Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit c363ba85117f · 2025-11-15T03:19:09.000Z
GHSA-f3f8-vx3w-hp5q GHSA-fpm5-2wcj-vfr7 GHSA-w2vj-39qv-7vh7
diff --git a/advisories/github-reviewed/2024/11/GHSA-f3f8-vx3w-hp5q/GHSA-f3f8-vx3w-hp5q.json b/advisories/github-reviewed/2024/11/GHSA-f3f8-vx3w-hp5q/GHSA-f3f8-vx3w-hp5q.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f3f8-vx3w-hp5q",
-  "modified": "2025-04-08T17:52:08Z",
+  "modified": "2025-11-15T03:17:05Z",
   "published": "2024-11-06T15:57:08Z",
   "aliases": [
     "CVE-2024-10081"
@@ -36,10 +36,7 @@
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "<= 6.24.1"
-      }
+      ]
     }
   ],
   "references": [
diff --git a/advisories/github-reviewed/2024/11/GHSA-fpm5-2wcj-vfr7/GHSA-fpm5-2wcj-vfr7.json b/advisories/github-reviewed/2024/11/GHSA-fpm5-2wcj-vfr7/GHSA-fpm5-2wcj-vfr7.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fpm5-2wcj-vfr7",
-  "modified": "2025-01-21T17:59:36Z",
+  "modified": "2025-11-15T03:17:21Z",
   "published": "2024-11-06T15:57:57Z",
   "aliases": [
     "CVE-2024-10082"
   ],
   "summary": "codechecker authentication method confusion vulnerability allows logging in as the built-in root user from an external service",
-  "details": "### Summary\nAuthentication method confusion allows logging in as the built-in root user from an external service. The built-in root user is generated in a weak manner, cannot be disabled, and has universal access. \n\n### Details\nUntil CodeChecker version 6.24.1 there was an auto-generated super-user account that could not be disabled.\nThe attacker needs to know only the username of the root user.\n\nThis root user is unconditionally assigned superuser permissions.\n\nWhich means that if any user via any service logs in with the root user's username, they will unconditionally have superuser permissions on the CodeChecker instance.\n\nThe name of the user name can be found in `root.user` file in the CodeChecker configuration directory.\nYou can check if you are impacted by checking the existence of this user in the external authentication services (e.g. LDAP, PAM etc.).\n\n### Impact\nThis vulnerability allows an attacker who can create an account on an enabled external authentication service, to log in as the root user, and access and control everything that can be controlled via the web interface.\nThe attacker needs to acquire the username of the root user to be successful.\n",
+  "details": "### Summary\nAuthentication method confusion allows logging in as the built-in root user from an external service. The built-in root user is generated in a weak manner, cannot be disabled, and has universal access. \n\n### Details\nUntil CodeChecker version 6.24.1 there was an auto-generated super-user account that could not be disabled.\nThe attacker needs to know only the username of the root user.\n\nThis root user is unconditionally assigned superuser permissions.\n\nWhich means that if any user via any service logs in with the root user's username, they will unconditionally have superuser permissions on the CodeChecker instance.\n\nThe name of the user name can be found in `root.user` file in the CodeChecker configuration directory.\nYou can check if you are impacted by checking the existence of this user in the external authentication services (e.g. LDAP, PAM etc.).\n\n### Impact\nThis vulnerability allows an attacker who can create an account on an enabled external authentication service, to log in as the root user, and access and control everything that can be controlled via the web interface.\nThe attacker needs to acquire the username of the root user to be successful.",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2025/11/GHSA-w2vj-39qv-7vh7/GHSA-w2vj-39qv-7vh7.json b/advisories/github-reviewed/2025/11/GHSA-w2vj-39qv-7vh7/GHSA-w2vj-39qv-7vh7.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w2vj-39qv-7vh7",
-  "modified": "2025-11-13T22:38:30Z",
+  "modified": "2025-11-15T03:16:38Z",
   "published": "2025-11-13T22:38:30Z",
   "aliases": [
     "CVE-2025-64745"
   ],
   "summary": "Astro development server error page vulnerable to reflected Cross-site Scripting",
