also affected. Run `npm why @clerk/shared` (or the app\u0027s package manager\u0027s equivalent) to check the installed version.\n\n### Additional `auth.protect()` bypass\n\nA second, related bypass lives in `@clerk/nextjs`: `auth.protect()` silently discarded authorization params (`role`, `permission`, `feature`, `plan`, `reverification`) whenever the same argument object also contained `unauthenticatedUrl`, `unauthorizedUrl`, or `token`.\n\n### Recommended actions\n\nUpgrade to the latest patch release of the consuming app\u0027s framework package on its current major. Both Core 2 and Core 3 release lines have patches. See the \"Affected packages\" section above for the exact vulnerable ranges and patched versions per package.\n\nIf a consuming app pins `@clerk/clerk-js` directly, upgrade it to the patched version. Most apps load `@clerk/clerk-js` from Clerk\u0027s CDN through their framework package and will receive the fix automatically, with no upgrade step required.\n\n### Workaround\n\nIf developers cannot upgrade immediately, split combined `has()` or `auth.protect()` calls into sequential single-condition checks:\n\n```ts\n// Replace\nawait auth.protect({ permission: \u0027org:X\u0027, reverification: \u0027strict\u0027 });\n// With\nawait auth.protect({ reverification: \u0027strict\u0027 });\nawait auth.protect({ permission: \u0027org:X\u0027 });\n```\n\nEach single-condition check fails closed as expected, so evaluating them independently and denying if either fails produces the correct result.\n\n### Timeline\n\nThis issue was reported on 18 APR 2026, patched on 22 APR 2026, and publicly disclosed on 22 APR 2026.\n\nThanks to AISafe for the responsible disclosure of this vulnerability.",
  "id": "GHSA-w24r-5266-9c3c",
  "modified": "2026-06-09T10:49:55Z",
  "published": "2026-04-30T18:20:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42349"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/clerk/javascript"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Clerk has an authorization bypass when combining organization, billing, or reverification checks"
}

GHSA-W2XF-42W4-QQRC

Vulnerability from github – Published: 2024-07-01 18:32 – Updated: 2024-07-01 18:32
VLAI
Details

An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

If an SRX Series device receives specific valid traffic destined to the device, it will cause the PFE to crash and restart. Continued receipt and processing of this traffic will create a sustained DoS condition.

This issue affects Junos OS on SRX Series:

  • 21.4 versions before 21.4R3-S7.9,
  • 22.1 versions before 22.1R3-S5.3,
  • 22.2 versions before 22.2R3-S4.11,
  • 22.3 versions before 22.3R3,
  • 22.4 versions before 22.4R3.

Junos OS versions prior to 21.4R1 are not affected by this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T17:15:05Z",
    "severity": "HIGH"
  },
  "details": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).\n\nIf an SRX Series device receives specific valid traffic destined to the device, it will cause the PFE to crash and restart.  Continued receipt and processing of this traffic will create a sustained DoS condition.\n\nThis issue affects Junos OS on SRX Series:\n\n  *  21.4 versions before 21.4R3-S7.9,\n  *  22.1 versions before 22.1R3-S5.3,\n  *  22.2 versions before 22.2R3-S4.11,\n  *  22.3 versions before 22.3R3,\n  *  22.4 versions before 22.4R3.\n\n\n\n\nJunos OS versions prior to 21.4R1 are not affected by this issue.",
  "id": "GHSA-w2xf-42w4-qqrc",
  "modified": "2024-07-01T18:32:40Z",
  "published": "2024-07-01T18:32:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21586"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA83195"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W364-3J6V-CP76

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:10
VLAI
Details

IrfanView 4.53 allows a Exception Handler Chain to be Corrupted starting at EXR!ReadEXR+0x000000000002af80.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-08T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IrfanView 4.53 allows a Exception Handler Chain to be Corrupted starting at EXR!ReadEXR+0x000000000002af80.",
  "id": "GHSA-w364-3j6v-cp76",
  "modified": "2024-04-04T02:10:32Z",
  "published": "2022-05-24T16:58:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17257"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linhlhq/research/blob/master/README.md"
    },
    {
      "type": "WEB",
      "url": "https://www.irfanview.com/main_history.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W36C-PPC4-PWGG

Vulnerability from github – Published: 2024-10-21 15:32 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

x86/tdx: Fix "in-kernel MMIO" check

TDX only supports kernel-initiated MMIO operations. The handle_mmio() function checks if the #VE exception occurred in the kernel and rejects the operation if it did not.

