CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
422 vulnerabilities reference this CWE, most recent first.
GHSA-6827-G8XF-36C7
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A vulnerability in danny-avila/librechat version git a1647d7 allows an unauthenticated attacker to cause a denial of service by sending a crafted payload to the server. The middleware checkBan is not surrounded by a try-catch block, and an unhandled exception will cause the server to crash. This issue is fixed in version 0.7.6.
{
"affected": [],
"aliases": [
"CVE-2024-11172"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:24Z",
"severity": "HIGH"
},
"details": "A vulnerability in danny-avila/librechat version git a1647d7 allows an unauthenticated attacker to cause a denial of service by sending a crafted payload to the server. The middleware `checkBan` is not surrounded by a try-catch block, and an unhandled exception will cause the server to crash. This issue is fixed in version 0.7.6.",
"id": "GHSA-6827-g8xf-36c7",
"modified": "2025-03-20T12:32:41Z",
"published": "2025-03-20T12:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11172"
},
{
"type": "WEB",
"url": "https://github.com/danny-avila/librechat/commit/976784c01fa4cce00d4c2941801d56aed375c21b"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/c76a7ee3-2e26-45a0-8940-21c749592105"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6M9Q-HWQP-8RV6
Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-04 18:31Multiple Cisco products are affected by a vulnerability in the Snort 3 detection engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection.
This vulnerability is due to incomplete error checking when parsing remote procedure call (RPC) data. An attacker could exploit this vulnerability by sending crafted RPC packets through an established connection to be parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine unexpectedly restarts.
{
"affected": [],
"aliases": [
"CVE-2026-20068"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T18:16:22Z",
"severity": "MODERATE"
},
"details": "Multiple Cisco products are affected by a vulnerability in the Snort 3 detection engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection.\n\nThis vulnerability is due to incomplete error checking when parsing remote procedure call (RPC) data. An attacker could exploit this vulnerability by sending crafted RPC packets through an established connection to be parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine unexpectedly restarts.",
"id": "GHSA-6m9q-hwqp-8rv6",
"modified": "2026-03-04T18:31:55Z",
"published": "2026-03-04T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20068"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-multi-dos-XFWkWSwz"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6QC9-V4R8-22XG
Vulnerability from github – Published: 2025-05-28 19:41 – Updated: 2025-06-27 21:06Summary
Hitting the /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server
Details
The following API call
(venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}'
will provoke a Uncaught exceptions from xgrammer in
./lib64/python3.11/site-packages/xgrammar/compiler.py
Issue with more information: https://github.com/vllm-project/vllm/issues/17248
PoC
Make a call to vllm with invalid json_scema e.g. {\"properties\":{\"reason\":{\"type\": \"stsring\"}}}
curl -s http://localhost:8000/v1/completions -H "Content-Type: application/json" -d '{"model": "meta-llama/Llama-3.2-3B-Instruct","prompt": "Name two great reasons to visit Sligo ", "max_tokens": 10, "temperature": 0.5, "guided_json":"{\"properties\":{\"reason\":{\"type\": \"stsring\"}}}"}'
Impact
vllm crashes
example traceback
ERROR 03-26 17:25:01 [core.py:340] EngineCore hit an exception: Traceback (most recent call last):
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 333, in run_engine_core
ERROR 03-26 17:25:01 [core.py:340] engine_core.run_busy_loop()
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 367, in run_busy_loop
ERROR 03-26 17:25:01 [core.py:340] outputs = step_fn()
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/engine/core.py", line 181, in step
