CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
422 vulnerabilities reference this CWE, most recent first.
GHSA-8RVJ-6HP5-GF5X
Vulnerability from github – Published: 2025-11-14 18:31 – Updated: 2025-11-14 18:31On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.153
{
"affected": [],
"aliases": [
"CVE-2025-8870"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-14T16:15:59Z",
"severity": "MODERATE"
},
"details": "On affected platforms running Arista EOS, certain serial console input might result in an unexpected reload of the device.153",
"id": "GHSA-8rvj-6hp5-gf5x",
"modified": "2025-11-14T18:31:39Z",
"published": "2025-11-14T18:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8870"
},
{
"type": "WEB",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22811-security-advisory-0125"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8XFF-473H-F863
Vulnerability from github – Published: 2024-02-21 00:00 – Updated: 2024-02-21 00:00The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.
Impact
A client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.
Patches
- Version 1.2.1 and later are not affected by this issue.
Workarounds
Concerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.
References
-
3527
- https://github.com/StarlaneStudios/Surrealist/issues/177
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.2.0"
},
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-21T00:00:54Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The span rendering would panic when handling failed parsing of queries where the error occurred on a line terminator character.\n\n### Impact\n\nA client that is authorized to run queries in a SurrealDB server is able to execute a malformed query which will fail to parse on a line terminator character and cause a panic in the span rendering code. This will crash the server, leading to denial of service.\n\n### Patches\n\n- Version 1.2.1 and later are not affected by this issue.\n\n### Workarounds\n\nConcerned users unable to update may want to limit the ability of untrusted users to run arbitrary SurrealQL queries in the affected versions of SurrealDB. To limit the impact of the denial of service, SurrealDB administrators may also want to ensure that the SurrealDB process is running so that it can be automatically re-started after a crash.\n\n### References\n\n- #3527\n- https://github.com/StarlaneStudios/Surrealist/issues/177",
"id": "GHSA-8xff-473h-f863",
"modified": "2024-02-21T00:00:54Z",
"published": "2024-02-21T00:00:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-8xff-473h-f863"
},
{
"type": "WEB",
"url": "https://github.com/StarlaneStudios/Surrealist/issues/177"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncaught Exception Handling Parsing Errors on Line Terminators"
}
GHSA-93Q9-3XPQ-2256
Vulnerability from github – Published: 2025-08-29 09:31 – Updated: 2025-08-29 09:31Uncaught exception issue exists in Multiple products in bizhub series. If a malformed file is imported as an S/MIME Email certificate, it may cause a denial-of-service issue that disable the Web Connection feature.
{
"affected": [],
"aliases": [
"CVE-2025-54777"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-29T07:15:32Z",
"severity": "MODERATE"
},
"details": "Uncaught exception issue exists in Multiple products in bizhub series. If a malformed file is imported as an S/MIME Email certificate, it may cause a denial-of-service issue that disable the Web Connection feature.",
"id": "GHSA-93q9-3xpq-2256",
"modified": "2025-08-29T09:31:24Z",
"published": "2025-08-29T09:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54777"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU99831542"
},
{
"type": "WEB",
"url": "https://www.konicaminolta.jp/business/support/important/250829_01_01.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-954H-PP6M-W6FR
Vulnerability from github – Published: 2025-02-13 00:33 – Updated: 2025-02-13 00:33Uncaught exception in OpenBMC Firmware for the Intel(R) Server M50FCP Family and Intel(R) Server D50DNP Family before version R01.02.0002 may allow an authenticated user to potentially enable denial of service via network access.
{
"affected": [],
"aliases": [
"CVE-2025-20097"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-12T22:15:41Z",
"severity": "MODERATE"
},
"details": "Uncaught exception in OpenBMC Firmware for the Intel(R) Server M50FCP Family and Intel(R) Server D50DNP Family before version R01.02.0002 may allow an authenticated user to potentially enable denial of service via network access.",
"id": "GHSA-954h-pp6m-w6fr",
"modified": "2025-02-13T00:33:07Z",
"published": "2025-02-13T00:33:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20097"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00990.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-95C3-QH99-CVF2
Vulnerability from github – Published: 2024-06-25 03:31 – Updated: 2024-07-02 21:32badmonkey, a Security Researcher has found a flaw that allows for a unauthenticated DoS attack on the camera. An attacker runs a crafted URL, nobody can access the web management page of the camera. and must manually restart the device or re-power it. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.
