CWE-754
Allowed-with-ReviewImproper Check for Unusual or Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
906 vulnerabilities reference this CWE, most recent first.
GHSA-JWCH-W7WH-GQJM
Vulnerability from github – Published: 2026-04-21 19:05 – Updated: 2026-04-24 21:11Summary
A fail-open request handling flaw in the UDR service causes the /nudr-dr/v2/policy-data/subs-to-notify POST handler to continue processing requests even after request body retrieval or deserialization errors.
This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior.
Details
The endpoint POST /nudr-dr/v2/policy-data/subs-to-notify is intended to create a Policy Data notification subscription only after the HTTP request body has been successfully read and parsed into a valid PolicyDataSubscription object. [file:93]
In the free5GC UDR implementation, the function HandlePolicyDataSubsToNotifyPost in NFs/udr/internal/sbi/api_datarepository.go does not terminate execution after input-processing failures. [file:93]
The request flow is:
- The handler calls
c.GetRawData()to read the HTTP request body. [file:93] - If
GetRawData()fails, the handler sends an HTTP 500 error response, but does not return. [file:93] - The handler then calls
openapi.Deserialize(policyDataSubscription, reqBody, "application/json"). [file:93] - If deserialization fails, the handler sends an HTTP 400 error response, but again does not return. [file:93]
- Execution continues and the handler still invokes
s.Processor().PolicyDataSubsToNotifyPostProcedure(c,policyDataSubscription). [file:93]
As a result, the endpoint operates in a fail-open manner: request processing may continue after fatal input validation or body handling errors, instead of being safely aborted. [file:93]
This differs from safer handlers in the same file, which use a helper pattern that explicitly returns on body read or deserialization failure before calling the corresponding processor routine. [file:93]
Security Impact
This issue affects a write-capable API that creates Policy Data notification subscriptions. [file:93]
Because execution continues after body read or parsing failure, the processor may receive an uninitialized, partially initialized, or otherwise unintended PolicyDataSubscription object. [file:93]
The exact runtime impact depends on downstream processor behavior and storage validation. [file:93]
At minimum, this is a security-relevant robustness flaw that can lead to inconsistent request handling; under certain runtime conditions it may allow creation of invalid or unintended subscription state. [file:93]
Reproduction Status
The code path has been statically confirmed. [file:93] A complete runtime proof of unintended subscription creation after GetRawData() or deserialization failure has not yet been established. [file:93]
Patch
The handler should immediately terminate after sending an error response for body read or deserialization failure. [file:93]
A minimal fix is to add missing return statements in HandlePolicyDataSubsToNotifyPost:
reqBody, err := c.GetRawData()
if err != nil {
logger.DataRepoLog.Errorf("Get Request Body error: %+v", err)
pd := openapi.ProblemDetailsSystemFailure(err.Error())
c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
c.JSON(http.StatusInternalServerError, pd)
return
}
err = openapi.Deserialize(&policyDataSubscription, reqBody, "application/json")
if err != nil {
logger.DataRepoLog.Errorf("Deserialize Request Body error: %+v", err)
pd := util.ProblemDetailsMalformedReqSyntax(err.Error())
c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
c.JSON(http.StatusBadRequest, pd)
return
}
Additionally, the deserialization call should pass a pointer to the destination object so that the parsed body is written into the intended structure. [file:93]
Details
The issue is compounded by the handler's deserialization call, which passes
policyDataSubscription directly to openapi.Deserialize(...) instead of
passing a pointer to the destination object. This inconsistent usage further
increases the risk that request processing continues with an empty, partially
initialized, or otherwise unintended subscription object. [file:93]
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/udr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40343"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T19:05:18Z",
"nvd_published_at": "2026-04-22T00:16:27Z",
"severity": "MODERATE"
},
"details": "### Summary\nA fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors.\n\nThis may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior.\n\n### Details\nThe endpoint `POST /nudr-dr/v2/policy-data/subs-to-notify` is intended to create a Policy Data notification subscription only after the HTTP request body has been successfully read and parsed into a valid `PolicyDataSubscription` object. [file:93]\n\nIn the free5GC UDR implementation, the function `HandlePolicyDataSubsToNotifyPost` in `NFs/udr/internal/sbi/api_datarepository.go` does not terminate execution after input-processing failures. [file:93]\n\nThe request flow is:\n\n1. The handler calls `c.GetRawData()` to read the HTTP request body. [file:93]\n2. If `GetRawData()` fails, the handler sends an HTTP 500 error response, but **does not return**. [file:93]\n3. The handler then calls `openapi.Deserialize(policyDataSubscription, reqBody, \"application/json\")`. [file:93]\n4. If deserialization fails, the handler sends an HTTP 400 error response, but again **does not return**. [file:93]\n5. Execution continues and the handler still invokes `s.Processor().PolicyDataSubsToNotifyPostProcedure(c,policyDataSubscription)`. [file:93]\n\nAs a result, the endpoint operates in a fail-open manner: request processing may continue after fatal input validation or body handling errors, instead of being safely aborted. [file:93]\n\nThis differs from safer handlers in the same file, which use a helper pattern that explicitly returns on body read or deserialization failure before calling the corresponding processor routine. [file:93]\n\n### Security Impact\nThis issue