github.com/docker/docker 28.5.2+incompatible (golang)
pkg:golang/github.com/docker/docker@28.5.2%2Bincompatible

| Field | Value |
| --- | --- |
| Affected range | >=19.0.0 <19.03.16 |
| Fixed version | 19.03.16 |
| EPSS Score | 4.028% |
| EPSS Percentile | 88th percentile |
Description
Moby authz zero length regression in github.com/moby/moby
Authentication Bypass Using an Alternate Path or Channel
| Field | Value |
| --- | --- |
| Affected range | <29.3.1 |
| Fixed version | Not Fixed |
| CVSS Score | 8.8 |
| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| EPSS Score | 0.014% |
| EPSS Percentile | 2nd percentile |
Description
Summary
A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
This is an incomplete fix for CVE-2024-41110.
Impact
If you don't use AuthZ plugins, you are not affected.
Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.
Workarounds
If unable to update immediately:
- Avoid using AuthZ plugins that rely on request body inspection for security decisions.
- Restrict access to the Docker API to trusted parties, following the principle of least privilege.
Off-by-one Error
| Field | Value |
| --- | --- |
| Affected range | <29.3.1 |
| Fixed version | Not Fixed |
| CVSS Score | 6.8 |
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| EPSS Score | 0.013% |
| EPSS Percentile | 2nd percentile |
Description
Summary
A security vulnerability has been detected that allows plugin privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user.
Plugins that request exactly one privilege are also affected, because no comparison is performed at all.
Impact
If plugins are not in use, there is no impact.
When a plugin is installed, the daemon computes the privileges required by the plugin's configuration and compares them with the privileges approved during installation. A malicious plugin can exploit this bug so that the daemon accepts privileges that differ from what was intended to be approved.
Anyone who depends on the plugin installation approval flow as a meaningful security boundary is potentially impacted.
Depending on the privilege set involved, this may include highly sensitive plugin permissions such as broad device access.
For consideration: exploitation still requires a plugin to be installed from a malicious source, and Docker plugins are relatively uncommon. Docker Desktop also does not support plugins.
Workarounds
If unable to update immediately:
- Do not install plugins from untrusted sources.
- Carefully review all privileges requested during docker plugin install.
- Restrict access to the Docker daemon to trusted parties, following the principle of least privilege.
- Avoid relying on plugin privilege approval as the only control boundary for sensitive environments.
github.com/jackc/pgx/v5 5.9.1 (golang)
pkg:golang/github.com/jackc/pgx/v5@5.9.1

| Field | Value |
| --- | --- |
| Affected range | >=0 |
| Fixed version | Not Fixed |
| EPSS Score | 0.056% |
| EPSS Percentile | 18th percentile |
Description
Memory-safety vulnerability in github.com/jackc/pgx/v5.
github.com/nats-io/nats-server/v2 2.12.5 (golang)
pkg:golang/github.com/nats-io/nats-server/v2@2.12.5
Plaintext Storage of a Password
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 8.6 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| EPSS Score | 0.044% |
| EPSS Percentile | 13th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Ensure monitoring end-points are adequately secured.
Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
Improper Input Validation
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| EPSS Score | 0.166% |
| EPSS Percentile | 38th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.
Problem Description
A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
- Disable leafnode support if not needed.
- Restrict network connections to your leafnode port, if plausible without compromising the service offered.
Insertion of Sensitive Information Into Debugging Code
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 7.4 |
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| EPSS Score | 0.033% |
| EPSS Percentile | 10th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file.
Problem Description
If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled.
The /debug/vars end-point contains an unredacted copy of argv.
Patches
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
The NATS Maintainers are bemused at the concept of someone deploying a real configuration using --pass to avoid a config file, but also enabling monitoring.
Configure credentials inside a configuration file instead of via argv.
Do not enable the monitoring port if using secrets in argv.
Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
Incorrect Authorization
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 7.1 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
| EPSS Score | 0.027% |
| EPSS Percentile | 8th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
Improper Authentication
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 6.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L |
| EPSS Score | 0.015% |
| EPSS Percentile | 3rd percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
Sessions and messages can be hijacked via MQTT Client ID malfeasance.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
Improper Authentication
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 6.4 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| EPSS Score | 0.026% |
| EPSS Percentile | 7th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers.
Problem Description
The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker.
A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked.
