Skip to content

[GHSA-9583-h5hc-x8cw] React Router has Path Traversal in File Session Storage #6749

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ivanm696 wants to merge 1 commit into from
Closed

[GHSA-9583-h5hc-x8cw] React Router has Path Traversal in File Session Storage #6749

ivanm696 wants to merge 1 commit into from
+2 −2

Conversation

@ivanm696
Copy link

@ivanm696 ivanm696 commented Feb 1, 2026

Updates

  • Description

Comments
pnpm update @remix-run/node@2.17.2 @remix-run/react@2.17.2 @remix-run/serve@2.17.2 --latest

@github
Copy link
Collaborator

github commented Feb 1, 2026

Hi there @brophdawg11! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@github-actions github-actions bot changed the base branch from main to ivanm696/advisory-improvement-6749 February 1, 2026 05:45
@ivanm696
Copy link
Author

ivanm696 commented Feb 2, 2026

#6749 (comment)

Hi there @brophdawg11! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@ivanm696
Copy link
Author

ivanm696 commented Feb 2, 2026

Skip to content
advisory-database
Repository navigation
Code
Issues
79
(79)
Comparing changes
Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.
...
Able to merge. These branches can be automatically merged.
Discuss and review the changes in this comparison with others. Learn about pull requests
1 commit
14 files changed
1 contributor
Commits on Feb 2, 2026
Publish Advisories

