hao/websafe-kb
1
0
派生 0
代码 工单 合并请求 1 工作流 软件包 项目 发布 百科 活动

更新: 178 个文件 - 2026-03-18 07:47:37

浏览代码
这个提交包含在:
hao
2026-03-18 07:47:37 -07:00
父节点 63d89f2b0c
当前提交 91d6f4d04e
修改 178 个文件,包含 1690 行新增16615 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

82
08-threat-intel/registry/advisories/gitea--CVE-2018-15192.json
查看文件

@@ -1,82 +0,0 @@
{
"canonical_id": "gitea--CVE-2018-15192",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea",
"summary": "Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea",
"published_at": "2024-08-20T20:32:20Z",
"updated_at": "2026-03-03T04:54:04.686907Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-fg3x-rwq9-74cw",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-15192",
"https://github.com/go-gitea/gitea/commit/599ff1c054e436daa4dc3f049aa8661d9c2395f9",
"https://github.com/go-gitea/gitea/issues/4624",
"https://github.com/go-gitea/gitea/pull/17482",
"https://github.com/gogs/gogs/commit/22717a1c064511cf37c46af5e650baf7184cf25b",
"https://github.com/gogs/gogs/issues/5366",
"https://github.com/gogs/gogs/pull/6002"
],
"aliases": [
"CVE-2018-15192",
"GHSA-fg3x-rwq9-74cw",
"GO-2023-1971"
],
"cve_ids": [
"CVE-2018-15192"
],
"ghsa_ids": [
"GHSA-fg3x-rwq9-74cw"
],
"osv_ids": [
"GO-2023-1971"
],
"affected_versions": [
"introduced=0, fixed<1.16.0-rc1",
"introduced=0, fixed<0.12.0"
],
"fixed_versions": [
"1.16.0-rc1",
"0.12.0"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2018-15192.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"ssrf-url-validation"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:27:54+00:00",
"last_run_id": "gitea-gitea--CVE-2018-15192-20260318012749",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-15192-20260318012749",
"browser_evidence": {
"required": false,
"present": false,
"refs": [],
"baseline_refs": [],
"proof_refs": [],
"baseline_title": null,
"proof_title": null,
"error_kind": null,
"reason": null
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

99
08-threat-intel/registry/advisories/gitea--CVE-2018-18926.json
查看文件

@@ -1,99 +0,0 @@
{
"canonical_id": "gitea--CVE-2018-18926",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea Remote Code Execution (RCE) in code.gitea.io/gitea",
"summary": "Gitea Remote Code Execution (RCE) in code.gitea.io/gitea",
"published_at": "2024-08-21T15:29:04Z",
"updated_at": "2026-03-03T04:52:20.787387Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-hf6f-jq25-8gq9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-18926",
"https://github.com/go-gitea/gitea/commit/aeb5655c25053bdcd7eee94ea37df88468374162",
"https://github.com/go-gitea/gitea/issues/5140",
"https://github.com/go-gitea/gitea/pull/5177"
],
"aliases": [
"CVE-2018-18926",
"GHSA-hf6f-jq25-8gq9",
"GO-2022-0844"
],
"cve_ids": [
"CVE-2018-18926"
],
"ghsa_ids": [
"GHSA-hf6f-jq25-8gq9"
],
"osv_ids": [
"GO-2022-0844"
],
"affected_versions": [
"introduced=0, fixed<1.5.2"
],
"fixed_versions": [
"1.5.2"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2018-18926.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:25:45+00:00",
"last_run_id": "gitea-gitea--CVE-2018-18926-20260318012526",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526",
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318012526/logs/proof-page.json"
],
"baseline_title": "Gitea Proxy Boundary Fixture",
"proof_title": "Gitea Proxy Boundary Fixture - proof",
"error_kind": null,
"reason": null
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

98
08-threat-intel/registry/advisories/gitea--CVE-2019-1010261.json
查看文件

@@ -1,98 +0,0 @@
{
"canonical_id": "gitea--CVE-2019-1010261",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea XSS Vulnerability in code.gitea.io/gitea",
"summary": "Gitea XSS Vulnerability in code.gitea.io/gitea",
"published_at": "2024-08-20T20:31:38Z",
"updated_at": "2026-03-03T04:53:57.848904Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-5rh7-6gfj-mc87",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-1010261",
"https://github.com/go-gitea/gitea/pull/5905"
],
"aliases": [
"CVE-2019-1010261",
"GHSA-5rh7-6gfj-mc87",
"GO-2023-1922"
],
"cve_ids": [
"CVE-2019-1010261"
],
"ghsa_ids": [
"GHSA-5rh7-6gfj-mc87"
],
"osv_ids": [
"GO-2023-1922"
],
"affected_versions": [
"introduced=0, fixed<1.7.1"
],
"fixed_versions": [
"1.7.1"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2019-1010261.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"xss-output-encoding"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:26:30+00:00",
"last_run_id": "gitea-gitea--CVE-2019-1010261-20260318012624",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624",
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318012624/logs/proof-page.json"
],
"baseline_title": "Gitea Stored XSS Fixture",
"proof_title": "Gitea Stored XSS Fixture - proof",
"error_kind": null,
"reason": null
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

100
08-threat-intel/registry/advisories/gitea--CVE-2020-13246.json
查看文件

@@ -1,100 +0,0 @@
{
"canonical_id": "gitea--CVE-2020-13246",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Denial of Service in Gitea in code.gitea.io/gitea",
"summary": "Denial of Service in Gitea in code.gitea.io/gitea",
"published_at": "2024-08-21T15:29:04Z",
"updated_at": "2026-03-03T04:52:17.939867Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-g2qx-6ghw-67hm",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-13246",
"https://github.com/go-gitea/gitea/issues/10549",
"https://github.com/go-gitea/gitea/pull/11438",
"https://www.youtube.com/watch?v=DmVgADSVS88"
],
"aliases": [
"BIT-gitea-2020-13246",
"CVE-2020-13246",
"GHSA-g2qx-6ghw-67hm",
"GO-2022-0830"
],
"cve_ids": [
"CVE-2020-13246"
],
"ghsa_ids": [
"GHSA-g2qx-6ghw-67hm"
],
"osv_ids": [
"GO-2022-0830"
],
"affected_versions": [
"introduced=0, fixed<1.12.0"
],
"fixed_versions": [
"1.12.0"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2020-13246.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:28:13+00:00",
"last_run_id": "gitea-gitea--CVE-2020-13246-20260318012806",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806",
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318012806/logs/proof-page.json"
],
"baseline_title": "Gitea Proxy Boundary Fixture",
"proof_title": "Gitea Proxy Boundary Fixture - proof",
"error_kind": null,
"reason": null
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

102
08-threat-intel/registry/advisories/gitea--CVE-2021-28378.json
查看文件

@@ -1,102 +0,0 @@
{
"canonical_id": "gitea--CVE-2021-28378",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Cross-site Scripting in Gitea in code.gitea.io/gitea",
"summary": "Cross-site Scripting in Gitea in code.gitea.io/gitea",
"published_at": "2024-08-21T15:29:04Z",
"updated_at": "2026-03-03T04:52:18.307544Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-g95p-88p4-76cm",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-28378",
"https://blog.gitea.io/2021/03/gitea-1.13.4-is-released",
"https://github.com/PandatiX/CVE-2021-28378",
"https://github.com/go-gitea/gitea/pull/14898",
"https://github.com/go-gitea/gitea/pull/14899"
],
"aliases": [
"BIT-gitea-2021-28378",
"CVE-2021-28378",
"GHSA-g95p-88p4-76cm",
"GO-2022-0832"
],
"cve_ids": [
"CVE-2021-28378"
],
"ghsa_ids": [
"GHSA-g95p-88p4-76cm"
],
"osv_ids": [
"GO-2022-0832"
],
"affected_versions": [
"introduced=0, fixed<1.13.4"
],
"fixed_versions": [
"1.13.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2021-28378.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"xss-output-encoding"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:28:19+00:00",
"last_run_id": "gitea-gitea--CVE-2021-28378-20260318012813",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813",
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318012813/logs/proof-page.json"
],
"baseline_title": "Gitea Stored XSS Fixture",
"proof_title": "Gitea Stored XSS Fixture - proof",
"error_kind": null,
"reason": null
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/gitea--CVE-2021-29134.json
查看文件

@@ -1,72 +0,0 @@
{
"canonical_id": "gitea--CVE-2021-29134",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Path Traversal in Gitea in code.gitea.io/gitea",
"summary": "Path Traversal in Gitea in code.gitea.io/gitea",
"published_at": "2024-08-21T14:30:29Z",
"updated_at": "2026-03-03T04:50:06.638863Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-h3q4-vmw4-cpr5",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-29134",
"https://github.com/go-gitea/gitea/pull/15125/files",
"https://github.com/go-gitea/gitea/releases",
"https://github.com/go-gitea/gitea/releases/tag/v1.13.6"
],
"aliases": [
"BIT-gitea-2021-29134",
"CVE-2021-29134",
"GHSA-h3q4-vmw4-cpr5",
"GO-2022-0353"
],
"cve_ids": [
"CVE-2021-29134"
],
"ghsa_ids": [
"GHSA-h3q4-vmw4-cpr5"
],
"osv_ids": [
"GO-2022-0353"
],
"affected_versions": [
"introduced=0, fixed<1.13.6"
],
"fixed_versions": [
"1.13.6"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2021-29134.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"path-traversal-guard"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