Thus NATS clients relying upon the Nats-Request-Info: header could be spoofed.
This does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
Authentication Bypass by Spoofing
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 6.4 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| EPSS Score | 0.026% |
| EPSS Percentile | 7th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a Nats-Request-Info: message header, providing information about a request.
Problem Description
The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.
An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
Allocation of Resources Without Limits or Throttling
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 5.3 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| EPSS Score | 0.079% |
| EPSS Percentile | 23rd percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.
Problem Description
A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.
This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw).
That earlier issue was a compression bomb; this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Disable websockets if not required for project deployment.
Improper Authorization
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 4.9 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
| EPSS Score | 0.025% |
| EPSS Percentile | 7th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.
Problem Description
Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
Incorrect Authorization
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-preview.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 4.3 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| EPSS Score | 0.027% |
| EPSS Percentile | 8th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server supports telemetry on messages, using the per-message NATS headers.
Problem Description
A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission.
The payload is a valid trace message and not chosen by the attacker.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
Improper Authentication
| Field | Value |
| --- | --- |
| Affected range | >=2.12.0-RC.1 <2.12.6 |
| Fixed version | 2.12.6 |
| CVSS Score | 4.2 |
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| EPSS Score | 0.018% |
| EPSS Percentile | 5th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.
Problem Description
When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.
This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.
So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.
Affected Versions
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
Developers should review their CA issuing practices.
github.com/moby/spdystream 0.5.0 (golang)
pkg:golang/github.com/moby/spdystream@0.5.0
Allocation of Resources Without Limits or Throttling
| Field | Value |
| --- | --- |
| Affected range | <=0.5.0 |
| Fixed version | 0.5.1 |
| CVSS Score | 8.7 |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Description
The SPDY/3 frame parser in spdystream does not validate attacker-controlled counts and lengths before allocating memory. A remote peer that can send SPDY frames to a service using spdystream can cause the process to allocate gigabytes of memory with a small number of malformed control frames, leading to an out-of-memory crash.
Three allocation paths in the receive side are affected:
- SETTINGS entry count -- The SETTINGS frame reader reads a 32-bit numSettings from the payload and allocates a slice of that size without checking it against the declared frame length. An attacker can set numSettings to a value far exceeding the actual payload, triggering a large allocation before any setting data is read.
- Header count -- parseHeaderValueBlock reads a 32-bit numHeaders from the decompressed header block and allocates an http.Header map of that size with no upper bound.
- Header field size -- Individual header name and value lengths are read as 32-bit integers and used directly as allocation sizes with no validation.
Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into attacker-controlled bytes that the parser interprets as 32-bit counts and lengths. A single crafted frame is enough to exhaust process memory.
Impact
Any program that accepts SPDY connections using spdystream -- directly or through a dependent library -- is affected. A remote peer that can send SPDY frames to the service can crash the process with a single crafted SPDY control frame, causing denial of service.
Affected versions
github.com/moby/spdystream <= v0.5.0
Fix
v0.5.1 addresses the receive-side allocation bugs and adds related hardening:
Core fixes:
- SETTINGS entry-count validation -- The SETTINGS frame reader now checks that numSettings is consistent with the declared frame length (numSettings <= (length-4)/8) before allocating.
- Header count limit -- parseHeaderValueBlock enforces a maximum number of headers per frame (default: 1000).
- Header field size limit -- Individual header name and value lengths are checked against a per-field size limit (default: 1 MiB) before allocation.
- Connection closure on protocol error -- The connection read loop now closes the underlying net.Conn when it encounters an InvalidControlFrame error, preventing further exploitation on the same connection.
Additional hardening:
- Write-side bounds checks -- All frame write methods now verify that payloads fit within the 24-bit length field, preventing the library from producing invalid frames.
Configurable limits:
- Callers can adjust the defaults using NewConnectionWithOptions or the lower-level spdy.NewFramerWithOptions with functional options: WithMaxControlFramePayloadSize, WithMaxHeaderFieldSize, and WithMaxHeaderCount.
github.com/buger/jsonparser 1.1.1 (golang)
pkg:golang/github.com/buger/jsonparser@1.1.1
Out-of-bounds Read
| Field | Value |
| --- | --- |
| Affected range | <=1.1.1 |
| Fixed version | 1.1.2 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| EPSS Score | 0.054% |
| EPSS Percentile | 17th percentile |
Description
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
go.opentelemetry.io/otel/sdk 1.42.0 (golang)
pkg:golang/go.opentelemetry.io/otel/sdk@1.42.0
Untrusted Search Path
| Field | Value |
| --- | --- |
| Affected range | >=1.15.0 <=1.42.0 |
| Fixed version | 1.43.0 |
| CVSS Score | 7.3 |
| CVSS Vector | CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| EPSS Score | 0.006% |
| EPSS Percentile | 0th percentile |
Description
Summary
The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.
