Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit e2391f603cb2 · 2026-01-21T16:20:27.000Z
GHSA-53wg-r69p-v3r7 GHSA-846p-jg2w-w324 GHSA-9r42-rhw3-2222 GHSA-fphv-w9fq-2525 GHSA-mx8m-v8qm-xwr8
diff --git a/advisories/github-reviewed/2026/01/GHSA-53wg-r69p-v3r7/GHSA-53wg-r69p-v3r7.json b/advisories/github-reviewed/2026/01/GHSA-53wg-r69p-v3r7/GHSA-53wg-r69p-v3r7.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-53wg-r69p-v3r7",
-  "modified": "2026-01-16T21:56:53Z",
+  "modified": "2026-01-21T16:20:01Z",
   "published": "2026-01-16T21:09:08Z",
   "aliases": [
     "CVE-2026-23735"
   ],
   "summary": "GraphQL Modules has a Race Condition issue",
-  "details": "### Summary\nOriginally reported as an issue #2613 but should be elevated to a security issue as the ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs.\n\n### Details\nWhen 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via `@ExecutionContext()`\n\n### PoC\n\nIn a new project/folder, create and install the following `package.json`:\n\n```json\n{\n  \"name\": \"GHSA-53wg-r69p-v3r7\",\n  \"scripts\": {\n    \"test\": \"jest\"\n  },\n  \"dependencies\": {\n    \"graphql-modules\": \"2.4.0\"\n  },\n  \"devDependencies\": {\n    \"@babel/plugin-proposal-class-properties\": \"^7.18.6\",\n    \"@babel/plugin-proposal-decorators\": \"^7.28.6\",\n    \"babel-plugin-parameter-decorator\": \"^1.0.16\",\n    \"jest\": \"^29.7.0\",\n    \"reflect-metadata\": \"^0.2.2\"\n  }\n}\n```\n\nwith:\n\n```\nnpm i\n```\n\nconfigure `babel.config.json` using:\n\n```json\n{\n  \"plugins\": [\n    [\"@babel/plugin-proposal-decorators\", { \"legacy\": true }],\n    \"babel-plugin-parameter-decorator\",\n    \"@babel/plugin-proposal-class-properties\"\n  ]\n}\n```\n\nthen write the following test `GHSA-53wg-r69p-v3r7.spec.ts`:\n\n```js\nrequire(\"reflect-metadata\");\nconst {\n  createApplication,\n  createModule,\n  Injectable,\n  Scope,\n  ExecutionContext,\n  gql,\n  testkit,\n} = require(\"graphql-modules\");\n\ntest(\"accessing a singleton provider context during another asynchronous execution\", async () => {\n  @Injectable({ scope: Scope.Singleton })\n  class IdentifierProvider {\n    @ExecutionContext()\n    context;\n\n    getId() {\n      return this.context.identifier;\n    }\n  }\n\n  const { promise: gettingBefore, resolve: gotBefore } = createDeferred();\n\n  const { promise: waitForGettingAfter, resolve: getAfter } = createDeferred();\n\n  const mod = createModule({\n    id: \"mod\",\n    providers: [IdentifierProvider],\n    typeDefs: gql`\n      type Query {\n        getAsyncIdentifiers: Identifiers!\n      }\n\n      type Identifiers {\n        before: String!\n        after: String!\n      }\n    `,\n    resolvers: {\n      Query: {\n        async getAsyncIdentifiers(_0, _1, context) {\n          const before = context.injector.get(IdentifierProvider).getId();\n          gotBefore();\n          await waitForGettingAfter;\n          const after = context.injector.get(IdentifierProvider).getId();\n          return { before, after };\n        },\n      },\n    },\n  });\n\n  const app = createApplication({\n    modules: [mod],\n  });\n\n  const document = gql`\n    {\n      getAsyncIdentifiers {\n        before\n        after\n      }\n    }\n  `;\n\n  const firstResult$ = testkit.execute(app, {\n    contextValue: {\n      identifier: \"first\",\n    },\n    document,\n  });\n\n  await gettingBefore;\n\n  const secondResult$ = testkit.execute(app, {\n    contextValue: {\n      identifier: \"second\",\n    },\n    document,\n  });\n\n  getAfter();\n\n  await expect(firstResult$).resolves.toEqual({\n    data: {\n      getAsyncIdentifiers: {\n        before: \"first\",\n        after: \"first\",\n      },\n    },\n  });\n\n  await expect(secondResult$).resolves.toEqual({\n    data: {\n      getAsyncIdentifiers: {\n        before: \"second\",\n        after: \"second\",\n      },\n    },\n  });\n});\n\nfunction createDeferred() {\n  let resolve, reject;\n  const promise = new Promise((res, rej) => {\n    resolve = res;\n    reject = rej;\n  });\n  return {\n    promise,\n    resolve,\n    reject,\n  };\n}\n```\n\nand execute using:\n\n```\nnpm test\n```\n\nYour project tree should look like this:\n\n```\nGHSA-53wg-r69p-v3r7\n    package.json\n    package-lock.json\n    babel.config.json\n    GHSA-53wg-r69p-v3r7.spec.js\n```\n\n#### Expected vs. Actual Outcome\n\n```diff\n- Expected  - 1\n+ Received  + 1\n\n  Object {\n    \"data\": Object {\n      \"getAsyncIdentifiers\": Object {\n-       \"after\": \"first\",\n+       \"after\": \"second\",\n        \"before\": \"first\",\n      },\n    },\n  }\n```\n\n### Impact\n\nAny application that uses services that inject the context using `@ExecutionContext()` are at risk. The more traffic an application has, the higher the chance for parallel requests, the higher the risk.",