69
08-threat-intel/registry/advisories/gitea--CVE-2021-3382.json
查看文件

@@ -1,69 +0,0 @@
{
"canonical_id": "gitea--CVE-2021-3382",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Buffer Overflow in gitea in code.gitea.io/gitea",
"summary": "Buffer Overflow in gitea in code.gitea.io/gitea",
"published_at": "2024-06-04T15:19:21Z",
"updated_at": "2026-03-03T04:55:15.307648Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-9f8c-pfvv-p4gm",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3382",
"https://github.com/go-gitea/gitea/pull/14390"
],
"aliases": [
"BIT-gitea-2021-3382",
"CVE-2021-3382",
"GHSA-9f8c-pfvv-p4gm",
"GO-2024-2757"
],
"cve_ids": [
"CVE-2021-3382"
],
"ghsa_ids": [
"GHSA-9f8c-pfvv-p4gm"
],
"osv_ids": [
"GO-2024-2757"
],
"affected_versions": [
"introduced=1.9.0, fixed<1.13.2"
],
"fixed_versions": [
"1.13.2"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2021-3382.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/gitea--CVE-2021-45327.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "gitea--CVE-2021-45327",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Capture-replay in Gitea in code.gitea.io/gitea",
"summary": "Capture-replay in Gitea in code.gitea.io/gitea",
"published_at": "2024-08-21T14:30:26Z",
"updated_at": "2026-03-03T04:52:07.840324Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-jrpg-35hw-m4p9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-45327",
"https://blog.gitea.io/2020/03/gitea-1.11.2-is-released",
"https://github.com/go-gitea/gitea/commit/4cb18601ff33dda5edb47d5b452cc8f2dc39dd67",
"https://github.com/go-gitea/gitea/commit/6f5656ab0ebec03fe63898208dabc802c4be46ab",
"https://github.com/go-gitea/gitea/commit/ed664a9e1dae4d4660e60c981173bbc5102e69ea",
"https://github.com/go-gitea/gitea/pull/10462",
"https://github.com/go-gitea/gitea/pull/10465",
"https://github.com/go-gitea/gitea/pull/10582"
],
"aliases": [
"BIT-gitea-2021-45327",
"CVE-2021-45327",
"GHSA-jrpg-35hw-m4p9",
"GO-2022-0310"
],
"cve_ids": [
"CVE-2021-45327"
],
"ghsa_ids": [
"GHSA-jrpg-35hw-m4p9"
],
"osv_ids": [
"GO-2022-0310"
],
"affected_versions": [
"introduced=0, fixed<1.11.2"
],
"fixed_versions": [
"1.11.2"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2021-45327.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

70
08-threat-intel/registry/advisories/gitea--CVE-2021-45330.json
查看文件

@@ -1,70 +0,0 @@
{
"canonical_id": "gitea--CVE-2021-45330",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Improper Privilege Management in Gitea in code.gitea.io/gitea",
"summary": "Improper Privilege Management in Gitea in code.gitea.io/gitea",
"published_at": "2024-08-21T16:03:21Z",
"updated_at": "2026-03-03T04:52:33.136607Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-pg38-r834-g45j",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-45330",
"https://github.com/go-gitea/gitea/issues/4336",
"https://github.com/go-gitea/gitea/pull/4840"
],
"aliases": [
"BIT-gitea-2021-45330",
"CVE-2021-45330",
"GHSA-pg38-r834-g45j",
"GO-2022-0982"
],
"cve_ids": [
"CVE-2021-45330"
],
"ghsa_ids": [
"GHSA-pg38-r834-g45j"
],
"osv_ids": [
"GO-2022-0982"
],
"affected_versions": [
"introduced=0, fixed<1.6.0"
],
"fixed_versions": [
"1.6.0"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2021-45330.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

70
08-threat-intel/registry/advisories/gitea--CVE-2021-45331.json
查看文件

@@ -1,70 +0,0 @@
{
"canonical_id": "gitea--CVE-2021-45331",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea",
"summary": "Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea",
"published_at": "2024-08-21T14:30:29Z",
"updated_at": "2026-03-03T04:52:07.604662Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-hfmf-q69j-6m5p",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-45331",
"https://blog.gitea.io/2018/08/gitea-1.5.0-is-released",
"https://github.com/go-gitea/gitea/pull/3878"
],
"aliases": [
"BIT-gitea-2021-45331",
"CVE-2021-45331",
"GHSA-hfmf-q69j-6m5p",
"GO-2022-0315"
],
"cve_ids": [
"CVE-2021-45331"
],
"ghsa_ids": [
"GHSA-hfmf-q69j-6m5p"
],
"osv_ids": [
"GO-2022-0315"
],
"affected_versions": [
"introduced=0, fixed<1.5.0"
],
"fixed_versions": [
"1.5.0"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2021-45331.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/gitea--CVE-2022-0905.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "gitea--CVE-2022-0905",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea Missing Authorization vulnerability in code.gitea.io/gitea",
"summary": "Gitea Missing Authorization vulnerability in code.gitea.io/gitea",
"published_at": "2024-08-21T15:11:40Z",
"updated_at": "2026-03-03T04:50:45.472605Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-jr9c-h74f-2v28",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-0905",
"https://github.com/go-gitea/gitea/commit/1314f38b59748397b3429fb9bc9f9d6bac85d2f2",
"https://github.com/go-gitea/gitea/commit/3e5c844a7758fa29126d201f4f98bf21bca6d314",
"https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb"
],
"aliases": [
"BIT-gitea-2022-0905",
"CVE-2022-0905",
"GHSA-jr9c-h74f-2v28",
"GO-2022-0609"
],
"cve_ids": [
"CVE-2022-0905"
],
"ghsa_ids": [
"GHSA-jr9c-h74f-2v28"
],
"osv_ids": [
"GO-2022-0609"
],
"affected_versions": [
"introduced=0, fixed<1.16.4"
],
"fixed_versions": [
"1.16.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2022-0905.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/gitea--CVE-2022-1058.json
查看文件

@@ -1,72 +0,0 @@
{
"canonical_id": "gitea--CVE-2022-1058",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea Open Redirect in code.gitea.io/gitea",
"summary": "Gitea Open Redirect in code.gitea.io/gitea",
"published_at": "2024-06-04T15:19:21Z",
"updated_at": "2026-03-03T04:51:49.844240Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-4rqq-rxvc-v2rc",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-1058",
"https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48",
"https://github.com/go-gitea/gitea/pull/19175",
"https://github.com/go-gitea/gitea/pull/19186",
"https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d"
],
"aliases": [
"BIT-gitea-2022-1058",
"CVE-2022-1058",
"GHSA-4rqq-rxvc-v2rc",
"GO-2024-2752"
],
"cve_ids": [
"CVE-2022-1058"
],
"ghsa_ids": [
"GHSA-4rqq-rxvc-v2rc"
],
"osv_ids": [
"GO-2024-2752"
],
"affected_versions": [
"introduced=0, fixed<1.16.5"
],
"fixed_versions": [
"1.16.5"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2022-1058.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

74
08-threat-intel/registry/advisories/gitea--CVE-2022-1928.json
查看文件

@@ -1,74 +0,0 @@
{
"canonical_id": "gitea--CVE-2022-1928",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Stored Cross-site Scripting in gitea in code.gitea.io/gitea",
"summary": "Stored Cross-site Scripting in gitea in code.gitea.io/gitea",
"published_at": "2024-08-21T15:11:40Z",
"updated_at": "2026-03-03T04:50:45.577318Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-ph3w-2843-72mx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-1928",
"https://github.com/go-gitea/gitea",
"https://github.com/go-gitea/gitea/commit/65e0688a5c9dacad50e71024b7529fdf0e3c2e9c",
"https://github.com/go-gitea/gitea/pull/19825",
"https://huntr.dev/bounties/6336ec42-5c4d-4f61-ae38-2bb539f433d2",
"https://security.gentoo.org/glsa/202210-14"
],
"aliases": [
"BIT-gitea-2022-1928",
"CVE-2022-1928",
"GHSA-ph3w-2843-72mx",
"GO-2022-0612"
],
"cve_ids": [
"CVE-2022-1928"
],
"ghsa_ids": [
"GHSA-ph3w-2843-72mx"
],
"osv_ids": [
"GO-2022-0612"
],
"affected_versions": [
"introduced=0, fixed<1.16.9"
],
"fixed_versions": [
"1.16.9"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2022-1928.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"xss-output-encoding"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

70
08-threat-intel/registry/advisories/gitea--CVE-2022-27313.json
查看文件

@@ -1,70 +0,0 @@
{
"canonical_id": "gitea--CVE-2022-27313",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Arbitrary file deletion in gitea in code.gitea.io/gitea",
"summary": "Arbitrary file deletion in gitea in code.gitea.io/gitea",
"published_at": "2024-08-21T15:11:31Z",
"updated_at": "2026-03-03T04:50:19.647131Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-g7p7-x6w7-w6qg",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-27313",
"https://github.com/go-gitea/gitea/pull/19072",
"https://github.com/go-gitea/gitea/releases/tag/v1.16.4"
],
"aliases": [
"BIT-gitea-2022-27313",
"CVE-2022-27313",
"GHSA-g7p7-x6w7-w6qg",
"GO-2022-0442"
],
"cve_ids": [
"CVE-2022-27313"
],
"ghsa_ids": [
"GHSA-g7p7-x6w7-w6qg"
],
"osv_ids": [
"GO-2022-0442"
],
"affected_versions": [
"introduced=0, fixed<1.16.4"
],
"fixed_versions": [
"1.16.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2022-27313.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

73
08-threat-intel/registry/advisories/gitea--CVE-2022-30781.json
查看文件

@@ -1,73 +0,0 @@
{
"canonical_id": "gitea--CVE-2022-30781",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Shell command injection in gitea in code.gitea.io/gitea",
"summary": "Shell command injection in gitea in code.gitea.io/gitea",
"published_at": "2024-08-21T15:11:31Z",
"updated_at": "2026-03-03T04:50:23.949796Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-p5f9-c9j9-g8qx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-30781",
"http://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.html",
"http://packetstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.html",
"https://blog.gitea.io/2022/05/gitea-1.16.7-is-released",
"https://github.com/go-gitea/gitea/pull/19487",
"https://github.com/go-gitea/gitea/pull/19490"
],
"aliases": [
"BIT-gitea-2022-30781",
"CVE-2022-30781",
"GHSA-p5f9-c9j9-g8qx",
"GO-2022-0450"
],
"cve_ids": [
"CVE-2022-30781"
],
"ghsa_ids": [
"GHSA-p5f9-c9j9-g8qx"
],
"osv_ids": [
"GO-2022-0450"
],
"affected_versions": [
"introduced=0, fixed<1.16.7"
],
"fixed_versions": [
"1.16.7"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2022-30781.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/gitea--CVE-2022-38183.json
查看文件

