Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-05-18 13:26

Modified

2026-05-12 12:08

Summary

Security fixes for CVE-2026-22815, CVE-2026-30922, CVE-2026-31958, CVE-2026-32597, CVE-2026-33175, CVE-2026-34052, CVE-2026-34073, CVE-2026-34513, CVE-2026-34514, CVE-2026-34515, CVE-2026-34516, CVE-2026-34517, CVE-2026-34518, CVE-2026-34519, CVE-2026-34520, CVE-2026-34525, CVE-2026-44431, CVE-2026-44432, ghsa-752w-5fwx-jx9f, ghsa-78cv-mqj4-43f7, ghsa-gc5v-m9x4-r6x2, ghsa-jr27-m4p2-rc6r, ghsa-m959-cc7f-wv43, ghsa-qjxf-f2mg-c6mc applied in versions: 4.3.2-r0, 4.3.2-r1, 4.3.2-r2, 4.3.2-r3

Details

Multiple security vulnerabilities affect the jupyterhub-k8s-hub package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2026-22815	WEB
	https://osv.dev/vulnerability/CVE-2026-30922	WEB
	https://osv.dev/vulnerability/CVE-2026-31958	WEB
	https://osv.dev/vulnerability/CVE-2026-32597	WEB
	https://osv.dev/vulnerability/CVE-2026-33175	WEB
	https://osv.dev/vulnerability/CVE-2026-34052	WEB
	https://osv.dev/vulnerability/CVE-2026-34073	WEB
	https://osv.dev/vulnerability/CVE-2026-34513	WEB
	https://osv.dev/vulnerability/CVE-2026-34514	WEB
	https://osv.dev/vulnerability/CVE-2026-34515	WEB
	https://osv.dev/vulnerability/CVE-2026-34516	WEB
	https://osv.dev/vulnerability/CVE-2026-34517	WEB
	https://osv.dev/vulnerability/CVE-2026-34518	WEB
	https://osv.dev/vulnerability/CVE-2026-34519	WEB
	https://osv.dev/vulnerability/CVE-2026-34520	WEB
	https://osv.dev/vulnerability/CVE-2026-34525	WEB
	https://osv.dev/vulnerability/CVE-2026-44431	WEB
	https://osv.dev/vulnerability/CVE-2026-44432	WEB
	https://osv.dev/vulnerability/ghsa-752w-5fwx-jx9f	WEB
	https://osv.dev/vulnerability/ghsa-78cv-mqj4-43f7	WEB
	https://osv.dev/vulnerability/ghsa-gc5v-m9x4-r6x2	WEB
	https://osv.dev/vulnerability/ghsa-jr27-m4p2-rc6r	WEB
	https://osv.dev/vulnerability/ghsa-m959-cc7f-wv43	WEB
	https://osv.dev/vulnerability/ghsa-qjxf-f2mg-c6mc	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-22815	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-30922	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-31958	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32597	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33175	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34052	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34073	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34513	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34514	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34515	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34516	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34517	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34518	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34519	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34520	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-34525	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-44431	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-44432	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "jupyterhub-k8s-hub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.2-r3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the jupyterhub-k8s-hub package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-AN27706",
  "modified": "2026-05-12T12:08:41Z",
  "published": "2026-05-18T13:26:17.643663Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-AN27706.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-22815"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-30922"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-31958"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32597"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33175"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34052"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34073"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34513"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34514"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34515"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34516"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34517"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34518"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34519"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34520"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-34525"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-44431"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-44432"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-752w-5fwx-jx9f"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-78cv-mqj4-43f7"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-gc5v-m9x4-r6x2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jr27-m4p2-rc6r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-m959-cc7f-wv43"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qjxf-f2mg-c6mc"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22815"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30922"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31958"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32597"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33175"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34052"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34073"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34513"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34514"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34515"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34516"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34517"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34518"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34519"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34520"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34525"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44431"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44432"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2026-22815, CVE-2026-30922, CVE-2026-31958, CVE-2026-32597, CVE-2026-33175, CVE-2026-34052, CVE-2026-34073, CVE-2026-34513, CVE-2026-34514, CVE-2026-34515, CVE-2026-34516, CVE-2026-34517, CVE-2026-34518, CVE-2026-34519, CVE-2026-34520, CVE-2026-34525, CVE-2026-44431, CVE-2026-44432, ghsa-752w-5fwx-jx9f, ghsa-78cv-mqj4-43f7, ghsa-gc5v-m9x4-r6x2, ghsa-jr27-m4p2-rc6r, ghsa-m959-cc7f-wv43, ghsa-qjxf-f2mg-c6mc applied in versions: 4.3.2-r0, 4.3.2-r1, 4.3.2-r2, 4.3.2-r3",
  "upstream": [
    "CVE-2026-22815",
    "CVE-2026-30922",
    "CVE-2026-31958",
    "CVE-2026-32597",
    "CVE-2026-33175",
    "CVE-2026-34052",
    "CVE-2026-34073",
    "CVE-2026-34513",
    "CVE-2026-34514",
    "CVE-2026-34515",
    "CVE-2026-34516",
    "CVE-2026-34517",
    "CVE-2026-34518",
    "CVE-2026-34519",
    "CVE-2026-34520",
    "CVE-2026-34525",
    "CVE-2026-44431",
    "CVE-2026-44432",
    "ghsa-752w-5fwx-jx9f",
    "ghsa-78cv-mqj4-43f7",
    "ghsa-gc5v-m9x4-r6x2",
    "ghsa-jr27-m4p2-rc6r",
    "ghsa-m959-cc7f-wv43",
    "ghsa-qjxf-f2mg-c6mc"
  ]
}

