Vulnerabilities

Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5.

IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service.

Strapi is an open source headless CMS. The @strapi/core package before version 5.10.3 does not enforce a maximum password length when using bcryptjs for password hashing. Bcryptjs ignores any bytes beyond 72, so passwords longer than 72 bytes are silently truncated. A user can create an account with a password exceeding 72 bytes and later authenticate with only the first 72 bytes. This reduces the effective entropy of overlong passwords and may mislead users who believe characters beyond 72 bytes are required, creating a low likelihood of unintended authentication if an attacker can obtain or guess the truncated portion. Long over‑length inputs can also impose unnecessary processing overhead. The issue is fixed in version 5.10.3. No known workarounds exist.

Strapi is an open source headless content management system. Strapi versions prior to 5.20.0 contain a CORS misconfiguration vulnerability in default installations. By default, Strapi reflects the value of the Origin header back in the Access-Control-Allow-Origin response header without proper validation or whitelisting. This allows an attacker-controlled site to send credentialed requests to the Strapi backend. An attacker can exploit this by hosting a malicious site on a different origin (e.g., different port) and sending requests with credentials to the Strapi API. The vulnerability is fixed in version 5.20.0. No known workarounds exist.

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-22381. Reason: This candidate is a reservation duplicate of CVE-2025-22381. Notes: All CVE users should reference CVE-2025-22381 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size.<br /> <br /> * The regular expression bytecode is stored in a DynBuf structure, which correctly uses a $\text{size}\_\text{t}$ (an unsigned type, typically 64-bit) for its size member.<br /> <br /> <br /> * However, several functions, such as re_emit_op_u32 and other internal parsing routines, incorrectly cast or store this DynBuf $\text{size}\_\text{t}$ value into a signed int (typically 32-bit).<br /> <br /> <br /> * When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed $2^{31}$ bytes (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a negative integer when stored in the int variable (Integer Overflow).<br /> <br /> <br /> * This negative value is subsequently used in offset calculations. For example, within functions like re_parse_disjunction, the negative size is used to compute an offset (pos) for patching a jump instruction.<br /> <br /> <br /> * This negative offset is then incorrectly added to the buffer pointer (s-&gt;byte\_code.buf + pos), leading to an out-of-bounds write on the first line of the snippet below:<br /> <br /> put_u32(s-&gt;byte_code.buf + pos, len);

A vulnerability exists in the QuickJS engine&amp;#39;s BigInt string parsing logic (js_bigint_from_string) when attempting to create a BigInt from a string with an excessively large number of digits.<br /> <br /> The function calculates the necessary number of bits (n_bits) required to store the BigInt using the formula:<br /> <br /> $$\text{n\_bits} = (\text{n\_digits} \times 27 + 7) / 8 \quad (\text{for radix 10})$$<br /> <br /> * For large input strings (e.g., $79,536,432$ digits or more for base 10), the intermediate calculation $(\text{n\_digits} \times 27 + 7)$ exceeds the maximum value of a standard signed 32-bit integer, resulting in an Integer Overflow.<br /> <br /> <br /> * The resulting n_bits value becomes unexpectedly small or even negative due to this wrap-around.<br /> <br /> <br /> * This flawed n_bits is then used to compute n_limbs, the number of memory "limbs" needed for the BigInt object. Since n_bits is too small, the calculated n_limbs is also significantly underestimated.<br /> <br /> <br /> * The function proceeds to allocate a JSBigInt object using this underestimated n_limbs.<br /> <br /> <br /> * When the function later attempts to write the actual BigInt data into the allocated object, the small buffer size is quickly exceeded, leading to a Heap Out-of-Bounds Write as data is written past the end of the allocated r-&gt;tab array.

Pega Platform versions 8.7.5 to Infinity 24.2.2 are affected by a Insecure Direct Object Reference issue in a user interface component that can only be used to read data.