@@ -1,72 +0,0 @@
{
"canonical_id": "gitea--CVE-2022-38183",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
"summary": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
"published_at": "2024-06-10T16:38:54Z",
"updated_at": "2026-03-03T04:55:04.505871Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-fhv8-m4j4-cww2",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-38183",
"https://blog.gitea.io/2022/07/gitea-1.16.9-is-released",
"https://github.com/go-gitea/gitea/pull/20133",
"https://github.com/go-gitea/gitea/pull/20196",
"https://herolab.usd.de/security-advisories/usd-2022-0015"
],
"aliases": [
"BIT-gitea-2022-38183",
"CVE-2022-38183",
"GHSA-fhv8-m4j4-cww2",
"GO-2024-2769"
],
"cve_ids": [
"CVE-2022-38183"
],
"ghsa_ids": [
"GHSA-fhv8-m4j4-cww2"
],
"osv_ids": [
"GO-2024-2769"
],
"affected_versions": [
"introduced=0, fixed<1.16.9"
],
"fixed_versions": [
"1.16.9"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2022-38183.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/gitea--CVE-2022-38795.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "gitea--CVE-2022-38795",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea erroneous repo clones in code.gitea.io/gitea",
"summary": "Gitea erroneous repo clones in code.gitea.io/gitea",
"published_at": "2024-08-21T14:17:52Z",
"updated_at": "2026-03-03T04:54:07.076900Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-8j3v-68w3-3848",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-38795",
"https://blog.gitea.com/release-of-1.17.2",
"https://github.com/go-gitea/gitea/pull/20869",
"https://github.com/go-gitea/gitea/pull/20892"
],
"aliases": [
"BIT-gitea-2022-38795",
"CVE-2022-38795",
"GHSA-8j3v-68w3-3848",
"GO-2023-1999"
],
"cve_ids": [
"CVE-2022-38795"
],
"ghsa_ids": [
"GHSA-8j3v-68w3-3848"
],
"osv_ids": [
"GO-2023-1999"
],
"affected_versions": [
"introduced=0, fixed<1.17.2"
],
"fixed_versions": [
"1.17.2"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2022-38795.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/gitea--CVE-2022-42968.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "gitea--CVE-2022-42968",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea vulnerable to Argument Injection in code.gitea.io/gitea",
"summary": "Gitea vulnerable to Argument Injection in code.gitea.io/gitea",
"published_at": "2024-08-21T16:03:24Z",
"updated_at": "2026-03-03T04:52:41.181693Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-w8xw-7crf-h23x",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-42968",
"https://github.com/go-gitea/gitea/pull/21463",
"https://github.com/go-gitea/gitea/releases/tag/v1.17.3",
"https://security.gentoo.org/glsa/202210-14"
],
"aliases": [
"BIT-gitea-2022-42968",
"CVE-2022-42968",
"GHSA-w8xw-7crf-h23x",
"GO-2022-1065"
],
"cve_ids": [
"CVE-2022-42968"
],
"ghsa_ids": [
"GHSA-w8xw-7crf-h23x"
],
"osv_ids": [
"GO-2022-1065"
],
"affected_versions": [
"introduced=0, fixed<1.17.3"
],
"fixed_versions": [
"1.17.3"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2022-42968.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/gitea--CVE-2025-68938.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-68938",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea",
"summary": "Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:49.095775Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-cm54-pfmc-xrwx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68938",
"https://blog.gitea.com/release-of-1.25.2",
"https://github.com/go-gitea/gitea/pull/36002/commits/d4262131b39899d9e9ee5caa2635c810d476e43f#diff-8962bac89952027d50fa51f31f59d65bedb4c02bde0265eced5cf256cbed306d",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.2"
],
"aliases": [
"BIT-gitea-2025-68938",
"CVE-2025-68938",
"GHSA-cm54-pfmc-xrwx",
"GO-2025-4258"
],
"cve_ids": [
"CVE-2025-68938"
],
"ghsa_ids": [
"GHSA-cm54-pfmc-xrwx"
],
"osv_ids": [
"GO-2025-4258"
],
"affected_versions": [
"introduced=0, fixed<1.25.2"
],
"fixed_versions": [
"1.25.2"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-68938.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

74
08-threat-intel/registry/advisories/gitea--CVE-2025-68939.json
查看文件

@@ -1,74 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-68939",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea",
"summary": "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:48.777563Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-263q-5cv3-xq9g",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68939",
"https://blog.gitea.com/release-of-1.23.0",
"https://github.com/go-gitea/gitea/pull/32151",
"https://github.com/go-gitea/gitea/releases/tag/v1.23.0"
],
"aliases": [
"BIT-gitea-2025-68939",
"CVE-2025-68939",
"GHSA-263q-5cv3-xq9g",
"GO-2025-4261"
],
"cve_ids": [
"CVE-2025-68939"
],
"ghsa_ids": [
"GHSA-263q-5cv3-xq9g"
],
"osv_ids": [
"GO-2025-4261"
],
"affected_versions": [
"introduced=0"
],
"fixed_versions": null,
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-68939.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "blocked-artifact",
"verification_mode": "real",
"last_verified_at": "2026-03-17T07:02:56+00:00",
"last_run_id": "gitea-livecheck-20260316",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/gitea-livecheck-20260316",
"browser_evidence": {
"required": true,
"present": false,
"refs": [],
"baseline_refs": [],
"proof_refs": [],
"baseline_title": null,
"proof_title": null
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "official-image",
"blocked_reason": "unable to get image 'gitea/gitea:1.22.6': Cannot connect to the Docker daemon at unix:///Users/x/.docker/run/docker.sock. Is the docker daemon running?",
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

77
08-threat-intel/registry/advisories/gitea--CVE-2025-68940.json
查看文件

@@ -1,77 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-68940",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea doesn't adequately enforce branch deletion permissions after merging a pull request. in code.gitea.io/gitea",
"summary": "Gitea doesn't adequately enforce branch deletion permissions after merging a pull request. in code.gitea.io/gitea",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:50.087298Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-rrcw-5rjv-vj26",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68940",
"https://blog.gitea.com/release-of-1.22.5",
"https://github.com/go-gitea/gitea/pull/32654",
"https://github.com/go-gitea/gitea/releases/tag/v1.22.5"
],
"aliases": [
"BIT-gitea-2025-68940",
"CVE-2025-68940",
"GHSA-rrcw-5rjv-vj26",
"GO-2025-4267"
],
"cve_ids": [
"CVE-2025-68940"
],
"ghsa_ids": [
"GHSA-rrcw-5rjv-vj26"
],
"osv_ids": [
"GO-2025-4267"
],
"affected_versions": [
"introduced=0, fixed<1.22.5"
],
"fixed_versions": [
"1.22.5"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-68940.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:27:12+00:00",
"last_run_id": "gitea-gitea--CVE-2025-68940-20260318012708",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68940-20260318012708",
"browser_evidence": {
"required": false,
"present": false,
"refs": [],
"baseline_refs": [],
"proof_refs": [],
"baseline_title": null,
"proof_title": null,
"error_kind": null,
"reason": null
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/gitea--CVE-2025-68941.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-68941",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea",
"summary": "Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:50.339953Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-xfq3-qj7j-4565",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68941",
"https://blog.gitea.com/release-of-1.22.3",
"https://github.com/go-gitea/gitea/pull/32218",
"https://github.com/go-gitea/gitea/releases/tag/v1.22.3"
],
"aliases": [
"BIT-gitea-2025-68941",
"CVE-2025-68941",
"GHSA-xfq3-qj7j-4565",
"GO-2025-4268"
],
"cve_ids": [
"CVE-2025-68941"
],
"ghsa_ids": [
"GHSA-xfq3-qj7j-4565"
],
"osv_ids": [
"GO-2025-4268"
],
"affected_versions": [
"introduced=0, fixed<1.22.3"
],
"fixed_versions": [
"1.22.3"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-68941.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/gitea--CVE-2025-68942.json
查看文件

@@ -1,72 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-68942",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea",
"summary": "Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:49.781753Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-898p-hh3p-hf9r",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68942",
"https://blog.gitea.com/release-of-1.22.2",
"https://github.com/go-gitea/gitea/pull/31966",
"https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
],
"aliases": [
"BIT-gitea-2025-68942",
"CVE-2025-68942",
"GHSA-898p-hh3p-hf9r",
"GO-2025-4263"
],
"cve_ids": [
"CVE-2025-68942"
],
"ghsa_ids": [
"GHSA-898p-hh3p-hf9r"
],
"osv_ids": [
"GO-2025-4263"
],
"affected_versions": [
"introduced=0, fixed<1.22.2"
],
"fixed_versions": [
"1.22.2"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-68942.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"xss-output-encoding"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/gitea--CVE-2025-68943.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-68943",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea",
"summary": "Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:49.213758Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-jhx5-4vr4-f327",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68943",
"https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10",
"https://github.com/go-gitea/gitea/pull/29430",
"https://github.com/go-gitea/gitea/releases/tag/v1.21.8"
],
"aliases": [
"BIT-gitea-2025-68943",
"CVE-2025-68943",
"GHSA-jhx5-4vr4-f327",
"GO-2025-4266"
],
"cve_ids": [
"CVE-2025-68943"
],
"ghsa_ids": [
"GHSA-jhx5-4vr4-f327"
],
"osv_ids": [
"GO-2025-4266"
],
"affected_versions": [
"introduced=0, fixed<1.21.8"
],
"fixed_versions": [
"1.21.8"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-68943.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/gitea--CVE-2025-68944.json
查看文件

@@ -1,72 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-68944",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea",
"summary": "Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:50.526913Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-f85h-c7m6-cfpm",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68944",
"https://blog.gitea.com/release-of-1.22.2",
"https://github.com/go-gitea/gitea/pull/31967",
"https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
],
"aliases": [
"BIT-gitea-2025-68944",
"CVE-2025-68944",
"GHSA-f85h-c7m6-cfpm",
"GO-2025-4264"
],
"cve_ids": [
"CVE-2025-68944"
],
"ghsa_ids": [
"GHSA-f85h-c7m6-cfpm"
],
"osv_ids": [
"GO-2025-4264"
],
"affected_versions": [
"introduced=0, fixed<1.22.2"
],
"fixed_versions": [
"1.22.2"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-68944.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/gitea--CVE-2025-68945.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-68945",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea: anonymous user can visit private user's project in code.gitea.io/gitea",
"summary": "Gitea: anonymous user can visit private user's project in code.gitea.io/gitea",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:51.457970Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-7xq4-mwcp-q8fx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68945",
"https://blog.gitea.com/release-of-1.21.2",
"https://github.com/go-gitea/gitea/pull/28423",
"https://github.com/go-gitea/gitea/releases/tag/v1.21.2"
],
"aliases": [
"BIT-gitea-2025-68945",
"CVE-2025-68945",
"GHSA-7xq4-mwcp-q8fx",
"GO-2025-4262"
],
"cve_ids": [
"CVE-2025-68945"
],
"ghsa_ids": [
"GHSA-7xq4-mwcp-q8fx"
],
"osv_ids": [
"GO-2025-4262"
],
"affected_versions": [
"introduced=0, fixed<1.21.2"
],
"fixed_versions": [
"1.21.2"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-68945.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/gitea--CVE-2025-68946.json
查看文件

