Skip to content

Commit 7c6bf11

Browse files
1 parent 238a8ad commit 7c6bf11

3 files changed

Lines changed: 211 additions & 0 deletions

File tree

Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-hg3w-7f8c-63hp",
4+
"modified": "2026-06-26T21:49:22Z",
5+
"published": "2026-06-26T21:49:22Z",
6+
"aliases": [
7+
"CVE-2026-48995"
8+
],
9+
"summary": "pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile",
10+
"details": "### Summary\n\nA malicious `codeload.github.com` server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile.\n\n### Details\n\nThe lockfile does not store the hash of the dependencies from https://codeload.github.com\n\nThis means that if this server was compromised or a person's machine configuration was compromised, pnpm would download and install these dependencies.\n\n### PoC\n\n```sh\n> pnpm -v \n10.28.2\n```\n\nGiven the following package.json:\n\n```json\n{\n \"dependencies\": {\n \"add\": \"git://github.com/dsherret/npm-git-dep.git#b3eeb9b\"\n }\n}\n```\n\nThis produces a lockfile like so:\n\n```yaml\nlockfileVersion: '9.0'\n\nsettings:\n autoInstallPeers: true\n excludeLinksFromLockfile: false\n\nimporters:\n\n .:\n dependencies:\n add:\n specifier: git://github.com/dsherret/npm-git-dep.git#b3eeb9b\n version: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b\n\npackages:\n\n add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b:\n resolution: {tarball: https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b}\n version: 1.0.0\n\nsnapshots:\n\n add@https://codeload.github.com/dsherret/npm-git-dep/tar.gz/b3eeb9b: {}\n```\n\nNotice that there is no hash. The `b3eeb9b` is not sufficient because I can configure my machine to resolve a compromised tarball from that url (I tested it out and pnpm just installs it).\n\n### Impact\n\nAnyone relying on github git dependencies.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "pnpm"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "10.33.4"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "npm",
40+
"name": "pnpm"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "11.0.0"
48+
},
49+
{
50+
"fixed": "11.0.7"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-hg3w-7f8c-63hp"
61+
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48995"
65+
},
66+
{
67+
"type": "PACKAGE",
68+
"url": "https://github.com/pnpm/pnpm"
69+
}
70+
],
71+
"database_specific": {
72+
"cwe_ids": [
73+
"CWE-353"
74+
],
75+
"severity": "MODERATE",
76+
"github_reviewed": true,
77+
"github_reviewed_at": "2026-06-26T21:49:22Z",
78+
"nvd_published_at": "2026-06-25T18:16:38Z"
79+
}
80+
}
Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-jq42-7mfv-hm57",
4+
"modified": "2026-06-26T21:48:43Z",
5+
"published": "2026-06-26T21:48:43Z",
6+
"aliases": [
7+
"CVE-2026-5223"
8+
],
9+
"summary": "Cargo crates in third party registries can override the cached source of other crates",
10+
"details": "The Rust Security Response Team was notified that Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry.\n\nThis vulnerability is tracked as CVE-2026-5223. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink.\n\n## Overview\n\nWhen building a crate, Cargo extracts its source code in a local cache (stored within `~/.cargo`), reusing it for any future build. Cargo includes protections to prevent any file from being extracted outside of the crate's own cache directory.\n\nIt was discovered that it's possible to craft a malicious tarball able to extract files one level below the crate's own cache directory. With the way the cache is structured, that allowed the malicious crate to override the cache of other crates belonging to the same registry.\n\n## Mitigations\n\nRust 1.96.0, to be released on May 28th, 2026, will update Cargo to reject extracting *any* symlink within crate tarballs, regardless of whether they come from crates.io (which already forbids them) or third-party registries. Note that Cargo never added symlinks when running `cargo package` or `cargo publish`, so the impact of this should be minimal.\n\nUsers who are not able to upgrade to the most recent Rust version are recommended to audit the contents of their registry for the presence of any symlink, and to configure their registry to reject symlink (if such option is available).