Root Cause
sdk/resource/host_id.go line 42:
```go
if result, err := r.execCommand("kenv", "-q", "smbios.system.uuid"); err == nil {
```
Compare with the fixed Darwin path at line 58:
```go
result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice")
```
The execCommand helper at sdk/resource/host_id_exec.go uses exec.Command(name, arg...), which searches $PATH when the command name contains no path separator.
Affected platforms (per build tag in host_id_bsd.go:4): DragonFly BSD, FreeBSD, NetBSD, OpenBSD, Solaris.
The kenv path is reached when /etc/hostid does not exist (line 38-40), which is common on FreeBSD systems.
Attack
- Attacker has local access to a system running a Go application that imports go.opentelemetry.io/otel/sdk
- Attacker places a malicious kenv binary earlier in $PATH
- Application initializes OpenTelemetry resource detection at startup
- hostIDReaderBSD.read() calls exec.Command("kenv", ...), which resolves to the malicious binary
- Arbitrary code executes in the context of the application
Same attack vector and impact as CVE-2026-24051.
Suggested Fix
Use the absolute path:
```go
if result, err := r.execCommand("/bin/kenv", "-q", "smbios.system.uuid"); err == nil {
```
On FreeBSD, kenv is located at /bin/kenv.
github.com/go-jose/go-jose/v4 4.1.3 (golang)
pkg:golang/github.com/go-jose/go-jose/v4@4.1.3
Uncaught Exception
| Field | Value |
| --- | --- |
| Affected range | <4.1.4 |
| Fixed version | 4.1.4 |
| CVSS Score | 7.5 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| EPSS Score | 0.019% |
| EPSS Percentile | 5th percentile |
Description
Impact
Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key.
This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() followed by Decrypt() on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected.
This panic is also reachable by calling cipher.KeyUnwrap() directly with any ciphertext parameter less than 16 bytes long, but calling this function directly is less common.
Panics can lead to denial of service.
Fixed In
4.1.4 and v3.0.5
Workarounds
If the list of keyAlgorithms passed to ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() does not include key wrapping algorithms (those ending in KW), your application is unaffected.
If your application uses key wrapping, you can pre-validate the JWE objects to ensure the encrypted_key field is non-empty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second .).
Thanks
Thanks to Datadog's Security team for finding this issue.
github.com/go-git/go-git/v5 5.16.5 (golang)
pkg:golang/github.com/go-git/go-git/v5@5.16.5
Integer Underflow (Wrap or Wraparound)
| Field | Value |
| --- | --- |
| Affected range | >=5.0.0 <=5.17.0 |
| Fixed version | 5.17.1 |
| CVSS Score | 5 |
| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H |
| EPSS Score | 0.013% |
| EPSS Percentile | 2nd percentile |
Description
Impact
A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.
Exploitation requires write access to the local repository's .git directory, in order to create or alter existing .idx files.
Patches
Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.
Credit
The go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.
Improper Validation of Array Index
| Field | Value |
| --- | --- |
| Affected range | <=5.17.0 |
| Fixed version | 5.17.1 |
| CVSS Score | 2.8 |
| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |
| EPSS Score | 0.014% |
| EPSS Percentile | 2nd percentile |
Description
Impact
go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.
This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue.
An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition.
Exploitation requires the ability to modify or inject a Git index file within the local repository on disk. This typically implies write access to the .git directory.
Patches
Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.
Credit
go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.
github.com/cloudflare/circl 1.6.1 (golang)
pkg:golang/github.com/cloudflare/circl@1.6.1
Incorrect Calculation
| Field | Value |
| --- | --- |
| Affected range | <1.6.3 |
| Fixed version | 1.6.3 |
| CVSS Score | 2.9 |
| CVSS Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber |
| EPSS Score | 0.022% |
| EPSS Percentile | 6th percentile |
Description
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.
The bug was fixed in v1.6.3.