@@ -1,72 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-68946",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea",
"summary": "Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:50.473303Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-hq57-c72x-4774",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68946",
"https://blog.gitea.com/release-of-1.20.1",
"https://github.com/go-gitea/gitea/pull/25960",
"https://github.com/go-gitea/gitea/releases/tag/v1.20.1"
],
"aliases": [
"BIT-gitea-2025-68946",
"CVE-2025-68946",
"GHSA-hq57-c72x-4774",
"GO-2025-4265"
],
"cve_ids": [
"CVE-2025-68946"
],
"ghsa_ids": [
"GHSA-hq57-c72x-4774"
],
"osv_ids": [
"GO-2025-4265"
],
"affected_versions": [
"introduced=0, fixed<1.20.1"
],
"fixed_versions": [
"1.20.1"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-68946.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"xss-output-encoding"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/gitea--CVE-2025-69413.json
查看文件

@@ -1,72 +0,0 @@
{
"canonical_id": "gitea--CVE-2025-69413",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea",
"summary": "Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea",
"published_at": "2026-01-12T17:39:39Z",
"updated_at": "2026-03-03T04:57:49.801641Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-pc73-rj2c-wvf9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-69413",
"https://blog.gitea.com/release-of-1.25.2",
"https://github.com/go-gitea/gitea/issues/35984",
"https://github.com/go-gitea/gitea/pull/36002",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.2"
],
"aliases": [
"BIT-gitea-2025-69413",
"CVE-2025-69413",
"GHSA-pc73-rj2c-wvf9",
"GO-2026-4274"
],
"cve_ids": [
"CVE-2025-69413"
],
"ghsa_ids": [
"GHSA-pc73-rj2c-wvf9"
],
"osv_ids": [
"GO-2026-4274"
],
"affected_versions": [
"introduced=0, fixed<1.25.2"
],
"fixed_versions": [
"1.25.2"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2025-69413.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

73
08-threat-intel/registry/advisories/gitea--CVE-2026-0798.json
查看文件

@@ -1,73 +0,0 @@
{
"canonical_id": "gitea--CVE-2026-0798",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea",
"summary": "Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.518308Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-8fwc-qjw5-rvgp",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-0798",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/pull/36319",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-0798",
"CVE-2026-0798",
"GHSA-8fwc-qjw5-rvgp",
"GHSA-f4wq-6ww5-m56p",
"GO-2026-4365"
],
"cve_ids": [
"CVE-2026-0798"
],
"ghsa_ids": [
"GHSA-8fwc-qjw5-rvgp",
"GHSA-f4wq-6ww5-m56p"
],
"osv_ids": [
"GO-2026-4365"
],
"affected_versions": [
"introduced=0, fixed<1.25.4"
],
"fixed_versions": [
"1.25.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2026-0798.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/gitea--CVE-2026-20736.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "gitea--CVE-2026-20736",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea has improper access control for uploaded attachments in code.gitea.io/gitea",
"summary": "Gitea has improper access control for uploaded attachments in code.gitea.io/gitea",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:53.977351Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-hgr3-x44x-33hx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20736",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30",
"https://github.com/go-gitea/gitea/pull/36320",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20736",
"CVE-2026-20736",
"GHSA-hgr3-x44x-33hx",
"GHSA-jr6h-pwwp-c8g6",
"GO-2026-4367"
],
"cve_ids": [
"CVE-2026-20736"
],
"ghsa_ids": [
"GHSA-hgr3-x44x-33hx",
"GHSA-jr6h-pwwp-c8g6"
],
"osv_ids": [
"GO-2026-4367"
],
"affected_versions": [
"introduced=0, fixed<1.25.4"
],
"fixed_versions": [
"1.25.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2026-20736.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"file-upload-validation"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/gitea--CVE-2026-20750.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "gitea--CVE-2026-20750",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea",
"summary": "Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:57.697708Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-rw22-5hhq-pfpf",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20750",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/7b5de594cd92e30b9c3d40ffda119acad794cc64",
"https://github.com/go-gitea/gitea/pull/36318",
"https://github.com/go-gitea/gitea/pull/36373",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20750",
"CVE-2026-20750",
"GHSA-h4fh-pc4w-8w27",
"GHSA-rw22-5hhq-pfpf",
"GO-2026-4370"
],
"cve_ids": [
"CVE-2026-20750"
],
"ghsa_ids": [
"GHSA-h4fh-pc4w-8w27",
"GHSA-rw22-5hhq-pfpf"
],
"osv_ids": [
"GO-2026-4370"
],
"affected_versions": [
"introduced=0, fixed<1.25.4"
],
"fixed_versions": [
"1.25.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2026-20750.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

74
08-threat-intel/registry/advisories/gitea--CVE-2026-20800.json
查看文件

@@ -1,74 +0,0 @@
{
"canonical_id": "gitea--CVE-2026-20800",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea",
"summary": "Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.012782Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-2vgv-hgv4-22mh",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20800",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/67e75f30a83d2523cedc37ad7b03bcba66947833",
"https://github.com/go-gitea/gitea/pull/36339",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20800",
"CVE-2026-20800",
"GHSA-2vgv-hgv4-22mh",
"GHSA-g54m-9f6g-wj7q",
"GO-2026-4362"
],
"cve_ids": [
"CVE-2026-20800"
],
"ghsa_ids": [
"GHSA-2vgv-hgv4-22mh",
"GHSA-g54m-9f6g-wj7q"
],
"osv_ids": [
"GO-2026-4362"
],
"affected_versions": [
"introduced=0, fixed<1.25.4"
],
"fixed_versions": [
"1.25.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2026-20800.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/gitea--CVE-2026-20883.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "gitea--CVE-2026-20883",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea",
"summary": "Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.692700Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-j8xr-c56q-m8jj",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20883",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/95ea2df00a70176c516b12f3cfee8c84a310280f",
"https://github.com/go-gitea/gitea/pull/36340",
"https://github.com/go-gitea/gitea/pull/36368",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20883",
"CVE-2026-20883",
"GHSA-644v-xv3j-xgqg",
"GHSA-j8xr-c56q-m8jj",
"GO-2026-4368"
],
"cve_ids": [
"CVE-2026-20883"
],
"ghsa_ids": [
"GHSA-644v-xv3j-xgqg",
"GHSA-j8xr-c56q-m8jj"
],
"osv_ids": [
"GO-2026-4368"
],
"affected_versions": [
"introduced=0, fixed<1.25.4"
],
"fixed_versions": [
"1.25.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2026-20883.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

74
08-threat-intel/registry/advisories/gitea--CVE-2026-20888.json
查看文件

@@ -1,74 +0,0 @@
{
"canonical_id": "gitea--CVE-2026-20888",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea",
"summary": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:56.025932Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-9cgq-wp42-4rpq",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20888",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/pull/36341",
"https://github.com/go-gitea/gitea/pull/36356",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20888",
"CVE-2026-20888",
"GHSA-9cgq-wp42-4rpq",
"GHSA-ccq9-c5hv-cf64",
"GO-2026-4366"
],
"cve_ids": [
"CVE-2026-20888"
],
"ghsa_ids": [
"GHSA-9cgq-wp42-4rpq",
"GHSA-ccq9-c5hv-cf64"
],
"osv_ids": [
"GO-2026-4366"
],
"affected_versions": [
"introduced=0, fixed<1.25.4"
],
"fixed_versions": [
"1.25.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2026-20888.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/gitea--CVE-2026-20897.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "gitea--CVE-2026-20897",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea",
"summary": "Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:55.339967Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-393c-qgvj-3xph",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20897",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/da036f3f35ca830b22cf4480912ed261303b798f",
"https://github.com/go-gitea/gitea/pull/36344",
"https://github.com/go-gitea/gitea/pull/36349",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20897",
"CVE-2026-20897",
"GHSA-393c-qgvj-3xph",
"GHSA-rrq5-r9h5-pc7c",
"GO-2026-4363"
],
"cve_ids": [
"CVE-2026-20897"
],
"ghsa_ids": [
"GHSA-393c-qgvj-3xph",
"GHSA-rrq5-r9h5-pc7c"
],
"osv_ids": [
"GO-2026-4363"
],
"affected_versions": [
"introduced=0, fixed<1.25.4"
],
"fixed_versions": [
"1.25.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2026-20897.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/gitea--CVE-2026-20904.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "gitea--CVE-2026-20904",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea",
"summary": "Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.244003Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-qqgv-v353-cv8p",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20904",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/ed5720af2ac94d74f822721c05b42b6148ff9c22",
"https://github.com/go-gitea/gitea/pull/36346",
"https://github.com/go-gitea/gitea/pull/36361",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20904",
"CVE-2026-20904",
"GHSA-jrpc-w85r-hgqx",
"GHSA-qqgv-v353-cv8p",
"GO-2026-4369"
],
"cve_ids": [
"CVE-2026-20904"
],
"ghsa_ids": [
"GHSA-jrpc-w85r-hgqx",
"GHSA-qqgv-v353-cv8p"
],
"osv_ids": [
"GO-2026-4369"
],
"affected_versions": [
"introduced=0, fixed<1.25.4"
],
"fixed_versions": [
"1.25.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2026-20904.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/gitea--CVE-2026-20912.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "gitea--CVE-2026-20912",
"system_id": "gitea",
"display_name": "Gitea",
"category": "platforms",
"advisory_mode": "core",
"title": "Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea",
"summary": "Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:55.747880Z",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/advisories/GHSA-4xx9-vc8v-87hv",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20912",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30",
"https://github.com/go-gitea/gitea/pull/36320",
"https://github.com/go-gitea/gitea/pull/36355",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20912",
"CVE-2026-20912",
"GHSA-4xx9-vc8v-87hv",
"GHSA-vfmv-f93v-37mw",
"GO-2026-4364"
],
"cve_ids": [
"CVE-2026-20912"
],
"ghsa_ids": [
"GHSA-4xx9-vc8v-87hv",
"GHSA-vfmv-f93v-37mw"
],
"osv_ids": [
"GO-2026-4364"
],
"affected_versions": [
"introduced=0, fixed<1.25.4"
],
"fixed_versions": [
"1.25.4"
],
"package_name": "code.gitea.io/gitea",
"render_markdown": true,
"case_path": "07-framework-security/platforms/gitea/cases/gitea-cve-2026-20912.md",
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "gitea-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

