Publish Advisories

GHSA-m449-vh5f-574g
GHSA-vqpr-j7v3-hqw9
GHSA-xh5w-g8gq-r3v9

Author: advisory-database[bot]

advisories/github-reviewed/2025/11/GHSA-m449-vh5f-574g/GHSA-m449-vh5f-574g.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m449-vh5f-574g",
+  "modified": "2025-11-26T19:33:08Z",
+  "published": "2025-11-26T19:33:08Z",
+  "aliases": [
+    "CVE-2025-65966"
+  ],
+  "summary": "OneUptime Unauthorized User Creation via API",
+  "details": "### Summary\nA low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface.\n\n### PoC\nA low-permission user sends a crafted API request to the user-creation endpoint and the system creates the account successfully.\n![WhatsApp Image 2025-11-23 at 14 27 32_0e0f5889](https://github.com/user-attachments/assets/5a539310-c9a2-4466-8926-b49b9b2a2422)\n\n### Impact\nThis allows attackers to create unauthorized accounts.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@oneuptime/common"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-m449-vh5f-574g"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OneUptime/oneuptime/commit/07bc6d4edde7397ea6b88f889c065ec392052ab4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OneUptime/oneuptime"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-26T19:33:08Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2025/11/GHSA-vqpr-j7v3-hqw9/GHSA-vqpr-j7v3-hqw9.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vqpr-j7v3-hqw9",
+  "modified": "2025-11-26T19:33:34Z",
+  "published": "2025-11-26T19:33:34Z",
+  "aliases": [
+    "CVE-2025-66020"
+  ],
+  "summary": "Valibot has a ReDoS vulnerability in `EMOJI_REGEX`",
+  "details": "### Summary\n\nThe `EMOJI_REGEX` used in the `emoji` action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application.\n\n### Details\n\nThe ReDoS vulnerability stems from \"catastrophic backtracking\" in the `EMOJI_REGEX`. This is caused by ambiguity in the regex pattern due to overlapping character classes.\n\nSpecifically, the class `\\p{Emoji_Presentation}` overlaps with more specific classes used in the same alternation, such as `[\\u{1F1E6}-\\u{1F1FF}]` (regional indicator symbols used for flags) and `\\p{Emoji_Modifier_Base}`.\n\nWhen the regex engine attempts to match a string that almost matches but ultimately fails (like the one in the PoC), this ambiguity forces it to explore an exponential number of possible paths. The matching time increases exponentially with the length of the crafted input, rather than linearly.\n\n### PoC\n\nThe following code demonstrates the vulnerability.\n\n```javascript\nimport * as v from 'valibot';\n\nconst schema = v.object({\n  x: v.pipe(v.string(), v.emoji()),\n});\n\nconst attackString = '\\u{1F1E6}'.repeat(49) + '0';\n\nconsole.log(`Input length: ${attackString.length}`);\nconsole.log('Starting parse... (This will take a long time)');\n\n// On my machine, a length of 99 takes approximately 2 minutes.\nconsole.time();\ntry {\n  v.parse(schema, {x: attackString });\n} catch (e) {}\nconsole.timeEnd();\n```\n\n### Impact\n\nAny project using Valibot's `emoji` validation on user-controllable input is vulnerable to a Denial of Service attack.\n\nAn attacker can block server resources (e.g., a web server's event loop) by submitting a short string to any endpoint that uses this validation. This is particularly dangerous because the attack string is short enough to bypass typical input length restrictions (e.g., maxLength(100)).\n\n### Recommended Fix\n\nThe root cause is the overlapping character classes. This can be resolved by making the alternatives mutually exclusive, typically by using negative lookaheads (`(?!...)`) to subtract the specific classes from the more general one.\n\nThe following modified `EMOJI_REGEX` applies this principle:\n\n```javascript\nexport const EMOJI_REGEX: RegExp =\n  // eslint-disable-next-line redos-detector/no-unsafe-regex, regexp/no-dupe-disjunctions -- false positives\n  /^(?:[\\u{1F1E6}-\\u{1F1FF}]{2}|\\u{1F3F4}[\\u{E0061}-\\u{E007A}]{2}[\\u{E0030}-\\u{E0039}\\u{E0061}-\\u{E007A}]{1,3}\\u{E007F}|(?:\\p{Emoji}\\uFE0F\\u20E3?|\\p{Emoji_Modifier_Base}\\p{Emoji_Modifier}?|(?![\\p{Emoji_Modifier_Base}\\u{1F1E6}-\\u{1F1FF}])\\p{Emoji_Presentation})(?:\\u200D(?:\\p{Emoji}\\uFE0F\\u20E3?|\\p{Emoji_Modifier_Base}\\p{Emoji_Modifier}?|(?![\\p{Emoji_Modifier_Base}\\u{1F1E6}-\\u{1F1FF}])\\p{Emoji_Presentation}))*)+$/u;\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "valibot"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.31.0"
+            },
+            {
+              "fixed": "1.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66020"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/open-circle/valibot/commit/cfb799db301a953a0950d5c05a34a3ab121262dc"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/open-circle/valibot"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1333"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-26T19:33:34Z",
+    "nvd_published_at": "2025-11-26T02:15:49Z"
+  }
+}

…-xh5w-g8gq-r3v9/GHSA-xh5w-g8gq-r3v9.json …-xh5w-g8gq-r3v9/GHSA-xh5w-g8gq-r3v9.jsonadvisories/unreviewed/2025/11/GHSA-xh5w-g8gq-r3v9/GHSA-xh5w-g8gq-r3v9.json renamed to advisories/github-reviewed/2025/11/GHSA-xh5w-g8gq-r3v9/GHSA-xh5w-g8gq-r3v9.json advisories/unreviewed/2025/11/GHSA-xh5w-g8gq-r3v9/GHSA-xh5w-g8gq-r3v9.json renamed to advisories/github-reviewed/2025/11/GHSA-xh5w-g8gq-r3v9/GHSA-xh5w-g8gq-r3v9.json

@@ -1,40 +1,77 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xh5w-g8gq-r3v9",
-  "modified": "2025-11-24T18:31:14Z",
+  "modified": "2025-11-26T19:32:37Z",
   "published": "2025-11-24T18:31:14Z",
   "aliases": [
     "CVE-2025-13609"
   ],
+  "summary": "Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices",
   "details": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "keylime"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "7.13.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13609"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keylime/keylime/pull/1785"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keylime/keylime/commit/e1ae8de1f7b1385eaeec66572a92ff1338e6e157"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-13609"
     },
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416761"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keylime/keylime"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keylime/keylime/releases/tag/v7.13.0"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-694"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-26T19:32:37Z",
     "nvd_published_at": "2025-11-24T18:15:49Z"
   }
 }