Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit daf0b7b82dd2 · 2025-10-31T21:25:49.000Z
GHSA-2qfp-q593-8484 GHSA-vw84-hprm-cxmm GHSA-2qfp-q593-8484
diff --git a/advisories/github-reviewed/2025/10/GHSA-2qfp-q593-8484/GHSA-2qfp-q593-8484.json b/advisories/github-reviewed/2025/10/GHSA-2qfp-q593-8484/GHSA-2qfp-q593-8484.json
@@ -0,0 +1,77 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2qfp-q593-8484",
+  "modified": "2025-10-31T21:23:47Z",
+  "published": "2025-10-31T00:30:35Z",
+  "aliases": [
+    "CVE-2025-6176"
+  ],
+  "summary": "Brotli is vulnerable to a denial of service (DoS) attack due to decompression",
+  "details": "Brotli versions up to 1.1.0 are vulnerable to a denial of service (DoS) attack due to decompression. This issue has been patched in Brotli version 1.2.0. \n\nAdditionally, this affects users who implement the Brotli decompression with Scrapy versions up to 2.13.2, leaving them vulnerable to a denial of service (DoS) attack. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "brotli"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6176"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/google/brotli/issues/1327#issuecomment-3457434715"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/google/brotli/pull/1234"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/google/brotli/commit/67d78bc41db1a0d03f2e763497748f2f69946627"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/google/brotli"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/google/brotli/releases/tag/v1.2.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/2c26a886-5984-47ee-a421-0d5fe1344eb0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-31T21:23:47Z",
+    "nvd_published_at": "2025-10-31T00:15:37Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/10/GHSA-vw84-hprm-cxmm/GHSA-vw84-hprm-cxmm.json b/advisories/github-reviewed/2025/10/GHSA-vw84-hprm-cxmm/GHSA-vw84-hprm-cxmm.json
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vw84-hprm-cxmm",
+  "modified": "2025-10-31T21:24:53Z",
+  "published": "2025-10-31T21:24:53Z",
+  "aliases": [
+    "CVE-2025-64168"
+  ],
+  "summary": "Agno session state overwrites between different sessions/users",
+  "details": "### Impact\nUnder certain conditions (under high concurrency), when `session_state` is passed to an Agent or Team during run or arun calls, a race condition can occur, causing a `session_state` to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user.\n\n### Patches\nThis has been patched in version 2.2.2. Upgrade with `pip install -U agno`.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "agno"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "fixed": "2.2.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/agno-agi/agno/security/advisories/GHSA-vw84-hprm-cxmm"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64168"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/agno-agi/agno"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-362",
+      "CWE-668"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-31T21:24:53Z",
+    "nvd_published_at": "2025-10-31T15:15:43Z"
+  }
+}
diff --git a/advisories/unreviewed/2025/10/GHSA-2qfp-q593-8484/GHSA-2qfp-q593-8484.json b/advisories/unreviewed/2025/10/GHSA-2qfp-q593-8484/GHSA-2qfp-q593-8484.json
