Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

422 vulnerabilities reference this CWE, most recent first.

GHSA-827P-G5X5-H86C

Vulnerability from github – Published: 2026-03-17 18:37 – Updated: 2026-03-19 21:12
VLAI
Summary
Parse Server LiveQuery subscription with invalid regular expression crashes server
Details

Impact

A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.

Patches

The fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.

Workarounds

Disable LiveQuery if it is not needed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.6.0-alpha.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.43"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T18:37:30Z",
    "nvd_published_at": "2026-03-18T22:16:25Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.\n\n### Patches\n\nThe fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.\n\n### Workarounds\n\nDisable LiveQuery if it is not needed.",
  "id": "GHSA-827p-g5x5-h86c",
  "modified": "2026-03-19T21:12:58Z",
  "published": "2026-03-17T18:37:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32770"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/10199"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Parse Server LiveQuery subscription with invalid regular expression crashes server"
}

GHSA-83RC-2389-WCCM

Vulnerability from github – Published: 2026-02-10 21:31 – Updated: 2026-02-10 21:31
VLAI
Details

The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T21:16:01Z",
    "severity": "HIGH"
  },
  "details": "The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.",
  "id": "GHSA-83rc-2389-wccm",
  "modified": "2026-02-10T21:31:31Z",
  "published": "2026-02-10T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1507"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-84R8-W725-7J27

Vulnerability from github – Published: 2022-11-25 15:30 – Updated: 2022-11-30 21:30
VLAI
Details

In F?Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-25T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "In F?Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.",
  "id": "GHSA-84r8-w725-7j27",
  "modified": "2022-11-30T21:30:22Z",
  "published": "2022-11-25T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38166"
    },
    {
      "type": "WEB",
      "url": "https://www.f-secure.com/en/home/support/security-advisories/cve-2022-38166"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-877P-G3P3-329R

Vulnerability from github – Published: 2026-05-01 18:31 – Updated: 2026-05-07 21:30
VLAI
Details

An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-37554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T16:16:31Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser\u0027s catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.",
  "id": "GHSA-877p-g3p3-329r",
  "modified": "2026-05-07T21:30:24Z",
  "published": "2026-05-01T18:31:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/riebl/vanetza/security/advisories/GHSA-44qj-vh8c-5354"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37554"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/riebl/vanetza"
    },
    {
      "type": "WEB",
      "url": "https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-87MF-GV2C-C62C

Vulnerability from github – Published: 2026-06-19 06:31 – Updated: 2026-06-19 21:41
VLAI
Summary
ts-deepmerge: Prototype Method Override leads to DoS
Details

Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken — any string context operation throws a TypeError, crashing the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ts-deepmerge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-12644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:41:52Z",
    "nvd_published_at": "2026-06-19T06:17:01Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods (such as toString, valueOf). When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken \u2014 any string context operation throws a TypeError, crashing the application.",
  "id": "GHSA-87mf-gv2c-c62c",
  "modified": "2026-06-19T21:41:52Z",
  "published": "2026-06-19T06:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12644"
    },
    {
      "type": "WEB",
      "url": "https://github.com/voodoocreation/ts-deepmerge/commit/305a05831a462fb2c353d3cbbff55a0733286f8c"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/igorg1312/775fa00114c4d47df6ae0551779ab407"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/voodoocreation/ts-deepmerge"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-TSDEEPMERGE-17339141"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ts-deepmerge: Prototype Method Override leads to DoS"
}

GHSA-8C5G-69WP-X3WV

Vulnerability from github – Published: 2025-06-06 09:30 – Updated: 2025-06-06 09:30
VLAI
Details

Deserialization vulnerability in the IPC module Impact: Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-06T07:15:26Z",
    "severity": "MODERATE"
  },
  "details": "Deserialization vulnerability in the IPC module\nImpact: Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-8c5g-69wp-x3wv",
  "modified": "2025-06-06T09:30:24Z",
  "published": "2025-06-06T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48907"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2025/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8GV7-MMCH-W6H8

Vulnerability from github – Published: 2024-11-13 21:30 – Updated: 2024-11-13 21:30
VLAI
Details

Uncaught exception for some Intel(R) CST software before version 8.7.10803 may allow an authenticated user to potentially enable denial of service via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-29076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-13T21:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Uncaught exception for some Intel(R) CST software before version 8.7.10803 may allow an authenticated user to potentially enable denial of service via local access.",
  "id": "GHSA-8gv7-mmch-w6h8",
  "modified": "2024-11-13T21:30:36Z",
  "published": "2024-11-13T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29076"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8R4G-CG4M-X23C

Vulnerability from github – Published: 2021-09-22 18:22 – Updated: 2025-10-03 18:27
VLAI
Summary
Denial of Service in node-static
Details

All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-static"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.7.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-22T18:21:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "All versions of node-static are vulnerable to a Denial of Service. The package fails to catch an exception when user input includes null bytes. This allows attackers to access `http://host/%00` and crash the server.",
  "id": "GHSA-8r4g-cg4m-x23c",
  "modified": "2025-10-03T18:27:42Z",
  "published": "2021-09-22T18:22:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudhead/node-static/pull/213"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/6248"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudhead/node-static"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudhead/node-static/blob/643a528ec7bbd05a59c4030655d94810570afb3f/CHANGES.md#-unreleased"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-1297183"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Denial of Service in node-static"
}

GHSA-8RF5-92JH-3VC9

Vulnerability from github – Published: 2021-05-13 22:31 – Updated: 2021-04-06 21:46
VLAI
Summary
Uncaught Exception leading to Denial of Service in json-sanitizer
Details

OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.mikesamuel:json-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-06T21:46:21Z",
    "nvd_published_at": "2021-01-13T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.",
  "id": "GHSA-8rf5-92jh-3vc9",
  "modified": "2021-04-06T21:46:21Z",
  "published": "2021-05-13T22:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23900"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncaught Exception leading to Denial of Service in json-sanitizer"
}

GHSA-8RJ5-2857-877J

Vulnerability from github – Published: 2023-08-23 13:19 – Updated: 2024-09-27 15:46
VLAI
Summary
json2xml Uncaught Exception vulnerability
Details

The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "json2xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-23T13:19:55Z",
    "nvd_published_at": "2023-08-22T19:16:22Z",
    "severity": "HIGH"
  },
  "details": "The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.",
  "id": "GHSA-8rj5-2857-877j",
  "modified": "2024-09-27T15:46:25Z",
  "published": "2023-08-23T13:19:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25024"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vinitkumar/json2xml/issues/106"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vinitkumar/json2xml/pull/107"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vinitkumar/json2xml/pull/107/files"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vinitkumar/json2xml"
    },
    {
      "type": "WEB",
      "url": "https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "json2xml Uncaught Exception vulnerability"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.