CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
422 vulnerabilities reference this CWE, most recent first.
GHSA-827P-G5X5-H86C
Vulnerability from github – Published: 2026-03-17 18:37 – Updated: 2026-03-19 21:12Impact
A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.
Patches
The fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.
Workarounds
Disable LiveQuery if it is not needed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.6.0-alpha.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.43"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32770"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T18:37:30Z",
"nvd_published_at": "2026-03-18T22:16:25Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.\n\n### Patches\n\nThe fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.\n\n### Workarounds\n\nDisable LiveQuery if it is not needed.",
"id": "GHSA-827p-g5x5-h86c",
"modified": "2026-03-19T21:12:58Z",
"published": "2026-03-17T18:37:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32770"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10197"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10199"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Parse Server LiveQuery subscription with invalid regular expression crashes server"
}
GHSA-83RC-2389-WCCM
Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2026-1507"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T21:16:01Z",
"severity": "HIGH"
},
"details": "The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.",
"id": "GHSA-83rc-2389-wccm",
"modified": "2026-02-10T21:31:31Z",
"published": "2026-02-10T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1507"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-84R8-W725-7J27
Vulnerability from github – Published: 2022-11-25 15:30 – Updated: 2022-11-30 21:30In F?Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-38166"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-25T15:15:00Z",
"severity": "HIGH"
},
"details": "In F?Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.",
"id": "GHSA-84r8-w725-7j27",
"modified": "2022-11-30T21:30:22Z",
"published": "2022-11-25T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38166"
},
{
"type": "WEB",
"url": "https://www.f-secure.com/en/home/support/security-advisories/cve-2022-38166"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-877P-G3P3-329R
Vulnerability from github – Published: 2026-05-01 18:31 – Updated: 2026-05-07 21:30An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.
{
"affected": [],
"aliases": [
"CVE-2026-37554"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T16:16:31Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser\u0027s catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.",
"id": "GHSA-877p-g3p3-329r",
"modified": "2026-05-07T21:30:24Z",
"published": "2026-05-01T18:31:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/riebl/vanetza/security/advisories/GHSA-44qj-vh8c-5354"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37554"
},
{
"type": "WEB",
"url": "https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f"
},
{
"type": "WEB",
"url": "https://github.com/riebl/vanetza"
},
{
"type": "WEB",
"url": "https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp"
},
{
"type": "WEB",
"url": "https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-87MF-GV2C-C62C
Vulnerability from github – Published: 2026-06-19 06:31 – Updated: 2026-06-19 21:41Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ts-deepmerge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-12644"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:41:52Z",
"nvd_published_at": "2026-06-19T06:17:01Z",
"severity": "MODERATE"
},
"details": "Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken \u2014 any string context operation throws a TypeError, crashing the application.",
"id": "GHSA-87mf-gv2c-c62c",
"modified": "2026-06-19T21:41:52Z",
"published": "2026-06-19T06:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12644"
},
{
"type": "WEB",
"url": "https://github.com/voodoocreation/ts-deepmerge/commit/305a05831a462fb2c353d3cbbff55a0733286f8c"
},
{
"type": "WEB",
"url": "https://gist.github.com/igorg1312/775fa00114c4d47df6ae0551779ab407"
},
{
"type": "PACKAGE",
"url": "https://github.com/voodoocreation/ts-deepmerge"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-TSDEEPMERGE-17339141"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "ts-deepmerge: Prototype Method Override leads to DoS"
}
GHSA-8C5G-69WP-X3WV
Vulnerability from github – Published: 2025-06-06 09:30 – Updated: 2025-06-06 09:30Deserialization vulnerability in the IPC module Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2025-48907"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-06T07:15:26Z",
"severity": "MODERATE"
},
"details": "Deserialization vulnerability in the IPC module\nImpact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-8c5g-69wp-x3wv",
"modified": "2025-06-06T09:30:24Z",
"published": "2025-06-06T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48907"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8GV7-MMCH-W6H8
Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-13 21:30Uncaught exception for some Intel(R) CST software before version 8.7.10803 may allow an authenticated user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2024-29076"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-13T21:15:15Z",
"severity": "MODERATE"
},
"details": "Uncaught exception for some Intel(R) CST software before version 8.7.10803 may allow an authenticated user to potentially enable denial of service via local access.",
"id": "GHSA-8gv7-mmch-w6h8",
"modified": "2024-11-13T21:30:36Z",
"published": "2024-11-13T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29076"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8R4G-CG4M-X23C
Vulnerability from github – Published: 2021-09-22 18:22 – Updated: 2025-10-03 18:27All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-static"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.7.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-22T18:21:20Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access `http://host/%00` and crash the server.",
"id": "GHSA-8r4g-cg4m-x23c",
"modified": "2025-10-03T18:27:42Z",
"published": "2021-09-22T18:22:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11149"
},
{
"type": "WEB",
"url": "https://github.com/cloudhead/node-static/pull/213"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/6248"
},
{
"type": "PACKAGE",
"url": "https://github.com/cloudhead/node-static"
},
{
"type": "WEB",
"url": "https://github.com/cloudhead/node-static/blob/643a528ec7bbd05a59c4030655d94810570afb3f/CHANGES.md#-unreleased"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Denial of Service in node-static"
}
GHSA-8RF5-92JH-3VC9
Vulnerability from github – Published: 2021-05-13 22:31 – Updated: 2021-04-06 21:46OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.mikesamuel:json-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23900"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-06T21:46:21Z",
"nvd_published_at": "2021-01-13T16:15:00Z",
"severity": "HIGH"
},
"details": "OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.",
"id": "GHSA-8rf5-92jh-3vc9",
"modified": "2021-04-06T21:46:21Z",
"published": "2021-05-13T22:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23900"
},
{
"type": "WEB",
"url": "https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e"
},
{
"type": "WEB",
"url": "https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncaught Exception leading to Denial of Service in json-sanitizer"
}
GHSA-8RJ5-2857-877J
Vulnerability from github – Published: 2023-08-23 13:19 – Updated: 2024-09-27 15:46The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "json2xml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25024"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-23T13:19:55Z",
"nvd_published_at": "2023-08-22T19:16:22Z",
"severity": "HIGH"
},
"details": "The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.",
"id": "GHSA-8rj5-2857-877j",
"modified": "2024-09-27T15:46:25Z",
"published": "2023-08-23T13:19:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25024"
},
{
"type": "WEB",
"url": "https://github.com/vinitkumar/json2xml/issues/106"
},
{
"type": "WEB",
"url": "https://github.com/vinitkumar/json2xml/pull/107"
},
{
"type": "WEB",
"url": "https://github.com/vinitkumar/json2xml/pull/107/files"
},
{
"type": "WEB",
"url": "https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vinitkumar/json2xml"
},
{
"type": "WEB",
"url": "https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "json2xml Uncaught Exception vulnerability"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.