ERROR 03-26 17:25:01 [core.py:340] scheduler_output = self.scheduler.schedule()
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/core/scheduler.py", line 257, in schedule
ERROR 03-26 17:25:01 [core.py:340] if structured_output_req and structured_output_req.grammar:
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 41, in grammar
ERROR 03-26 17:25:01 [core.py:340] completed = self._check_grammar_completion()
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py", line 29, in _check_grammar_completion
ERROR 03-26 17:25:01 [core.py:340] self._grammar = self._grammar.result(timeout=0.0001)
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 456, in result
ERROR 03-26 17:25:01 [core.py:340] return self.__get_result()
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/_base.py", line 401, in __get_result
ERROR 03-26 17:25:01 [core.py:340] raise self._exception
ERROR 03-26 17:25:01 [core.py:340] File "/usr/lib64/python3.11/concurrent/futures/thread.py", line 58, in run
ERROR 03-26 17:25:01 [core.py:340] result = self.fn(*self.args, **self.kwargs)
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/vllm/v1/structured_output/__init__.py", line 120, in _async_create_grammar
ERROR 03-26 17:25:01 [core.py:340] ctx = self.compiler.compile_json_schema(grammar_spec,
ERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR 03-26 17:25:01 [core.py:340] File "/home/derekh/workarea/vllm/venv/lib64/python3.11/site-packages/xgrammar/compiler.py", line 101, in compile_json_schema
ERROR 03-26 17:25:01 [core.py:340] self._handle.compile_json_schema(
ERROR 03-26 17:25:01 [core.py:340] RuntimeError: [17:25:01] /project/cpp/json_schema_converter.cc:795: Check failed: (schema.is<picojson::object>()) is false: Schema should be an object or bool
ERROR 03-26 17:25:01 [core.py:340]
ERROR 03-26 17:25:01 [core.py:340]
CRITICAL 03-26 17:25:01 [core_client.py:269] Got fatal signal from worker processes, shutting down. See stack trace above for root cause issue.
Fix
- https://github.com/vllm-project/vllm/pull/17623
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48942"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T19:41:53Z",
"nvd_published_at": "2025-05-30T19:15:30Z",
"severity": "MODERATE"
},
"details": "### Summary\nHitting the /v1/completions API with a invalid json_schema as a Guided Param will kill the vllm server\n\n\n### Details\nThe following API call \n`(venv) [derekh@ip-172-31-15-108 ]$ curl -s http://localhost:8000/v1/completions -H \"Content-Type: application/json\" -d \u0027{\"model\": \"meta-llama/Llama-3.2-3B-Instruct\",\"prompt\": \"Name two great reasons to visit Sligo \", \"max_tokens\": 10, \"temperature\": 0.5, \"guided_json\":\"{\\\"properties\\\":{\\\"reason\\\":{\\\"type\\\": \\\"stsring\\\"}}}\"}\u0027 \n`\nwill provoke a Uncaught exceptions from xgrammer in \n`./lib64/python3.11/site-packages/xgrammar/compiler.py\n`\n\nIssue with more information: https://github.com/vllm-project/vllm/issues/17248\n\n### PoC\nMake a call to vllm with invalid json_scema e.g. `{\\\"properties\\\":{\\\"reason\\\":{\\\"type\\\": \\\"stsring\\\"}}}`\n\n`curl -s http://localhost:8000/v1/completions -H \"Content-Type: application/json\" -d \u0027{\"model\": \"meta-llama/Llama-3.2-3B-Instruct\",\"prompt\": \"Name two great reasons to visit Sligo \", \"max_tokens\": 10, \"temperature\": 0.5, \"guided_json\":\"{\\\"properties\\\":{\\\"reason\\\":{\\\"type\\\": \\\"stsring\\\"}}}\"}\u0027\n`\n### Impact\nvllm crashes\n\n\nexample traceback\n```\nERROR 03-26 17:25:01 [core.py:340] EngineCore hit an exception: Traceback (most recent call last):\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/engine/core.py\", line 333, in run_engine_core\nERROR 03-26 17:25:01 [core.py:340] engine_core.run_busy_loop()\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/engine/core.py\", line 367, in run_busy_loop\nERROR 03-26 17:25:01 [core.py:340] outputs = step_fn()\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/engine/core.py\", line 181, in step\nERROR 03-26 17:25:01 [core.py:340] scheduler_output = self.scheduler.schedule()\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/core/scheduler.py\", line 257, in schedule\nERROR 03-26 17:25:01 [core.py:340] if structured_output_req and structured_output_req.grammar:\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py\", line 41, in grammar\nERROR 03-26 17:25:01 [core.py:340] completed = self._check_grammar_completion()\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/structured_output/request.py\", line 29, in _check_grammar_completion\nERROR 03-26 17:25:01 [core.py:340] self._grammar = self._grammar.result(timeout=0.0001)\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/usr/lib64/python3.11/concurrent/futures/_base.py\", line 456, in result\nERROR 03-26 17:25:01 [core.py:340] return self.