-  "details": "## Summary\n\nA Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links.\n\n## Details\n\n### Vulnerability Location\n\nhttps://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149\n\n### Root Cause\n\nThe vulnerability was introduced in commit `536175528` (PR #12994) , as part of a feature to \"redirect trailing slashes on on-demand rendered pages.\" The feature added a helpful 404 error page in development mode to alert developers of trailing slash mismatches.\n\n**Issue**: The `corrected` variable, which is derived from the user-controlled `pathname` parameter, is directly interpolated into the HTML without proper escaping. While the `pathname` variable itself is escaped elsewhere in the same file (line 114: `escape(pathname)`), the `corrected` variable is not sanitized before being inserted into both the `href` attribute and the link text.\n\n### Attack Vector\n\nWhen a developer has configured `trailingSlash` to `'always'` or `'never'` and visits a URL with a mismatched trailing slash, the development server returns a 404 page containing the vulnerable template. An attacker can craft a URL with JavaScript payloads that will be executed when the page is rendered.\n\n## PoC\n\n### Local Testing (localhost)\n\nBasic vulnerability verification in local development environment\n\n<details>\n<summary>Show details</summary>\n\n`astro.config.mjs`:\n```javascript\nimport { defineConfig } from 'astro/config';\n\nexport default defineConfig({\n  trailingSlash: 'never', // or 'always'\n  server: {\n    port: 3000,\n    host: true\n  }\n});\n```\n\n`package.json`:\n```json\n{\n  \"name\": \"astro-xss-poc-victim\",\n  \"version\": \"0.1.0\",\n  \"scripts\": {\n    \"dev\": \"astro dev\"\n  },\n  \"dependencies\": {\n    \"astro\": \"5.15.5\"\n  }\n}\n```\n\nStart the development server:\n```bash\nnpm install\nnpm run dev\n```\n\nAccess the following malicious URL depending on your configuration:\n\n**For `trailingSlash: 'never'`** (requires trailing slash):\n```\nhttp://localhost:3000/\"></code><script>alert(document.domain)</script><!--/\n```\n\n**For `trailingSlash: 'always'`** (no trailing slash):\n```\nhttp://localhost:3000/\"></code><script>alert(document.domain)</script><!--\n```\n\nWhen accessing the malicious URL:\n1. The development server returns a 404 page due to trailing slash mismatch\n2. The JavaScript payload (`alert(document.domain)`) executes in the browser\n3. An alert dialog appears, demonstrating arbitrary code execution\n\n</details>\n\n### Remote Testing (ngrok)\n\nReproduce realistic attack scenario via external malicious link\n\n<details>\n<summary>Show details</summary>\n\nPrerequisites: ngrok account and authtoken configured (`ngrok config add-authtoken <key>`)\n\nSetup and Execution:\n```bash\n#!/bin/bash\nset -e\n\nmkdir -p logs\n\nnpm i\nnpm run dev > ./logs/victim.log 2>&1 &\n\nngrok http 3000 > ./logs/ngrok.log 2>&1 &\n\nsleep 3\n\nNGROK_URL=$(curl -s http://localhost:4040/api/tunnels | grep -o '\"public_url\":\"https://[^\"]*' | head -1 | cut -d'\"' -f4)\necho \"\"\necho \"=== Attack URLs ===\"\necho \"\"\necho \"For trailingSlash: 'never' (requires trailing slash):\"\necho \"${NGROK_URL}/\\\"></code><script>alert(document.domain)</script><!--/\"\necho \"\"\necho \"For trailingSlash: 'always' (no trailing slash):\"\necho \"${NGROK_URL}/\\\"></code><script>alert(document.domain)</script><!--\"\necho \"\"\nwait\n```\n\nWhen a remote user accesses either of the generated attack URLs:\n1. The request is tunneled through ngrok to the local development server\n2. The development server returns a 404 page due to trailing slash mismatch\n3. The JavaScript payload (`alert(document.domain)`) executes in the user's browser\n\nBoth URL patterns work depending on your `trailingSlash` configuration ('never' or 'always').\n\n</details>\n\n## Impact\n\nThis only affects the **development server**. Risk depends on how and where the dev server is exposed.\n\n### Security impact\n\n* **Developer environment compromise**: Visiting a crafted URL can run arbitrary JS in the developer's browser.\n* **Session hijacking**: Active developer sessions can be stolen if services are open in the browser.\n* **Local resource access**: JS may probe `localhost` endpoints or dev tools depending on browser policies.\n* **Supply-chain risk**: Malicious packages or CI that start dev servers can widen exposure.\n\n### Attack scenarios\n\n* **Social engineering**: Malicious link sent to a developer triggers the XSS when opened.\n* **Malicious documentation**: Attack URLs embedded in issues, PRs, chat, or docs.\n* **Dependency/CI abuse**: Packages or automation that spawn public dev servers expose many targets.\n\n## Remediation\n\nThe fix is straightforward and requires escaping the `corrected` variable before inserting it into the HTML template. The codebase already imports and uses the `escape()` function from the `html-escaper` package.",