95
08-threat-intel/registry/advisories/nextjs--CVE-2020-15242.json
查看文件

@@ -1,95 +0,0 @@
{
"canonical_id": "nextjs--CVE-2020-15242",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Open Redirect in Next.js versions",
"summary": "Open Redirect in Next.js versions",
"published_at": "2020-10-08T19:28:07Z",
"updated_at": "2026-03-13T22:14:13.665535Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15242",
"https://github.com/vercel/next.js",
"https://github.com/zeit/next.js/releases/tag/v9.5.4"
],
"aliases": [
"CVE-2020-15242",
"GHSA-x56p-c8cg-q435"
],
"cve_ids": [
"CVE-2020-15242"
],
"ghsa_ids": [
"GHSA-x56p-c8cg-q435"
],
"osv_ids": [],
"affected_versions": [
"introduced=9.5.0, fixed<9.5.4"
],
"fixed_versions": [
"9.5.4"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2020-15242.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:28:37+00:00",
"last_run_id": "nextjs-nextjs--CVE-2020-15242-20260318012830",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830",
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318012830/logs/proof-page.json"
],
"baseline_title": "Next.js Proxy Boundary Fixture",
"proof_title": "Next.js Proxy Boundary Fixture - proof",
"error_kind": null,
"reason": null
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

67
08-threat-intel/registry/advisories/nextjs--CVE-2020-5284.json
查看文件

@@ -1,67 +0,0 @@
{
"canonical_id": "nextjs--CVE-2020-5284",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Directory Traversal in Next.js",
"summary": "Directory Traversal in Next.js",
"published_at": "2020-03-30T20:40:50Z",
"updated_at": "2025-09-26T17:49:56Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-5284",
"https://github.com/zeit/next.js/releases/tag/v9.3.2",
"https://www.npmjs.com/advisories/1503"
],
"aliases": [
"CVE-2020-5284",
"GHSA-fq77-7p7r-83rj"
],
"cve_ids": [
"CVE-2020-5284"
],
"ghsa_ids": [
"GHSA-fq77-7p7r-83rj"
],
"osv_ids": [],
"affected_versions": [
"introduced=0.9.9, fixed<9.3.2"
],
"fixed_versions": [
"9.3.2"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2020-5284.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"path-traversal-guard"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

67
08-threat-intel/registry/advisories/nextjs--CVE-2021-37699.json
查看文件

@@ -1,67 +0,0 @@
{
"canonical_id": "nextjs--CVE-2021-37699",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Open Redirect in Next.js",
"summary": "Open Redirect in Next.js",
"published_at": "2021-08-12T14:51:14Z",
"updated_at": "2026-03-13T22:00:08.038285Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-37699",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v11.1.0"
],
"aliases": [
"CVE-2021-37699",
"GHSA-vxf5-wxwp-m7g9"
],
"cve_ids": [
"CVE-2021-37699"
],
"ghsa_ids": [
"GHSA-vxf5-wxwp-m7g9"
],
"osv_ids": [],
"affected_versions": [
"introduced=0.9.9, fixed<11.1.0"
],
"fixed_versions": [
"11.1.0"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-37699.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

98
08-threat-intel/registry/advisories/nextjs--CVE-2021-39178.json
查看文件

@@ -1,98 +0,0 @@
{
"canonical_id": "nextjs--CVE-2021-39178",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "XSS in Image Optimization API for Next.js",
"summary": "XSS in Image Optimization API for Next.js",
"published_at": "2021-09-01T18:24:22Z",
"updated_at": "2026-03-13T22:00:20.154452Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-39178",
"https://github.com/vercel/next.js/pull/28620",
"https://github.com/vercel/next.js/commit/7afc97c5744b38bdf36aa7f87625f438224688aa",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v11.1.1"
],
"aliases": [
"CVE-2021-39178",
"GHSA-9gr3-7897-pp7m"
],
"cve_ids": [
"CVE-2021-39178"
],
"ghsa_ids": [
"GHSA-9gr3-7897-pp7m"
],
"osv_ids": [],
"affected_versions": [
"introduced=10.0.0, fixed<11.1.1"
],
"fixed_versions": [
"11.1.1"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-39178.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"xss-output-encoding"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:30:38+00:00",
"last_run_id": "nextjs-nextjs--CVE-2021-39178-20260318013032",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032",
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318013032/logs/proof-page.json"
],
"baseline_title": "Next.js XSS Fixture",
"proof_title": "Next.js XSS Fixture - proof",
"error_kind": null,
"reason": null
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/nextjs--CVE-2021-43803.json
查看文件

@@ -1,72 +0,0 @@
{
"canonical_id": "nextjs--CVE-2021-43803",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Unexpected server crash in Next.js.",
"summary": "Unexpected server crash in Next.js.",
"published_at": "2021-12-07T21:12:09Z",
"updated_at": "2026-03-13T22:00:36.554552Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-43803",
"https://github.com/vercel/next.js/pull/32080",
"https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v11.1.3",
"https://github.com/vercel/next.js/releases/v12.0.5"
],
"aliases": [
"CVE-2021-43803",
"GHSA-25mp-g6fv-mqxx"
],
"cve_ids": [
"CVE-2021-43803"
],
"ghsa_ids": [
"GHSA-25mp-g6fv-mqxx"
],
"osv_ids": [],
"affected_versions": [
"introduced=12.0.0, fixed<12.0.5",
"introduced=0.9.9, fixed<11.1.3"
],
"fixed_versions": [
"12.0.5",
"11.1.3"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2021-43803.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

74
08-threat-intel/registry/advisories/nextjs--CVE-2024-34351.json
查看文件

@@ -1,74 +0,0 @@
{
"canonical_id": "nextjs--CVE-2024-34351",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js Server-Side Request Forgery in Server Actions",
"summary": "Next.js Server-Side Request Forgery in Server Actions",
"published_at": "2024-05-09T21:18:57Z",
"updated_at": "2026-02-04T03:32:36.434669Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-34351",
"https://github.com/vercel/next.js/pull/62561",
"https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-34351",
"GHSA-fr5h-rqp8-mj6g"
],
"cve_ids": [
"CVE-2024-34351"
],
"ghsa_ids": [
"GHSA-fr5h-rqp8-mj6g"
],
"osv_ids": [],
"affected_versions": [
"introduced=13.4.0, fixed<14.1.1"
],
"fixed_versions": [
"14.1.1"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-34351.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"ssrf-url-validation"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:29:57+00:00",
"last_run_id": "nextjs-nextjs--CVE-2024-34351-20260318012953",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-34351-20260318012953",
"browser_evidence": {
"required": false,
"present": false,
"refs": [],
"baseline_refs": [],
"proof_refs": [],
"baseline_title": null,
"proof_title": null,
"error_kind": null,
"reason": null
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

69
08-threat-intel/registry/advisories/nextjs--CVE-2024-46982.json
查看文件

@@ -1,69 +0,0 @@
{
"canonical_id": "nextjs--CVE-2024-46982",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js Cache Poisoning",
"summary": "Next.js Cache Poisoning",
"published_at": "2024-09-17T21:58:09Z",
"updated_at": "2026-02-04T03:45:33.402195Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-46982",
"https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3",
"https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-46982",
"GHSA-gp8f-8m3g-qvj9"
],
"cve_ids": [
"CVE-2024-46982"
],
"ghsa_ids": [
"GHSA-gp8f-8m3g-qvj9"
],
"osv_ids": [],
"affected_versions": [
"introduced=13.5.1, fixed<13.5.7",
"introduced=14.0.0, fixed<14.2.10"
],
"fixed_versions": [
"13.5.7",
"14.2.10"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-46982.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

66
08-threat-intel/registry/advisories/nextjs--CVE-2024-47831.json
查看文件

@@ -1,66 +0,0 @@
{
"canonical_id": "nextjs--CVE-2024-47831",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Denial of Service condition in Next.js image optimization",
"summary": "Denial of Service condition in Next.js image optimization",
"published_at": "2024-10-14T19:45:21Z",
"updated_at": "2026-02-04T03:25:43.295558Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-47831",
"https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-47831",
"GHSA-g77x-44xx-532m"
],
"cve_ids": [
"CVE-2024-47831"
],
"ghsa_ids": [
"GHSA-g77x-44xx-532m"
],
"osv_ids": [],
"affected_versions": [
"introduced=10.0.0, fixed<14.2.7"
],
"fixed_versions": [
"14.2.7"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-47831.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

73
08-threat-intel/registry/advisories/nextjs--CVE-2024-51479.json
查看文件

@@ -1,73 +0,0 @@
{
"canonical_id": "nextjs--CVE-2024-51479",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js authorization bypass vulnerability",
"summary": "Next.js authorization bypass vulnerability",
"published_at": "2024-12-17T15:09:06Z",
"updated_at": "2025-09-10T21:12:24Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-51479",
"https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v14.2.15"
],
"aliases": [
"CVE-2024-51479",
"GHSA-7gfc-8cq8-jh5f"
],
"cve_ids": [
"CVE-2024-51479"
],
"ghsa_ids": [
"GHSA-7gfc-8cq8-jh5f"
],
"osv_ids": [],
"affected_versions": [
"introduced=9.5.5, fixed<14.2.15"
],
"fixed_versions": [
"14.2.15"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-51479.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:29:17+00:00",
"last_run_id": "nextjs-nextjs--CVE-2024-51479-20260318012913",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-51479-20260318012913",
"browser_evidence": {
"required": false,
"present": false,
"refs": [],
"baseline_refs": [],
"proof_refs": [],
"baseline_title": null,
"proof_title": null,
"error_kind": null,
"reason": null
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

