CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11276 vulnerabilities reference this CWE, most recent first.
GHSA-QFXW-5XVG-W6RC
Vulnerability from github – Published: 2024-06-05 21:31 – Updated: 2024-06-05 21:31An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1280, Exynos 1380, and Exynos 1330. In the function slsi_set_delayed_wakeup_type(), there is no input validation check on a length of ioctl_args->args[i] coming from userspace, which can lead to a heap over-read.
{
"affected": [],
"aliases": [
"CVE-2024-27380"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-05T19:15:14Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1280, Exynos 1380, and Exynos 1330. In the function slsi_set_delayed_wakeup_type(), there is no input validation check on a length of ioctl_args-\u003eargs[i] coming from userspace, which can lead to a heap over-read.",
"id": "GHSA-qfxw-5xvg-w6rc",
"modified": "2024-06-05T21:31:28Z",
"published": "2024-06-05T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27380"
},
{
"type": "WEB",
"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QG2W-5GV5-2CF4
Vulnerability from github – Published: 2024-07-30 09:31 – Updated: 2025-09-26 15:30In the Linux kernel, the following vulnerability has been resolved:
btrfs: always do the basic checks for btrfs_qgroup_inherit structure
[BUG] Syzbot reports the following regression detected by KASAN:
BUG: KASAN: slab-out-of-bounds in btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277 Read of size 8 at addr ffff88814628ca50 by task syz-executor318/5171
CPU: 0 PID: 5171 Comm: syz-executor318 Not tainted 6.10.0-rc2-syzkaller-00010-g2ab795141095 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277 create_pending_snapshot+0x1359/0x29b0 fs/btrfs/transaction.c:1854 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1922 btrfs_commit_transaction+0xf20/0x3740 fs/btrfs/transaction.c:2382 create_snapshot+0x6a1/0x9e0 fs/btrfs/ioctl.c:875 btrfs_mksubvol+0x58f/0x710 fs/btrfs/ioctl.c:1029 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1075 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1340 btrfs_ioctl_snap_create_v2+0x1f2/0x3a0 fs/btrfs/ioctl.c:1422 btrfs_ioctl+0x99e/0xc60 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcbf1992509 RSP: 002b:00007fcbf1928218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fcbf1a1f618 RCX: 00007fcbf1992509 RDX: 0000000020000280 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fcbf1a1f610 R08: 00007ffea1298e97 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcbf19eb660 R13: 00000000200002b8 R14: 00007fcbf19e60c0 R15: 0030656c69662f2e
And it also pinned it down to commit b5357cb268c4 ("btrfs: qgroup: do not check qgroup inherit if qgroup is disabled").
[CAUSE] That offending commit skips the whole qgroup inherit check if qgroup is not enabled.
But that also skips the very basic checks like num_ref_copies/num_excl_copies and the structure size checks.
Meaning if a qgroup enable/disable race is happening at the background, and we pass a btrfs_qgroup_inherit structure when the qgroup is disabled, the check would be completely skipped.
Then at the time of transaction commitment, qgroup is re-enabled and btrfs_qgroup_inherit() is going to use the incorrect structure and causing the above KASAN error.
[FIX] Make btrfs_qgroup_check_inherit() only skip the source qgroup checks. So that even if invalid btrfs_qgroup_inherit structure is passed in, we can still reject invalid ones no matter if qgroup is enabled or not.
Furthermore we do already have an extra safety inside btrfs_qgroup_inherit(), which would just ignore invalid qgroup sources, so even if we only skip the qgroup source check we're still safe.
