Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 891ced1ae636 · 2025-12-09T14:26:22.000Z
GHSA-4rmq-mc2c-r495 GHSA-8jcj-g9f4-qx42 GHSA-8p44-g572-557h GHSA-hxp3-63hc-5366 GHSA-mg56-wc4q-rw4w GHSA-qgjp-5g5x-vhq2
diff --git a/advisories/github-reviewed/2025/12/GHSA-4rmq-mc2c-r495/GHSA-4rmq-mc2c-r495.json b/advisories/github-reviewed/2025/12/GHSA-4rmq-mc2c-r495/GHSA-4rmq-mc2c-r495.json
@@ -0,0 +1,116 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4rmq-mc2c-r495",
+  "modified": "2025-12-09T14:25:03Z",
+  "published": "2025-12-09T14:25:03Z",
+  "aliases": [],
+  "summary": "Babylon Incorrect FP inactive accounting in costaking creates “phantom stake” that earns rewards after BTC unbond",
+  "details": "### Summary\n\nA state consistency bug in `x/costaking` can leave a BTC delegator with non-zero `ActiveSatoshis` (Phatom Stake) even after they have fully unbonded their BTC delegation, if their Finality Provider (FP) drops out of the active set in the exact same babylon block height. This creates a “phantom stake”: the delegator’s BTC capital is withdrawn, the FP is inactive, but costaking continues to treat the delegation as active BTC stake allowing ongoing rewards accrual without backing BTC.\n\n### Impact\n\nAn address can keep earning costaking rewards with zero BTC staked.\n\nReported by @BottyBott.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/babylonlabs-io/babylon/v4"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.2.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/babylonlabs-io/babylon/v3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "3.0.0-snapshot.250805a"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/babylonlabs-io/babylon/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.3.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/babylonlabs-io/babylon"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/babylonlabs-io/babylon/security/advisories/GHSA-4rmq-mc2c-r495"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/babylonlabs-io/babylon/commit/e65c3a55a398a403103f1b089cf76f0d4befc7a0"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/babylonlabs-io/babylon"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-459"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T14:25:03Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-8jcj-g9f4-qx42/GHSA-8jcj-g9f4-qx42.json b/advisories/github-reviewed/2025/12/GHSA-8jcj-g9f4-qx42/GHSA-8jcj-g9f4-qx42.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8jcj-g9f4-qx42",
-  "modified": "2025-12-08T18:30:42Z",
+  "modified": "2025-12-09T14:25:29Z",
   "published": "2025-12-08T18:30:42Z",
   "aliases": [
     "CVE-2025-65796"
   ],
+  "summary": "memos vulnerability allows arbitrarily reactions deletion",
   "details": "Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/usememos/memos"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.25.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/usememos/memos/pull/5217"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/usememos/memos/commit/769dcd0cf9be83d472829f6e7903b201e42f6b3c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/usememos/memos"
+    },
     {
       "type": "WEB",
       "url": "https://herolab.usd.de/security-advisories/usd-2025-0060"
@@ -41,8 +70,8 @@
       "CWE-284"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T14:25:29Z",
     "nvd_published_at": "2025-12-08T16:15:53Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/12/GHSA-8p44-g572-557h/GHSA-8p44-g572-557h.json b/advisories/github-reviewed/2025/12/GHSA-8p44-g572-557h/GHSA-8p44-g572-557h.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8p44-g572-557h",
-  "modified": "2025-12-08T18:30:42Z",
+  "modified": "2025-12-09T14:25:35Z",
   "published": "2025-12-08T18:30:42Z",
   "aliases": [
     "CVE-2025-65798"
   ],
+  "summary": "memos vulnerability allows arbitrarily modification or deletion of attachments",
   "details": "Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/usememos/memos"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.25.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/usememos/memos/pull/5217"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/usememos/memos/commit/769dcd0cf9be83d472829f6e7903b201e42f6b3c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/usememos/memos"
+    },
     {
       "type": "WEB",
       "url": "https://herolab.usd.de/security-advisories/usd-2025-0059"
@@ -41,8 +70,8 @@
       "CWE-284"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T14:25:35Z",
     "nvd_published_at": "2025-12-08T16:15:53Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/12/GHSA-hxp3-63hc-5366/GHSA-hxp3-63hc-5366.json b/advisories/github-reviewed/2025/12/GHSA-hxp3-63hc-5366/GHSA-hxp3-63hc-5366.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hxp3-63hc-5366",
+  "modified": "2025-12-09T14:25:16Z",
+  "published": "2025-12-09T14:25:15Z",
+  "aliases": [
