CWE-440
Expected Behavior Violation
A feature, API, or function does not perform according to its specification.
CVE-2025-46712 (GCVE-0-2025-46712)
Vulnerability from cvelistv5 – Published: 2025-05-08 19:26 – Updated: 2026-01-12 14:40
VLAI
Title
Erlang/OTP SSH Has Strict KEX Violations
Summary
Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25).
Severity
CWE
- CWE-440 - Expected Behavior Violation
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/erlang/otp/security/advisories… | x_refsource_CONFIRM |
| https://github.com/erlang/otp/commit/e4b56a9f4a51… | x_refsource_MISC |
| https://github.com/erlang/otp/releases/tag/OTP-25… | x_refsource_MISC |
| https://github.com/erlang/otp/releases/tag/OTP-26… | x_refsource_MISC |
| https://github.com/erlang/otp/releases/tag/OTP-27.3.4 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T20:02:52.990837Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T20:03:27.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "otp",
"vendor": "erlang",
"versions": [
{
"status": "affected",
"version": "\u003e= OTP 27.0, \u003c OTP 27.3.4"
},
{
"status": "affected",
"version": "\u003e= OTP 26.2.1, \u003c OTP 26.2.5.12"
},
{
"status": "affected",
"version": "\u003c OTP 25.3.2.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This allows a Man-in-the-Middle attacker to inject these messages in a connection during the handshake. This issue has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for OTP-26), and OTP-25.3.2.21 (for OTP-25)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440: Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-12T14:40:27.446Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/erlang/otp/security/advisories/GHSA-934x-xq38-hhqf"
},
{
"name": "https://github.com/erlang/otp/commit/e4b56a9f4a511aa9990dd86c16c61439c828df83",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/commit/e4b56a9f4a511aa9990dd86c16c61439c828df83"
},
{
"name": "https://github.com/erlang/otp/releases/tag/OTP-25.3.2.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/releases/tag/OTP-25.3.2.21"
},
{
"name": "https://github.com/erlang/otp/releases/tag/OTP-26.2.5.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.5.12"
},
{
"name": "https://github.com/erlang/otp/releases/tag/OTP-27.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erlang/otp/releases/tag/OTP-27.3.4"
}
],
"source": {
"advisory": "GHSA-934x-xq38-hhqf",
"discovery": "UNKNOWN"
},
"title": "Erlang/OTP SSH Has Strict KEX Violations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46712",
"datePublished": "2025-05-08T19:26:27.563Z",
"dateReserved": "2025-04-28T20:56:09.082Z",
"dateUpdated": "2026-01-12T14:40:27.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52953 (GCVE-0-2025-52953)
Vulnerability from cvelistv5 – Published: 2025-07-11 15:04 – Updated: 2025-07-11 20:11
VLAI
Title
Junos OS and Junos OS Evolved: An unauthenticated adjacent attacker sending a valid BGP UPDATE packet forces a BGP session reset
Summary
An Expected Behavior Violation vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS).
Continuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.
This issue affects iBGP and eBGP and both IPv4 and IPv6 are affected by this vulnerability.
This issue affects Junos OS:
* All versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S11,
* from 22.2 before 22.2R3-S7,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S4,
* from 24.2 before 24.2R2,
* from 24.4 before 24.4R1-S3, 24.4R2
Junos OS Evolved:
* All versions before 22.2R3-S7-EVO,
* from 22.4-EVO before 22.4R3-S7-EVO,
* from 23.2-EVO before 23.2R2-S4-EVO,
* from 23.4-EVO before 23.4R2-S4-EVO,
* from 24.2-EVO before 24.2R2-EVO,
* from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.