{
"affected": [],
"aliases": [
"CVE-2024-42111"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T08:15:03Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: always do the basic checks for btrfs_qgroup_inherit structure\n\n[BUG]\nSyzbot reports the following regression detected by KASAN:\n\n BUG: KASAN: slab-out-of-bounds in btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277\n Read of size 8 at addr ffff88814628ca50 by task syz-executor318/5171\n\n CPU: 0 PID: 5171 Comm: syz-executor318 Not tainted 6.10.0-rc2-syzkaller-00010-g2ab795141095 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277\n create_pending_snapshot+0x1359/0x29b0 fs/btrfs/transaction.c:1854\n create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1922\n btrfs_commit_transaction+0xf20/0x3740 fs/btrfs/transaction.c:2382\n create_snapshot+0x6a1/0x9e0 fs/btrfs/ioctl.c:875\n btrfs_mksubvol+0x58f/0x710 fs/btrfs/ioctl.c:1029\n btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1075\n __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1340\n btrfs_ioctl_snap_create_v2+0x1f2/0x3a0 fs/btrfs/ioctl.c:1422\n btrfs_ioctl+0x99e/0xc60\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:907 [inline]\n __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7fcbf1992509\n RSP: 002b:00007fcbf1928218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007fcbf1a1f618 RCX: 00007fcbf1992509\n RDX: 0000000020000280 RSI: 0000000050009417 RDI: 0000000000000003\n RBP: 00007fcbf1a1f610 R08: 00007ffea1298e97 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcbf19eb660\n R13: 00000000200002b8 R14: 00007fcbf19e60c0 R15: 0030656c69662f2e\n \u003c/TASK\u003e\n\nAnd it also pinned it down to commit b5357cb268c4 (\"btrfs: qgroup: do not\ncheck qgroup inherit if qgroup is disabled\").\n\n[CAUSE]\nThat offending commit skips the whole qgroup inherit check if qgroup is\nnot enabled.\n\nBut that also skips the very basic checks like\nnum_ref_copies/num_excl_copies and the structure size checks.\n\nMeaning if a qgroup enable/disable race is happening at the background,\nand we pass a btrfs_qgroup_inherit structure when the qgroup is\ndisabled, the check would be completely skipped.\n\nThen at the time of transaction commitment, qgroup is re-enabled and\nbtrfs_qgroup_inherit() is going to use the incorrect structure and\ncausing the above KASAN error.\n\n[FIX]\nMake btrfs_qgroup_check_inherit() only skip the source qgroup checks.\nSo that even if invalid btrfs_qgroup_inherit structure is passed in, we\ncan still reject invalid ones no matter if qgroup is enabled or not.\n\nFurthermore we do already have an extra safety inside\nbtrfs_qgroup_inherit(), which would just ignore invalid qgroup sources,\nso even if we only skip the qgroup source check we\u0027re still safe.",
"id": "GHSA-qg2w-5gv5-2cf4",
"modified": "2025-09-26T15:30:23Z",
"published": "2024-07-30T09:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42111"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/724d8042cef84496ddb4492dc120291f997ae26b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ebe5ea02577b2c527958af1b76ac472c7ab53a56"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QG3Q-H7PR-4QJ6
Vulnerability from github – Published: 2024-08-13 00:31 – Updated: 2024-08-13 00:31The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PDF files. This could allow an attacker to execute code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2023-7066"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-12T22:15:08Z",
"severity": "HIGH"
},
"details": "The affected applications contain an out of bounds read past the end of \nan allocated structure while parsing specially crafted PDF files. This \ncould allow an attacker to execute code in the context of the current \nprocess.",
"id": "GHSA-qg3q-h7pr-4qj6",
"modified": "2024-08-13T00:31:42Z",
"published": "2024-08-13T00:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7066"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-722010.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-193-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QG4M-5HG4-34VQ
Vulnerability from github – Published: 2025-03-03 15:31 – Updated: 2025-03-05 21:32An integer overflow flaw was found in the BFS file system driver in grub2. When reading a file with an indirect extent map, grub2 fails to validate the number of extent entries to be read. A crafted or corrupted BFS filesystem may cause an integer overflow during the file reading, leading to a heap of bounds read. As a consequence, sensitive data may be leaked, or grub2 will crash.
{
"affected": [],
"aliases": [
"CVE-2024-45779"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-03T15:15:14Z",
"severity": "MODERATE"
},
"details": "An integer overflow flaw was found in the BFS file system driver in grub2. When reading a file with an indirect extent map, grub2 fails to validate the number of extent entries to be read. A crafted or corrupted BFS filesystem may cause an integer overflow during the file reading, leading to a heap of bounds read. As a consequence, sensitive data may be leaked, or grub2 will crash.",
"id": "GHSA-qg4m-5hg4-34vq",
"modified": "2025-03-05T21:32:07Z",
"published": "2025-03-03T15:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45779"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-45779"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345854"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QG52-VH2P-769P
Vulnerability from github – Published: 2022-05-14 02:59 – Updated: 2022-05-14 02:59CopyData in AxmlParser.c in AXML Parser through 2018-01-04 has an out-of-bounds read.
{
"affected": [],
"aliases": [
"CVE-2018-14401"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-19T05:29:00Z",
"severity": "HIGH"
},
"details": "CopyData in AxmlParser.c in AXML Parser through 2018-01-04 has an out-of-bounds read.",
"id": "GHSA-qg52-vh2p-769p",
"modified": "2022-05-14T02:59:31Z",
"published": "2022-05-14T02:59:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14401"
},
{
"type": "WEB",
"url": "https://github.com/jjanier/axml/issues/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QG74-9QXH-VMV5
Vulnerability from github – Published: 2025-03-11 21:30 – Updated: 2025-03-11 21:30Substance3D - Modeler versions 1.15.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-27180"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T21:15:42Z",
"severity": "MODERATE"
},
"details": "Substance3D - Modeler versions 1.15.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-qg74-9qxh-vmv5",
"modified": "2025-03-11T21:30:38Z",
"published": "2025-03-11T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27180"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-21.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QG7H-W62H-CJMV
Vulnerability from github – Published: 2022-05-14 01:13 – Updated: 2022-05-14 01:13An out-of-bounds read was addressed with improved bounds checking. This issue affected versions prior to iOS 12.1.