+  "details": "## Summary\n\nA Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that executes in the victim's browser context by crafting a malicious URL. While this vulnerability only affects the development server and not production builds, it could be exploited to compromise developer environments through social engineering or malicious links.\n\n## Details\n\n### Vulnerability Location\n\nhttps://github.com/withastro/astro/blob/5bc37fd5cade62f753aef66efdf40f982379029a/packages/astro/src/template/4xx.ts#L133-L149\n\n### Root Cause\n\nThe vulnerability was introduced in commit `536175528` (PR #12994) , as part of a feature to \"redirect trailing slashes on on-demand rendered pages.\" The feature added a helpful 404 error page in development mode to alert developers of trailing slash mismatches.\n\n**Issue**: The `corrected` variable, which is derived from the user-controlled `pathname` parameter, is directly interpolated into the HTML without proper escaping. While the `pathname` variable itself is escaped elsewhere in the same file (line 114: `escape(pathname)`), the `corrected` variable is not sanitized before being inserted into both the `href` attribute and the link text.\n\n### Attack Vector\n\nWhen a developer has configured `trailingSlash` to `'always'` or `'never'` and visits a URL with a mismatched trailing slash, the development server returns a 404 page containing the vulnerable template. An attacker can craft a URL with JavaScript payloads that will be executed when the page is rendered.\n\n## PoC\n\n### Local Testing (localhost)\n\nBasic vulnerability verification in local development environment\n\n<details>\n<summary>Show details</summary>\n\n`astro.config.mjs`:\n```javascript\nimport { defineConfig } from 'astro/config';\n\nexport default defineConfig({\n  trailingSlash: 'never', // or 'always'\n  server: {\n    port: 3000,\n    host: true\n  }\n});\n```\n\n`package.json`:\n```json\n{\n  \"name\": \"astro-xss-poc-victim\",\n  \"version\": \"0.1.0\",\n  \"scripts\": {\n    \"dev\": \"astro dev\"\n  },\n  \"dependencies\": {\n    \"astro\": \"5.15.5\"\n  }\n}\n```\n\nStart the development server:\n```bash\nnpm install\nnpm run dev\n```\n\nAccess the following malicious URL depending on your configuration:\n\n**For `trailingSlash: 'never'`** (requires trailing slash):\n```\nhttp://localhost:3000/\"></code><script>alert(document.domain)</script><!--/\n```\n\n**For `trailingSlash: 'always'`** (no trailing slash):\n```\nhttp://localhost:3000/\"></code><script>alert(document.domain)</script><!--\n```\n\nWhen accessing the malicious URL:\n1. The development server returns a 404 page due to trailing slash mismatch\n2. The JavaScript payload (`alert(document.domain)`) executes in the browser\n3. An alert dialog appears, demonstrating arbitrary code execution\n\n</details>\n\n### Remote Testing (ngrok)\n\nReproduce realistic attack scenario via external malicious link\n\n<details>\n<summary>Show details</summary>\n\nPrerequisites: ngrok account and authtoken configured (`ngrok config add-authtoken <key>`)\n\nSetup and Execution:\n```bash\n#!/bin/bash\nset -e\n\nmkdir -p logs\n\nnpm i\nnpm run dev > ./logs/victim.log 2>&1 &\n\nngrok http 3000 > ./logs/ngrok.log 2>&1 &\n\nsleep 3\n\nNGROK_URL=$(curl -s http://localhost:4040/api/tunnels | grep -o '\"public_url\":\"https://[^\"]*' | head -1 | cut -d'\"' -f4)\necho \"\"\necho \"=== Attack URLs ===\"\necho \"\"\necho \"For trailingSlash: 'never' (requires trailing slash):\"\necho \"${NGROK_URL}/\\\"></code><script>alert(document.domain)</script><!--/\"\necho \"\"\necho \"For trailingSlash: 'always' (no trailing slash):\"\necho \"${NGROK_URL}/\\\"></code><script>alert(document.domain)</script><!--\"\necho \"\"\nwait\n```\n\nWhen a remote user accesses either of the generated attack URLs:\n1. The request is tunneled through ngrok to the local development server\n2. The development server returns a 404 page due to trailing slash mismatch\n3. The JavaScript payload (`alert(document.domain)`) executes in the user's browser\n\nBoth URL patterns work depending on your `trailingSlash` configuration ('never' or 'always').\n\n</details>\n\n## Impact\n\nThis only affects the **development server**. Risk depends on how and where the dev server is exposed.\n\n### Security impact\n\n* **Developer environment compromise**: Visiting a crafted URL can run arbitrary JS in the developer's browser.\n* **Session hijacking**: Active developer sessions can be stolen if services are open in the browser.\n* **Local resource access**: JS may probe `localhost` endpoints or dev tools depending on browser policies.\n* **Supply-chain risk**: Malicious packages or CI that start dev servers can widen exposure.\n\n### Attack scenarios\n\n* **Social engineering**: Malicious link sent to a developer triggers the XSS when opened.\n* **Malicious documentation**: Attack URLs embedded in issues, PRs, chat, or docs.\n* **Dependency/CI abuse**: Packages or automation that spawn public dev servers expose many targets.",
   "severity": [
     {
       "type": "CVSS_V3",

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-f3f8-vx3w-hp5q",`
`4`		`- "modified": "2025-04-08T17:52:08Z",`
	`4`	`+ "modified": "2025-11-15T03:17:05Z",`
`5`	`5`	`"published": "2024-11-06T15:57:08Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2024-10081"`
`@@ -36,10 +36,7 @@`
`36`	`36`	`}`
`37`	`37`	`]`
`38`	`38`	`}`
`39`		`- ],`
`40`		`- "database_specific": {`
`41`		`- "last_known_affected_version_range": "<= 6.24.1"`
`42`		`- }`
	`39`	`+ ]`
`43`	`40`	`}`
`44`	`41`	`],`
`45`	`42`	`"references": [`