+    "CVE-2025-66645"
+  ],
+  "summary": "NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read",
+  "details": "### Summary\n\nA directory traversal vulnerability in NiceGUI's `App.add_media_files()` allows a remote attacker to read arbitrary files on the server filesystem.\n\n### Details\n\nHello, I am Seungbin Yang, a university student studying cybersecurity. \nWhile reviewing the source code of the repository, I discovered a potential vulnerability and successfully verified it with a PoC.\n\nThe `App.add_media_files(url_path, local_directory)` method allows users to serve media files. However, the implementation lacks proper path validation.\n\n```python\ndef add_media_files(self, url_path: str, local_directory: Union[str, Path]) -> None:\n    @self.get(url_path.rstrip('/') + '/{filename:path}')\n    def read_item(request: Request, filename: str, nicegui_chunk_size: int = 8192) -> Response:\n        filepath = Path(local_directory) / filename\n        if not filepath.is_file():\n            raise HTTPException(status_code=404, detail='Not Found')\n        return get_range_response(filepath, request, chunk_size=nicegui_chunk_size)\n```\nRoot Cause:\n1. The `{filename:path}` parameter accepts full paths, including traversal sequences like `../`.\n2. The code simply joins local_directory and filename without checking if the result is still inside the local_directory.\n3. There is no path sanitization or boundary check.\n\nConsequence:\nAn attacker can use `..` to access files outside the intended directory. If the application has permission, sensitive files (e.g., /etc/hosts, source code, config files) can be exposed.\n\n### POC\n1. Create `poc.py`:\n```python\n# poc.py\nfrom pathlib import Path\nfrom nicegui import app, ui\n\nMEDIA_DIR = Path(__file__).parent / 'media'\nMEDIA_DIR.mkdir(exist_ok=True)\n\n# Expose local \"media\" directory at /media\napp.add_media_files('/media', MEDIA_DIR)\n\n@ui.page('/')\ndef index():\n    ui.label('NiceGUI media PoC')\n\nui.run(port=8080, reload=False)\n```\n\n2. Run the application: `python3 poc.py`\n\n3. Exploit with curl: Use URL-encoded dots (`%2e`) to bypass client-side checks.\n```curl -v \"http://localhost:8080/media/%2e%2e/%2e%2e/%2e%2e/etc/hosts\"```\n\n\n### Result:\nThe HTTP status is 200 OK, and the response body contains the contents of the server’s /etc/hosts file.\n\nI have attached a screenshot of the successful exploitation below. As shown in the image, the content of /etc/hosts displayed via cat matches the output received from the curl request perfectly.\n\n<img width=\"1728\" height=\"1078\" alt=\"POC screenshot\" src=\"https://github.com/user-attachments/assets/6c1be75b-6be2-4372-90df-55042c1e4775\" />\n\n### Impact\n\nAny NiceGUI application that calls app.add_media_files() on a URL path reachable by an attacker is affected. An unauthenticated remote attacker can read sensitive files outside the intended media directory, potentially exposing:\n\n•Application source code and configuration files\n•Credentials, API keys, and secrets\n•Operating system configuration files (e.g., /etc/passwd, /etc/hosts)\n\nThis is my first github vulnerability report, so I would appreciate your understanding regarding any potential shortcomings. If you require any further information or clarification, please feel free to contact me at y4rvin@naver.com.\n\nThank you.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "nicegui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.4.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/zauberzeug/nicegui"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T14:25:15Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-mg56-wc4q-rw4w/GHSA-mg56-wc4q-rw4w.json b/advisories/github-reviewed/2025/12/GHSA-mg56-wc4q-rw4w/GHSA-mg56-wc4q-rw4w.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mg56-wc4q-rw4w",
-  "modified": "2025-12-08T18:30:44Z",
+  "modified": "2025-12-09T14:25:51Z",
   "published": "2025-12-08T18:30:44Z",
   "aliases": [
     "CVE-2025-65795"
   ],
+  "summary": "memos vulnerability allows the creation of arbitrary accounts",
   "details": "Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/usememos/memos"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.25.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/usememos/memos/pull/5217"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/usememos/memos/commit/769dcd0cf9be83d472829f6e7903b201e42f6b3c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/usememos/memos"
+    },
     {
       "type": "WEB",
       "url": "https://herolab.usd.de/usd-2025-0058"
@@ -41,8 +70,8 @@
       "CWE-284"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T14:25:51Z",
     "nvd_published_at": "2025-12-08T17:16:21Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/12/GHSA-qgjp-5g5x-vhq2/GHSA-qgjp-5g5x-vhq2.json b/advisories/github-reviewed/2025/12/GHSA-qgjp-5g5x-vhq2/GHSA-qgjp-5g5x-vhq2.json