However, userspace can deceive the kernel into performing MMIO on its behalf. For example, if userspace can point a syscall to an MMIO address, syscall does get_user() or put_user() on it, triggering MMIO #VE. The kernel will treat the #VE as in-kernel MMIO.

Ensure that the target MMIO address is within the kernel before decoding instruction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T13:15:02Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/tdx: Fix \"in-kernel MMIO\" check\n\nTDX only supports kernel-initiated MMIO operations. The handle_mmio()\nfunction checks if the #VE exception occurred in the kernel and rejects\nthe operation if it did not.\n\nHowever, userspace can deceive the kernel into performing MMIO on its\nbehalf. For example, if userspace can point a syscall to an MMIO address,\nsyscall does get_user() or put_user() on it, triggering MMIO #VE. The\nkernel will treat the #VE as in-kernel MMIO.\n\nEnsure that the target MMIO address is within the kernel before decoding\ninstruction.",
  "id": "GHSA-w36c-ppc4-pwgg",
  "modified": "2025-11-04T00:31:37Z",
  "published": "2024-10-21T15:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47727"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18ecd5b74682839e7cdafb7cd1ec106df7baa18c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/25703a3c980e21548774eea8c8a87a75c5c8f58c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c0c5dcb5471de5fc8f0a1c4980e5815339e1cee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bca2e29f7e26ce7c3522f8b324c0bd85612f68e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d4fc4d01471528da8a9797a065982e05090e1d81"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W3XV-9MXW-3WV4

Vulnerability from github – Published: 2022-10-14 19:00 – Updated: 2025-05-14 21:31
VLAI
Details

Uncaptured exceptions in the home screen module. Successful exploitation of this vulnerability may affect stability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-14T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Uncaptured exceptions in the home screen module. Successful exploitation of this vulnerability may affect stability.",
  "id": "GHSA-w3xv-9mxw-3wv4",
  "modified": "2025-05-14T21:31:09Z",
  "published": "2022-10-14T19:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41587"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W42R-PH9F-9X66

Vulnerability from github – Published: 2026-01-27 18:32 – Updated: 2026-05-12 15:31
VLAI
Details

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69420"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-27T16:16:34Z",
    "severity": "HIGH"
  },
  "details": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response\nverification code where an ASN1_TYPE union member is accessed without first\nvalidating the type, causing an invalid or NULL pointer dereference when\nprocessing a malformed TimeStamp Response file.\n\nImpact summary: An application calling TS_RESP_verify_response() with a\nmalformed TimeStamp Response can be caused to dereference an invalid or\nNULL pointer when reading, resulting in a Denial of Service.\n\nThe functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2()\naccess the signing cert attribute value without validating its type.\nWhen the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory\nthrough the ASN1_TYPE union, causing a crash.\n\nExploiting this vulnerability requires an attacker to provide a malformed\nTimeStamp Response to an application that verifies timestamp responses. The\nTimeStamp protocol (RFC 3161) is not widely used and the impact of the\nexploit is just a Denial of Service. For these reasons the issue was\nassessed as Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the TimeStamp Response implementation is outside the OpenSSL FIPS module\nboundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.",
  "id": "GHSA-w42r-ph9f-9x66",
  "modified": "2026-05-12T15:31:14Z",
  "published": "2026-01-27T18:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69420"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/27c7012c91cc986a598d7540f3079dfde2416eb9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/564fd9c73787f25693bf9e75faf7bf6bb1305d4e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/5eb0770ffcf11b785cf374ff3c19196245e54f1b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/a99349ebfc519999edc50620abe24d599b9eb085"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20260127.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is expected.

Mitigation
Implementation

If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).

Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
Architecture and Design Implementation

If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.

Mitigation
Architecture and Design

Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.

No CAPEC attack patterns related to this CWE.