29 matches found
Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
Impact PROXY protocol support for Puma was added in version 5.5.0. When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes...
GHSA-444R-CWP2-X5XF fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
Summary When trustProxy is configured with a restrictive trust function e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including...
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
Summary When trustProxy is configured with a restrictive trust function e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including...
CVE-2026-3635
A flaw was found in fastify. When the trustProxy option is configured with a restrictive trust function, such as a specific IP, a subnet, a hop count or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection,...
CVE-2026-3635 Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
Summary When trustProxy is configured with a restrictive trust function e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including...
CVE-2026-3635
Summary When trustProxy is configured with a restrictive trust function e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including...
CVE-2026-3635
CVE-2026-3635 : In Fastify (affected: fastify
CVE-2026-3635 Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
Summary When trustProxy is configured with a restrictive trust function e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including...
PT-2026-27132
Name of the Vulnerable Software and Affected Versions fastify versions through 5.8.2 Description When the trustProxy setting is configured with a restrictive trust function—such as a specific IP address, a subnet, a hop count, or a custom function—the request.protocol and request.host getters...
EUVD-2023-1578
Malicious code in bioql PyPI...
EUVD-2024-17108
Malicious code in bioql PyPI...
BIT-MONGODB-2024-1351 MongoDB Server may allow successful untrusted connection
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failin...
MongoDB Certificate Validation Vulnerability (SERVER-72839) - Windows
MongoDB is prone to a certificate validation vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mongodb:mongodb"; if...
Input validation
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failin...
CVE-2024-1351
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failin...
CVE-2024-1351 MongoDB Server may allow successful untrusted connection
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failin...
CVE-2024-1351 MongoDB Server may allow successful untrusted connection
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failin...
MongoDB Server may allow successful untrusted connection
Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failin...
GHSA-QVQG-6RP8-4P9H github.com/ipfs/kubo affected by DOS Bitswap unbounded persistent memory leak
Impact An attacker is able allocate arbitrarily many bytes in the Bitswap server by sending many WANTBLOCK and or WANTHAVE requests which are queued in an unbounded queue, with allocations that persist even if the connection is closed. This affects users accepting or connecting untrusted...
github.com/ipfs/kubo affected by DOS Bitswap unbounded persistent memory leak
Impact An attacker is able allocate arbitrarily many bytes in the Bitswap server by sending many WANTBLOCK and or WANTHAVE requests which are queued in an unbounded queue, with allocations that persist even if the connection is closed. This affects users accepting or connecting untrusted...