GHSA-GC5V-M9X4-R6X2

Vulnerability from github – Published: 2026-03-25 16:56 – Updated: 2026-03-27 22:07

Summary

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

Details

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Severity ?

4.4 (Medium)


                  
                    CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "requests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.33.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T16:56:28Z",
    "nvd_published_at": "2026-03-25T17:16:52Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.\n\n### Affected usages\n**Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted.\n\n### Remediation\nUpgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.\n\nIf developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.",
  "id": "GHSA-gc5v-m9x4-r6x2",
  "modified": "2026-03-27T22:07:42Z",
  "published": "2026-03-25T16:56:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25645"
    },
    {
      "type": "WEB",
      "url": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/psf/requests"
    },
    {
      "type": "WEB",
      "url": "https://github.com/psf/requests/releases/tag/v2.33.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"
}

GHSA-JR27-M4P2-RC6R

Vulnerability from github – Published: 2026-03-17 16:17 – Updated: 2026-05-01 18:31

Summary

Denial of Service in pyasn1 via Unbounded Recursion

Details

Summary

The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application.

Details

The vulnerability exists because the decoder iterates through the input stream and recursively calls decodeFun (the decoding callback) for every nested component found, without tracking or limiting the recursion depth. Vulnerable Code Locations: 1. indefLenValueDecoder (Line 998): for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options): This method handles indefinite-length constructed types. It sits inside a while True loop and recursively calls the decoder for every nested tag.

valueDecoder (Lines 786 and 907): for component in decodeFun(substrate, componentType, **options): This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of SEQUENCE or SET types. Line 907: Recursively decodes elements of SEQUENCE OF or SET OF types.
_decodeComponentsSchemaless (Line 661): for component in decodeFun(substrate, **options): This method handles decoding when no schema is provided.

In all three cases, decodeFun is invoked without passing a depth parameter or checking against a global MAX_ASN1_NESTING limit.

PoC

import sys
from pyasn1.codec.ber import decoder

sys.setrecursionlimit(100000)

print("[*] Generating Recursion Bomb Payload...")
depth = 50_000
chunk = b'\x30\x80' 
payload = chunk * depth

print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
print("[*] Triggering Decoder...")

try:
    decoder.decode(payload)
except RecursionError:
    print("[!] Crashed: Recursion Limit Hit")
except MemoryError:
    print("[!] Crashed: Out of Memory")
except Exception as e:
    print(f"[!] Crashed: {e}")

[*] Payload size: 9.77 KB
[*] Triggering Decoder...
[!] Crashed: Recursion Limit Hit

Impact

This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.
Service Crash: Any service using pyasn1 to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.
Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.

Credits

Vulnerability discovered by Kevin Tu of TMIR at ByteDance.

