
Commit 60e4323

1 parent da47477 commit 60e4323


4 files changed, +264 -4 lines changed

Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,87 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-45p5-v273-3qqr",
4+
"modified": "2025-10-22T19:38:11Z",
5+
"published": "2025-10-22T19:38:11Z",
6+
"aliases": [
7+
"CVE-2025-11966"
8+
],
9+
"summary": "Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names",
10+
"details": "# Description\n\n- In the `StaticHandlerImpl#sendDirectoryListing(...)` method under the `text/html` branch, file and directory names are directly embedded into the `href`, `title`, and link text without proper HTML escaping.\n- As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.\n- Affected Code:\n - File: `vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java`\n - Lines:\n - 709–713: `normalizedDir` is constructed without escaping\n - 714–731: `<li><a ...>` elements insert file names directly into attributes and body without escaping\n - 744: parent directory name construction\n - 746–751: `{directory}`, `{parent}`, and `{files}` are inserted into the HTML template without escaping\n\n# Reproduction Steps\n\n1. Prerequisites:\n - Directory listing is enabled using `StaticHandler` \n (e.g., `StaticHandler.create(\"public\").setDirectoryListing(true)`)\n - The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)\n\n2. Create a malicious file name (example for Unix-based OS):\n - Create an empty file in `public/` with one of the following names:\n - `<img src=x onerror=alert('XSS')>.txt`\n - Or attribute injection: `evil\" onmouseover=\"alert('XSS')\".txt`\n - Example:\n ```bash\n mkdir -p public\n printf 'test' > \"public/<img src=x onerror=alert('XSS')>.txt\"\n ```\n\n3. Start the server (example):\n - Routing: `router.route(\"/public/*\").handler(StaticHandler.create(\"public\").setDirectoryListing(true));`\n - Server: `vertx.createHttpServer().requestHandler(router).listen(8890);`\n\n4. Verification request (raw HTTP):\n ```\n GET /public/ HTTP/1.1\n Host: 127.0.0.1:8890\n Accept: text/html\n Connection: close\n ```\n\n5. 
Example response excerpt:\n ```html\n <ul id=\"files\">\n <li>\n <a href=\"/public/<img src=x onerror=alert('XSS')>.txt\"\n title=\"<img src=x onerror=alert('XSS')>.txt\">\n <img src=x onerror=alert('XSS')>.txt\n </a>\n </li>\n ...\n </ul>\n ```\n\n- When accessing `/public/` in a browser, the unescaped file name is interpreted as HTML, and event handlers such as `onerror` are executed.\n\n# Potential Impact\n\n- **Stored XSS**\n - Arbitrary JavaScript executes in the browser context of users viewing the listing page\n - Possible consequences:\n - Theft of session tokens, JWTs, localStorage contents, or CSRF tokens\n - Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)\n - Watering hole attacks, including malware distribution or malicious script injection to other pages\n\n- **Common Conditions That Make Exploitation Easier**\n - Uploaded files are served directly under a publicly accessible directory\n - Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed\n - ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments\n\n# Similar CVEs Previously Reported\n\n- CVE‑2024‑32966 \n- CVE‑2019‑15603",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "io.vertx:vertx-web"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.5.22"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Maven",
40+
"name": "io.vertx:vertx-web"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "5.0.0"
48+
},
49+
{
50+
"fixed": "5.0.5"
51+
}
52+
]
53+
}
54+
],
55+
"database_specific": {
56+
"last_known_affected_version_range": "<= 5.0.4"
57+
}
58+
}
59+
],
60+
"references": [
61+
{
62+
"type": "WEB",
63+
"url": "https://github.com/vert-x3/vertx-web/security/advisories/GHSA-45p5-v273-3qqr"
64+
},
65+
{
66+
"type": "ADVISORY",
67+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
68+
},
69+
{
70+
"type": "PACKAGE",
71+
"url": "https://github.com/vert-x3/vertx-web"
72+
},
73+
{
74+
"type": "WEB",
75+
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
76+
}
77+
],
78+
"database_specific": {
79+
"cwe_ids": [
80+
"CWE-79"
81+
],
82+
"severity": "LOW",
83+
"github_reviewed": true,
84+
"github_reviewed_at": "2025-10-22T19:38:11Z",
85+
"nvd_published_at": "2025-10-22T15:15:31Z"
86+
}
87+
}
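Review bot: the `references` block for GHSA-45p5-v273-3qqr carries the GHSA page, the NVD entry, the package and the Eclipse GitLab issue, but no fixing commit or pull request, so nothing in the record ties the `fixed` events `4.5.22` and `5.0.5` to an actual change in vertx-web; add the fix commit as a reference (OSV defines the `FIX` type for this, or `WEB` as the rest of this database does) so consumers can verify the bounds. Two smaller points in the `details` string: the "Similar CVEs Previously Reported" entries are written as `CVE‑2024‑32966` and `CVE‑2019‑15603` with a non-ASCII hyphen, unlike the `CVE-2025-11966` alias earlier in the same text, which defeats a plain-text search for those identifiers (replace with ASCII hyphen-minus); and the "Affected Code" section cites bare line numbers (709–713, 714–731, 744, 746–751) of `StaticHandlerImpl.java` with no commit or tag to read them against, so they will drift as the file changes.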

advisories/unreviewed/2025/10/GHSA-8mf9-rmgw-33qc/GHSA-8mf9-rmgw-33qc.json renamed to advisories/github-reviewed/2025/10/GHSA-8mf9-rmgw-33qc/GHSA-8mf9-rmgw-33qc.json

Lines changed: 29 additions & 4 deletions
@@ -1,19 +1,40 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-8mf9-rmgw-33qc",
4-
"modified": "2025-10-22T15:31:12Z",
4+
"modified": "2025-10-22T19:38:34Z",
55
"published": "2025-10-22T15:31:11Z",
66
"aliases": [
77
"CVE-2025-11844"
88
],
9+
"summary": "Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function",
910
"details": "Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "smolagents"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.22.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1738
"references": [
1839
{
1940
"type": "ADVISORY",
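Review bot: the new `affected` entry sets `"introduced": "0"` with `"fixed": "1.22.0"`, which flags every smolagents release before 1.22.0, while the `details` text only names version 1.20.0 as vulnerable. That is the right conservative bound if `search_item_ctrl_f` in `src/smolagents/vision_web_browser.py` has concatenated unescaped input since it was first added; if the function (or the vulnerable concatenation) appeared in a specific release, set `introduced` to that version so earlier releases are not reported. Either way the `fixed` event agrees with "The issue is fixed in version 1.22.0" in the details, so the upper bound is consistent.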
@@ -23,6 +44,10 @@
2344
"type": "WEB",
2445
"url": "https://github.com/huggingface/smolagents/commit/f570ed5e17999d4cf7d5e79c2830fbaefab8a794"
2546
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/huggingface/smolagents"
50+
},
2651
{
2752
"type": "WEB",
2853
"url": "https://huntr.com/bounties/01ab4405-9bca-4b26-b7a3-5ca1863a69b4"
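Review bot: the `PACKAGE` reference is the right addition for review, but the fix commit `huggingface/smolagents/commit/f570ed5e…` in the context just above this insertion is still typed `WEB`; the OSV schema has a `FIX` reference type for exactly this, which lets tooling pair the `"fixed": "1.22.0"` event with the change that closed the bug. Consider retyping that entry while the file is being touched.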
@@ -33,8 +58,8 @@
3358
"CWE-643"
3459
],
3560
"severity": "MODERATE",
36-
"github_reviewed": false,
37-
"github_reviewed_at": null,
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2025-10-22T19:38:34Z",
3863
"nvd_published_at": "2025-10-22T14:15:49Z"
3964
}
4065
}
Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-ghfh-fmx4-26h8",
4+
"modified": "2025-10-22T19:37:53Z",
5+
"published": "2025-10-22T19:37:53Z",
6+
"aliases": [
7+
"CVE-2025-62513"
8+
],
9+
"summary": "OpenBao leaks HTTPRawBody in Audit Logs",
10+
"details": "### Impact\n\nOpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This impacted the following subsystems:\n\n - When using the ACME functionality of PKI, this would result in short-lived ACME verification challenge codes being leaked in the audit logs.\n - When using the OIDC issuer functionality of the identity subsystem, auth and token response codes along with claims could be leaked in the audit logs.\n\nThird-party plugins may be affected.\n\n### Patches\n\nOpenBao v2.4.2 will patch this issue.\n\n### Workarounds\n\nIf users do not use the above functionality, they are not impacted. ACME verification codes are not usable after verification or challenge expiry so are of limited long-term use.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/openbao/openbao"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0.0.0-20241114205727-b1235e585db7"
29+
},
30+
{
31+
"fixed": "0.0.0-20251022165510-cc2c476bac66"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-ghfh-fmx4-26h8"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/openbao/openbao"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-532"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2025-10-22T19:37:53Z",
59+
"nvd_published_at": null
60+
}
61+
}
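Review bot: both bounds of the `affected` range are Go pseudo-versions (`0.0.0-20241114205727-b1235e585db7` to `0.0.0-20251022165510-cc2c476bac66`), and the `fixed` one does match the referenced commit `cc2c476bac66…`, but the `details` text says "OpenBao v2.4.2 will patch this issue", and no tagged release appears anywhere in the record. Under semver a `0.0.0-…` pre-release sorts below any tagged `v2.x.y`, so a scanner that compares an installed tagged version against these bounds will treat it as past `fixed` and report it unaffected. Add the tagged release as an event once v2.4.2 exists, and in the meantime add a `database_specific.last_known_affected_version_range` (the two Vert.x advisories in this same commit use that field) so version-based consumers have something to match. Minor: `"nvd_published_at": null` alongside the `CVE-2025-62513` alias is fine for now but should be backfilled when NVD publishes.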
Lines changed: 87 additions & 0 deletions
@@ -0,0 +1,87 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-h5fg-jpgr-rv9c",
4+
"modified": "2025-10-22T19:38:04Z",
5+
"published": "2025-10-22T19:38:04Z",
6+
"aliases": [
7+
"CVE-2025-11965"
8+
],
9+
"summary": "Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories",
10+
"details": "# Description\n\nThere is a flaw in the hidden file protection feature of Vert.x Web’s `StaticHandler` when `setIncludeHidden(false)` is configured.\n\nIn the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (`.`) are treated as “hidden” and are blocked from being served. However, this logic fails in the following cases:\n\n- **Files under hidden directories**: For example, `/.secret/config.txt` — although `.secret` is a hidden directory, the file `config.txt` itself does not start with a dot, so it gets served.\n- **Real-world impact**: Sensitive files placed in hidden directories like `.git`, `.env`, `.aws` may become publicly accessible.\n\nAs a result, the behavior does not meet the expectations set by the `includeHidden=false` configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information.\n\n# Steps to Reproduce\n\n```bash\n1. Prepare test environment\n\n# Create directory structure\nmkdir -p src/test/resources/webroot/.secret\nmkdir -p src/test/resources/webroot/.git\n\n# Place test files\necho \"This is a visible file\" > src/test/resources/webroot/visible.txt\necho \"This is a hidden file\" > src/test/resources/webroot/.hidden.txt\necho \"SECRET DATA: API_KEY=abc123\" > src/test/resources/webroot/.secret/config.txt\necho \"Git config data\" > src/test/resources/webroot/.git/config\n```\n\n```java\n2. 
Implement test server\n\nimport io.vertx.core.AbstractVerticle;\nimport io.vertx.core.Vertx;\nimport io.vertx.ext.web.Router;\nimport io.vertx.ext.web.handler.StaticHandler;\n\npublic class StaticHandlerTestServer extends AbstractVerticle {\n @Override\n public void start() {\n Router router = Router.router(vertx);\n\n // Configure to not serve hidden files\n StaticHandler staticHandler = StaticHandler.create(\"src/test/resources/webroot\")\n .setIncludeHidden(false)\n .setDirectoryListing(false);\n\n router.route(\"/*\").handler(staticHandler);\n\n vertx.createHttpServer()\n .requestHandler(router)\n .listen(8082);\n }\n\n public static void main(String[] args) {\n Vertx vertx = Vertx.vertx();\n vertx.deployVerticle(new StaticHandlerTestServer());\n }\n}\n```\n\n```bash\n3. Confirm the vulnerability\n\n# Normal file (accessible)\ncurl http://localhost:8082/visible.txt\n# Result: 200 OK\n\n# Hidden file (correctly blocked)\ncurl http://localhost:8082/.git\n# Result: 404 Not Found\n\n# File under hidden directory (vulnerable)\ncurl http://localhost:8082/.git/config\n# Result: 200 OK - Returns contents of Git config\n```\n\n# Potential Impact\n\n## 1. Information Disclosure\n\nExamples of sensitive files that could be exposed:\n\n- `.git/config`: Git repository settings (e.g., remote URL, credentials)\n- `.env/*`: Environment variables (API keys, DB credentials)\n- `.aws/credentials`: AWS access keys\n- `.ssh/known_hosts`: SSH host trust info\n- `.docker/config.json`: Docker registry credentials\n\n## 2. Attack Scenarios\n\n- Attackers can guess common hidden directory names and enumerate filenames under them to access confidential data.\n- Especially dangerous for `.git/HEAD`, `.git/config`, `.git/objects/*` — which may allow full reconstruction of source code.\n\n## 3. 
Affected Scope\n\n- **Affected version**: Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)\n- **Environments**: All OSes (Windows, Linux, macOS)\n- **Configurations**: All applications using `StaticHandler.setIncludeHidden(false)`",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "io.vertx:vertx-web"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.5.22"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Maven",
40+
"name": "io.vertx:vertx-web"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "5.0.0"
48+
},
49+
{
50+
"fixed": "5.0.5"
51+
}
52+
]
53+
}
54+
],
55+
"database_specific": {
56+
"last_known_affected_version_range": "<= 5.0.4"
57+
}
58+
}
59+
],
60+
"references": [
61+
{
62+
"type": "WEB",
63+
"url": "https://github.com/vert-x3/vertx-web/security/advisories/GHSA-h5fg-jpgr-rv9c"
64+
},
65+
{
66+
"type": "ADVISORY",
67+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11965"
68+
},
69+
{
70+
"type": "PACKAGE",
71+
"url": "https://github.com/vert-x3/vertx-web"
72+
},
73+
{
74+
"type": "WEB",
75+
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/304"
76+
}
77+
],
78+
"database_specific": {
79+
"cwe_ids": [
80+
"CWE-552"
81+
],
82+
"severity": "MODERATE",
83+
"github_reviewed": true,
84+
"github_reviewed_at": "2025-10-22T19:38:04Z",
85+
"nvd_published_at": "2025-10-22T15:15:31Z"
86+
}
87+
}
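Review bot: the `details` text's "Affected Scope" names `Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)` as the tested version, but the `affected` ranges stop at `"fixed": "5.0.5"` with `last_known_affected_version_range` `<= 5.0.4`, so a 5.1.0 snapshot falls outside every range and would be treated as unaffected; either confirm the fix landed on the 5.x development branch before 5.1.0 and say so, or widen the second range. Also, in the reproduction section the step headings are placed inside the code fences: the first ```` ```bash ```` block opens with `1. Prepare test environment` and the ```` ```java ```` block opens with `2. Implement test server` before the `import` lines, so the Java block does not compile as shown and the shell block errors on its first line if pasted. Moving the numbered headings outside the fences keeps the record copy-paste clean.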
