CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
422 vulnerabilities reference this CWE, most recent first.
GHSA-4PG4-QVPC-4Q3H
Vulnerability from github – Published: 2025-05-19 22:16 – Updated: 2025-05-19 22:16Impact
A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to 2.0.0
Workarounds
None
References
- https://github.com/expressjs/multer/issues/1176
- https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "multer"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.4-lts.1"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47944"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-19T22:16:30Z",
"nvd_published_at": "2025-05-19T20:15:26Z",
"severity": "HIGH"
},
"details": "### Impact\nA vulnerability in Multer versions \u003e=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process.\n\n### Patches\nUsers should upgrade to `2.0.0`\n\n### Workarounds\nNone\n\n### References\n\n- https://github.com/expressjs/multer/issues/1176\n- https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665",
"id": "GHSA-4pg4-qvpc-4q3h",
"modified": "2025-05-19T22:16:30Z",
"published": "2025-05-19T22:16:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47944"
},
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/issues/1176"
},
{
"type": "WEB",
"url": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665"
},
{
"type": "PACKAGE",
"url": "https://github.com/expressjs/multer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Multer vulnerable to Denial of Service from maliciously crafted requests"
}
GHSA-4RQ4-8R9H-8884
Vulnerability from github – Published: 2023-01-17 18:30 – Updated: 2023-01-25 00:30NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1 a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated.
{
"affected": [],
"aliases": [
"CVE-2023-0158"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-17T17:15:00Z",
"severity": "HIGH"
},
"details": "NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the \"/rrdp\" endpoint. Prior to 0.12.1 a direct query for any existing directory under \"/rrdp/\", rather than an RRDP file such as \"/rrdp/notification.xml\" as would be expected, causes Krill to crash. If the built-in \"/rrdp\" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated.",
"id": "GHSA-4rq4-8r9h-8884",
"modified": "2023-01-25T00:30:39Z",
"published": "2023-01-17T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0158"
},
{
"type": "WEB",
"url": "https://www.nlnetlabs.nl/downloads/krill/CVE-2023-0158.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RXP-72G2-FXHM
Vulnerability from github – Published: 2026-04-07 18:31 – Updated: 2026-04-07 18:31NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-24175"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T18:16:40Z",
"severity": "HIGH"
},
"details": "NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.",
"id": "GHSA-4rxp-72g2-fxhm",
"modified": "2026-04-07T18:31:38Z",
"published": "2026-04-07T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24175"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5816"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4V88-6PP2-RX52
Vulnerability from github – Published: 2023-09-20 03:30 – Updated: 2024-04-04 07:44NVIDIA Cumulus Linux contains a vulnerability in neighmgrd and nlmanager where an attacker on an adjacent network may cause an uncaught exception by injecting a crafted packet. A successful exploit may lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-25526"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-20T01:15:52Z",
"severity": "MODERATE"
},
"details": "NVIDIA Cumulus Linux contains a vulnerability in neighmgrd and nlmanager where an attacker on an adjacent network may cause an uncaught exception by injecting a crafted packet. A successful exploit may lead to denial of service.",
"id": "GHSA-4v88-6pp2-rx52",
"modified": "2024-04-04T07:44:52Z",
"published": "2023-09-20T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25526"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4VH4-C5MM-JQMW
Vulnerability from github – Published: 2024-04-08 03:30 – Updated: 2025-03-13 18:31In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed
{
"affected": [],
"aliases": [
"CVE-2023-52342"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T03:15:08Z",
"severity": "HIGH"
},
"details": "In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed",
"id": "GHSA-4vh4-c5mm-jqmw",
"modified": "2025-03-13T18:31:54Z",
"published": "2024-04-08T03:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52342"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1777143682512781313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4W56-VR39-RVQR
Vulnerability from github – Published: 2024-12-12 12:31 – Updated: 2024-12-12 12:31Null pointer dereference vulnerability in the image decoding module Impact: Successful exploitation of this vulnerability will affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-54106"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T12:15:25Z",
"severity": "HIGH"
},
"details": "Null pointer dereference vulnerability in the image decoding module\nImpact: Successful exploitation of this vulnerability will affect availability.",
"id": "GHSA-4w56-vr39-rvqr",
"modified": "2024-12-12T12:31:16Z",
"published": "2024-12-12T12:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54106"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52XJ-VX8W-46QJ
Vulnerability from github – Published: 2026-01-20 21:31 – Updated: 2026-01-20 21:31We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
{
"affected": [],
"aliases": [
"CVE-2025-59466"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T21:16:04Z",
"severity": "MODERATE"
},
"details": "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"id": "GHSA-52xj-vx8w-46qj",
"modified": "2026-01-20T21:31:35Z",
"published": "2026-01-20T21:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5375-PQ7M-F5R2
Vulnerability from github – Published: 2026-06-11 13:27 – Updated: 2026-06-11 13:27Impact
An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.
Patches
The following version have fixes for this vulnerability:
- 1.9.16
- 1.10.12
- 1.11.4
- 1.12.7
- 1.13.5
- 1.14.4
Workarounds
There is no workaround.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48068"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T13:27:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nAn invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.\n\n### Patches\nThe following version have fixes for this vulnerability:\n\n - 1.9.16\n - 1.10.12\n - 1.11.4\n - 1.12.7\n - 1.13.5\n - 1.14.4\n\n### Workarounds\nThere is no workaround.",
"id": "GHSA-5375-pq7m-f5r2",
"modified": "2026-06-11T13:27:54Z",
"published": "2026-06-11T13:27:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-5375-pq7m-f5r2"
},
{
"type": "PACKAGE",
"url": "https://github.com/grpc/grpc-node"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@grpc/grpc-js: A malformed request can cause a server crash"
}
GHSA-56PQ-38G7-F784
Vulnerability from github – Published: 2026-07-07 06:31 – Updated: 2026-07-07 06:31Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected:
- 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))
- 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3))
- 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))
- 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))
- all versions of 9.10 and prior.
{
"affected": [],
"aliases": [
"CVE-2026-27790"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T05:16:50Z",
"severity": "LOW"
},
"details": "Uncaught Exception (CWE-248)\u00a0in\u00a0the T20 Readers\u00a0allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service.\u00a0Version of Command Centre affected:\n\n\n\n\n\n * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))\n * 9.40 prior to vCR9.40.260616a (distributed in\u00a09.40.3130(MR3))\n * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))\n * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))\n * all versions of 9.10 and prior.",
"id": "GHSA-56pq-38g7-f784",
"modified": "2026-07-07T06:31:23Z",
"published": "2026-07-07T06:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27790"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-27790"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-56X4-8XCJ-44R6
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2023-12-21 03:30In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).
{
"affected": [],
"aliases": [
"CVE-2023-22941"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-14T18:15:00Z",
"severity": "HIGH"
},
"details": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted \u2018INGEST_EVAL\u2019 parameter in a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) crashes the Splunk daemon (splunkd).",
"id": "GHSA-56x4-8xcj-44r6",
"modified": "2023-12-21T03:30:32Z",
"published": "2023-07-06T19:24:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22941"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2023-0211"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/08978eca-caff-44c1-84dc-53f17def4e14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.