Skip to content

Commit d459bd1

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-3pqc-836w-jgr7 GHSA-7vp9-x248-9vr9 GHSA-ffj4-jq7m-9g6v GHSA-mq3p-rrmp-79jg GHSA-mr7q-c9w9-wh4h GHSA-xg9w-vg3g-6m68
1 parent ffaad11 commit d459bd1

File tree

6 files changed

+496
-0
lines changed

6 files changed

+496
-0
lines changed

advisories/github-reviewed/2026/01/GHSA-3pqc-836w-jgr7/GHSA-3pqc-836w-jgr7.json

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3pqc-836w-jgr7",
4+
"modified": "2026-01-13T21:53:44Z",
5+
"published": "2026-01-13T21:53:44Z",
6+
"aliases": [
7+
"CVE-2026-22820"
8+
],
9+
"summary": "Outray cli is vulnerable to race conditions in tunnels creation",
10+
"details": "### Summary\n\nA TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan.\n\n### Details\n\nAffected conponent: `apps/web/src/routes/api/tunnel/register.ts`\n- `/tunnel/register` endpoint code-:\n\n```ts\n// Check if tunnel already exists in database\n const [existingTunnel] = await db\n .select()\n .from(tunnels)\n .where(eq(tunnels.url, tunnelUrl));\n\n const isReconnection = !!existingTunnel;\n\n console.log(\n `[TUNNEL LIMIT CHECK] Org: ${organizationId}, Tunnel: ${tunnelId}`,\n );\n console.log(\n `[TUNNEL LIMIT CHECK] Is Reconnection: ${isReconnection}`,\n );\n console.log(\n `[TUNNEL LIMIT CHECK] Plan: ${currentPlan}, Limit: ${tunnelLimit}`,\n );\n\n // Check limits only for NEW tunnels (not reconnections)\n if (!isReconnection) {\n // Count active tunnels from Redis SET\n const activeCount = await redis.scard(setKey);\n console.log(\n `[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,\n );\n\n // The current tunnel is NOT yet in the online_tunnels set (added after successful registration)\n // So we check if activeCount >= limit (not >)\n if (activeCount >= tunnelLimit) {\n console.log(\n `[TUNNEL LIMIT CHECK] REJECTED - ${activeCount} >= ${tunnelLimit}`,\n );\n return json(\n {\n error: `Tunnel limit reached. The ${currentPlan} plan allows ${tunnelLimit} active tunnel${tunnelLimit > 1 ? \"s\" : \"\"}.`,\n },\n { status: 403 },\n );\n }\n console.log(\n `[TUNNEL LIMIT CHECK] ALLOWED - ${activeCount} < ${tunnelLimit}`,\n );\n } else {\n console.log(`[TUNNEL LIMIT CHECK] SKIPPED - Reconnection detected`);\n }\n\n if (existingTunnel) {\n // Tunnel with this URL already exists, update lastSeenAt\n await db\n .update(tunnels)\n .set({ lastSeenAt: new Date() })\n .where(eq(tunnels.id, existingTunnel.id));\n\n return json({\n success: true,\n tunnelId: existingTunnel.id,\n });\n }\n\n // Create new tunnel record\n const tunnelRecord = {\n id: randomUUID(),\n url: tunnelUrl,\n userId,\n organizationId,\n name: name || null,\n protocol,\n remotePort: remotePort || null,\n lastSeenAt: new Date(),\n createdAt: new Date(),\n updatedAt: new Date(),\n };\n\n await db.insert(tunnels).values(tunnelRecord);\n\n return json({ success: true, tunnelId: tunnelRecord.id });\n } catch (error) {\n console.error(\"Tunnel registration error:\", error);\n return json({ error: \"Internal server error\" }, { status: 500 });\n }\n```\n- It checks if the tunnel exists in the database.\n```ts\n// Check if tunnel already exists in database\n const [existingTunnel] = await db\n .select()\n .from(tunnels)\n .where(eq(tunnels.url, tunnelUrl));\n\n const isReconnection = !!existingTunnel;\n```\n\n- Limit is checked here-:\n```ts\n// Check limits only for NEW tunnels (not reconnections)\n\nif (!isReconnection) {\n\n// Count active tunnels from Redis SET\n\nconst activeCount = await redis.scard(setKey);\n\nconsole.log(\n\n`[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,\n\n);\n```\n- Redis is checked for existing tunnel to check for reconnection.