69
08-threat-intel/registry/advisories/nextjs--CVE-2024-56332.json
查看文件

@@ -1,69 +0,0 @@
{
"canonical_id": "nextjs--CVE-2024-56332",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js Allows a Denial of Service (DoS) with Server Actions",
"summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
"published_at": "2025-01-03T20:19:29Z",
"updated_at": "2026-02-04T04:36:04.252972Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-56332",
"GHSA-7m27-7ghc-44w9"
],
"cve_ids": [
"CVE-2024-56332"
],
"ghsa_ids": [
"GHSA-7m27-7ghc-44w9"
],
"osv_ids": [],
"affected_versions": [
"introduced=13.0.0, fixed<13.5.8",
"introduced=14.0.0, fixed<14.2.21",
"introduced=15.0.0, fixed<15.1.2"
],
"fixed_versions": [
"13.5.8",
"14.2.21",
"15.1.2"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2024-56332.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/nextjs--CVE-2025-29927.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-29927",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Authorization Bypass in Next.js Middleware",
"summary": "Authorization Bypass in Next.js Middleware",
"published_at": "2025-03-21T15:20:12Z",
"updated_at": "2026-03-04T15:06:29.993197Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-29927",
"https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2",
"https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v12.3.5",
"https://github.com/vercel/next.js/releases/tag/v13.5.9",
"https://security.netapp.com/advisory/ntap-20250328-0002",
"https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware",
"http://www.openwall.com/lists/oss-security/2025/03/23/3",
"http://www.openwall.com/lists/oss-security/2025/03/23/4"
],
"aliases": [
"CVE-2025-29927",
"GHSA-f82v-jwr5-mffw"
],
"cve_ids": [
"CVE-2025-29927"
],
"ghsa_ids": [
"GHSA-f82v-jwr5-mffw"
],
"osv_ids": [],
"affected_versions": [
"introduced=13.0.0, fixed<13.5.9",
"introduced=14.0.0, fixed<14.2.25",
"introduced=15.0.0, fixed<15.2.3",
"introduced=12.0.0, fixed<12.3.5"
],
"fixed_versions": [
"13.5.9",
"14.2.25",
"15.2.3",
"12.3.5"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-29927.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "real",
"last_verified_at": "2026-03-17T06:30:47+00:00",
"last_run_id": "nextjs-nextjs--CVE-2025-29927-20260317063047",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-29927-20260317063047",
"browser_evidence": null,
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "official-source",
"blocked_reason": "dry-run only",
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

76
08-threat-intel/registry/advisories/nextjs--CVE-2025-30218.json
查看文件

@@ -1,76 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-30218",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js may leak x-middleware-subrequest-id to external hosts",
"summary": "Next.js may leak x-middleware-subrequest-id to external hosts",
"published_at": "2025-04-02T22:35:37Z",
"updated_at": "2025-10-13T15:35:50Z",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-30218",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O"
],
"aliases": [
"CVE-2025-30218",
"GHSA-223j-4rm8-mrmf"
],
"cve_ids": [
"CVE-2025-30218"
],
"ghsa_ids": [
"GHSA-223j-4rm8-mrmf"
],
"osv_ids": [],
"affected_versions": [
"12.3.5",
"13.5.9",
"14.2.25",
"15.2.3",
"introduced=12.3.5, fixed<12.3.6",
"introduced=13.5.9, fixed<13.5.10",
"introduced=14.2.25, fixed<14.2.26",
"introduced=15.2.3, fixed<15.2.4"
],
"fixed_versions": [
"12.3.6",
"13.5.10",
"14.2.26",
"15.2.4"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-30218.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

68
08-threat-intel/registry/advisories/nextjs--CVE-2025-32421.json
查看文件

@@ -1,68 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-32421",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js Race Condition to Cache Poisoning",
"summary": "Next.js Race Condition to Cache Poisoning",
"published_at": "2025-05-15T14:12:26Z",
"updated_at": "2025-09-26T17:48:29Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-32421",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-32421"
],
"aliases": [
"CVE-2025-32421",
"GHSA-qpjv-v59x-3qc4"
],
"cve_ids": [
"CVE-2025-32421"
],
"ghsa_ids": [
"GHSA-qpjv-v59x-3qc4"
],
"osv_ids": [],
"affected_versions": [
"introduced=0.9.9, fixed<14.2.24",
"introduced=15.0.0, fixed<15.1.6"
],
"fixed_versions": [
"14.2.24",
"15.1.6"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-32421.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

68
08-threat-intel/registry/advisories/nextjs--CVE-2025-48068.json
查看文件

@@ -1,68 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-48068",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Information exposure in Next.js dev server due to lack of origin verification",
"summary": "Information exposure in Next.js dev server due to lack of origin verification",
"published_at": "2025-05-28T21:52:13Z",
"updated_at": "2025-06-13T14:41:21Z",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-48068",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-48068"
],
"aliases": [
"CVE-2025-48068",
"GHSA-3h52-269p-cp9r"
],
"cve_ids": [
"CVE-2025-48068"
],
"ghsa_ids": [
"GHSA-3h52-269p-cp9r"
],
"osv_ids": [],
"affected_versions": [
"introduced=15.0.0, fixed<15.2.2",
"introduced=13.0, fixed<14.2.30"
],
"fixed_versions": [
"15.2.2",
"14.2.30"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-48068.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

70
08-threat-intel/registry/advisories/nextjs--CVE-2025-49005.json
查看文件

@@ -1,70 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-49005",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js has a Cache poisoning vulnerability due to omission of the Vary header",
"summary": "Next.js has a Cache poisoning vulnerability due to omission of the Vary header",
"published_at": "2025-07-03T20:30:18Z",
"updated_at": "2026-02-04T02:37:18.974477Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-49005",
"https://github.com/vercel/next.js/issues/79346",
"https://github.com/vercel/next.js/pull/79939",
"https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v15.3.3",
"https://vercel.com/changelog/cve-2025-49005"
],
"aliases": [
"CVE-2025-49005",
"GHSA-r2fc-ccr8-96c4"
],
"cve_ids": [
"CVE-2025-49005"
],
"ghsa_ids": [
"GHSA-r2fc-ccr8-96c4"
],
"osv_ids": [],
"affected_versions": [
"introduced=15.3.0, fixed<15.3.3"
],
"fixed_versions": [
"15.3.3"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-49005.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

69
08-threat-intel/registry/advisories/nextjs--CVE-2025-49826.json
查看文件

@@ -1,69 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-49826",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.JS vulnerability can lead to DoS via cache poisoning ",
"summary": "Next.JS vulnerability can lead to DoS via cache poisoning ",
"published_at": "2025-07-03T21:14:48Z",
"updated_at": "2025-07-03T21:49:52Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-49826",
"https://github.com/vercel/next.js/commit/16bfce64ef2157f2c1dfedcfdb7771bc63103fd2",
"https://github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v15.1.8",
"https://vercel.com/changelog/cve-2025-49826"
],
"aliases": [
"CVE-2025-49826",
"GHSA-67rr-84xm-4c7r"
],
"cve_ids": [
"CVE-2025-49826"
],
"ghsa_ids": [
"GHSA-67rr-84xm-4c7r"
],
"osv_ids": [],
"affected_versions": [
"introduced=15.0.4-canary.51, fixed<15.1.8"
],
"fixed_versions": [
"15.1.8"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-49826.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

70
08-threat-intel/registry/advisories/nextjs--CVE-2025-55173.json
查看文件

@@ -1,70 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-55173",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js Content Injection Vulnerability for Image Optimization",
"summary": "Next.js Content Injection Vulnerability for Image Optimization",
"published_at": "2025-08-29T21:59:55Z",
"updated_at": "2026-02-04T04:35:34.538107Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-55173",
"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-55173",
"http://vercel.com/changelog/cve-2025-55173"
],
"aliases": [
"CVE-2025-55173",
"GHSA-xv57-4mr9-wg8v"
],
"cve_ids": [
"CVE-2025-55173"
],
"ghsa_ids": [
"GHSA-xv57-4mr9-wg8v"
],
"osv_ids": [],
"affected_versions": [
"introduced=0.9.9, fixed<14.2.31",
"introduced=15.0.0, fixed<15.4.5"
],
"fixed_versions": [
"14.2.31",
"15.4.5"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-55173.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

70
08-threat-intel/registry/advisories/nextjs--CVE-2025-57752.json
查看文件

@@ -1,70 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-57752",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js Affected by Cache Key Confusion for Image Optimization API Routes",
"summary": "Next.js Affected by Cache Key Confusion for Image Optimization API Routes",
"published_at": "2025-08-29T22:06:22Z",
"updated_at": "2026-02-04T02:50:08.291668Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-57752",
"https://github.com/vercel/next.js/pull/82114",
"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-57752"
],
"aliases": [
"CVE-2025-57752",
"GHSA-g5qg-72qw-gw5v"
],
"cve_ids": [
"CVE-2025-57752"
],
"ghsa_ids": [
"GHSA-g5qg-72qw-gw5v"
],
"osv_ids": [],
"affected_versions": [
"introduced=0.9.9, fixed<14.2.31",
"introduced=15.0.0, fixed<15.4.5"
],
"fixed_versions": [
"14.2.31",
"15.4.5"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-57752.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

70
08-threat-intel/registry/advisories/nextjs--CVE-2025-57822.json
查看文件

@@ -1,70 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-57822",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js Improper Middleware Redirect Handling Leads to SSRF",
"summary": "Next.js Improper Middleware Redirect Handling Leads to SSRF",
"published_at": "2025-08-29T21:33:09Z",
"updated_at": "2026-02-04T04:20:45.658010Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-57822",
"https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-57822"
],
"aliases": [
"CVE-2025-57822",
"GHSA-4342-x723-ch2f"
],
"cve_ids": [
"CVE-2025-57822"
],
"ghsa_ids": [
"GHSA-4342-x723-ch2f"
],
"osv_ids": [],
"affected_versions": [
"introduced=0.9.9, fixed<14.2.32",
"introduced=15.0.0-canary.0, fixed<15.4.7"
],
"fixed_versions": [
"14.2.32",
"15.4.7"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-57822.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"ssrf-url-validation"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/nextjs--CVE-2025-59471.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-59471",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",
"summary": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",
"published_at": "2026-01-27T19:18:25Z",
"updated_at": "2026-02-10T01:28:46.973023Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-59471",
"https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c",
"https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v15.5.10",
"https://github.com/vercel/next.js/releases/tag/v16.1.5"
],
"aliases": [
"CVE-2025-59471",
"GHSA-9g9p-9gw9-jx7f"
],
"cve_ids": [
"CVE-2025-59471"
],
"ghsa_ids": [
"GHSA-9g9p-9gw9-jx7f"
],
"osv_ids": [],
"affected_versions": [
"introduced=10.0.0, fixed<15.5.10",
"introduced=15.6.0-canary.0, fixed<16.1.5"
],
"fixed_versions": [
"15.5.10",
"16.1.5"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-59471.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

68
08-threat-intel/registry/advisories/nextjs--CVE-2025-59472.json
查看文件

@@ -1,68 +0,0 @@
{
"canonical_id": "nextjs--CVE-2025-59472",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",
"summary": "Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",
"published_at": "2026-01-28T15:20:55Z",
"updated_at": "2026-02-06T13:13:43.709252Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-59472",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472"
],
"aliases": [
"CVE-2025-59472",
"GHSA-5f7q-jpqc-wp7h"
],
"cve_ids": [
"CVE-2025-59472"
],
"ghsa_ids": [
"GHSA-5f7q-jpqc-wp7h"
],
"osv_ids": [],
"affected_versions": [
"introduced=15.0.0-canary.0, fixed<15.6.0-canary.61",
"introduced=16.0.0-beta.0, fixed<16.1.5"
],
"fixed_versions": [
"15.6.0-canary.61",
"16.1.5"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2025-59472.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/nextjs--CVE-2026-27977.json 普通文件
查看文件