@advisory-database
advisory-database[bot] committed 45 minutes ago
Showing with 447 additions and 3 deletions.
+5 −1 advisories/unreviewed/2025/05/GHSA-jx2m-wgq5-5qcj/GHSA-jx2m-wgq5-5qcj.json
+5 −1 advisories/unreviewed/2025/11/GHSA-v6c5-9mp4-mwq4/GHSA-v6c5-9mp4-mwq4.json
+5 −1 advisories/unreviewed/2025/12/GHSA-hrx4-rccm-xj6c/GHSA-hrx4-rccm-xj6c.json
+40 −0 advisories/unreviewed/2026/02/GHSA-3735-4fjf-vq4q/GHSA-3735-4fjf-vq4q.json
+40 −0 advisories/unreviewed/2026/02/GHSA-488g-hw5f-x29p/GHSA-488g-hw5f-x29p.json
+40 −0 advisories/unreviewed/2026/02/GHSA-4x5p-f36r-mxxr/GHSA-4x5p-f36r-mxxr.json
+40 −0 advisories/unreviewed/2026/02/GHSA-82fw-ch24-j34w/GHSA-82fw-ch24-j34w.json
+40 −0 advisories/unreviewed/2026/02/GHSA-crqj-2v3f-c8g9/GHSA-crqj-2v3f-c8g9.json
+40 −0 advisories/unreviewed/2026/02/GHSA-f662-3vxf-4mp9/GHSA-f662-3vxf-4mp9.json
+36 −0 advisories/unreviewed/2026/02/GHSA-hrx5-q3c8-jh7w/GHSA-hrx5-q3c8-jh7w.json
+40 −0 advisories/unreviewed/2026/02/GHSA-j7x9-7j54-2v3h/GHSA-j7x9-7j54-2v3h.json
+40 −0 advisories/unreviewed/2026/02/GHSA-r75x-2fcv-j4pm/GHSA-r75x-2fcv-j4pm.json
+40 −0 advisories/unreviewed/2026/02/GHSA-v7vr-xfpj-4f3m/GHSA-v7vr-xfpj-4f3m.json
+36 −0 advisories/unreviewed/2026/02/GHSA-wj3h-wx8g-x699/GHSA-wj3h-wx8g-x699.json
6 changes: 5 additions & 1 deletion6
advisories/unreviewed/2025/05/GHSA-jx2m-wgq5-5qcj/GHSA-jx2m-wgq5-5qcj.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-jx2m-wgq5-5qcj",
"modified": "2026-01-14T00:31:23Z",
"modified": "2026-02-02T12:31:14Z",
"published": "2025-05-30T15:30:31Z",
"aliases": [
"CVE-2025-4598"
@@ -39,6 +39,10 @@
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0414"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1652"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-4598"
6 changes: 5 additions & 1 deletion6
advisories/unreviewed/2025/11/GHSA-v6c5-9mp4-mwq4/GHSA-v6c5-9mp4-mwq4.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v6c5-9mp4-mwq4",
"modified": "2026-02-02T06:30:51Z",
"modified": "2026-02-02T12:31:14Z",
"published": "2025-11-26T15:34:12Z",
"aliases": [
"CVE-2025-13601"
@@ -35,6 +35,10 @@
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-13601"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1652"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1627"
6 changes: 5 additions & 1 deletion6
advisories/unreviewed/2025/12/GHSA-hrx4-rccm-xj6c/GHSA-hrx4-rccm-xj6c.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hrx4-rccm-xj6c",
"modified": "2025-12-05T18:31:11Z",
"modified": "2026-02-02T12:31:14Z",
"published": "2025-12-05T18:31:11Z",
"aliases": [
"CVE-2025-14104"
@@ -19,6 +19,10 @@
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14104"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1696"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-14104"
40 changes: 40 additions & 0 deletions40
advisories/unreviewed/2026/02/GHSA-3735-4fjf-vq4q/GHSA-3735-4fjf-vq4q.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-3735-4fjf-vq4q",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2026-1751"
],
"details": "A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1751"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2980839"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/519340"
}
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"severity": "LOW",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T10:16:06Z"
}
}
40 changes: 40 additions & 0 deletions40
advisories/unreviewed/2026/02/GHSA-488g-hw5f-x29p/GHSA-488g-hw5f-x29p.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-488g-hw5f-x29p",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2025-6208"
],
"details": "The SimpleDirectoryReader component in llama_index.core version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (num_files_limit) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6208"
},
{
"type": "WEB",
"url": "https://github.com/run-llama/llama_index/commit/53614e2f7913c0e86b58add9470b3c900b6c60b2"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/7d722bb6-6567-4608-8b23-f95048d7605a"
}
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"severity": "MODERATE",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:16:17Z"
}
}
40 changes: 40 additions & 0 deletions40
advisories/unreviewed/2026/02/GHSA-4x5p-f36r-mxxr/GHSA-4x5p-f36r-mxxr.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-4x5p-f36r-mxxr",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2025-10279"
],
"details": "In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10279"
},
{
"type": "WEB",
"url": "https://github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/01d3b81e-13d1-43aa-b91a-443aec68bdc8"
}
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:16:16Z"
}
}
40 changes: 40 additions & 0 deletions40
advisories/unreviewed/2026/02/GHSA-82fw-ch24-j34w/GHSA-82fw-ch24-j34w.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-82fw-ch24-j34w",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2026-1117"
],
"details": "A vulnerability in the lollms_generation_events.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The add_events function registers event handlers such as generate_text, cancel_generation, generate_msg, and generate_msg_from without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (lollmsElfServer.busy, lollmsElfServer.cancel_gen) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1117"
},
{
"type": "WEB",
"url": "https://github.com/parisneo/lollms/commit/36a5b513dfefe9c2913bf9b618457b4fea603e3b"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/d2846a7f-0140-4105-b1bb-5ef64ec8b829"
}
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T10:16:06Z"
}
}
40 changes: 40 additions & 0 deletions40
advisories/unreviewed/2026/02/GHSA-crqj-2v3f-c8g9/GHSA-crqj-2v3f-c8g9.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-crqj-2v3f-c8g9",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2025-7105"
],
"details": "A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in /api/convos/fork to fork numerous contents rapidly. If the forked content includes a Mermaid graph with a large number of nodes, it can lead to a JavaScript heap out of memory error upon service restart, causing a denial of service. This issue affects the latest version of the product.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7105"
},
{
"type": "WEB",
"url": "https://github.com/danny-avila/librechat/commit/97a99985fa339db0a21ad63604e0bb8db4442ffc"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/e44f0740-48bd-443b-8826-528e6afe9e34"
}
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"severity": "MODERATE",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:16:17Z"
}
}
40 changes: 40 additions & 0 deletions40
advisories/unreviewed/2026/02/GHSA-f662-3vxf-4mp9/GHSA-f662-3vxf-4mp9.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-f662-3vxf-4mp9",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2024-4147"
],
"details": "In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user's project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4147"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/3f051943-71ea-414c-a528-cd8b5d82a7ad"
}
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:16:16Z"
}
}
36 changes: 36 additions & 0 deletions36
advisories/unreviewed/2026/02/GHSA-hrx5-q3c8-jh7w/GHSA-hrx5-q3c8-jh7w.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
{
"schema_version": "1.4.0",
"id": "GHSA-hrx5-q3c8-jh7w",
"modified": "2026-02-02T12:31:13Z",
"published": "2026-02-02T12:31:13Z",
"aliases": [
"CVE-2024-54263"
],
"details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion.This issue affects Spirit Framework: from n/a through 1.2.13.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54263"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/spirit-framework/vulnerability/wordpress-spirit-framework-plugin-1-2-13-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"database_specific": {
"cwe_ids": [
"CWE-98"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T10:16:05Z"
}
}
40 changes: 40 additions & 0 deletions40
advisories/unreviewed/2026/02/GHSA-j7x9-7j54-2v3h/GHSA-j7x9-7j54-2v3h.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-j7x9-7j54-2v3h",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2026-0599"
],
"details": "A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET request, reading the entire response body into memory and cloning it before decoding. This behavior can lead to resource exhaustion, including network bandwidth saturation, memory inflation, and CPU overutilization. The vulnerability is triggered even if the request is later rejected for exceeding token limits. The default deployment configuration, which lacks memory usage limits and authentication, exacerbates the impact, potentially crashing the host machine. The issue is resolved in version 3.3.7.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0599"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/text-generation-inference/commit/24ee40d143d8d046039f12f76940a85886cbe152"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/1d3f2085-666c-4441-b265-22f6f7d8d9cd"
}
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"severity": "HIGH",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:16:17Z"
}
}
40 changes: 40 additions & 0 deletions40
advisories/unreviewed/2026/02/GHSA-r75x-2fcv-j4pm/GHSA-r75x-2fcv-j4pm.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-r75x-2fcv-j4pm",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2024-5386"
],
"details": "In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5386"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/602eb4a1-305d-46d6-b975-5a5d8b040ad1"
}
],
"database_specific": {
"cwe_ids": [
"CWE-1125"
],
"severity": "CRITICAL",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:16:16Z"
}
}
40 changes: 40 additions & 0 deletions40
advisories/unreviewed/2026/02/GHSA-v7vr-xfpj-4f3m/GHSA-v7vr-xfpj-4f3m.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
{
"schema_version": "1.4.0",
"id": "GHSA-v7vr-xfpj-4f3m",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2024-2356"
],
"details": "A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post(\"/reinstall_extension\") route. This vulnerability allows attackers to inject a malicious name parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of data.name directly with lollmsElfServer.lollms_paths.extensions_zoo_path and its use as an argument for ExtensionBuilder().build_extension(). The server's handling of the __init__.py file in arbitrary locations, facilitated by importlib.machinery.SourceFileLoader, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to 0.0.0.0 or in headless mode. No user interaction is required for exploitation.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2356"
},
{
"type": "WEB",
"url": "https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/cb9867b4-28e3-4406-9031-f66fc28553d4"
}
],
"database_specific": {
"cwe_ids": [
"CWE-29"
],
"severity": "CRITICAL",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:15:52Z"
}
}
36 changes: 36 additions & 0 deletions36
advisories/unreviewed/2026/02/GHSA-wj3h-wx8g-x699/GHSA-wj3h-wx8g-x699.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
{
"schema_version": "1.4.0",
"id": "GHSA-wj3h-wx8g-x699",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"aliases": [
"CVE-2024-5986"
],
"details": "A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the /3/Frames/framename/export endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5986"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3"
}
],
"database_specific": {
"cwe_ids": [
"CWE-73"
],
"severity": "CRITICAL",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:16:16Z"
}
}
Footer
© 2026 GitHub, Inc.
Footer navigation
Terms
Privacy
Security
Status
Community
Docs
Contact
Manage cookies
Do not share my personal information

