SUSE CVE-2026-40924

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant...

CVE-2026-40924

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant...

CVE-2026-40924

CVE-2026-40924 – Tekton Pipelines HTTP Resolver Unbounded Read Leads to DoS . The vulnerability affects Tekton Pipelines where, prior to 1.11.1, the HTTP resolver’s FetchHttpResource calls io.ReadAll on resp.Body with no size limit. A tenant with permission to create TaskRuns or PipelineRuns refe...

CVE-2026-40924

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant...

CVE-2026-40924 Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant...

CVE-2026-40924 Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the HTTP resolver process. An attacker can cause excessive memory consumption and termination of the tekton-pipelines-resolvers pod by directing it to retrieve a very large HT...

GHSA-M2CX-GPQF-QF74 Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Summary The HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response...

Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Summary The HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response...

PT-2026-34177

Name of the Vulnerable Software and Affected Versions Tekton Pipelines versions prior to 1.11.1 Description The HTTP resolver's FetchHttpResource function reads response bodies without a size limit. A user with permissions to create TaskRuns or PipelineRuns can point the resolver to a malicious...

DEBIAN-CVE-2025-68458

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo username:password@host. If allowedUris...

CVE-2025-68458

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo username:password@host. If allowedUris...

CVE-2025-68157

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that...

CVE-2025-68458

Webpack CVE-2025-68458 affects Webpack’s HTTP(S) resolver (HttpUriPlugin) when experiments.buildHttp is enabled. A crafted URL containing userinfo (username:password@host) can bypass allowedUris checks and cause the build process to request resources from internal or non-whitelisted hosts, enabli...

CVE-2025-68458

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo username:password@host. If allowedUris...

EUVD-2025-206877

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo username:password@host. If allowedUris...