Publish Advisories

GHSA-25h7-pfq9-p65f
GHSA-4g4c-mfqg-pj8r
GHSA-g2p6-hh5v-7hfm
GHSA-m4q3-457p-hh2x

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-25h7-pfq9-p65f/GHSA-25h7-pfq9-p65f.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-25h7-pfq9-p65f",
+  "modified": "2026-03-13T15:40:42Z",
+  "published": "2026-03-13T15:40:42Z",
+  "aliases": [
+    "CVE-2026-32141"
+  ],
+  "summary": "flatted vulnerable to unbounded recursion DoS in parse() revive phase",
+  "details": "## Summary\n\nflatted's `parse()` function uses a recursive `revive()` phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential `$` indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process.\n\n## Impact\n\nDenial of Service (DoS). Any application that passes untrusted input to `flatted.parse()` can be crashed by an unauthenticated attacker with a single request.\n\nflatted has ~87M weekly npm downloads and is used as the circular-JSON serialization layer in many caching and logging libraries.\n\n## Proof of Concept\n\n```javascript\nconst flatted = require('flatted');\n\n// Build deeply nested circular reference chain\nconst depth = 20000;\nconst arr = new Array(depth + 1);\narr[0] = '{\"a\":\"1\"}';\nfor (let i = 1; i <= depth; i++) {\n  arr[i] = `{\"a\":\"${i + 1}\"}`;\n}\narr[depth] = '{\"a\":\"leaf\"}';\n\nconst payload = JSON.stringify(arr);\nflatted.parse(payload); // RangeError: Maximum call stack size exceeded\n```\n\n## Fix\n\nThe maintainer has already merged an iterative (non-recursive) implementation in PR #88, converting the recursive `revive()` to a stack-based loop.\n\n## Affected Versions\n\nAll versions prior to the PR #88 fix.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "flatted"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.4.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WebReflection/flatted/security/advisories/GHSA-25h7-pfq9-p65f"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WebReflection/flatted/pull/88"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WebReflection/flatted/commit/7eb65d857e1a40de11c47461cdbc8541449f0606"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WebReflection/flatted"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-674"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T15:40:42Z",
+    "nvd_published_at": "2026-03-12T18:16:25Z"
+  }
+}

advisories/github-reviewed/2026/03/GHSA-4g4c-mfqg-pj8r/GHSA-4g4c-mfqg-pj8r.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4g4c-mfqg-pj8r",
+  "modified": "2026-03-13T15:40:20Z",
+  "published": "2026-03-13T15:40:20Z",
+  "aliases": [
+    "CVE-2026-32116"
+  ],
+  "summary": "Magic Wormhole: \"wormhole receive\" allows arbitrary local file overwrite",
+  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nReceiving a file (`wormhole receive`) from a malicious party could result in overwriting critical local files, including `~/.ssh/authorized_keys` and `.bashrc`. This could be used to compromise the receiver's computer.\n\nOnly the sender of the file (the party who runs `wormhole send`) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe bug has been fixed in magic-wormhole 0.23.0. All users should upgrade to this version.\n\nThe vulnerability first surfaced in the 0.21.0 release on 23-Oct-2025.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nAs a workaround, the receiver can override the sender's filename with the `--output` or `-o` option. For example: `wormhole receive -o shopping-list.txt` will write the file to `shopping-list.txt` in the local directory, regardless of what the sender tries to do. To be effective, this option must be added to every invocation of `wormhole receive` / `wormhole rx`.\n\n### References\n_Are there any links users can visit to find out more?_\n\nIncoming file transfer requests include a `filename`, used to decide where the file contents will be written. Well-behaving senders compute this from the `basename()` of the sent file (which discards all but the last segment of the path). To guard against malicious senders, the receiver also applies `basename()` to the incoming filename. During refactoring in version 0.21.0, this receiver-side check was accidentally dropped. The check was restored in version 0.23.0 along with a unit test.\n\nMany thanks to Ian McKenzie (@ikmckenz) for spotting the bug and reaching out with a fix.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "magic-wormhole"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.21.0"
+            },
+            {
+              "fixed": "0.23.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/magic-wormhole/magic-wormhole/security/advisories/GHSA-4g4c-mfqg-pj8r"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32116"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/magic-wormhole/magic-wormhole"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T15:40:20Z",
+    "nvd_published_at": "2026-03-12T18:16:24Z"
+  }
+}

advisories/github-reviewed/2026/03/GHSA-g2p6-hh5v-7hfm/GHSA-g2p6-hh5v-7hfm.json

@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g2p6-hh5v-7hfm",
+  "modified": "2026-03-13T15:40:31Z",
+  "published": "2026-03-13T15:40:31Z",
+  "aliases": [
+    "CVE-2026-32129"
+  ],
+  "summary": "Poseidon V1 variable-length input collision via implicit zero-padding",
+  "details": "## Impact\n\nPoseidon V1 (`PoseidonSponge`) accepts variable-length inputs without injective padding. When a caller provides fewer inputs than the sponge rate (`inputs.len() < T - 1`), unused rate positions are implicitly zero-filled. This allows trivial hash collisions: for any input vector `[m1, ..., mk]` hashed with a sponge of rate > k, `hash([m1, ..., mk])` equals `hash([m1, ..., mk, 0])` because both produce identical pre-permutation states.\n\nThis affects any use of `PoseidonSponge` or `poseidon_hash` where the number of inputs is less than `T - 1` (e.g., hashing 1 input with `T=3`).\n\nPoseidon2 (`Poseidon2Sponge`) is **not affected** — it encodes the input length in the capacity element (`IV = input_len << 64`), making different-length inputs produce distinct states.\n\n## Patches\n\nFixed by enforcing `inputs.len() == RATE` in `PoseidonSponge::compute_hash`, matching circom's invariant that `nInputs` always equals `T - 1`. Users should upgrade to the next release containing this fix.\n\n## Workarounds\n\nIf upgrading is not immediately possible:\n\n- Ensure callers **always** use `T = inputs.len() + 1` (full-rate), which is how circom uses Poseidon. For example, to hash 2 inputs, use `T=3`; to hash 1 input, use `T=2`. Never use a sponge with more rate capacity than the number of inputs.\n- Alternatively, migrate to `Poseidon2Sponge`, which is safe for variable-length inputs due to its length-encoding IV.\n\n## References\n- [circom Poseidon implementation](https://github.com/iden3/circomlib/blob/master/circuits/poseidon.circom) — reference implementation where `nInputs` determines `T`\n- [Poseidon paper](https://eprint.iacr.org/2019/458) — Section 4 discusses sponge construction and padding requirements",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "soroban-poseidon"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "25.0.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/stellar/rs-soroban-poseidon/security/advisories/GHSA-g2p6-hh5v-7hfm"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32129"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/stellar/rs-soroban-poseidon/pull/10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/stellar/rs-soroban-poseidon/commit/ceb20d3593fc4a8a951a7e99d8fa2344f8250a8c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/stellar/rs-soroban-poseidon"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/stellar/rs-soroban-poseidon/releases/tag/v25.0.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-328"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T15:40:31Z",
+    "nvd_published_at": "2026-03-12T18:16:25Z"
+  }
+}