\n\n## Affected versions\n\nAll versions of Cargo shipped before Rust 1.96.0 are affected.\n\n## Acknowledgements\n\nCargo would like to thank Christos Papakonstantinou for reporting this to us according to the [Rust security policy][1].\n\nCargo also wants to thank the members of the Rust project who helped address the vulnerability: Josh Triplett for developing the fix; Arlo Siemsen for reviewing the fix; Emily Albini for writing this advisory; Emily Albini, Josh Stone and Manish Goregaokar for coordinating the disclosure; Ed Page and Eric Huss for advising during the disclosure.\n\n[1]: https://rust-lang.org/policies/security",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "crates.io",
21+
"name": "cargo"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.97.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/rust-lang/cargo/security/advisories/GHSA-jq42-7mfv-hm57"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5223"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/rust-lang/cargo/pull/17031"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://blog.rust-lang.org/2026/05/25/cve-2026-5223"
54+
},
55+
{
56+
"type": "PACKAGE",
57+
"url": "https://github.com/rust-lang/cargo"
58+
},
59+
{
60+
"type": "WEB",
61+
"url": "https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8"
62+
}
63+
],
64+
"database_specific": {
65+
"cwe_ids": [
66+
"CWE-61"
67+
],
68+
"severity": "MODERATE",
69+
"github_reviewed": true,
70+
"github_reviewed_at": "2026-06-26T21:48:43Z",
71+
"nvd_published_at": "2026-05-25T10:16:15Z"
72+
}
73+
}
Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-mmj8-wcvw-6789",
4+
"modified": "2026-06-26T21:50:10Z",
5+
"published": "2026-06-26T21:50:10Z",
6+
"aliases": [
7+
"CVE-2026-49262"
8+
],
9+
"summary": "Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy",
10+
"details": "### Summary\nThe administrative proxy route (`cmsproxy`) in Aimeos Pagible CMS is vulnerable to a Server-Side Request Forgery (SSRF) attack via DNS Rebinding. A Time-of-Check to Time-of-Use (TOCTOU) race condition exists between the URL validation phase and the actual HTTP request phase, allowing attackers to access internal network resources and cloud metadata endpoints.\n\n### Details\nBefore executing an HTTP request to fetch external content, the `AdminController::proxy` controller validates the target URL using `\\Aimeos\\Cms\\Utils::isValidUrl($url)`. This function performs a DNS query to verify that the hostname does not resolve to private or reserved IP ranges (e.g., `127.0.0.1`, `10.0.0.0/8`, `169.254.169.254`). \n\nIf the validation passes, the application proceeds to the \"Use\" phase, invoking Guzzle/cURL to send the request. However, Guzzle performs a *second* DNS lookup to establish the socket connection. \n\nAn attacker can exploit this by setting up a malicious DNS server for a domain they control and configuring it with a TTL of 0. \n1. During the validation \"Check\", the DNS server returns a safe, public IP.\n2. During the Guzzle \"Use\", the DNS server returns an internal/private IP.\n\n ### POC\n1. Attacker registers `rebound.test.com with a custom nameserver.\n2. Attacker generates a valid proxy token (assuming basic authenticated access).\n3. Attacker requests `/cmsproxy?url=http://rebound.test.com`.\n4. `isValidUrl` checks `rebound.test.com`. DNS returns `8.8.8.8`. Validation passes.\n5. Guzzle requests `http://rebound.test.com`. DNS returns `169.254.169.254`.\n6. The CMS fetches AWS Instance Metadata and returns it to the attacker.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "aimeos/pagible"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.10.4"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/aimeos/pagible/security/advisories/GHSA-mmj8-wcvw-6789"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/aimeos/pagible"
46+
}
47+
],
48+
"database_specific": {
49+
"cwe_ids": [
50+
"CWE-367",
51+
"CWE-918"
52+
],
53+
"severity": "LOW",
54+
"github_reviewed": true,
55+
"github_reviewed_at": "2026-06-26T21:50:10Z",
56+
"nvd_published_at": null
57+
}
58+
}

0 commit comments

Comments
 (0)