__get_result()\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/usr/lib64/python3.11/concurrent/futures/_base.py\", line 401, in __get_result\nERROR 03-26 17:25:01 [core.py:340] raise self._exception\nERROR 03-26 17:25:01 [core.py:340] File \"/usr/lib64/python3.11/concurrent/futures/thread.py\", line 58, in run\nERROR 03-26 17:25:01 [core.py:340] result = self.fn(*self.args, **self.kwargs)\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/vllm/v1/structured_output/__init__.py\", line 120, in _async_create_grammar\nERROR 03-26 17:25:01 [core.py:340] ctx = self.compiler.compile_json_schema(grammar_spec,\nERROR 03-26 17:25:01 [core.py:340] ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nERROR 03-26 17:25:01 [core.py:340] File \"/home/derekh/workarea/vllm/venv/lib64/python3.11/site-packages/xgrammar/compiler.py\", line 101, in compile_json_schema\nERROR 03-26 17:25:01 [core.py:340] self._handle.compile_json_schema(\nERROR 03-26 17:25:01 [core.py:340] RuntimeError: [17:25:01] /project/cpp/json_schema_converter.cc:795: Check failed: (schema.is\u003cpicojson::object\u003e()) is false: Schema should be an object or bool\nERROR 03-26 17:25:01 [core.py:340] \nERROR 03-26 17:25:01 [core.py:340] \nCRITICAL 03-26 17:25:01 [core_client.py:269] Got fatal signal from worker processes, shutting down. See stack trace above for root cause issue.\n```\n\n### Fix\n\n* https://github.com/vllm-project/vllm/pull/17623",
"id": "GHSA-6qc9-v4r8-22xg",
"modified": "2025-06-27T21:06:56Z",
"published": "2025-05-28T19:41:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48942"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/issues/17248"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/17623"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-54.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM DOS: Remotely kill vllm over http with invalid JSON schema"
}
GHSA-6VV4-QQ3R-9RV8
Vulnerability from github – Published: 2023-02-12 15:30 – Updated: 2023-02-24 16:02Uncaught Exception in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0790"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-14T01:04:31Z",
"nvd_published_at": "2023-02-12T14:15:00Z",
"severity": "HIGH"
},
"details": "Uncaught Exception in GitHub repository thorsten/phpmyfaq prior to 3.1.11.",
"id": "GHSA-6vv4-qq3r-9rv8",
"modified": "2023-02-24T16:02:36Z",
"published": "2023-02-12T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0790"
},
{
"type": "WEB",
"url": "https://github.com/thorsten/phpmyfaq/commit/f34d84dfe551ecdd675916e45cc0606e04a0734e"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/06af150b-b481-4248-9a48-56ded2814156"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncaught Exception in thorsten/phpmyfaq"
}
GHSA-6WR5-JMPR-MJCX
Vulnerability from github – Published: 2024-02-21 00:03 – Updated: 2024-02-21 00:03The query executor would panic when executing a query containing a call to a built-in SurrealDB function that did not exist. This could occur accidentally in situations where the version of the SurrealDB client was newer than the SurrealDB server or when a pre-parsed query was provided to the server via a newer version of the SurrealDB SDK.
Impact
A client that is authorized to run queries in a SurrealDB server is able to craft and execute a pre-parsed query invoking a nonexistent built-in function, which will cause a panic. This will crash the server, leading to denial of service.
Patches
- Version 1.2.0 and later are not affected by this issue.
Workarounds
Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.