@@ -0,0 +1,72 @@
{
"canonical_id": "nextjs--CVE-2026-27977",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js: null origin can bypass dev HMR websocket CSRF checks",
"summary": "## Summary\nIn `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.\n\n## Impact\nIf a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only.\nApps without a configured [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) still allow connections from any origin.\n\n## Patches\nFixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Do not expose `next dev` to untrusted networks.\n- Block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at your proxy.",
"published_at": "2026-03-17T15:29:48Z",
"updated_at": "2026-03-17T15:46:26.028580Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36",
"secondary_source_urls": [
"https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"
],
"aliases": [
"CVE-2026-27977",
"GHSA-jcc7-9wpm-mj36"
],
"cve_ids": [
"CVE-2026-27977"
],
"ghsa_ids": [
"GHSA-jcc7-9wpm-mj36"
],
"osv_ids": [
"GHSA-jcc7-9wpm-mj36"
],
"affected_versions": [
"introduced=16.0.1, fixed<16.1.7"
],
"fixed_versions": [
"16.1.7"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-27977.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-proxy-boundary",
"artifact_mode": "official-source",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Next.js"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/nextjs--CVE-2026-27978.json 普通文件
查看文件

@@ -0,0 +1,72 @@
{
"canonical_id": "nextjs--CVE-2026-27978",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js: null origin can bypass Server Actions CSRF checks",
"summary": "## Summary\n`origin: null` was treated as a \"missing\" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.\n\n## Impact\nAn attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).\n\n## Patches\nFixed by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Add CSRF tokens for sensitive Server Actions.\n- Prefer `SameSite=Strict` on sensitive auth cookies.\n- Do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.",
"published_at": "2026-03-17T15:30:14Z",
"updated_at": "2026-03-17T15:46:43.484729Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx",
"secondary_source_urls": [
"https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"
],
"aliases": [
"CVE-2026-27978",
"GHSA-mq59-m269-xvcx"
],
"cve_ids": [
"CVE-2026-27978"
],
"ghsa_ids": [
"GHSA-mq59-m269-xvcx"
],
"osv_ids": [
"GHSA-mq59-m269-xvcx"
],
"affected_versions": [
"introduced=16.0.1, fixed<16.1.7"
],
"fixed_versions": [
"16.1.7"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-27978.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-proxy-boundary",
"artifact_mode": "official-source",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Next.js"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/nextjs--CVE-2026-27979.json 普通文件
查看文件

@@ -0,0 +1,72 @@
{
"canonical_id": "nextjs--CVE-2026-27979",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js: Unbounded postponed resume buffering can lead to DoS",
"summary": "## Summary\nA request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.\n\n## Impact\nIn applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.\n\n## Patches\nFixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.",
"published_at": "2026-03-17T16:16:49Z",
"updated_at": "2026-03-17T16:31:34.160932Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq",
"secondary_source_urls": [
"https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"
],
"aliases": [
"CVE-2026-27979",
"GHSA-h27x-g6w4-24gq"
],
"cve_ids": [
"CVE-2026-27979"
],
"ghsa_ids": [
"GHSA-h27x-g6w4-24gq"
],
"osv_ids": [
"GHSA-h27x-g6w4-24gq"
],
"affected_versions": [
"introduced=16.0.1, fixed<16.1.7"
],
"fixed_versions": [
"16.1.7"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-27979.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-proxy-boundary",
"artifact_mode": "official-source",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Next.js"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 1
}
}

72
08-threat-intel/registry/advisories/nextjs--CVE-2026-27980.json 普通文件
查看文件

@@ -0,0 +1,72 @@
{
"canonical_id": "nextjs--CVE-2026-27980",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js: Unbounded next/image disk cache growth can exhaust storage",
"summary": "## Summary\nThe default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.\n\n## Impact\nAn attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service.\n\n## Patches\nFixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Periodically clean `.next/cache/images`.\n- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)",
"published_at": "2026-03-17T16:17:06Z",
"updated_at": "2026-03-17T16:31:33.597080Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8",
"secondary_source_urls": [
"https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"
],
"aliases": [
"CVE-2026-27980",
"GHSA-3x4c-7xq6-9pq8"
],
"cve_ids": [
"CVE-2026-27980"
],
"ghsa_ids": [
"GHSA-3x4c-7xq6-9pq8"
],
"osv_ids": [
"GHSA-3x4c-7xq6-9pq8"
],
"affected_versions": [
"introduced=10.0.0, fixed<16.1.7"
],
"fixed_versions": [
"16.1.7"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-27980.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-proxy-boundary",
"artifact_mode": "official-source",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Next.js"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 1
}
}

77
08-threat-intel/registry/advisories/nextjs--CVE-2026-29057.json 普通文件
查看文件

@@ -0,0 +1,77 @@
{
"canonical_id": "nextjs--CVE-2026-29057",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js: HTTP request smuggling in rewrites",
"summary": "## Summary\nWhen Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.\n\n## Impact\nAn attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. \n\n## Patches\nThe vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency\u2019s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path.\n\n## Workarounds\nIf upgrade is not immediately possible:\n- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy.\n- Enforce authentication/authorization on backend routes per our [security guidance](https://nextjs.org/docs/app/guides/data-security).",
"published_at": "2026-03-17T16:17:15Z",
"updated_at": "2026-03-17T16:31:26.646070Z",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8",
"secondary_source_urls": [
"https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v15.5.13",
"https://github.com/vercel/next.js/releases/tag/v16.1.7"
],
"aliases": [
"CVE-2026-29057",
"GHSA-ggv3-7p47-pfv8"
],
"cve_ids": [
"CVE-2026-29057"
],
"ghsa_ids": [
"GHSA-ggv3-7p47-pfv8"
],
"osv_ids": [
"GHSA-ggv3-7p47-pfv8"
],
"affected_versions": [
"introduced=16.0.0-beta.0, fixed<16.1.7",
"introduced=9.5.0, fixed<15.5.13"
],
"fixed_versions": [
"16.1.7",
"15.5.13"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-cve-2026-29057.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"request-smuggling-boundary",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": null,
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "request-smuggling-generic",
"artifact_mode": "official-source",
"blocked_reason": null,
"metadata": {
"source_names": [
"OSV Next.js"
],
"source_kinds": [
"osv-batch"
],
"candidate_count": 1
}
}

84
08-threat-intel/registry/advisories/nextjs--GHSA-5j59-xgg2-r9c4.json
查看文件

@@ -1,84 +0,0 @@
{
"canonical_id": "nextjs--GHSA-5j59-xgg2-r9c4",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up",
"summary": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up",
"published_at": "2025-12-12T17:21:57Z",
"updated_at": "2026-02-04T02:46:38.768104Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-67779",
"https://github.com/vercel/next.js",
"https://nextjs.org/blog/security-update-2025-12-11",
"https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components",
"https://www.cve.org/CVERecord?id=CVE-2025-55184",
"https://www.facebook.com/security/advisories/cve-2025-67779"
],
"aliases": [
"GHSA-5j59-xgg2-r9c4"
],
"cve_ids": [],
"ghsa_ids": [
"GHSA-5j59-xgg2-r9c4"
],
"osv_ids": [],
"affected_versions": [
"introduced=13.3.1-canary.0, fixed<14.2.35",
"introduced=15.0.6, fixed<15.0.7",
"introduced=15.1.10, fixed<15.1.11",
"introduced=15.2.7, fixed<15.2.8",
"introduced=15.3.7, fixed<15.3.8",
"introduced=15.4.9, fixed<15.4.10",
"introduced=15.5.8, fixed<15.5.9",
"introduced=15.6.0-canary.59, fixed<15.6.0-canary.60",
"introduced=16.0.9, fixed<16.0.10",
"introduced=16.1.0-canary.17, fixed<16.1.0-canary.19"
],
"fixed_versions": [
"14.2.35",
"15.0.7",
"15.1.11",
"15.2.8",
"15.3.8",
"15.4.10",
"15.5.9",
"15.6.0-canary.60",
"16.0.10",
"16.1.0-canary.19"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-ghsa-5j59-xgg2-r9c4.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

77
08-threat-intel/registry/advisories/nextjs--GHSA-9qr9-h5gf-34mp.json
查看文件

@@ -1,77 +0,0 @@
{
"canonical_id": "nextjs--GHSA-9qr9-h5gf-34mp",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js is vulnerable to RCE in React flight protocol",
"summary": "Next.js is vulnerable to RCE in React flight protocol",
"published_at": "2025-12-03T19:07:11Z",
"updated_at": "2026-02-04T03:45:15.823345Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r",
"secondary_source_urls": [
"https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp",
"https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp",
"https://nvd.nist.gov/vuln/detail/CVE-2025-55182",
"https://github.com/vercel/next.js"
],
"aliases": [
"GHSA-9qr9-h5gf-34mp"
],
"cve_ids": [],
"ghsa_ids": [
"GHSA-9qr9-h5gf-34mp"
],
"osv_ids": [],
"affected_versions": [
"introduced=14.3.0-canary.77, fixed<15.0.5",
"introduced=15.1.0-canary.0, fixed<15.1.9",
"introduced=15.2.0-canary.0, fixed<15.2.6",
"introduced=15.3.0-canary.0, fixed<15.3.6",
"introduced=15.4.0-canary.0, fixed<15.4.8",
"introduced=15.5.0-canary.0, fixed<15.5.7",
"introduced=16.0.0-canary.0, fixed<16.0.7"
],
"fixed_versions": [
"15.0.5",
"15.1.9",
"15.2.6",
"15.3.6",
"15.4.8",
"15.5.7",
"16.0.7"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-ghsa-9qr9-h5gf-34mp.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