Severity
CWE
- CWE-440 - Expected Behavior Violation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://supportportal.juniper.net/JSA100059 | vendor-advisory |
| https://www.juniper.net/documentation/us/en/softw… | technical-description |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Affected:
0 , < 21.2R3-S9
(semver)
Affected: 21.4 , < 21.4R3-S11 (semver) Affected: 22.2 , < 22.2R3-S7 (semver) Affected: 22.4 , < 22.4R3-S7 (semver) Affected: 23.2 , < 23.2R2-S4 (semver) Affected: 23.4 , < 23.4R2-S4 (semver) Affected: 24.2 , < 24.2R2 (semver) Affected: 24.4 , < 24.4R1-S3, 24.4R2 (semver) |
|
| Juniper Networks | Junos OS Evolved |
Affected:
0 , < 22.2R3-S7-EVO
(semver)
Affected: 22.4-EVO , < 22.4R3-S7-EVO (semver) Affected: 23.2-EVO , < 23.2R2-S4-EVO (semver) Affected: 23.4-EVO , < 23.4R2-S4-EVO (semver) Affected: 24.2-EVO , < 24.2R2-EVO (semver) Affected: 24.4-EVO , < 24.4R1-S3-EVO, 24.4R2-EVO (semver) |
Date Public
2025-07-09 16:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T20:11:16.564518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T20:11:26.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"bgp"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "21.2R3-S9",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "21.4R3-S11",
"status": "affected",
"version": "21.4",
"versionType": "semver"
},
{
"lessThan": "22.2R3-S7",
"status": "affected",
"version": "22.2",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S7",
"status": "affected",
"version": "22.4",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4",
"status": "affected",
"version": "23.2",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S4",
"status": "affected",
"version": "23.4",
"versionType": "semver"
},
{
"lessThan": "24.2R2",
"status": "affected",
"version": "24.2",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3, 24.4R2",
"status": "affected",
"version": "24.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"bgp"
],
"product": "Junos OS Evolved",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "22.2R3-S7-EVO",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "22.4R3-S7-EVO",
"status": "affected",
"version": "22.4-EVO",
"versionType": "semver"
},
{
"lessThan": "23.2R2-S4-EVO",
"status": "affected",
"version": "23.2-EVO",
"versionType": "semver"
},
{
"lessThan": "23.4R2-S4-EVO",
"status": "affected",
"version": "23.4-EVO",
"versionType": "semver"
},
{
"lessThan": "24.2R2-EVO",
"status": "affected",
"version": "24.2-EVO",
"versionType": "semver"
},
{
"lessThan": "24.4R1-S3-EVO, 24.4R2-EVO",
"status": "affected",
"version": "24.4-EVO",
"versionType": "semver"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "One of the following minimal configurations is necessary to be exposed to this issue:\u003cbr\u003e\u003ctt\u003e\u0026nbsp; [protocols bgp group \u0026lt;group-name\u0026gt; neighbor \u003cspan style=\"background-color: rgba(245, 248, 255, 0.5);\"\u003e\u0026lt;peer-ip-address\u0026gt;\u003c/span\u003e\u0026nbsp;family inet6-vpn unicast]\u003cbr\u003e\u003c/tt\u003eor\u003cbr\u003e\u003ctt\u003e\u0026nbsp; [protocols bgp group \u0026lt;group-name\u0026gt; family inet6-vpn unicast]\u003cbr\u003eor\u003cbr\u003e\u003c/tt\u003e\u003ctt\u003e\u0026nbsp; [protocols bgp family inet6-vpn unicast]\u003c/tt\u003e"
}
],
"value": "One of the following minimal configurations is necessary to be exposed to this issue:\n\u00a0 [protocols bgp group \u003cgroup-name\u003e neighbor \u003cpeer-ip-address\u003e\u00a0family inet6-vpn unicast]\nor\n\u00a0 [protocols bgp group \u003cgroup-name\u003e family inet6-vpn unicast]\nor\n\u00a0 [protocols bgp family inet6-vpn unicast]"
}
],
"datePublic": "2025-07-09T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Expected Behavior Violation\u0026nbsp;vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS).\u0026nbsp;\u003cbr\u003e\u003cbr\u003eContinuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\u003cbr\u003e\u003cbr\u003eThis issue affects iBGP and eBGP and both IPv4 and IPv6 are affected by this vulnerability.\u003cbr\u003e\u003cbr\u003eThis issue affects Junos OS:\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll versions before 21.2R3-S9,\u003c/li\u003e\u003cli\u003efrom 21.4 before 21.4R3-S11,\u003c/li\u003e\u003cli\u003efrom 22.2 before 22.2R3-S7,\u003c/li\u003e\u003cli\u003efrom 22.4 before 22.4R3-S7,\u003c/li\u003e\u003cli\u003efrom 23.2 before 23.2R2-S4,\u003c/li\u003e\u003cli\u003efrom 23.4 before 23.4R2-S4,\u003c/li\u003e\u003cli\u003efrom 24.2 before 24.2R2,\u003c/li\u003e\u003cli\u003efrom 24.4 before 24.4R1-S3, 24.4R2\u003c/li\u003e\u003c/ul\u003eJunos OS Evolved:\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eAll versions before 22.2R3-S7-EVO,\u003c/li\u003e\u003cli\u003efrom 22.4-EVO before 22.4R3-S7-EVO,\u003c/li\u003e\u003cli\u003efrom 23.2-EVO before 23.2R2-S4-EVO,\u003c/li\u003e\u003cli\u003efrom 23.4-EVO before 23.4R2-S4-EVO,\u003c/li\u003e\u003cli\u003efrom 24.2-EVO before 24.2R2-EVO,\u003c/li\u003e\u003cli\u003efrom 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "An Expected Behavior Violation\u00a0vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS).\u00a0\n\nContinuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\nThis issue affects iBGP and eBGP and both IPv4 and IPv6 are affected by this vulnerability.\n\nThis issue affects Junos OS:\n\n\n * All versions before 21.2R3-S9,\n * from 21.4 before 21.4R3-S11,\n * from 22.2 before 22.2R3-S7,\n * from 22.4 before 22.4R3-S7,\n * from 23.2 before 23.2R2-S4,\n * from 23.4 before 23.4R2-S4,\n * from 24.2 before 24.2R2,\n * from 24.4 before 24.4R1-S3, 24.4R2\n\n\nJunos OS Evolved:\n\n\n\n * All versions before 22.2R3-S7-EVO,\n * from 22.4-EVO before 22.4R3-S7-EVO,\n * from 23.2-EVO before 23.2R2-S4-EVO,\n * from 23.4-EVO before 23.4R2-S4-EVO,\n * from 24.2-EVO before 24.2R2-EVO,\n * from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "AUTOMATIC",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440 Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T15:04:55.140Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://supportportal.juniper.net/JSA100059"
},
{
"tags": [
"technical-description"
],
"url": "https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/task/routing-protocol-bgp-security-configuring.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The following software releases have been updated to resolve this specific issue:\u003cbr\u003eJunos OS: 21.2R3-S9, 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S4, 24.2R2, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases.\u003cbr\u003eJunos OS Evolved: 22.2R3-S7-EVO, 22.4R3-S7-EVO, 23.2R2-S4-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO,\u0026nbsp;and all subsequent releases.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "The following software releases have been updated to resolve this specific issue:\nJunos OS: 21.2R3-S9, 21.4R3-S11, 22.2R3-S7, 22.4R3-S7, 23.2R2-S4, 23.4R2-S4, 24.2R2, 24.4R1-S3, 24.4R2, 25.2R1, and all subsequent releases.\nJunos OS Evolved: 22.2R3-S7-EVO, 22.4R3-S7-EVO, 23.2R2-S4-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-S3-EVO, 24.4R2-EVO, 25.2R1-EVO,\u00a0and all subsequent releases."
}
],
"source": {
"advisory": "JSA100059",
"defect": [
"1855477"
],
"discovery": "USER"
},
"title": "Junos OS and Junos OS Evolved: An unauthenticated adjacent attacker sending a valid BGP UPDATE packet forces a BGP session reset",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There are no known workarounds for this issue."
}
],
"value": "There are no known workarounds for this issue."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2025-52953",
"datePublished": "2025-07-11T15:04:55.140Z",
"dateReserved": "2025-06-23T13:16:01.409Z",
"dateUpdated": "2025-07-11T20:11:26.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6211 (GCVE-0-2025-6211)
Vulnerability from cvelistv5 – Published: 2025-07-10 13:04 – Updated: 2025-07-10 15:13
VLAI
Title
MD5 Hash Collision in run-llama/llama_index
Summary
A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to version 0.12.28, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1.
Severity
6.5 (Medium)
CWE
- CWE-440 - Expected Behavior Violation
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| run-llama | run-llama/llama_index |
Affected:
unspecified , < 0.3.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T15:13:09.766316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T15:13:12.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/1a48a011-a3c5-4979-9ffc-9652280bc389"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "run-llama/llama_index",
"vendor": "run-llama",
"versions": [
{
"lessThan": "0.3.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to version 0.12.28, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440 Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T13:04:34.401Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/1a48a011-a3c5-4979-9ffc-9652280bc389"
},
{
"url": "https://github.com/run-llama/llama_index/commit/29b2e07e64ed7d302b1cc058185560b28eaa1352"
}
],
"source": {
"advisory": "1a48a011-a3c5-4979-9ffc-9652280bc389",
"discovery": "EXTERNAL"
},
"title": "MD5 Hash Collision in run-llama/llama_index"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-6211",
"datePublished": "2025-07-10T13:04:34.401Z",
"dateReserved": "2025-06-17T17:36:01.333Z",
"dateUpdated": "2025-07-10T15:13:12.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8850 (GCVE-0-2025-8850)
Vulnerability from cvelistv5 – Published: 2025-10-30 19:59 – Updated: 2025-11-05 14:57
VLAI
Title
Insecure API Design in danny-avila/librechat
Summary
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint '/api/auth/2fa/disable' is directly accessed. This flaw can be exploited by authenticated users to weaken the security of their own accounts, although it does not lead to full account compromise.