References
-
3454
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65755
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-21T00:03:06Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The query executor would panic when executing a query containing a call to a built-in SurrealDB function that did not exist. This could occur accidentally in situations where the version of the SurrealDB client was newer than the SurrealDB server or when a pre-parsed query was provided to the server via a newer version of the SurrealDB SDK.\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server is able to craft and execute a pre-parsed query invoking a nonexistent built-in function, which will cause a panic. This will crash the server, leading to denial of service.\n\n### Patches\n\n- Version 1.2.0 and later are not affected by this issue.\n\n### Workarounds\n\nConcerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- #3454\n- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65755",
"id": "GHSA-6wr5-jmpr-mjcx",
"modified": "2024-02-21T00:03:06Z",
"published": "2024-02-21T00:03:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6wr5-jmpr-mjcx"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/pull/3454"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65755"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncaught Exception in Macro Expecting Native Function to Exist"
}
GHSA-6XVM-J4WR-6V98
Vulnerability from github – Published: 2026-03-11 00:09 – Updated: 2026-03-11 05:46Summary
A remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication.
Details
The issue is panic-on-untrusted-input in QUIC transport parameter parsing.
In quinn-proto (observed in quinn-proto 0.11.13), parsing of some transport parameters uses a fallible varint decode followed by unwrap(). For malformed/truncated parameter values, decode returns UnexpectedEnd, and unwrap() panics.
Observed output:
thread 'tokio-rt-worker' (2366474) panicked at quinn-proto/src/transport_parameters.rs:473:67:
called `Result::unwrap()` on an `Err` value: UnexpectedEnd
PoC
Reproduces against the upstream Quinn server example.
- Start server:
cargo run --example server -- ./
- Prepare PoC client environment:
python3 -m venv .venv
source .venv/bin/activate
pip install aioquic
- Run PoC script attack.py against server QUIC listener (default example target shown):
python attack.py
Observed output
thread 'tokio-rt-worker' (2366903) panicked at quinn-proto/src/transport_parameters.rs:473:67:
called `Result::unwrap()` on an `Err` value: UnexpectedEnd
Impact
Vulnerability type: Remote Denial of Service (panic/crash)
Attack requirements: Network reachability to UDP QUIC listener
Authentication/privileges: None
Who is impacted: Any server/application using affected quinn/quinn-proto versions where this parse path is reachable; process-level impact depends on integration panic handling policy
This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "quinn-proto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31812"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:09:19Z",
"nvd_published_at": "2026-03-10T22:16:18Z",
"severity": "HIGH"
},
"details": "### Summary\nA remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable `quinn` versions by sending a crafted QUIC Initial packet containing malformed `quic_transport_parameters`. `In quinn-proto` parsing logic, attacker-controlled varints are decoded with `unwrap()`, so truncated encodings cause `Err(UnexpectedEnd)` and `panic`. This is reachable over the network with a single packet and no prior trust or authentication.\n\n### Details\nThe issue is panic-on-untrusted-input in QUIC transport parameter parsing.\nIn `quinn-proto` (observed in `quinn-proto 0.11.13`), parsing of some transport parameters uses a fallible varint decode followed by `unwrap()`. For malformed/truncated parameter values, decode returns `UnexpectedEnd`, and `unwrap()` panics.\n\n#### Observed output:\n```\nthread \u0027tokio-rt-worker\u0027 (2366474) panicked at quinn-proto/src/transport_parameters.rs:473:67:\ncalled `Result::unwrap()` on an `Err` value: UnexpectedEnd\n```\n\n### PoC\n#### Reproduces against the upstream Quinn server example.\n1. Start server:\n```\ncargo run --example server -- ./\n```\n2. Prepare PoC client environment:\n```\npython3 -m venv .venv\nsource .venv/bin/activate\npip install aioquic\n```\n3. Run PoC script [attack.py](https://github.com/user-attachments/files/25741713/attack.py) against server QUIC listener (default example target shown):\n```\npython attack.py\n```\n#### Observed output\n```\nthread \u0027tokio-rt-worker\u0027 (2366903) panicked at quinn-proto/src/transport_parameters.rs:473:67:\ncalled `Result::unwrap()` on an `Err` value: UnexpectedEnd\n```\n\n\n\n### Impact\nVulnerability type: Remote Denial of Service (panic/crash)\nAttack requirements: Network reachability to UDP QUIC listener\nAuthentication/privileges: None\nWho is impacted: Any server/application using affected `quinn/quinn-proto` versions where this parse path is reachable; process-level impact depends on integration panic handling policy\n\n\nThis vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program",
"id": "GHSA-6xvm-j4wr-6v98",
"modified": "2026-03-11T05:46:01Z",
"published": "2026-03-11T00:09:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/quinn-rs/quinn/security/advisories/GHSA-6xvm-j4wr-6v98"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31812"
},
{
"type": "WEB",
"url": "https://github.com/quinn-rs/quinn/pull/2559"
},
{
"type": "PACKAGE",
"url": "https://github.com/quinn-rs/quinn"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0037.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing"
}
GHSA-765F-85MC-5QMW
Vulnerability from github – Published: 2025-09-25 18:30 – Updated: 2025-09-29 18:33A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2025-55557"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-25T16:15:34Z",
"severity": "HIGH"
},
"details": "A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service (DoS).",
"id": "GHSA-765f-85mc-5qmw",
"modified": "2025-09-29T18:33:12Z",
"published": "2025-09-25T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55557"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/pytorch/issues/151738"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/pytorch/pull/151931"
},
{
"type": "WEB",
"url": "https://gist.github.com/shaoyuyoung/0e7d2a586297ae9c8ed14d8706749efc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-78H2-9FRX-2JM8
Vulnerability from github – Published: 2026-04-03 03:28 – Updated: 2026-04-06 23:11Impact
Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key.
