Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit f8bd202bc549 · 2026-01-23T16:57:50.000Z
GHSA-7gcm-g887-7qv7 GHSA-c32p-wcqj-j677 GHSA-hx9q-6w63-j58v
diff --git a/advisories/github-reviewed/2026/01/GHSA-7gcm-g887-7qv7/GHSA-7gcm-g887-7qv7.json b/advisories/github-reviewed/2026/01/GHSA-7gcm-g887-7qv7/GHSA-7gcm-g887-7qv7.json
@@ -1,36 +1,65 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7gcm-g887-7qv7",
-  "modified": "2026-01-23T15:31:35Z",
+  "modified": "2026-01-23T16:56:33Z",
   "published": "2026-01-23T15:31:35Z",
   "aliases": [
     "CVE-2026-0994"
   ],
+  "summary": "protobuf affected by a JSON recursion depth bypass",
   "details": "A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\n\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "protobuf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "6.33.4"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0994"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/protocolbuffers/protobuf/issues/25070"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/protocolbuffers/protobuf/pull/25239"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/protocolbuffers/protobuf"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-674"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T16:56:33Z",
     "nvd_published_at": "2026-01-23T15:16:06Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/01/GHSA-c32p-wcqj-j677/GHSA-c32p-wcqj-j677.json b/advisories/github-reviewed/2026/01/GHSA-c32p-wcqj-j677/GHSA-c32p-wcqj-j677.json
@@ -0,0 +1,92 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c32p-wcqj-j677",
+  "modified": "2026-01-23T16:56:23Z",
+  "published": "2026-01-23T16:56:23Z",
+  "aliases": [],
+  "summary": "CometBFT has inconsistencies between how commit signatures are verified and how block time is derived",
+  "details": "# CSA-2026-001: Tachyon\n\n## Description\n\n**Name:** CSA-2026-001: Tachyon\n\n**Criticality:** Critical (Catastrophic Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\n\n**Affected versions:** All versions of CometBFT\n\n**Affected users:** Validators and protocols relying on block timestamps\n\n## Description\n\nA consensus-level vulnerability was discovered in CometBFT's \"BFT Time\" implementation due to an inconsistency between how commit signatures are verified and how block time is derived.\n\nThis breaks a core BFT Time guarantee: \"A faulty process cannot arbitrarily increase the Time value.\"\n\n## Impact\n\nDownstream impact on chains affects any module, smart contract, or system that relies on the block timestamp.\n\n## Patches\n\nThe new CometBFT releases [v0.38.21](https://github.com/cometbft/cometbft/releases/tag/v0.38.21) and [v0.37.18](https://github.com/cometbft/cometbft/releases/tag/v0.37.18) fix this issue. The `main` unreleased branch is also patched.\n\n## Workarounds\n\nThere are no effective workarounds for this vulnerability. Upgrading to patched versions is required.\n\n## Timeline\n\n- January 8, 2026, 5:27PM UTC: Issue reported to Cosmos Bug Bounty Program\n- January 9, 2026, 4:55AM UTC: Issue triaged and validated by core team\n- January 12, 2026, 10:25PM UTC: Core team completes patch for the issue\n- January 13, 2026 4:41PM UTC: Pre-notification delivered to ecosystem partners\n- January 23, 2026, 3:00PM UTC: Patch made available\n\n## Credits\n\nThis issue was reported to the Cosmos Bug Bounty Program on HackerOne. Credit to SEAL 911 and [QED Audit](https://x.com/QED_Audit) for the discovery and help with the patch.\n\nIf you believe you have found a bug in the Cosmos Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Cosmos security efforts, please reach out to our official communication channel at security@cosmoslabs.io.\n\nA Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/cometbft/cometbft"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.38.0-alpha.1"
+            },
+            {
+              "fixed": "0.38.21"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.38.20"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/cometbft/cometbft"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.37.18"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.37.17"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-c32p-wcqj-j677"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cometbft/cometbft/commit/bf8274fcdbcab2bc652660ae627196a90a6efb97"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/cometbft/cometbft"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cometbft/cometbft/releases/tag/v0.37.18"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cometbft/cometbft/releases/tag/v0.38.21"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-703"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-23T16:56:23Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-hx9q-6w63-j58v/GHSA-hx9q-6w63-j58v.json b/advisories/github-reviewed/2026/01/GHSA-hx9q-6w63-j58v/GHSA-hx9q-6w63-j58v.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hx9q-6w63-j58v",
-  "modified": "2026-01-22T18:55:43Z",
+  "modified": "2026-01-23T16:56:03Z",
   "published": "2026-01-22T18:30:33Z",
   "aliases": [
     "CVE-2025-67221"
@@ -40,6 +40,14 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67221"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ijl/orjson/issues/620"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kpatsakis/CVE-2025-67221/issues/1"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/ijl/orjson"