{
"affected": [],
"aliases": [
"CVE-2018-4365"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-03T18:29:00Z",
"severity": "MODERATE"
},
"details": "An out-of-bounds read was addressed with improved bounds checking. This issue affected versions prior to iOS 12.1.",
"id": "GHSA-qg7h-w62h-cjmv",
"modified": "2022-05-14T01:13:07Z",
"published": "2022-05-14T01:13:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4365"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT209192"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QG9H-X99X-FCVH
Vulnerability from github – Published: 2024-04-02 09:30 – Updated: 2025-03-03 18:31In the Linux kernel, the following vulnerability has been resolved:
tunnels: fix out of bounds access when building IPv6 PMTU error
If the ICMPv6 error is built from a non-linear skb we get the following splat,
BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240 Read of size 4 at addr ffff88811d402c80 by task netperf/820 CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543 ... kasan_report+0xd8/0x110 do_csum+0x220/0x240 csum_partial+0xc/0x20 skb_tunnel_check_pmtu+0xeb9/0x3280 vxlan_xmit_one+0x14c2/0x4080 vxlan_xmit+0xf61/0x5c00 dev_hard_start_xmit+0xfb/0x510 __dev_queue_xmit+0x7cd/0x32a0 br_dev_queue_push_xmit+0x39d/0x6a0
Use skb_checksum instead of csum_partial who cannot deal with non-linear SKBs.
{
"affected": [],
"aliases": [
"CVE-2024-26665"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T07:15:43Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: fix out of bounds access when building IPv6 PMTU error\n\nIf the ICMPv6 error is built from a non-linear skb we get the following\nsplat,\n\n BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240\n Read of size 4 at addr ffff88811d402c80 by task netperf/820\n CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543\n ...\n kasan_report+0xd8/0x110\n do_csum+0x220/0x240\n csum_partial+0xc/0x20\n skb_tunnel_check_pmtu+0xeb9/0x3280\n vxlan_xmit_one+0x14c2/0x4080\n vxlan_xmit+0xf61/0x5c00\n dev_hard_start_xmit+0xfb/0x510\n __dev_queue_xmit+0x7cd/0x32a0\n br_dev_queue_push_xmit+0x39d/0x6a0\n\nUse skb_checksum instead of csum_partial who cannot deal with non-linear\nSKBs.",
"id": "GHSA-qg9h-x99x-fcvh",
"modified": "2025-03-03T18:31:21Z",
"published": "2024-04-02T09:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26665"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/510c869ffa4068c5f19ff4df51d1e2f3a30aaac1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7dc9feb8b1705cf00de20563b6bc4831f4c99dab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d75abeec401f8c86b470e7028a13fcdc87e5dd06"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d964dd1bc1452594b4207d9229c157d9386e5d8a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e37cde7a5716466ff2a76f7f27f0a29b05b9a732"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e77bf828f1ca1c47fcff58bdc26b60a9d3dfbe1d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QGC7-W7G7-9CC9
Vulnerability from github – Published: 2022-09-03 00:00 – Updated: 2022-09-08 00:00Memory corruption due to out of bound read while parsing a video file in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile
{
"affected": [],
"aliases": [
"CVE-2022-22059"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-02T12:15:00Z",
"severity": "HIGH"
},
"details": "Memory corruption due to out of bound read while parsing a video file in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile",
"id": "GHSA-qgc7-w7g7-9cc9",
"modified": "2022-09-08T00:00:28Z",
"published": "2022-09-03T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22059"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/august-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QGC9-P7CJ-JVH6
Vulnerability from github – Published: 2025-12-01 15:30 – Updated: 2025-12-02 17:37FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "feehi/feehicms"
},
"versions": [
"2.1.1"
]
}
],
"aliases": [
"CVE-2025-63523"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-02T17:37:23Z",
"nvd_published_at": "2025-12-01T15:15:50Z",
"severity": "MODERATE"
},
"details": "FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as \"read-only.\" An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes.",
"id": "GHSA-qgc9-p7cj-jvh6",
"modified": "2025-12-02T17:37:23Z",
"published": "2025-12-01T15:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63523"
},
{
"type": "WEB",
"url": "https://github.com/liufee/cms/issues/77"
},
{
"type": "WEB",
"url": "https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63523.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/liufee/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "FeehiCMS fails to enforce server-side immutability"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.