Severity
CWE
- CWE-440 - Expected Behavior Violation
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| danny-avila | danny-avila/librechat |
Affected:
unspecified , < v0.8.0-rc2
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T14:57:10.072224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T14:57:26.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "danny-avila/librechat",
"vendor": "danny-avila",
"versions": [
{
"lessThan": "v0.8.0-rc2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint \u0027/api/auth/2fa/disable\u0027 is directly accessed. This flaw can be exploited by authenticated users to weaken the security of their own accounts, although it does not lead to full account compromise."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440 Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-30T19:59:36.327Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/8e615709-f4de-41e2-b194-f0d91ed7c75e"
},
{
"url": "https://github.com/danny-avila/librechat/commit/7e4c8a5d0d2dbe5bf8fd272ff6acafb27d24744f"
}
],
"source": {
"advisory": "8e615709-f4de-41e2-b194-f0d91ed7c75e",
"discovery": "EXTERNAL"
},
"title": "Insecure API Design in danny-avila/librechat"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-8850",
"datePublished": "2025-10-30T19:59:36.327Z",
"dateReserved": "2025-08-10T19:01:03.291Z",
"dateUpdated": "2025-11-05T14:57:26.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3344 (GCVE-0-2026-3344)
Vulnerability from cvelistv5 – Published: 2026-03-03 13:17 – Updated: 2026-03-04 15:22
VLAI
Title
WatchGuard Firebox System Integrity Check Bypass
Summary
A vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS filesystem integrity check and maintain limited persistence via a maliciously-crafted firmware update package.This issue affects Fireware OS 12.0 up to and including 12.11.7, 12.5.9 up to and including 12.5.16, and 2025.1 up to and including 2026.1.1.
Severity
CWE
- CWE-440 - Expected Behavior Violation
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WatchGuard | Fireware OS |
Affected:
12.0 , ≤ 12.11.7
(semver)
Affected: 12.5.9 , ≤ 12.5.16 (semver) Affected: 2025.1 , ≤ 2026.1.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T14:29:44.659550Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T14:39:58.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fireware OS",
"vendor": "WatchGuard",
"versions": [
{
"lessThanOrEqual": "12.11.7",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "12.5.16",
"status": "affected",
"version": "12.5.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "2026.1.1",
"status": "affected",
"version": "2025.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.0",
"versionEndIncluding": "12.11.7",
"versionStartIncluding": "12.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:12.5.9",
"versionEndIncluding": "12.5.16",
"versionStartIncluding": "12.5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:watchguard:fireware_os:*:*:*:*:*:*:*:2025.1",
"versionEndIncluding": "2026.1.1",
"versionStartIncluding": "2025.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS filesystem integrity check and maintain limited persistence via a maliciously-crafted firmware update package.\u003cp\u003eThis issue affects Fireware OS 12.0 up to and including 12.11.7, 12.5.9 up to and including 12.5.16, and 2025.1 up to and including 2026.1.1.\u003c/p\u003e"
}
],
"value": "A vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS filesystem integrity check and maintain limited persistence via a maliciously-crafted firmware update package.This issue affects Fireware OS 12.0 up to and including 12.11.7, 12.5.9 up to and including 12.5.16, and 2025.1 up to and including 2026.1.1."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WatchGuard is not aware of any exploitation of this issue in the wild.\u003cbr\u003e"
}
],
"value": "WatchGuard is not aware of any exploitation of this issue in the wild."
