mod_http2: DoS by null pointer in websocket over HTTP/2
A flaw was found in the Apache HTTP Server. Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a NULL pointer dereference, leading to a crash of the server process...
Denial Of Service (DoS)
github.com/envoyproxy/envoy is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of the filter's lifecycle or a crash when a local reply is sent to the external server, which allows an attacker to trigger a DoS by forcing a failed WebSocket handshake or another scenario...
Denial Of Service (DoS)
Aimhubio/aim is vulnerable to Denial of Service (DoS). The vulnerability is due to the tracking server overriding the maximum size for websocket messages, allowing very large images to be tracked, which causes the server to become unresponsive to other requests...
SUSE CVE-2025-30157
Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's lifetime issue. A known situation is the failure of a websocket...
SUSE-SU-2025:20252-1 Security update for libsoup
This update for libsoup fixes the following issues: - CVE-2024-52530: strictly don't allow NUL bytes in headers (bsc#1233285, glgo#GNOME/libsoup#377). - CVE-2024-52532: websocket: Process the frame as soon as we read data (bsc#1233287, glgo#GNOME/libsoup#391). - CVE-2024-52531: be more robust against invalid...
Security update for libsoup
This update for libsoup fixes the following issues: CVE-2024-52530: strictly don't allow NUL bytes in headers (bsc#1233285, glgo#GNOME/libsoup#377). CVE-2024-52532: websocket: Process the frame as soon as we read data (bsc#1233287, glgo#GNOME/libsoup#391). CVE-2024-52531: be more robust against invalid input...
CVE-2024-10037
A vulnerability exists in the RTU500 web server component that can cause a denial of service to the RTU500 CMU application if a specially crafted message sequence is executed on a WebSocket connection. An attacker must be properly authenticated and the test mode function of RTU500 must be enabled...
CVE-2024-10037
CVE-2024-10037 affects Hitachi Energy RTU500 web server component and can cause a denial of service to the RTU500 CMU application when a specially crafted WebSocket message sequence is processed. Exploitation requires proper authentication and the RTU500 test mode to be enabled; the affected CMU ...
BIT-ENVOY-2025-30157 Envoy crashes when HTTP ext_proc processes local replies
Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's lifetime issue. A known situation is the failure of a websocket...
CVE-2025-30157
Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's lifetime issue. A known situation is the failure of a websocket...
CVE-2024-10948
A vulnerability in the upload function of binary-husky/gpt_academic allows any user to read arbitrary files on the system, including sensitive files such as config.py. This issue affects the latest version of the product. An attacker can exploit this vulnerability by intercepting the websocket...
CVE-2025-0189
In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large...
CVE-2024-10956
GPT Academy version 3.83 in the binary-husky/gpt_academic repository is vulnerable to Cross-Site WebSocket Hijacking (CSWSH). This vulnerability allows an attacker to hijack an existing WebSocket connection between the victim's browser and the server, enabling unauthorized actions such as deleting...
CVE-2024-11045
A Cross-Site WebSocket Hijacking (CSWSH) vulnerability in automatic1111/stable-diffusion-webui version 1.10.0 allows an attacker to clone a malicious server extension from a GitHub repository. The vulnerability arises from the lack of proper validation on WebSocket connections at...
Envoy crashes when HTTP ext_proc processes local replies
Summary: Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's lifetime issue. A known situation is a failed websocket handshake, which triggers a local reply that leads to the crash of Envoy. PoC: If both websocket and ext_proc are...
GHSA-CF3Q-GQG7-3FM9 Envoy crashes when HTTP ext_proc processes local replies
Summary: Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's lifetime issue. A known situation is a failed websocket handshake, which triggers a local reply that leads to the crash of Envoy. PoC: If both websocket and ext_proc are...
CVE-2025-30157 Envoy crashes when HTTP ext_proc processes local replies
Envoy is a cloud-native high-performance edge/middle/service proxy. Prior to 1.33.1, 1.32.4, 1.31.6, and 1.30.10, Envoy's ext_proc HTTP filter is at risk of crashing if a local reply is sent to the external server due to the filter's lifetime issue. A known situation is the failure of a websocket...