\n```ts\n// Check limits only for NEW tunnels (not reconnections)\n if (!isReconnection) {\n // Count active tunnels from Redis SET\n const activeCount = await redis.scard(setKey);\n console.log(\n `[TUNNEL LIMIT CHECK] Active count in Redis: ${activeCount}`,\n );\n```\n\n- If the tunnel limit is exceeded, it pops up the tunnel limit error.\n\n```ts\nif (activeCount >= tunnelLimit) {\n console.log(\n `[TUNNEL LIMIT CHECK] REJECTED - ${activeCount} >= ${tunnelLimit}`,\n );\n return json(\n {\n error: `Tunnel limit reached. The ${currentPlan} plan allows ${tunnelLimit} active tunnel${tunnelLimit > 1 ? \"s\" : \"\"}.`,\n },\n { status: 403 },\n );\n```\n- If the limit is not exceeded, it triggers a the `Insert` Statement without locking transactions from other request\n\n```ts\nawait db.insert(tunnels).values(tunnelRecord);\n```\n- If parallel requests are made by the `wshandler` in `/outray/outray-main/apps/tunnel/src/core/WSHandler.ts` from the command line app. A request can work on a non updated row because the `insert` row has not been triggered allowing the user to bypass the limit. It is much explained in the proof of concept. The key takeaway is db transactions should remain locked.\n\n### PoC\n\nUsing this simple bash script, the `outray` binary will be run at the same time in one `tmux` window, demonstrating the race condition and opening 4 tunnels.\n\n```bash\n#!/usr/bin/env bash\n\n# POC for Outray Tunnel Race condition\nSESSION=\"outray-race\"\nPORTS=(8090 4000 5000 6000)\n\n# Create new detached tmux session\ntmux new-session -d -s \"$SESSION\" \"echo '[*] outray race session started'; bash\"\n\n# Split the panes and run outray\nfor i in \"${!PORTS[@]}\"; do\n port=\"${PORTS[$i]}\"\n\n if [ \"$i\" -ne 0 ]; then\n tmux split-window -t \"$SESSION\" -h\n tmux select-layout -t \"$SESSION\" tiled\n fi\n\n tmux send-keys -t \"$SESSION\" \"echo '[*] Running outray on port $port'; outray $port\" C-m\ndone\n\ntmux set-window-option -t \"$SESSION\" synchronize-panes off\n\necho \"[+] tmux session '$SESSION' created\"\necho \"[+] Attach with: tmux attach -t $SESSION\"\n\n```\n\nRunning this\n\n```\nseeker@instance-20260106-20011$ bash kay.sh\n[+] tmux session 'outray-race' created\n[+] Attach with: tmux attach -t outray-race\n\nseeker@instance-20260106-20011$ tmux attach -t outray-race\n```\n\n<img width=\"1909\" height=\"1021\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c234cc94-fc25-4542-abdf-815332493a85\" />\n\n\n<img width=\"1907\" height=\"936\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1c302d7f-1ca6-46af-ab72-60fd01cdfded\" />\n\n### Impact\n\nBy exploiting this TOCTOU race condition in the affected component, the intended limit is bypassed and server resources is used with no extra billing charges on the user.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "outray"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.1.5"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/akinloluwami/outray/security/advisories/GHSA-3pqc-836w-jgr7"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/akinloluwami/outray"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-367"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-01-13T21:53:44Z",
59+
"nvd_published_at": null
60+
}
61+
}

