Monthly
CPU and log amplification in opentelemetry-go's baggage parser allows remote unauthenticated attackers to trigger denial-of-service by submitting oversized or malformed W3C baggage headers to any instrumented Go service. PR #7880 inadvertently removed the upfront raw-length check and per-member size guard from `baggage.Parse`, meaning the parser now fully tokenizes and percent-decodes every member of an arbitrarily large input rather than rejecting it early. A publicly available proof-of-concept exists (GHSA-5wrp-cwcj-q835); the vulnerability is not yet listed in CISA KEV, and impact is bounded to availability with no confirmed confidentiality or integrity consequence.
Memory exhaustion in the Perl Archive::Tar module before version 3.10 lets remote attackers cause a denial of service by supplying a crafted tar archive whose per-entry header declares an arbitrarily large size, which the module trusts and uses to drive allocation before reading. The flaw is unauthenticated and network-reachable (CVSS 7.5, A:H only - no confidentiality or integrity impact) but affects only applications that parse untrusted tarballs with this module. There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 4th percentile); the vendor shipped a fix in 3.10.
Denial of service in Mattermost server (versions 11.6.0, 11.5.0-11.5.3, 11.4.0-11.4.4, and 10.11.0-10.11.14) allows remote attackers to crash the server process by sending a crafted msgpack-encoded binary WebSocket frame to the public endpoint. The flaw stems from missing validation of frame sizes before memory allocation, enabling a full service outage for all users. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects the unauthenticated network-reachable nature of the attack with high availability impact.
Uncontrolled memory allocation in Progress Software MOVEit Automation exposes the application to remote denial-of-service via excessive resource consumption. Unauthenticated network attackers can trigger the flaw against versions prior to 2025.0.11 and 2025.1.x prior to 2025.1.7, resulting in availability loss with no confidentiality or integrity impact per the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis; risk is moderated by high attack complexity.
Excessive memory allocation in Samsung's Escargot JavaScript engine (commit 590345cc) triggers a denial-of-service condition via integer underflow in the TypedArray.prototype.copyWithin implementation, causing the engine to request a massive heap allocation and subsequently abort the process. Affected deployments include Samsung TV and appliance firmware that embeds Escargot as a scripting runtime. No public exploit code and no CISA KEV listing are present; EPSS data was not provided in available intelligence. Risk is bounded by the local attack vector and user interaction requirement in the CVSS vector.
Memory exhaustion denial of service in Mattermost Server versions 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3 allows authenticated attackers to crash the server by uploading maliciously crafted 7zip archives containing excessive folder declarations. The vulnerability stems from insufficient validation of 7zip archive structure before decompression, enabling resource exhaustion attacks with low attack complexity. EPSS data is not available and the issue is not listed in CISA KEV; no exploitation has been confirmed at time of analysis.
Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow an attacker positioned between NGINX and its upstream servers to read worker process memory or crash the service. Affects both NGINX Open Source and NGINX Plus when scgi_pass or uwsgi_pass directives are configured. Exploitation requires network positioning between NGINX and its backend servers (CVSS 4.0 AV:N with AT:P, Attack Requirements: Present), so exposure depends on network architecture. No public exploit identified at time of analysis. CVSS 8.3 (High) reflects the potential for confidential data exposure, tempered by the man-in-the-middle prerequisite.
Stack overflow in ParquetSharp versions 18.1.0 through 23.0.0.0 allows remote unauthenticated attackers to cause denial of service by supplying a maliciously crafted Parquet file with a decimal column declaring an unreasonably large width, triggering unbounded stack allocation in the DecimalConverter.ReadDecimal method. This impacts network services that parse untrusted Parquet files. The vulnerability has been patched in version 23.0.0.1.
Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a `StackOverflowException`, which is not catchable by user code and terminates the process. Applications are impacted if they deserialize MessagePack data from untrusted or attacker-controlled sources using Nerdbank.MessagePack and the target type contains a `DateTime` value. A small malicious payload can cause process termination, resulting in a denial of service. This may affect services, APIs, workers, message consumers, or other long-running processes that deserialize untrusted MessagePack input.

The issue occurs because DateTime timestamp extension decoding derives `tokenSize` from the attacker-controlled extension length before validating that the length is one of the legal MessagePack timestamp sizes: 4, 8, or 12 bytes. When the buffer is incomplete, that unvalidated size is propagated to the streaming reader slow path, where it is used in a `stackalloc`.

Version 1.1.62 contains the fix. If upgrading is not yet possible, avoid deserializing untrusted MessagePack payloads into type graphs that may contain `DateTime` fields or properties. Input byte-size limits alone may not fully mitigate this issue, because the malicious payload can be small while declaring a very large extension length. Possible mitigations include:
- Pre-validating MessagePack extension headers before deserialization and rejecting timestamp extensions whose length is not 4, 8, or 12 bytes.
- Rejecting or filtering extension type `-1` timestamp values from untrusted input unless they are known to be valid.
- Running deserialization of untrusted payloads in an isolated process that can be safely restarted after termination.
- Restricting MessagePack deserialization to trusted producers until a patched version is available.

References:
- CWE-789: Uncontrolled Memory Allocation: https://cwe.mitre.org/data/definitions/789.html
- MessagePack timestamp extension specification: https://github.com/msgpack/msgpack/blob/master/spec.md#timestamp-extension-type
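One way to implement the first mitigation above, as an added example that is not Nerdbank.MessagePack's own code: a small Python pre-validator that walks one MessagePack value, rejects any ext type `-1` (timestamp) header whose declared length is not 4, 8 or 12 bytes, and also refuses any declared length or element count that exceeds the bytes actually present, so an incomplete buffer never carries an attacker-chosen size into the deserializer. The same declared-length-before-allocation shape appears in the Archive::Tar and Mattermost WebSocket-frame entries above. The nesting cap, the helper names and the sample payloads are assumptions constructed for the illustration.

```python
"""Pre-validate MessagePack bytes before a real deserializer touches them (illustrative)."""
import struct

TIMESTAMP_EXT_TYPE = -1               # ext type the spec reserves for timestamps
LEGAL_TIMESTAMP_LENGTHS = {4, 8, 12}  # timestamp32 / timestamp64 / timestamp96
MAX_DEPTH = 32                        # assumed nesting cap, not part of the spec

# Format byte -> (width of the length prefix in bytes, kind of container)
_LEN_PREFIXED = {
    0xc4: (1, "bin"), 0xc5: (2, "bin"), 0xc6: (4, "bin"),
    0xc7: (1, "ext"), 0xc8: (2, "ext"), 0xc9: (4, "ext"),
    0xd9: (1, "str"), 0xda: (2, "str"), 0xdb: (4, "str"),
    0xdc: (2, "array"), 0xdd: (4, "array"), 0xde: (2, "map"), 0xdf: (4, "map"),
}
_FIXED_WIDTH = {0xca: 4, 0xcb: 8, 0xcc: 1, 0xcd: 2, 0xce: 4, 0xcf: 8,
                0xd0: 1, 0xd1: 2, 0xd2: 4, 0xd3: 8}   # float32/64, uint8..64, int8..64
_FIXEXT = {0xd4: 1, 0xd5: 2, 0xd6: 4, 0xd7: 8, 0xd8: 16}


class MalformedPayload(ValueError):
    pass


def _take(buf, pos, n):
    """Advance past n bytes, refusing a declared length longer than what remains."""
    if n > len(buf) - pos:
        raise MalformedPayload(f"offset {pos}: {n} byte(s) declared, {len(buf) - pos} remain")
    return pos + n


def _check_ext(buf, pos, length):
    """Ext payload = one signed type byte, then `length` data bytes."""
    end = _take(buf, pos, 1)
    ext_type = struct.unpack(">b", buf[pos:end])[0]
    if ext_type == TIMESTAMP_EXT_TYPE and length not in LEGAL_TIMESTAMP_LENGTHS:
        raise MalformedPayload(f"offset {pos}: timestamp ext of {length} bytes, legal sizes 4/8/12")
    return _take(buf, end, length)


def _walk_seq(buf, pos, count, depth):
    # Each element costs at least one byte, so an oversized count fails before the loop runs.
    if count > len(buf) - pos:
        raise MalformedPayload(f"offset {pos}: {count} elements declared, input too short")
    for _ in range(count):
        pos = _walk(buf, pos, depth + 1)
    return pos


def _walk(buf, pos, depth):
    """Validate one value starting at pos; return the offset just past it."""
    if depth > MAX_DEPTH:
        raise MalformedPayload("nesting too deep")
    if pos >= len(buf):
        raise MalformedPayload(f"offset {pos}: unexpected end of input")
    b, pos = buf[pos], pos + 1
    if b <= 0x7f or b >= 0xe0 or b in (0xc0, 0xc2, 0xc3):    # fixint, nil, bool
        return pos
    if 0xa0 <= b <= 0xbf:                                     # fixstr
        return _take(buf, pos, b & 0x1f)
    if 0x80 <= b <= 0x9f:                                     # fixmap (key/value pairs) / fixarray
        return _walk_seq(buf, pos, (b & 0x0f) * (2 if b <= 0x8f else 1), depth)
    if b in _FIXED_WIDTH:
        return _take(buf, pos, _FIXED_WIDTH[b])
    if b in _FIXEXT:
        return _check_ext(buf, pos, _FIXEXT[b])
    if b in _LEN_PREFIXED:
        width, kind = _LEN_PREFIXED[b]
        end = _take(buf, pos, width)
        n = int.from_bytes(buf[pos:end], "big")               # attacker-declared length/count
        if kind == "ext":
            return _check_ext(buf, end, n)
        if kind in ("str", "bin"):
            return _take(buf, end, n)
        return _walk_seq(buf, end, n * (2 if kind == "map" else 1), depth)
    raise MalformedPayload(f"offset {pos - 1}: reserved format byte 0x{b:02x}")


def validate(buf: bytes) -> bool:
    """True if buf is exactly one well-formed value whose timestamp exts have legal sizes."""
    if _walk(buf, 0, 0) != len(buf):
        raise MalformedPayload("trailing bytes after top-level value")
    return True


def is_safe(buf: bytes) -> bool:
    try:
        return validate(buf)
    except MalformedPayload:
        return False


# Constructed sample payloads for the demonstration (not captured from any real system).
GOOD_TS32 = bytes([0xd6, 0xff]) + (1_700_000_000).to_bytes(4, "big")   # fixext 4, type -1
GOOD_TS96 = bytes([0xc7, 12, 0xff]) + bytes(12)                        # ext 8, len 12, type -1
BAD_TS_LEN = bytes([0xd5, 0xff, 0, 0])                                 # fixext 2, type -1
# ext 32 claiming 0xFFFFFFFF bytes of type -1 data while only 3 bytes follow:
BAD_HUGE_TS = bytes([0xc9, 0xff, 0xff, 0xff, 0xff, 0xff]) + b"\x00\x01\x02"
WRAPPED = bytes([0x81, 0xa2]) + b"ts" + BAD_HUGE_TS                    # {"ts": <bad ts>}

if __name__ == "__main__":
    for name in ("GOOD_TS32", "GOOD_TS96", "BAD_TS_LEN", "BAD_HUGE_TS", "WRAPPED"):
        print(f"{name}: {'accept' if is_safe(globals()[name]) else 'reject'}")
```

Run `validate` on every untrusted payload before the real deserializer sees it. It is a gate, not a replacement: it only checks structure and the timestamp length rule, and says nothing about whether a correctly sized timestamp carries a sensible value.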
OpenTelemetry OpAMP client allocates unbounded buffers when reading HTTP responses from an OpAMP server, enabling memory exhaustion denial-of-service attacks if the configured server is attacker-controlled or subject to network interception. An attacker can send an extremely large HTTP response body that forces the client application to allocate memory without limits, exhausting available memory and crashing the application. CVSS 5.9 reflects moderate severity; exploitation requires network positioning (man-in-the-middle or control of the OpAMP server endpoint), which limits real-world attack surface. Upstream fix available in version 0.2.0-alpha.1.