@JonathanLEvans JonathanLEvans added the invalid This doesn't seem right label Feb 2, 2026
@github-actions github-actions bot deleted the ivanm696-GHSA-9583-h5hc-x8cw branch February 2, 2026 15:41
@ivanm696
Copy link
Author

ivanm696 commented Feb 2, 2026

Skip to content
GitHub Advisory Database Unreviewed CVE-2025-4598
A vulnerability was found in systemd-coredump. This flaw...
Moderate severity Unreviewed Published on May 30, 2025 to the GitHub Advisory Database • Updated 4 hours ago
Package
No package listed— Suggest a package
Affected versions
Unknown
Patched versions
Unknown
Description
A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

References
https://nvd.nist.gov/vuln/detail/CVE-2025-4598
https://access.redhat.com/security/cve/CVE-2025-4598
https://bugzilla.redhat.com/show_bug.cgi?id=2369242
https://www.openwall.com/lists/oss-security/2025/05/29/3
http://www.openwall.com/lists/oss-security/2025/06/05/1
http://www.openwall.com/lists/oss-security/2025/06/05/3
https://blogs.oracle.com/linux/post/analysis-of-cve-2025-4598
https://ciq.com/blog/the-real-danger-of-systemd-coredump-cve-2025-4598
https://www.openwall.com/lists/oss-security/2025/08/18/3
https://lists.debian.org/debian-lts-announce/2025/07/msg00022.html
http://seclists.org/fulldisclosure/2025/Jun/9
http://www.openwall.com/lists/oss-security/2025/08/18/3
https://access.redhat.com/errata/RHSA-2025:22660
https://access.redhat.com/errata/RHSA-2025:22868
https://access.redhat.com/errata/RHSA-2025:23234
https://access.redhat.com/errata/RHSA-2025:23227
https://access.redhat.com/errata/RHSA-2026:0414
https://access.redhat.com/errata/RHSA-2026:1652
Published by the National Vulnerability Database on May 30, 2025
Published to the GitHub Advisory Database on May 30, 2025
Last updated 4 hours ago
Severity
Moderate
/ 10
CVSS v3 base metrics
Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS score
(12th percentile)
Weaknesses
WeaknessCWE-364
CVE ID
CVE-2025-4598
GHSA ID
GHSA-jx2m-wgq5-5qcj
Source code
No known source code
Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

This advisory has been edited. See History.
See something to contribute? Suggest improvements for this vulnerability.
Footer
© 2026 GitHub, Inc.
Footer navigation
Terms
Privacy
Security
Status
Community
Docs
Contact
Manage cookies
Do not share my personal information

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

invalid This doesn't seem right

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@ivanm696 @github @JonathanLEvans @Claude @Codex