affects a write-capable API that creates Policy Data notification subscriptions. [file:93] \nBecause execution continues after body read or parsing failure, the processor may receive an uninitialized, partially initialized, or otherwise unintended `PolicyDataSubscription` object. [file:93]\n\nThe exact runtime impact depends on downstream processor behavior and storage validation. [file:93] \nAt minimum, this is a security-relevant robustness flaw that can lead to inconsistent request handling; under certain runtime conditions it may allow creation of invalid or unintended subscription state. [file:93]\n\n### Reproduction Status\nThe code path has been statically confirmed. [file:93] A complete runtime proof of unintended subscription creation after `GetRawData()` or deserialization failure has not yet been established. [file:93]\n\n### Patch\nThe handler should immediately terminate after sending an error response for body read or deserialization failure. [file:93]\n\nA minimal fix is to add missing `return` statements in `HandlePolicyDataSubsToNotifyPost`:\n\n```go\nreqBody, err := c.GetRawData()\nif err != nil {\n logger.DataRepoLog.Errorf(\"Get Request Body error: %+v\", err)\n pd := openapi.ProblemDetailsSystemFailure(err.Error())\n c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)\n c.JSON(http.StatusInternalServerError, pd)\n return\n}\n\nerr = openapi.Deserialize(\u0026policyDataSubscription, reqBody, \"application/json\")\nif err != nil {\n logger.DataRepoLog.Errorf(\"Deserialize Request Body error: %+v\", err)\n pd := util.ProblemDetailsMalformedReqSyntax(err.Error())\n c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)\n c.JSON(http.StatusBadRequest, pd)\n return\n}\n```\nAdditionally, the deserialization call should pass a pointer to the destination\nobject so that the parsed body is written into the intended structure. [file:93]\n\n###Details\nThe issue is compounded by the handler\u0027s deserialization call, which passes\n`policyDataSubscription` directly to `openapi.Deserialize(...)` instead of\npassing a pointer to the destination object. This inconsistent usage further\nincreases the risk that request processing continues with an empty, partially\ninitialized, or otherwise unintended subscription object. [file:93]",
"id": "GHSA-jwch-w7wh-gqjm",
"modified": "2026-04-24T21:11:11Z",
"published": "2026-04-21T19:05:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40343"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/free5gc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation"
}
GHSA-JX5X-3WF9-9RHG
Vulnerability from github – Published: 2026-05-07 15:38 – Updated: 2026-06-30 03:36Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox ESR 140.10.2 and Firefox ESR 115.35.2.
{
"affected": [],
"aliases": [
"CVE-2026-8091"
],
"database_specific": {
"cwe_ids": [
"CWE-754",
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-07T13:16:14Z",
"severity": "CRITICAL"
},
"details": "Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox ESR 140.10.2 and Firefox ESR 115.35.2.",
"id": "GHSA-jx5x-3wf9-9rhg",
"modified": "2026-06-30T03:36:33Z",
"published": "2026-05-07T15:38:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8091"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-8091"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2029301"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467699"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-8091.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-30"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-36"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-39"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-41"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-42"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M2R3-8492-VX59
Vulnerability from github – Published: 2021-10-06 17:47 – Updated: 2021-10-06 15:13All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mongo-express"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.54.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23372"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-06T15:13:57Z",
"nvd_published_at": "2021-04-13T20:15:00Z",
"severity": "MODERATE"
},
"details": "All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.",
"id": "GHSA-m2r3-8492-vx59",
"modified": "2021-10-06T15:13:57Z",
"published": "2021-10-06T17:47:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23372"
},
{
"type": "PACKAGE",
"url": "https://github.com/mongo-express/mongo-express"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-1085403"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service (DoS) in mongo-express"
}
GHSA-M3FH-QQV6-HGXX
Vulnerability from github – Published: 2024-08-22 09:30 – Updated: 2024-08-23 18:33Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict the input in POST /api/v4/users which allows a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older.
{
"affected": [],
"aliases": [
"CVE-2024-42411"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T07:15:04Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0, 9.8.x \u003c= 9.8.2 fail to restrict the input in POST /api/v4/users which allows\u00a0a user to manipulate the creation date in POST /api/v4/users tricking the admin into believing their account is much older.",
"id": "GHSA-m3fh-qqv6-hgxx",
"modified": "2024-08-23T18:33:00Z",
"published": "2024-08-22T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42411"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M3M6-H5X2-MHF5
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a logic error that occurs when an affected device inspects certain DNS packets. An attacker could exploit this vulnerability by sending crafted DNS packets through an affected device that is performing NAT for DNS packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition on an affected device. The vulnerability can be exploited only by traffic that is sent through an affected device via IPv4 packets. The vulnerability cannot be exploited via IPv6 traffic.