This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.
This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common.
Panics can lead to denial of service.
Fixed In
4.1.4 and v3.0.5
Workarounds
If the list of keyAlgorithms passed to ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() does not include key wrapping algorithms (those ending in KW), your application is unaffected.
If your application uses key wrapping, you can prevalidate to the JWE objects to ensure the encrypted_key field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second .).
Thanks
Thanks to Datadog's Security team for finding this issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-jose/go-jose/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-jose/go-jose/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-jose/go-jose"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34986"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:28:56Z",
"nvd_published_at": "2026-04-06T17:17:11Z",
"severity": "HIGH"
},
"details": "### Impact\n\nDecrypting a JSON Web Encryption (JWE) object will panic if the `alg` field indicates a key wrapping algorithm ([one ending in `KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants), with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the `encrypted_key` field is empty. The panic happens when `cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a slice with a zero or negative length based on the length of the `encrypted_key`.\n\nThis code path is reachable from `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` followed by `Decrypt()` on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.\n\nThis panic is also reachable by calling `cipher.KeyUnwrap()` directly with any `ciphertext` parameter less than 16 bytes long, but calling this function directly is less common.\n\nPanics can lead to denial of service.\n\n### Fixed In\n\n4.1.4 and v3.0.5\n\n### Workarounds\n\nIf the list of `keyAlgorithms` passed to `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` does not include key wrapping algorithms (those ending in `KW`), your application is unaffected.\n\nIf your application uses key wrapping, you can prevalidate to the JWE objects to ensure the `encrypted_key` field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second `.`).\n\n### Thanks\n\nThanks to Datadog\u0027s Security team for finding this issue.",
"id": "GHSA-78h2-9frx-2jm8",
"modified": "2026-04-06T23:11:46Z",
"published": "2026-04-03T03:28:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-jose/go-jose"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Go JOSE Panics in JWE decryption"
}
GHSA-7FM6-52CC-8V3R
Vulnerability from github – Published: 2024-04-01 03:30 – Updated: 2025-03-13 18:31In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541765; Issue ID: ALPS08541765.
{
"affected": [],
"aliases": [
"CVE-2024-20049"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-01T03:15:08Z",
"severity": "MODERATE"
},
"details": "In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541765; Issue ID: ALPS08541765.",
"id": "GHSA-7fm6-52cc-8v3r",
"modified": "2025-03-13T18:31:54Z",
"published": "2024-04-01T03:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20049"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7X3M-W77C-7WH5
Vulnerability from github – Published: 2025-04-07 06:30 – Updated: 2025-04-07 06:30Exception capture failure vulnerability in the SVG parsing module of the ArkUI framework Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-58111"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-07T04:15:16Z",
"severity": "HIGH"
},
"details": "Exception capture failure vulnerability in the SVG parsing module of the ArkUI framework\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-7x3m-w77c-7wh5",
"modified": "2025-04-07T06:30:27Z",
"published": "2025-04-07T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58111"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.