Skip to content

Commit 7d47c66

Browse files
1 parent 42aaed8 commit 7d47c66

3 files changed

Lines changed: 170 additions & 0 deletions

File tree

Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-fhp4-pr5j-46m5",
4+
"modified": "2026-06-26T20:55:18Z",
5+
"published": "2026-06-26T20:55:18Z",
6+
"aliases": [],
7+
"summary": "Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key",
8+
"details": "## Summary\n\nA NULL pointer dereference vulnerability exists in `PDFParser::CreateFilterForStream()` when processing a PDF stream with `/Filter /LZWDecode` and a `/DecodeParms` dictionary that does not contain the `EarlyChange` key. This causes an access violation (0xC0000005) and crashes the process.\n\n## Affected Version\n\nmuhammara <= 6.0.4 (latest)\n\n## Vulnerability Details\n\n**File:** `src/deps/PDFWriter/PDFParser.cpp` line 2107\n\n```cpp\nif (inDecodeParams)\n{\n PDFObjectCastPtr<PDFInteger> earlyObj(\n QueryDictionaryObject(inDecodeParams, \"EarlyChange\")\n );\n early = earlyObj->GetValue(); // NULL dereference when EarlyChange key is absent\n}\n```\n\nWhen `inDecodeParams` is non-NULL but lacks the `EarlyChange` key:\n1. `QueryDictionaryObject()` returns NULL\n2. `PDFObjectCastPtr<PDFInteger>(NULL)` wraps NULL\n3. `earlyObj->GetValue()` dereferences NULL → crash\n\n## PoC\n\n460-byte malicious PDF triggers crash via `startReadingFromStream()`:\n\n- PDF contains `/Filter /LZWDecode` with `/DecodeParms << >>` (empty, no EarlyChange)\n- Exit code: `0xC0000005` (Access Violation)\n\n## Fix\n\n```cpp\nif (earlyObj)\n early = earlyObj->GetValue();\n```\n\n## Impact\n\nAny application accepting untrusted PDFs and using muhammara to read stream contents is vulnerable to DoS.\n\nSimilar to: CVE-2022-41957, CVE-2022-39381\n\n## PoC File\n[poc_muhammara_lzw_null.js](https://github.com/user-attachments/files/27186113/poc_muhammara_lzw_null.js)",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "muhammara"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "6.0.5"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 6.0.4"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-fhp4-pr5j-46m5"
43+
},
44+
{
45+
"type": "WEB",
46+
"url": "https://github.com/julianhille/MuhammaraJS/commit/a98c07780241353334eb65bfca1df025f14be70b"
47+
},
48+
{
49+
"type": "PACKAGE",
50+
"url": "https://github.com/julianhille/MuhammaraJS"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-476"
56+
],
57+
"severity": "HIGH",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-06-26T20:55:18Z",
60+
"nvd_published_at": null
61+
}
62+
}
Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-j7f5-gfqm-pcx3",
4+
"modified": "2026-06-26T20:54:38Z",
5+
"published": "2026-06-26T20:54:38Z",
6+
"aliases": [],
7+
"summary": "Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system",
8+
"details": "### Summary\nAn unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.\n\n### Details\nThe account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms which implement reCAPTCHA and rate limiting protections, this endpoint lacks these safeguards entirely.\nAn attacker can capture the email update request (for example, using Burp Suite's proxy) and modify the email field to test arbitrary addresses. The panel's response will confirm whether each tested email is already registered in the system. Because there are no rate limits implemented, attackers can send hundreds or thousands of requests to enumerate the user base.\n\nThis is concerning because:\n\n- The login and password reset pages correctly implement protections against enumeration\n- The account page has no reCAPTCHA option available\n- No rate limiting exists in the panel for this endpoint\n- Authentication is required, but any valid account (including free tier/trial accounts) can exploit this\n\n### PoC\n- Log into the Pterodactyl panel with any valid account\n- Navigate to Account Settings\n- Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it\n- Attempt to change your email address and capture the POST request\n- Send the captured request to Repeater\n- Modify the email field to test different addresses (e.g., admin@example.com, test@example.com)\n- Send multiple requests in rapid succession\n- Observe the response messages which confirm whether each email exists or not \n- Repeat indefinitely without encountering rate limits or CAPTCHA challenges\n\n\n### Impact\nThis is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).\n\nWho is impacted:\n\n- All Pterodactyl panel installations are affected\n- Any registered user's email address can be discovered\n- Particularly impacts administrators and high-value accounts\n\nPotential consequences:\n\n- Attackers can build a complete database of registered users\n- Enumerated emails can be used for targeted phishing campaigns\n- Combined with other attacks (credential stuffing, social engineering)\n- Privacy violation for all users on the platform\n- Competitive intelligence gathering (identifying which companies/individuals use specific panels)",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "pterodactyl/panel"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "1.12.3"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-j7f5-gfqm-pcx3"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/pterodactyl/panel"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [
48+
"CWE-204"
49+
],
50+
"severity": "MODERATE",
51+
"github_reviewed": true,
52+
"github_reviewed_at": "2026-06-26T20:54:38Z",
53+
"nvd_published_at": null
54+
}
55+
}
Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-rhq6-9rgh-v45c",
4+
"modified": "2026-06-26T20:53:00Z",
5+
"published": "2026-06-26T20:53:00Z",
6+
"aliases": [],
7+
"summary": "Pterodactyl Wings: Chmod operation can be used to change permissions of files outside of the server container",
8+
"details": "In `wings/internal/ufs/fs_unix.go` (line 92-94), this function is defined and is used to change permissions of files in the server:\n\n```go\nfunc (fs *UnixFS) fchmodat(op string, dirfd int, name string, mode FileMode) error {\n return ensurePathError(unix.Fchmodat(dirfd, name, uint32(mode), 0), op, name)\n}\n```\n\nThis call to the unix function `fchmodat(int fd, char* name, mode_t mode, int flags)` does not have the flag `AT_SYMLINK_NOFOLLOW` set, and Wings neither checks or validate if the target file is a symlink. This allows one to change permissions of files or folders outside of the server container by making symlinks to existing files in the host and then chmoding it.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Go",
19+
"name": "github.com/pterodactyl/wings"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "1.11.9"
27+
},
28+
{
29+
"fixed": "1.12.2"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/pterodactyl/wings/security/advisories/GHSA-rhq6-9rgh-v45c"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/pterodactyl/wings"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [],
48+
"severity": "MODERATE",
49+
"github_reviewed": true,
50+
"github_reviewed_at": "2026-06-26T20:53:00Z",
51+
"nvd_published_at": null
52+
}
53+
}

0 commit comments

Comments
 (0)