+  "details": "### Summary\nOriginally reported as an issue #2613 but should be elevated to a security issue as the ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs.\n\n### Details\nWhen 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via `@ExecutionContext()`\n\n### PoC\n\nIn a new project/folder, create and install the following `package.json`:\n\n```json\n{\n  \"name\": \"GHSA-53wg-r69p-v3r7\",\n  \"scripts\": {\n    \"test\": \"jest\"\n  },\n  \"dependencies\": {\n    \"graphql-modules\": \"2.4.0\"\n  },\n  \"devDependencies\": {\n    \"@babel/plugin-proposal-class-properties\": \"^7.18.6\",\n    \"@babel/plugin-proposal-decorators\": \"^7.28.6\",\n    \"babel-plugin-parameter-decorator\": \"^1.0.16\",\n    \"jest\": \"^29.7.0\",\n    \"reflect-metadata\": \"^0.2.2\"\n  }\n}\n```\n\nwith:\n\n```\nnpm i\n```\n\nconfigure `babel.config.json` using:\n\n```json\n{\n  \"plugins\": [\n    [\"@babel/plugin-proposal-decorators\", { \"legacy\": true }],\n    \"babel-plugin-parameter-decorator\",\n    \"@babel/plugin-proposal-class-properties\"\n  ]\n}\n```\n\nthen write the following test `GHSA-53wg-r69p-v3r7.spec.ts`:\n\n```js\nrequire(\"reflect-metadata\");\nconst {\n  createApplication,\n  createModule,\n  Injectable,\n  Scope,\n  ExecutionContext,\n  gql,\n  testkit,\n} = require(\"graphql-modules\");\n\ntest(\"accessing a singleton provider context during another asynchronous execution\", async () => {\n  @Injectable({ scope: Scope.Singleton })\n  class IdentifierProvider {\n    @ExecutionContext()\n    context;\n\n    getId() {\n      return this.context.identifier;\n    }\n  }\n\n  const { promise: gettingBefore, resolve: gotBefore } = createDeferred();\n\n  const { promise: waitForGettingAfter, resolve: getAfter } = createDeferred();\n\n  const mod = createModule({\n    id: \"mod\",\n    providers: [IdentifierProvider],\n    typeDefs: gql`\n      type Query {\n        getAsyncIdentifiers: Identifiers!\n      }\n\n      type Identifiers {\n        before: String!\n        after: String!\n      }\n    `,\n    resolvers: {\n      Query: {\n        async getAsyncIdentifiers(_0, _1, context) {\n          const before = context.injector.get(IdentifierProvider).getId();\n          gotBefore();\n          await waitForGettingAfter;\n          const after = context.injector.get(IdentifierProvider).getId();\n          return { before, after };\n        },\n      },\n    },\n  });\n\n  const app = createApplication({\n    modules: [mod],\n  });\n\n  const document = gql`\n    {\n      getAsyncIdentifiers {\n        before\n        after\n      }\n    }\n  `;\n\n  const firstResult$ = testkit.execute(app, {\n    contextValue: {\n      identifier: \"first\",\n    },\n    document,\n  });\n\n  await gettingBefore;\n\n  const secondResult$ = testkit.execute(app, {\n    contextValue: {\n      identifier: \"second\",\n    },\n    document,\n  });\n\n  getAfter();\n\n  await expect(firstResult$).resolves.toEqual({\n    data: {\n      getAsyncIdentifiers: {\n        before: \"first\",\n        after: \"first\",\n      },\n    },\n  });\n\n  await expect(secondResult$).resolves.toEqual({\n    data: {\n      getAsyncIdentifiers: {\n        before: \"second\",\n        after: \"second\",\n      },\n    },\n  });\n});\n\nfunction createDeferred() {\n  let resolve, reject;\n  const promise = new Promise((res, rej) => {\n    resolve = res;\n    reject = rej;\n  });\n  return {\n    promise,\n    resolve,\n    reject,\n  };\n}\n```\n\nand execute using:\n\n```\nnpm test\n```\n\nYour project tree should look like this:\n\n```\nGHSA-53wg-r69p-v3r7\n    package.json\n    package-lock.json\n    babel.config.json\n    GHSA-53wg-r69p-v3r7.spec.js\n```\n\n#### Expected vs. Actual Outcome\n\n```diff\n- Expected  - 1\n+ Received  + 1\n\n  Object {\n    \"data\": Object {\n      \"getAsyncIdentifiers\": Object {\n-       \"after\": \"first\",\n+       \"after\": \"second\",\n        \"before\": \"first\",\n      },\n    },\n  }\n```\n\n### Impact\n\nAny application that uses services that inject the context using `@ExecutionContext()` from a singleton provider are at risk. The more traffic an application has, the higher the chance for parallel requests, the higher the risk.",
   "severity": [
     {
       "type": "CVSS_V4",
diff --git a/advisories/github-reviewed/2026/01/GHSA-846p-jg2w-w324/GHSA-846p-jg2w-w324.json b/advisories/github-reviewed/2026/01/GHSA-846p-jg2w-w324/GHSA-846p-jg2w-w324.json
