Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Impact
A cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones.
The cache key was constructed by concatenating the topic selector and topic with an underscore separator:
k = "m_" + topicSelector + "_" + topicBecause both topic selectors and topics can contain underscores, two distinct pairs can produce the same key:
selector="foo_bar" topic="baz" → key: "m_foo_bar_baz"
selector="foo" topic="bar_baz" → key: "m_foo_bar_baz"An attacker who can subscribe to the hub or publish updates with crafted topic names can exploit this to bypass authorization checks on private updates.
Patches
The vulnerability is fixed by replacing string-encoded cache keys with typed Go struct keys that are inherently collision-free:
type matchCacheKey struct {
topicSelector string
topic string
}The internal TopicSelectorStoreCache interface and sharded cache abstraction have also been removed in favor of a single typed otter cache.
Users should upgrade to version 0.22.0 or later.
Workarounds
Disable the topic selector cache by setting topic_selector_cache to -1 in the Caddyfile, or by passing a cache size of 0 when using the library directly. This eliminates the vulnerability at the cost of reduced performance.
AnalysisAI
Cache key collision in Mercure hub TopicSelectorStore enables authorization bypass through crafted topic names. Attackers can poison the match result cache by exploiting underscore-based key concatenation, causing private updates to be delivered to unauthorized subscribers or blocking legitimate deliveries. Affects Go package github.com/dunglas/mercure prior to version 0.22.0. Exploitation requires ability to subscribe to the hub or publish updates with specially crafted topic/selector combinations. No public exploit identified at time of analysis.
Technical ContextAI
CWE-1289 collision stems from string concatenation cache key generation (topicSelector + "_" + topic). Underscore separator creates ambiguity: "foo_bar"+"baz" and "foo"+"bar_baz" produce identical key "m_foo_bar_baz". Fix replaces string keys with typed Go struct keys containing separate topicSelector and topic fields, eliminating concatenation-based collisions. Otter cache implementation replaces sharded cache abstraction.
RemediationAI
Vendor-released patch: upgrade to Mercure version 0.22.0 or later, which implements collision-free typed struct cache keys. Commit 4964a69be904fd61e35b5f1e691271663b6fdd64 contains the fix. Release available at https://github.com/dunglas/mercure/releases/tag/v0.22.0. Workaround for unpatched systems: disable topic selector cache by setting topic_selector_cache to -1 in Caddyfile configuration, or pass cache size 0 when using the library directly. This eliminates vulnerability but degrades performance. Vendor advisory: https://github.com/dunglas/mercure/security/advisories/GHSA-hwr4-mq23-wcv5
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20967
GHSA-hwr4-mq23-wcv5