{
"affected": [],
"aliases": [
"CVE-2021-1446"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-24T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a logic error that occurs when an affected device inspects certain DNS packets. An attacker could exploit this vulnerability by sending crafted DNS packets through an affected device that is performing NAT for DNS packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition on an affected device. The vulnerability can be exploited only by traffic that is sent through an affected device via IPv4 packets. The vulnerability cannot be exploited via IPv6 traffic.",
"id": "GHSA-m3m6-h5x2-mhf5",
"modified": "2022-05-24T17:45:15Z",
"published": "2022-05-24T17:45:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1446"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-alg-dos-hbBS7SZE"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M4HF-J54P-P353
Vulnerability from github – Published: 2022-02-10 00:19 – Updated: 2024-11-13 22:12Impact
The implementation of shape inference for ConcatV2 can be used to trigger a denial of service attack via a segfault caused by a type confusion:
import tensorflow as tf
@tf.function
def test():
y = tf.raw_ops.ConcatV2(
values=[[1,2,3],[4,5,6]],
axis = 0xb500005b)
return y
test()
The axis argument is translated into concat_dim in the ConcatShapeHelper helper function. Then, a value for min_rank is computed based on concat_dim. This is then used to validate that the values tensor has at least the required rank:
int64_t concat_dim;
if (concat_dim_t->dtype() == DT_INT32) {
concat_dim = static_cast<int64_t>(concat_dim_t->flat<int32>()(0));
} else {
concat_dim = concat_dim_t->flat<int64_t>()(0);
}
// Minimum required number of dimensions.
const int min_rank = concat_dim < 0 ? -concat_dim : concat_dim + 1;
// ...
ShapeHandle input = c->input(end_value_index - 1);
TF_RETURN_IF_ERROR(c->WithRankAtLeast(input, min_rank, &input));
However, WithRankAtLeast receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented:
Status InferenceContext::WithRankAtLeast(ShapeHandle shape, int64_t rank,
ShapeHandle* out) {
if (rank > kint32max) {
return errors::InvalidArgument("Rank cannot exceed kint32max");
}
// ...
}
Due to the fact that min_rank is a 32-bits value and the value of axis, the rank argument is a negative value, so the error check is bypassed.
Patches
We have patched the issue in GitHub commit 08d7b00c0a5a20926363849f611729f53f3ec022.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
}
],
"aliases": [
"CVE-2022-21731"
],
"database_specific": {
"cwe_ids": [
"CWE-754",
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-03T19:01:09Z",
"nvd_published_at": "2022-02-03T12:15:00Z",
"severity": "HIGH"
},
"details": "### Impact \nThe [implementation of shape inference for `ConcatV2`](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/common_shape_fns.cc#L1961-L2059) can be used to trigger a denial of service attack via a segfault caused by a type confusion:\n\n```python\nimport tensorflow as tf\n\n@tf.function\ndef test():\n y = tf.raw_ops.ConcatV2(\n values=[[1,2,3],[4,5,6]],\n axis = 0xb500005b)\n return y\n\ntest()\n```\n\nThe `axis` argument is translated into `concat_dim` in the `ConcatShapeHelper` helper function. Then, a value for `min_rank` is computed based on `concat_dim`. This is then used to validate that the `values` tensor has at least the required rank:\n\n```cc\n int64_t concat_dim;\n if (concat_dim_t-\u003edtype() == DT_INT32) {\n concat_dim = static_cast\u003cint64_t\u003e(concat_dim_t-\u003eflat\u003cint32\u003e()(0));\n } else {\n concat_dim = concat_dim_t-\u003eflat\u003cint64_t\u003e()(0);\n }\n\n // Minimum required number of dimensions.\n const int min_rank = concat_dim \u003c 0 ? -concat_dim : concat_dim + 1;\n\n // ...\n ShapeHandle input = c-\u003einput(end_value_index - 1);\n TF_RETURN_IF_ERROR(c-\u003eWithRankAtLeast(input, min_rank, \u0026input));\n```\n\nHowever, [`WithRankAtLeast`](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/shape_inference.cc#L345-L358) receives the lower bound as a 64-bits value and then compares it against the maximum 32-bits integer value that could be represented:\n\n```cc\nStatus InferenceContext::WithRankAtLeast(ShapeHandle shape, int64_t rank,\n ShapeHandle* out) {\n if (rank \u003e kint32max) {\n return errors::InvalidArgument(\"Rank cannot exceed kint32max\");\n }\n // ...\n}\n```\n\nDue to the fact that `min_rank` is a 32-bits value and the value of `axis`, the `rank` argument is a [negative value](https://godbolt.org/z/Gcr5haMob), so the error check is bypassed.\n\n### Patches\nWe have patched the issue in GitHub commit [08d7b00c0a5a20926363849f611729f53f3ec022](https://github.com/tensorflow/tensorflow/commit/08d7b00c0a5a20926363849f611729f53f3ec022).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Yu Tian of Qihoo 360 AIVul Team.",
"id": "GHSA-m4hf-j54p-p353",
"modified": "2024-11-13T22:12:12Z",
"published": "2022-02-10T00:19:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-m4hf-j54p-p353"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21731"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/08d7b00c0a5a20926363849f611729f53f3ec022"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-55.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-110.yaml"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/common_shape_fns.cc#L1961-L2059"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/framework/shape_inference.cc#L345-L358"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Type confusion leading to segfault in Tensorflow"
}
GHSA-M5QM-C3VM-J6HM
Vulnerability from github – Published: 2022-05-14 01:03 – Updated: 2025-04-20 03:43In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files.