A type confusion vulnerability exists in the handling of the string addition (+) operation within the QuickJS engine.<br /> <br /> * The code first checks if the left-hand operand is a string.<br /> <br /> <br /> * It then attempts to convert the right-hand operand to a primitive value using JS_ToPrimitiveFree. This conversion can trigger a callback (e.g., toString or valueOf).<br /> <br /> <br /> * During this callback, an attacker can modify the type of the left-hand operand in memory, changing it from a string to a different type (e.g., an object or an array).<br /> <br /> <br /> * The code then proceeds to call JS_ConcatStringInPlace, which still treats the modified left-hand value as a string.<br /> <br /> <br /> This mismatch between the assumed type (string) and the actual type allows an attacker to control the data structure being processed by the concatenation logic, resulting in a type confusion condition. This can lead to out-of-bounds memory access, potentially resulting in memory corruption and arbitrary code execution in the context of the QuickJS runtime.

A vulnerability exists in the QuickJS engine&amp;#39;s BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.<br /> <br /> * The function determines the number of characters (n_digits) needed for the string representation by calculating:<br /> <br /> $$ \\ \text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$<br /> <br /> $$$$This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2\_radix}=5$) is calculated to need $\text{n\_digits}=26$.<br /> <br /> <br /> * The maximum number of bits actually stored is $\text{n\_bits}=127$, which requires only two 64-bit limbs ($\text{JS\_LIMB\_BITS}=64$).<br /> <br /> <br /> * The conversion loop iterates $\text{n\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits.<br /> <br /> <br /> * In the final iterations of the loop, the code attempts to read data that spans two limbs:<br /> <br /> C<br /> <br /> <br /> <br /> c = (r-&gt;tab[pos] &gt;&gt; shift) | (r-&gt;tab[pos + 1]

A vulnerability stemming from floating-point arithmetic precision errors exists in the QuickJS engine&amp;#39;s implementation of TypedArray.prototype.indexOf() when a negative fromIndex argument is supplied.<br /> <br /> * The fromIndex argument (read as a double variable, $d$) is used to calculate the starting position for the search.<br /> <br /> <br /> * If d is negative, the index is calculated relative to the end of the array by adding the array&amp;#39;s length (len) to d:<br /> <br /> <br /> <br /> $$d_{new} = d + \text{len}$$<br /> <br /> <br /> * Due to the inherent limitations of floating-point arithmetic, if the negative value $d$ is extremely small (e.g., $-1 \times 10^{-20}$), the addition $d + \text{len}$ can result in a loss of precision, yielding an outcome that is exactly equal to $\text{len}$.<br /> <br /> <br /> * The result is then converted to an integer index $k$: $k = \text{len}$.<br /> <br /> <br /> * The search function proceeds to read array elements starting from index $k$. Since valid indices are $0$ to $\text{len}-1$, starting the read at index $\text{len}$ is one element past the end of the array.<br /> <br /> <br /> This allows an attacker to cause an Out-of-Bounds Read of one element immediately following the buffer. While the scope of this read is small (one element), it can potentially lead to Information Disclosure of adjacent memory contents, depending on the execution environment.

A Use-After-Free (UAF) vulnerability exists in the QuickJS engine&amp;#39;s standard library when iterating over the global list of unhandled rejected promises (ts-&gt;rejected_promise_list).<br /> <br /> * The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop.<br /> <br /> <br /> * The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp-&gt;reason).<br /> <br /> <br /> * If the promise rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), this getter is executed during the error dumping process.<br /> <br /> <br /> * The malicious custom getter can execute JavaScript code that calls catch() on the same rejected promise being processed.<br /> <br /> <br /> * Calling catch() internally triggers js_std_promise_rejection_tracker, which then removes and frees the current promise entry (JSRejectedPromiseEntry) from the rejected_promise_list.<br /> <br /> <br /> * Since the list iteration continues using the now-freed memory pointer (el), the subsequent loop access results in a Use-After-Free condition.