@@ -0,0 +1,81 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-846p-jg2w-w324",
+  "modified": "2026-01-21T16:19:28Z",
+  "published": "2026-01-21T16:19:28Z",
+  "aliases": [
+    "CVE-2026-23991"
+  ],
+  "summary": "go-tuf affected by client DoS via malformed server response",
+  "details": "# Security Disclosure: Client DoS via malformed server response\n\n## Summary\n\nIf the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic _during parsing_, causing a DoS. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key.\n\n## Impact \n\nClient crashes upon receiving and parsing malformed TUF metadata. This can cause long running services to enter an restart/crash loop.\n\n## Workarounds\n\nNone currently. \n\n## Affected code\n\nThe `metadata.checkType` function did not properly type assert the (untrusted) input causing it to panic on malformed data.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/theupdateframework/go-tuf/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/theupdateframework/go-tuf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.7.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/theupdateframework/go-tuf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-617",
+      "CWE-754"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T16:19:28Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-9r42-rhw3-2222/GHSA-9r42-rhw3-2222.json b/advisories/github-reviewed/2026/01/GHSA-9r42-rhw3-2222/GHSA-9r42-rhw3-2222.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9r42-rhw3-2222",
-  "modified": "2026-01-16T20:54:02Z",
+  "modified": "2026-01-21T16:18:50Z",
   "published": "2026-01-16T09:31:21Z",
   "aliases": [
     "CVE-2025-14822"
@@ -37,25 +37,6 @@
         "last_known_affected_version_range": "<= 10.11.8"
       }
     },
-    {
-      "package": {
-        "ecosystem": "Go",
-        "name": "github.com/mattermost/mattermost/server/v8"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
-            },
-            {
-              "fixed": "8.0.0-20251201064648-4d86263f5430"
-            }
-          ]
-        }
-      ]
-    },
     {
       "package": {
         "ecosystem": "Go",
diff --git a/advisories/github-reviewed/2026/01/GHSA-fphv-w9fq-2525/GHSA-fphv-w9fq-2525.json b/advisories/github-reviewed/2026/01/GHSA-fphv-w9fq-2525/GHSA-fphv-w9fq-2525.json
@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fphv-w9fq-2525",
+  "modified": "2026-01-21T16:19:32Z",
+  "published": "2026-01-21T16:19:32Z",
+  "aliases": [
+    "CVE-2026-23992"
+  ],
+  "summary": "go-tuf improperly validates the configured threshold for delegations",
+  "details": "# Security Disclosure: Improper validation of configured threshold for delegations\n\n## Summary\n\nA compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. \n\n## Impact\n\nUnathorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made.\n\n## Patches\n\nUpgrade to v2.3.1\n\n## Workarounds\n\nAlways make sure that the TUF metadata roles are configured with a threshold of at least 1.\n\n## Affected code:\n\nThe `metadata.VerifyDelegate` did not verify the configured threshold prior to comparison. This means that a misconfigured TUF repository could disable the signature verification by setting the threshold to 0, or a negative value (and so always make the signature threshold computation to pass).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/theupdateframework/go-tuf/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/theupdateframework/go-tuf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.7.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/theupdateframework/go-tuf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-347"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T16:19:32Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-mx8m-v8qm-xwr8/GHSA-mx8m-v8qm-xwr8.json b/advisories/github-reviewed/2026/01/GHSA-mx8m-v8qm-xwr8/GHSA-mx8m-v8qm-xwr8.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mx8m-v8qm-xwr8",
-  "modified": "2026-01-16T20:58:33Z",
+  "modified": "2026-01-21T16:19:03Z",
   "published": "2026-01-16T12:30:25Z",
   "aliases": [
     "CVE-2025-14435"
@@ -80,25 +80,6 @@
       "database_specific": {
         "last_known_affected_version_range": "<= 11.0.6"
       }
-    },
-    {
-      "package": {
-        "ecosystem": "Go",
-        "name": "github.com/mattermost/mattermost/server/v8"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "0"
-            },
-            {
-              "fixed": "8.0.0-20251210072417-cc6b77b27132"
-            }
-          ]
-        }
-      ]
     }
   ],
   "references": [