{
"affected": [],
"aliases": [
"CVE-2017-13142"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-23T06:29:00Z",
"severity": "MODERATE"
},
"details": "In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files.",
"id": "GHSA-m5qm-c3vm-j6hm",
"modified": "2025-04-20T03:43:44Z",
"published": "2022-05-14T01:03:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13142"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/46e3aabbf8d59a1bdebdbb65acb9b9e0484577d3"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/aa84944b405acebbeefe871d0f64969b9e9f31ac"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870105"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201711-07"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M5VF-RP25-854P
Vulnerability from github – Published: 2023-07-25 09:30 – Updated: 2024-04-04 06:20Knud from Fraktal.fi has found a flaw in some Axis Network Door Controllers and Axis Network Intercoms when communicating over OSDP, highlighting that the OSDP message parser crashes the pacsiod process, causing a temporary unavailability of the door-controlling functionalities meaning that doors cannot be opened or closed. No sensitive or customer data can be extracted as the Axis device is not further compromised. Please refer to the Axis security advisory for more information, mitigation and affected products and software versions.
{
"affected": [],
"aliases": [
"CVE-2023-21405"
],
"database_specific": {
"cwe_ids": [
"CWE-1286",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-25T08:15:09Z",
"severity": "MODERATE"
},
"details": "\nKnud from Fraktal.fi has found a flaw in some Axis Network Door Controllers and Axis Network\nIntercoms when communicating over OSDP, highlighting that the OSDP message parser crashes\nthe pacsiod process, causing a temporary unavailability of the door-controlling functionalities\nmeaning that doors cannot be opened or closed. No sensitive or customer data can be extracted\nas the Axis device is not further compromised. Please refer to the Axis security advisory for more information, mitigation and affected products and software versions.",
"id": "GHSA-m5vf-rp25-854p",
"modified": "2024-04-04T06:20:47Z",
"published": "2023-07-25T09:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21405"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/7f/3a/ed/cve-2023-21405-en-US-407244.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M6VX-PMX5-G2WV
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2022-05-24 16:46A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a possible denial of service when writing sensitive application variables to the controller over Modbus.
{
"affected": [],
"aliases": [
"CVE-2019-6807"
],
"database_specific": {
"cwe_ids": [
"CWE-754",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-22T21:29:00Z",
"severity": "HIGH"
},
"details": "A CWE-248: Uncaught Exception vulnerability exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum, and Modicon Premium which could cause a possible denial of service when writing sensitive application variables to the controller over Modbus.",
"id": "GHSA-m6vx-pmx5-g2wv",
"modified": "2022-05-24T16:46:17Z",
"published": "2022-05-24T16:46:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6807"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2019-134-11"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0770"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M744-JHQ9-PPW6
Vulnerability from github – Published: 2026-06-19 20:46 – Updated: 2026-06-19 20:46Impact
A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.
Preconditions
The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
Only allow authenticated writes to a topic
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "CoreWCF.Kafka"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "CoreWCF.Kafka"
},
"ranges": [
{
"events": [
{
"introduced": "1.9.0"
},
{
"fixed": "1.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54775"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-754",
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T20:46:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nA CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic.\n\n#### Preconditions\nThe attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, no authentication is required. \n\n### Patches\nFixed in CoreWCF v1.8.1 and v1.9.1\n\n### Workarounds\nOnly allow authenticated writes to a topic",
"id": "GHSA-m744-jhq9-ppw6",
"modified": "2026-06-19T20:46:49Z",
"published": "2026-06-19T20:46:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-m744-jhq9-ppw6"
},
{
"type": "PACKAGE",
"url": "https://github.com/CoreWCF/CoreWCF"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service."
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.