advisories/github-reviewed/2026/01/GHSA-7vp9-x248-9vr9/GHSA-7vp9-x248-9vr9.json

Lines changed: 168 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,168 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-7vp9-x248-9vr9",
4+
"modified": "2026-01-13T21:54:06Z",
5+
"published": "2026-01-13T21:54:06Z",
6+
"aliases": [
7+
"CVE-2026-0859"
8+
],
9+
"summary": "TYPO3 CMS Allows Insecure Deserialization via Mailer File Spool",
10+
"details": "### Problem\nLocal platform users who can write to TYPO3’s mail‑file spool directory can craft a file that the system will automatically deserialize without any class restrictions. This flaw allows an attacker to inject and execute arbitrary PHP code in the public scope of the web server.\n\nThe vulnerability is triggered when TYPO3 is configured with `$GLOBALS['TYPO3_CONF_VARS']['MAIL']['transport_spool_type'] = 'file';` and a scheduler task or cron job runs the command `mailer:spool:send`. The spool‑send operation performs the insecure deserialization that is at the core of this issue.\n\n### Solution\nUpdate to TYPO3 versions 10.4.55 ELTS, 11.5.49 ELTS, 12.4.41 LTS, 13.4.23 LTS, 14.0.2 that fix the problem described.\n\n### Credits\nThanks to Vitaly Simonovich for reporting this issue, and to TYPO3 security team members Elias Häußler and Oliver Hader for fixing it.\n\n### References\n* [TYPO3-CORE-SA-2026-004](https://typo3.org/security/advisory/typo3-core-sa-2026-004)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "typo3/cms-core"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "14.0.0"
29+
},
30+
{
31+
"fixed": "14.0.2"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 14.0.1"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Packagist",
43+
"name": "typo3/cms-core"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "13.0.0"
51+
},
52+
{
53+
"fixed": "13.4.23"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 13.4.22"
60+
}
61+
},
62+
{
63+
"package": {
64+
"ecosystem": "Packagist",
65+
"name": "typo3/cms-core"
66+
},
67+
"ranges": [
68+
{
69+
"type": "ECOSYSTEM",
70+
"events": [
71+
{
72+
"introduced": "12.0.0"
73+
},
74+
{
75+
"fixed": "12.4.41"
76+
}
77+
]
78+
}
79+
],
80+
"database_specific": {
81+
"last_known_affected_version_range": "<= 12.4.40"
82+
}
83+
},
84+
{
85+
"package": {
86+
"ecosystem": "Packagist",
87+
"name": "typo3/cms-core"
88+
},
89+
"ranges": [
90+
{
91+
"type": "ECOSYSTEM",
92+
"events": [
93+
{
94+
"introduced": "11.0.0"
95+
},
96+
{
97+
"fixed": "11.5.49"
98+
}
99+
]
100+
}
101+
],
102+
"database_specific": {
103+
"last_known_affected_version_range": "<= 11.5.48"
104+
}
105+
},
106+
{
107+
"package": {
108+
"ecosystem": "Packagist",
109+
"name": "typo3/cms-core"
110+
},
111+
"ranges": [
112+
{
113+
"type": "ECOSYSTEM",
114+
"events": [
115+
{
116+
"introduced": "10.0.0"
117+
},
118+
{
119+
"fixed": "10.4.55"
120+
}
121+
]
122+
}
123+
],
124+
"database_specific": {
125+
"last_known_affected_version_range": "<= 10.4.54"
126+
}
127+
}
128+
],
129+
"references": [
130+
{
131+
"type": "WEB",
132+
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-7vp9-x248-9vr9"
133+
},
134+
{
135+
"type": "ADVISORY",
136+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0859"
137+
},
138+
{
139+
"type": "WEB",
140+
"url": "https://github.com/TYPO3/typo3/commit/3225d705080a1bde57a66689621c947da5a4782f"
141+
},
142+
{
143+
"type": "WEB",
144+
"url": "https://github.com/TYPO3/typo3/commit/722bf71c118b0a8e4f2c2494854437d846799a13"
145+
},
146+
{
147+
"type": "WEB",
148+
"url": "https://github.com/TYPO3/typo3/commit/e0f0ceee480c203fbb60b87454f5f193e541d27f"
149+
},
150+
{
151+
"type": "PACKAGE",
152+
"url": "https://github.com/TYPO3/typo3"
153+
},
154+
{
155+
"type": "WEB",
156+
"url": "https://typo3.org/security/advisory/typo3-core-sa-2026-004"
157+
}
158+
],
159+
"database_specific": {
160+
"cwe_ids": [
161+
"CWE-502"
162+
],
163+
"severity": "MODERATE",
164+
"github_reviewed": true,
165+
"github_reviewed_at": "2026-01-13T21:54:06Z",
166+
"nvd_published_at": "2026-01-13T12:15:50Z"
167+
}
168+
}