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.6.2"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pyasn1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T16:17:33Z",
    "nvd_published_at": "2026-03-18T04:17:18Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with Indefinite Length (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application.\n\n### Details\nThe vulnerability exists because the decoder iterates through the input stream and recursively calls `decodeFun` (the decoding callback) for every nested component found, without tracking or limiting the recursion depth.\nVulnerable Code Locations:\n1. `indefLenValueDecoder` (Line 998):\n```for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):```\nThis method handles indefinite-length constructed types. It sits inside a `while True` loop and recursively calls the decoder for every nested tag.\n\n2. `valueDecoder` (Lines 786 and 907):\n```for component in decodeFun(substrate, componentType, **options):```\nThis method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of `SEQUENCE` or `SET` types. Line 907: Recursively decodes elements of `SEQUENCE OF` or `SET OF` types.\n\n4. `_decodeComponentsSchemaless` (Line 661):\n```for component in decodeFun(substrate, **options):```\nThis method handles decoding when no schema is provided.\n\nIn all three cases, `decodeFun` is invoked without passing a `depth` parameter or checking against a global `MAX_ASN1_NESTING` limit.\n\n### PoC\n```\nimport sys\nfrom pyasn1.codec.ber import decoder\n\nsys.setrecursionlimit(100000)\n\nprint(\"[*] Generating Recursion Bomb Payload...\")\ndepth = 50_000\nchunk = b\u0027\\x30\\x80\u0027 \npayload = chunk * depth\n\nprint(f\"[*] Payload size: {len(payload) / 1024:.2f} KB\")\nprint(\"[*] Triggering Decoder...\")\n\ntry:\n    decoder.decode(payload)\nexcept RecursionError:\n    print(\"[!] Crashed: Recursion Limit Hit\")\nexcept MemoryError:\n    print(\"[!] Crashed: Out of Memory\")\nexcept Exception as e:\n    print(f\"[!] Crashed: {e}\")\n```\n\n```\n[*] Payload size: 9.77 KB\n[*] Triggering Decoder...\n[!] Crashed: Recursion Limit Hit\n```\n\n### Impact\n- This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (\u003c100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.\n- Service Crash: Any service using `pyasn1` to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.\n- Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (\u003c200KB) can consume hundreds of megabytes of RAM or exhaust the stack.\n\n### Credits\nVulnerability discovered by Kevin Tu of TMIR at ByteDance.",
  "id": "GHSA-jr27-m4p2-rc6r",
  "modified": "2026-05-01T18:31:19Z",
  "published": "2026-03-17T16:17:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyasn1/pyasn1/security/advisories/GHSA-jr27-m4p2-rc6r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30922"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyasn1/pyasn1/commit/25ad481c19fdb006e20485ef3fc2e5b3eff30ef0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyasn1/pyasn1/commit/5a49bd1fe93b5b866a1210f6bf0a3924f21572c8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyasn1/pyasn1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyasn1/pyasn1/releases/tag/v0.6.3"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/20/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in pyasn1 via Unbounded Recursion"
}

GHSA-M959-CC7F-WV43

Vulnerability from github – Published: 2026-03-27 19:56 – Updated: 2026-04-06 23:13

Summary

cryptography has incomplete DNS name constraint enforcement on peer names

Details

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @1seal

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

1.7 (Low)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cryptography"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "46.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T19:56:21Z",
    "nvd_published_at": "2026-03-31T03:15:59Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nIn versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf\u0027s parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.\n\nThis behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.\n\nIn practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.\n\nSee CVE-2025-61727 for a similar bypass in Go\u0027s `crypto/x509`.\n\n## Remediation\n\nUsers should upgrade to 46.0.6 or newer. \n\n## Attribution\n\nReporter: @1seal",
  "id": "GHSA-m959-cc7f-wv43",
  "modified": "2026-04-06T23:13:00Z",
  "published": "2026-03-27T19:56:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34073"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyca/cryptography"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "cryptography has incomplete DNS name constraint enforcement on peer names"
}

GHSA-QJXF-F2MG-C6MC

Vulnerability from github – Published: 2026-03-12 14:19 – Updated: 2026-04-06 19:41

Summary

Tornado is vulnerable to DoS due to too many multipart parts

Details

In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.

Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.5.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "tornado"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T14:19:52Z",
    "nvd_published_at": "2026-03-11T20:16:16Z",
    "severity": "HIGH"
  },
  "details": "In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. \n\nTornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.",
  "id": "GHSA-qjxf-f2mg-c6mc",
  "modified": "2026-04-06T19:41:28Z",
  "published": "2026-03-12T14:19:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31958"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tornadoweb/tornado"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Tornado is vulnerable to DoS due to too many multipart parts"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

GHSA-GC5V-M9X4-R6X2

Impact

Affected usages

Remediation

GHSA-JR27-M4P2-RC6R

Summary

Details

PoC

Impact

Credits

GHSA-M959-CC7F-WV43

Summary

Remediation

Attribution

GHSA-QJXF-F2MG-C6MC

Tags

Sightings

Nomenclature