Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 92f2236c95e2 · 2025-12-10T21:56:10.000Z
GHSA-mr6f-h57v-rpj5 GHSA-qwcc-2r77-5w2f GHSA-wcgj-f865-c7j7
diff --git a/advisories/github-reviewed/2025/12/GHSA-mr6f-h57v-rpj5/GHSA-mr6f-h57v-rpj5.json b/advisories/github-reviewed/2025/12/GHSA-mr6f-h57v-rpj5/GHSA-mr6f-h57v-rpj5.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mr6f-h57v-rpj5",
-  "modified": "2025-12-10T21:35:58Z",
+  "modified": "2025-12-10T21:55:26Z",
   "published": "2025-12-10T21:35:58Z",
   "aliases": [
     "CVE-2025-67716"
   ],
   "summary": "Improper Validation of Query Parameters in Auth0 Next.js SDK",
-  "details": "### Description\nAn input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters\n\n### Am I Affected?\nYou are affected if you meet the following preconditions:\n- Applications using the auth0/nextjs-auth0 SDK version prior to 4.13.0\n\n### Affected product and versions\nAuth0/nextjs-auth0 versions >= 4.9.0 and < 4.13.0\n\n\n### Resolution\nUpgrade Auth0/nextjs-auth0 version to v4.13.0\n\n### Acknowledgements\nOkta would like to thank Joshua Rogers for their discovery and responsible disclosure.",
+  "details": "### Description\nAn input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters\n\n### Am I Affected?\nYou are affected if you meet the following preconditions:\n- Applications using the auth0/nextjs-auth0 SDK version prior to 4.13.0\n\n### Affected product and versions\nAuth0/nextjs-auth0 versions >= 4.9.0 and < 4.13.0\n\n\n### Resolution\nUpgrade Auth0/nextjs-auth0 version to v4.13.0\n\n### Acknowledgements\nOkta would like to thank Joshua Rogers (MegaManSec) for their discovery and responsible disclosure.",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2025/12/GHSA-qwcc-2r77-5w2f/GHSA-qwcc-2r77-5w2f.json b/advisories/github-reviewed/2025/12/GHSA-qwcc-2r77-5w2f/GHSA-qwcc-2r77-5w2f.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qwcc-2r77-5w2f",
-  "modified": "2025-12-10T18:30:26Z",
+  "modified": "2025-12-10T21:55:41Z",
   "published": "2025-12-10T18:30:26Z",
   "aliases": [
     "CVE-2025-65807"
   ],
+  "summary": "sd changes the group ownership of the source file",
   "details": "An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "sd"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.0.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -24,21 +45,17 @@
       "url": "https://gist.github.com/faabbi/827f10e144fdd342e13a3dd838902e83"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/chmln/sd"
-    },
-    {
-      "type": "WEB",
-      "url": "http://sd.com"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-266"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-10T21:55:41Z",
     "nvd_published_at": "2025-12-10T16:16:27Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/12/GHSA-wcgj-f865-c7j7/GHSA-wcgj-f865-c7j7.json b/advisories/github-reviewed/2025/12/GHSA-wcgj-f865-c7j7/GHSA-wcgj-f865-c7j7.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wcgj-f865-c7j7",
-  "modified": "2025-12-10T21:31:24Z",
+  "modified": "2025-12-10T21:54:41Z",
   "published": "2025-12-10T21:31:24Z",
   "aliases": [
     "CVE-2025-67490"
   ],
   "summary": "Improper Request Caching Lookup in the Auth0 Next.js SDK",
-  "details": "### Description\nWhen using affected versions of the Next.js SDK, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results.\n\n### Am I Affected?\nYou are affected if you meet the following preconditions:\n- Applications using the auth0/nextjs-auth0 SDK with a singleton client instance, versions 4.11.0, 4.11.1, and 4.12.0.\n\n### Affected product and versions\nAuth0/nextjs-auth0 v4.11.0, v4.11.1, and v4.12.0.\n\n### Resolution\nUpgrade Auth0/nextjs-auth0 version to v4.11.2 or v4.12.1\n\n### Acknowledgements\nOkta would like to thank Joshua Rogers for their discovery and responsible disclosure.",
+  "details": "### Description\nWhen using affected versions of the Next.js SDK, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results.\n\n### Am I Affected?\nYou are affected if you meet the following preconditions:\n- Applications using the auth0/nextjs-auth0 SDK with a singleton client instance, versions 4.11.0, 4.11.1, and 4.12.0.\n\n### Affected product and versions\nAuth0/nextjs-auth0 v4.11.0, v4.11.1, and v4.12.0.\n\n### Resolution\nUpgrade Auth0/nextjs-auth0 version to v4.11.2 or v4.12.1\n\n### Acknowledgements\nOkta would like to thank Joshua Rogers (MegaManSec) for their discovery and responsible disclosure.",
   "severity": [
     {
       "type": "CVSS_V3",