advisories/github-reviewed/2026/01/GHSA-ffj4-jq7m-9g6v/GHSA-ffj4-jq7m-9g6v.json

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-ffj4-jq7m-9g6v",
4+
"modified": "2026-01-13T21:54:42Z",
5+
"published": "2026-01-13T21:54:41Z",
6+
"aliases": [
7+
"CVE-2026-22870"
8+
],
9+
"summary": "GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS",
10+
"details": "## Summary\n\nGuardDog's `safe_extract()` function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data.\n\n## Vulnerability Details\n\n**Affected Component:** `guarddog/utils/archives.py` - `safe_extract()` function \n**Vulnerability Type:** CWE-409 - Improper Handling of Highly Compressed Data (Zip Bomb) \n**Severity:** HIGH (CVSS ~8) \n**Attack Vector:** Network (malicious package uploaded to PyPI/npm) or local\n\n### Root Cause\n\nThe `safe_extract()` function handles TAR files securely using the `tarsafe` library, but ZIP file extraction has no size validation:\n```python\nelif zipfile.is_zipfile(source_archive):\n with zipfile.ZipFile(source_archive, \"r\") as zip:\n for file in zip.namelist():\n zip.extract(file, path=os.path.join(target_directory, file))\n```\n\n**Missing protections:**\n- ❌ No decompressed size limit\n- ❌ No compression ratio validation \n- ❌ No file count limits\n- ❌ No total extracted size validation\n\n## Impact\n\n### Denial of Service Scenarios\n\n**1. CI/CD Pipeline Disruption**\n- Attacker publishes malicious package to PyPI\n- Developer adds package to requirements.txt\n- CI/CD runs GuardDog scan\n- Disk fills (GitHub Actions: standard 14GB limit)\n- All deployments blocked\n\n**2. Resource Exhaustion**\n- Local development environments\n- Security scanning infrastructure \n- Automated scanning systems\n- Docker containers with limited disk\n\n**3. Supply Chain Attack Amplification**\n- Single malicious package blocks security scanning\n- Prevents detection of other malicious packages\n- Forces manual intervention\n- Increases security team workload\n\n## Recommended Fix\n\nAdd size validation for ZIP files similar to what `tarsafe` provides for TAR files\n\n### Configuration Options\n\nMake limits configurable via environment variables or config file\n\n## Additional Improvements\n\n1. **Add warning logs** when archives approach limits\n2. **Provide clear error messages** for users\n3. **Document limits** in user-facing documentation\n4. **Add tests** for zip bomb detection\n5. **Consider using a safe ZIP library** (similar to tarsafe)\n\n## Credit\n\nReported by: Charbel (dwbruijn)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "guarddog"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.7.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22870"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/DataDog/guarddog"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-409"
59+
],
60+
"severity": "HIGH",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-01-13T21:54:41Z",
63+
"nvd_published_at": "2026-01-13T21:15:55Z"
64+
}
65+
}

advisories/github-reviewed/2026/01/GHSA-mq3p-rrmp-79jg/GHSA-mq3p-rrmp-79jg.json

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-mq3p-rrmp-79jg",
4+
"modified": "2026-01-13T21:55:29Z",
5+
"published": "2026-01-13T21:55:29Z",
6+
"aliases": [
7+
"CVE-2026-22868"
8+
],
9+
"summary": "go-ethereum is vulnerable to high CPU usage leading to DoS via malicious p2p message",
10+
"details": "**Impact**\n\nAn attacker can cause high CPU usage by sending a specially crafted p2p message.\nMore details to be released later.\n\n**Credit**\n\nThis issue was reported to the Ethereum Foundation Bug Bounty Program by @Yenya030",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/ethereum/go-ethereum"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.16.8"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.16.7"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg"
45+
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22868"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2"
53+
},
54+
{
55+
"type": "PACKAGE",
56+
"url": "https://github.com/ethereum/go-ethereum"
57+
}
58+
],
59+
"database_specific": {
60+
"cwe_ids": [
61+
"CWE-20",
62+
"CWE-400"
63+
],
64+
"severity": "HIGH",
65+
"github_reviewed": true,
66+
"github_reviewed_at": "2026-01-13T21:55:29Z",
67+
"nvd_published_at": "2026-01-13T21:15:54Z"
68+
}
69+
}

0 commit comments

Comments
 (0)