Publish Advisories

GHSA-95fv-5gfj-2r84
GHSA-whqg-ppgf-wp8c

Author: advisory-database[bot]

advisories/github-reviewed/2025/12/GHSA-95fv-5gfj-2r84/GHSA-95fv-5gfj-2r84.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-95fv-5gfj-2r84",
+  "modified": "2025-12-08T16:25:53Z",
+  "published": "2025-12-08T16:25:53Z",
+  "aliases": [
+    "CVE-2025-64113"
+  ],
+  "summary": "Emby Server API Vulnerability allowing to gain administrative access without precondition",
+  "details": "### Impact\n\nThis vulnerability affects all Emby Server versions - beta and stable up to the specified versions.\nIt allows an attacker to gain full administrative access to an Emby Server (for Emby Server administration, **not at the OS level**,).\nOther than network access, no specific preconditions need to be fulfilled for a server to be vulnerable.\n\n### Patches\n\n#### Quick Fix\n\nA quick fix will be rolled out via an update to one of the default-included Emby Server plugins.\nThis way is chosen because many users are updating their servers manually while plugin updates are typically configured to be applied automatically. This allows to get a patch deployed to a large amount of servers within a single day.\n\n#### Server Patches\n\nPatched versions for both, Emby Server stable and Emby Server beta are available now.\n\n**All Emby Server owners are strongly encouraged to apply those updates as soon as possible.**\n\n\n### Workarounds\n\n> [!NOTE]\n> These workarounds are OBSOLETE now. Please update Emby Server instead!\n\nAs and immediate remedy, it is possible to set restricted file system permissions on the `passwordreset.txt` file in the configuration folder of Emby Server. If it doesn't exist, users can create the file themselves or just call the ForgotPassword API once, which will create the file.\n\nOn Windows, users can set DENY permissions for \"Authenticated users\" and on Linux, permissions can be set via `sudo chmod 444 passwordreset.txt`.\nThis will make the API request fail, which completely eliminates the vulnerability.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "MediaBrowser.Server.Core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.9.1.81"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.9.1.80"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/EmbySupport/Emby.Security"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-640"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-08T16:25:53Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2025/12/GHSA-whqg-ppgf-wp8c/GHSA-whqg-ppgf-wp8c.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-whqg-ppgf-wp8c",
+  "modified": "2025-12-08T16:26:43Z",
+  "published": "2025-12-08T16:26:43Z",
+  "aliases": [
+    "CVE-2025-66202"
+  ],
+  "summary": "Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765",
+  "details": "# Authentication Bypass via Double URL Encoding in Astro\n## Bypass for CVE-2025-64765 / GHSA-ggxq-hp9w-j794\n\n---\n\n### Summary\n\nA **double URL encoding bypass** allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 (single URL encoding) was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs like `/%2561dmin` instead of `/%61dmin`, attackers can still bypass authentication and access protected resources such as `/admin`, `/api/internal`, or any route protected by middleware pathname checks.\n\n\n## Fix \n\nA more secure fix is just decoding once, then if the request has a %xx format, return a 400 error by using something like :\n\n```\nif (containsEncodedCharacters(pathname)) {\n            // Multi-level encoding detected - reject request\n            return new Response(\n                'Bad Request: Multi-level URL encoding is not allowed',\n                {\n                    status: 400,\n                    headers: { 'Content-Type': 'text/plain' }\n                }\n            );\n        }\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "astro"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.15.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64765"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/withastro/astro"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-647"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-08T16:26:43Z",
+    "nvd_published_at": null
+  }
+}