}
],
"impacts": [
{
"capecId": "CAPEC-184",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-184 Software Integrity Attack"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440: Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T15:22:41.878Z",
"orgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"shortName": "WatchGuard"
},
"references": [
{
"url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00005"
}
],
"source": {
"advisory": "WGSA-2026-00005",
"defect": [
"FBX-31205"
],
"discovery": "EXTERNAL"
},
"title": "WatchGuard Firebox System Integrity Check Bypass",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5d1c2695-1a31-4499-88ae-e847036fd7e3",
"assignerShortName": "WatchGuard",
"cveId": "CVE-2026-3344",
"datePublished": "2026-03-03T13:17:56.622Z",
"dateReserved": "2026-02-27T15:37:53.452Z",
"dateUpdated": "2026-03-04T15:22:41.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35040 (GCVE-0-2026-35040)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:52 – Updated: 2026-04-13 20:03
VLAI
Title
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
Summary
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
Severity
5.3 (Medium)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nearform/fast-jwt/security/adv… | x_refsource_CONFIRM |
| https://github.com/nearform/fast-jwt/pull/593 | x_refsource_MISC |
| https://github.com/nearform/fast-jwt/commit/18d25… | x_refsource_MISC |
| https://github.com/nearform/fast-jwt/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35040",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T20:03:24.317971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T20:03:41.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fast-jwt",
"vendor": "nearform",
"versions": [
{
"status": "affected",
"version": "\u003c 6.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440: Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:52:56.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-3j8v-cgw4-2g6q"
},
{
"name": "https://github.com/nearform/fast-jwt/pull/593",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nearform/fast-jwt/pull/593"
},
{
"name": "https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nearform/fast-jwt/commit/18d25904e4617e8753526d1b3ab5a2cccdea726a"
},
{
"name": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"
}
],
"source": {
"advisory": "GHSA-3j8v-cgw4-2g6q",
"discovery": "UNKNOWN"
},
"title": "fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35040",
"datePublished": "2026-04-09T14:52:56.436Z",
"dateReserved": "2026-03-31T21:06:06.428Z",
"dateUpdated": "2026-04-13T20:03:41.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41136 (GCVE-0-2026-41136)
Vulnerability from cvelistv5 – Published: 2026-04-21 23:54 – Updated: 2026-04-22 13:11
VLAI
Title
free5GC AMF missing default case in Content-Type switch in HTTPUEContextTransfer
Summary
free5GC AMF provides Access & Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Prior to version 1.4.3, the `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object. Version 1.4.3 contains a fix.
Severity
CWE
- CWE-440 - Expected Behavior Violation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/free5gc/free5gc/security/advis… | x_refsource_CONFIRM |
| https://github.com/free5gc/amf/releases/tag/v1.4.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41136",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:11:04.474863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:11:10.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "amf",
"vendor": "free5gc",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "free5GC AMF provides Access \u0026 Mobility Management Function (AMF) for free5GC, an an open-source project for 5th generation (5G) mobile core networks. Prior to version 1.4.3, the `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object. Version 1.4.3 contains a fix."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440: Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T23:54:36.727Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"
},
{
"name": "https://github.com/free5gc/amf/releases/tag/v1.4.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/free5gc/amf/releases/tag/v1.4.3"
}
],
"source": {
"advisory": "GHSA-r99v-75p9-xqm5",
"discovery": "UNKNOWN"
},
"title": "free5GC AMF missing default case in Content-Type switch in HTTPUEContextTransfer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41136",
"datePublished": "2026-04-21T23:54:36.727Z",
"dateReserved": "2026-04-17T12:59:15.738Z",
"dateUpdated": "2026-04-22T13:11:10.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42534 (GCVE-0-2026-42534)
Vulnerability from cvelistv5 – Published: 2026-05-20 09:19 – Updated: 2026-05-20 12:10
VLAI
Title
Jostle logic bypass degrades resolution performance
Summary
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended.
Severity
CWE
- CWE-440 - Expected Behavior Violation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/unbound/CVE-20… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | Unbound |
Affected:
0 , < 1.25.1
(semver)
|
Date Public
2026-05-20 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42534",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T12:10:33.391042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T12:10:40.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Unbound",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "1.25.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang (Palo Alto Networks)"
}
],
"datePublic": "2026-05-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound\u0027s queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound\u0027s \u0027num-queries-per-thread\u0027 reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Amber",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-440",
"description": "CWE-440: Expected Behavior Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T09:19:37.920Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 1.25.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-28T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-05-08T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-05-20T00:00:00.000Z",
"value": "Fixes released with version 1.25.1"
}
],
"title": "Jostle logic bypass degrades resolution performance",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-42534",
"datePublished": "2026-05-20T09:19:37.920Z",
"dateReserved": "2026-05-07T10:07:51.811Z",
"dateUpdated": "2026-05-20T12:10:40.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.