{
"affected": [],
"aliases": [
"CVE-2023-5038"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-25T03:15:09Z",
"severity": "HIGH"
},
"details": "badmonkey, a Security Researcher has found a flaw that allows for a unauthenticated DoS attack on the camera. An attacker runs a crafted URL, nobody can access the web management page of the camera. and must manually restart the device or re-power it. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer\u0027s report for details and workarounds.",
"id": "GHSA-95c3-qh99-cvf2",
"modified": "2024-07-02T21:32:06Z",
"published": "2024-06-25T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5038"
},
{
"type": "WEB",
"url": "https://www.hanwhavision.com/wp-content/uploads/2024/06/Camera-Vulnerability-Report-CVE-2023-5037-5038.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-95Q3-PPPP-R683
Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-11-01 22:33When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.mesos:mesos"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1330"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-01T22:33:40Z",
"nvd_published_at": "2018-09-13T19:29:00Z",
"severity": "HIGH"
},
"details": "When parsing a malformed JSON payload, libprocess in Apache Mesos versions 1.4.0 to 1.5.0 might crash due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash too because of the mistakenly planted assertion. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.",
"id": "GHSA-95q3-pppp-r683",
"modified": "2022-11-01T22:33:40Z",
"published": "2022-05-14T01:38:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1330"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/395cb6bcf367702acd1e580a1f39b56cdd7a5953d0368b4c1adb1dde@\u003cdev.mesos.apache.org\u003e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Crash when decoding malformed HTTP requests or malformed JSON payload"
}
GHSA-98FP-7V67-4V3Q
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 21:56A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the /api/v1/state endpoint of LightningApp. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pytorch-lightning"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8020"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T21:56:43Z",
"nvd_published_at": "2025-03-20T10:15:39Z",
"severity": "HIGH"
},
"details": "A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.",
"id": "GHSA-98fp-7v67-4v3q",
"modified": "2025-03-21T21:56:43Z",
"published": "2025-03-20T12:32:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8020"
},
{
"type": "PACKAGE",
"url": "https://github.com/Lightning-AI/pytorch-lightning"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "PyTorch Lightning denial of service vulnerability"
}
GHSA-98V9-3HQ2-88Q8
Vulnerability from github – Published: 2025-10-14 15:31 – Updated: 2025-10-14 15:31A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a crafted CIP unconnected explicit message is sent. This can result in a major non-recoverable fault.
{
"affected": [],
"aliases": [
"CVE-2025-9124"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T13:15:40Z",
"severity": "HIGH"
},
"details": "A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a crafted CIP unconnected explicit message is sent. This can result in a major non-recoverable fault.",
"id": "GHSA-98v9-3hq2-88q8",
"modified": "2025-10-14T15:31:27Z",
"published": "2025-10-14T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9124"
},
{
"type": "WEB",
"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1755.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-99F4-GRH7-6PCQ
Vulnerability from github – Published: 2026-06-11 13:27 – Updated: 2026-06-11 13:27Impact
An invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js
Patches
The following version have fixes for this vulnerability:
- 1.9.16
- 1.10.12
- 1.11.4
- 1.12.7
- 1.13.5
- 1.14.4
Workarounds
There is no workaround.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48069"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T13:27:44Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nAn invalid incoming compressed message can cause a client or server process to crash. This affects all clients and servers that use @grpc/grpc-js\n\n### Patches\nThe following version have fixes for this vulnerability:\n\n - 1.9.16\n - 1.10.12\n - 1.11.4\n - 1.12.7\n - 1.13.5\n - 1.14.4\n\n### Workarounds\nThere is no workaround.",
"id": "GHSA-99f4-grh7-6pcq",
"modified": "2026-06-11T13:27:44Z",
"published": "2026-06-11T13:27:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-99f4-grh7-6pcq"
},
{
"type": "PACKAGE",
"url": "https://github.com/grpc/grpc-node"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash"
}
GHSA-9HCF-V7M4-6M2J
Vulnerability from github – Published: 2025-05-28 19:42 – Updated: 2025-06-27 21:07Impact
A denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg, but for regex instead of a JSON schema.
Issue with more details: https://github.com/vllm-project/vllm/issues/17313
Patches
- https://github.com/vllm-project/vllm/pull/17623
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48943"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T19:42:12Z",
"nvd_published_at": "2025-05-30T19:15:30Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to [GHSA-6qc9-v4r8-22xg](https://github.com/vllm-project/vllm/security/advisories/GHSA-6qc9-v4r8-22xg), but for regex instead of a JSON schema.\n\nIssue with more details: https://github.com/vllm-project/vllm/issues/17313\n\n### Patches\n\n* https://github.com/vllm-project/vllm/pull/17623",
"id": "GHSA-9hcf-v7m4-6m2j",
"modified": "2025-06-27T21:07:04Z",
"published": "2025-05-28T19:42:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-9hcf-v7m4-6m2j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48943"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/issues/17313"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/17623"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-55.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM allows clients to crash the openai server with invalid regex"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.