88
08-threat-intel/registry/advisories/nextjs--GHSA-h25m-26qc-wcjf.json
查看文件

@@ -1,88 +0,0 @@
{
"canonical_id": "nextjs--GHSA-h25m-26qc-wcjf",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components",
"summary": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components",
"published_at": "2026-01-28T15:38:01Z",
"updated_at": "2026-02-13T00:43:52.836085Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg",
"secondary_source_urls": [
"https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf",
"https://nvd.nist.gov/vuln/detail/CVE-2026-23864",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/summary-of-cve-2026-23864"
],
"aliases": [
"GHSA-h25m-26qc-wcjf"
],
"cve_ids": [],
"ghsa_ids": [
"GHSA-h25m-26qc-wcjf"
],
"osv_ids": [],
"affected_versions": [
"introduced=13.0.0, fixed<15.0.8",
"introduced=15.1.1-canary.0, fixed<15.1.12",
"introduced=15.2.0-canary.0, fixed<15.2.9",
"introduced=15.3.0-canary.0, fixed<15.3.9",
"introduced=15.4.0-canary.0, fixed<15.4.11",
"introduced=15.5.1-canary.0, fixed<15.5.10",
"introduced=15.6.0-canary.0, fixed<15.6.0-canary.61",
"introduced=16.0.0-beta.0, fixed<16.0.11",
"introduced=16.1.0-canary.0, fixed<16.1.5"
],
"fixed_versions": [
"15.0.8",
"15.1.12",
"15.2.9",
"15.3.9",
"15.4.11",
"15.5.10",
"15.6.0-canary.61",
"16.0.11",
"16.1.5"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-ghsa-h25m-26qc-wcjf.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy",
"deserialization-safety"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:31:16+00:00",
"last_run_id": "nextjs-nextjs--GHSA-h25m-26qc-wcjf-20260318013112",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-h25m-26qc-wcjf-20260318013112",
"browser_evidence": {
"required": false,
"present": false,
"refs": [],
"baseline_refs": [],
"proof_refs": [],
"baseline_title": null,
"proof_title": null,
"error_kind": null,
"reason": null
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

82
08-threat-intel/registry/advisories/nextjs--GHSA-mwv6-3258-q52c.json
查看文件

@@ -1,82 +0,0 @@
{
"canonical_id": "nextjs--GHSA-mwv6-3258-q52c",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next Vulnerable to Denial of Service with Server Components",
"summary": "Next Vulnerable to Denial of Service with Server Components",
"published_at": "2025-12-11T22:49:27Z",
"updated_at": "2026-02-04T03:55:54.855562Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c",
"secondary_source_urls": [
"https://github.com/vercel/next.js",
"https://nextjs.org/blog/security-update-2025-12-11",
"https://www.cve.org/CVERecord?id=CVE-2025-55184"
],
"aliases": [
"GHSA-mwv6-3258-q52c"
],
"cve_ids": [],
"ghsa_ids": [
"GHSA-mwv6-3258-q52c"
],
"osv_ids": [],
"affected_versions": [
"introduced=13.3.0, fixed<14.2.34",
"introduced=15.0.0-canary.0, fixed<15.0.6",
"introduced=15.1.1-canary.0, fixed<15.1.10",
"introduced=15.2.0-canary.0, fixed<15.2.7",
"introduced=15.3.0-canary.0, fixed<15.3.7",
"introduced=15.4.0-canary.0, fixed<15.4.9",
"introduced=15.5.1-canary.0, fixed<15.5.8",
"introduced=15.6.0-canary.0, fixed<15.6.0-canary.59",
"introduced=16.0.0-beta.0, fixed<16.0.9",
"introduced=16.1.0-canary.0, fixed<16.1.0-canary.17"
],
"fixed_versions": [
"14.2.34",
"15.0.6",
"15.1.10",
"15.2.7",
"15.3.7",
"15.4.9",
"15.5.8",
"15.6.0-canary.59",
"16.0.9",
"16.1.0-canary.17"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-ghsa-mwv6-3258-q52c.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

80
08-threat-intel/registry/advisories/nextjs--GHSA-w37m-7fhw-fmv9.json
查看文件

@@ -1,80 +0,0 @@
{
"canonical_id": "nextjs--GHSA-w37m-7fhw-fmv9",
"system_id": "nextjs",
"display_name": "Next.js",
"category": "frameworks",
"advisory_mode": "core",
"title": "Next Server Actions Source Code Exposure ",
"summary": "Next Server Actions Source Code Exposure ",
"published_at": "2025-12-11T22:49:56Z",
"updated_at": "2026-02-04T02:51:40.627151Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9",
"secondary_source_urls": [
"https://github.com/vercel/next.js",
"https://nextjs.org/blog/security-update-2025-12-11",
"https://www.cve.org/CVERecord?id=CVE-2025-55183"
],
"aliases": [
"GHSA-w37m-7fhw-fmv9"
],
"cve_ids": [],
"ghsa_ids": [
"GHSA-w37m-7fhw-fmv9"
],
"osv_ids": [],
"affected_versions": [
"introduced=15.0.0-canary.0, fixed<15.0.6",
"introduced=15.1.1-canary.0, fixed<15.1.10",
"introduced=15.2.0-canary.0, fixed<15.2.7",
"introduced=15.3.0-canary.0, fixed<15.3.7",
"introduced=15.4.0-canary.0, fixed<15.4.9",
"introduced=15.5.1-canary.0, fixed<15.5.8",
"introduced=15.6.0-canary.0, fixed<15.6.0-canary.59",
"introduced=16.0.0-beta.0, fixed<16.0.9",
"introduced=16.1.0-canary.0, fixed<16.1.0-canary.17"
],
"fixed_versions": [
"15.0.6",
"15.1.10",
"15.2.7",
"15.3.7",
"15.4.9",
"15.5.8",
"15.6.0-canary.59",
"16.0.9",
"16.1.0-canary.17"
],
"package_name": "next",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/nextjs/cases/nextjs-ghsa-w37m-7fhw-fmv9.md",
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "nextjs-authz-bypass",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

79
08-threat-intel/registry/advisories/undici--CVE-2022-31151.json
查看文件

@@ -1,79 +0,0 @@
{
"canonical_id": "undici--CVE-2022-31151",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect",
"summary": "undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect",
"published_at": "2022-07-21T20:31:05Z",
"updated_at": "2026-02-04T03:02:08.652391Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-31151",
"https://github.com/nodejs/undici/issues/872",
"https://github.com/nodejs/undici/pull/1441",
"https://github.com/nodejs/undici/commit/0a5bee9465e627be36bac88edf7d9bbc9626126d",
"https://hackerone.com/reports/1635514",
"https://github.com/nodejs/undici",
"https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189",
"https://github.com/nodejs/undici/releases/tag/v5.8.0",
"https://security.netapp.com/advisory/ntap-20220909-0006"
],
"aliases": [
"CVE-2022-31151",
"GHSA-q768-x9m6-m9qp"
],
"cve_ids": [
"CVE-2022-31151"
],
"ghsa_ids": [
"GHSA-q768-x9m6-m9qp"
],
"osv_ids": [],
"affected_versions": [
"introduced=0, fixed<5.8.0"
],
"fixed_versions": [
"5.8.0"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2022-31151.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:31:55+00:00",
"last_run_id": "undici-undici--CVE-2022-31151-20260318013150",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/undici-undici--CVE-2022-31151-20260318013150",
"browser_evidence": {
"required": false,
"present": false,
"refs": [],
"baseline_refs": [],
"proof_refs": [],
"baseline_title": null,
"proof_title": null,
"error_kind": null,
"reason": null
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

65
08-threat-intel/registry/advisories/undici--CVE-2022-32210.json
查看文件

@@ -1,65 +0,0 @@
{
"canonical_id": "undici--CVE-2022-32210",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "ProxyAgent vulnerable to MITM",
"summary": "ProxyAgent vulnerable to MITM",
"published_at": "2022-06-17T01:02:29Z",
"updated_at": "2026-03-13T22:15:23.541247Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-32210",
"https://hackerone.com/reports/1583680",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2022-32210",
"GHSA-pgw7-wx7w-2w33"
],
"cve_ids": [
"CVE-2022-32210"
],
"ghsa_ids": [
"GHSA-pgw7-wx7w-2w33"
],
"osv_ids": [],
"affected_versions": [
"introduced=4.8.2, fixed<5.5.1"
],
"fixed_versions": [
"5.5.1"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2022-32210.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/undici--CVE-2023-45143.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "undici--CVE-2023-45143",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici's cookie header not cleared on cross-origin redirect in fetch",
"summary": "Undici's cookie header not cleared on cross-origin redirect in fetch",
"published_at": "2023-10-16T14:05:37Z",
"updated_at": "2026-02-04T02:35:56.289390Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"secondary_source_urls": [
"https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
"https://nvd.nist.gov/vuln/detail/CVE-2023-45143",
"https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76",
"https://hackerone.com/reports/2166948",
"https://github.com/nodejs/undici",
"https://github.com/nodejs/undici/releases/tag/v5.26.2",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y"
],
"aliases": [
"CVE-2023-45143",
"GHSA-wqq4-5wpv-mx2g"
],
"cve_ids": [
"CVE-2023-45143"
],
"ghsa_ids": [
"GHSA-wqq4-5wpv-mx2g"
],
"osv_ids": [],
"affected_versions": [
"introduced=0, fixed<5.26.2"
],
"fixed_versions": [
"5.26.2"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2023-45143.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"token-cookie-storage"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

73
08-threat-intel/registry/advisories/undici--CVE-2024-30260.json
查看文件

@@ -1,73 +0,0 @@
{
"canonical_id": "undici--CVE-2024-30260",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",
"summary": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",
"published_at": "2024-04-04T14:20:39Z",
"updated_at": "2025-11-04T19:44:28Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-30260",
"https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f",
"https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75",
"https://hackerone.com/reports/2408074",
"https://github.com/nodejs/undici",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E",
"https://security.netapp.com/advisory/ntap-20240905-0008"
],
"aliases": [
"CVE-2024-30260",
"GHSA-m4v8-wqvr-p9f7"
],
"cve_ids": [
"CVE-2024-30260"
],
"ghsa_ids": [
"GHSA-m4v8-wqvr-p9f7"
],
"osv_ids": [],
"affected_versions": [
"introduced=0, fixed<5.28.4",
"introduced=6.0.0, fixed<6.11.1"
],
"fixed_versions": [
"5.28.4",
"6.11.1"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2024-30260.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

73
08-threat-intel/registry/advisories/undici--CVE-2024-30261.json
查看文件

@@ -1,73 +0,0 @@
{
"canonical_id": "undici--CVE-2024-30261",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",
"summary": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",
"published_at": "2024-04-04T14:20:54Z",
"updated_at": "2025-11-04T19:44:42Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-30261",
"https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055",
"https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3",
"https://hackerone.com/reports/2377760",
"https://github.com/nodejs/undici",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E",
"https://security.netapp.com/advisory/ntap-20240905-0008"
],
"aliases": [
"CVE-2024-30261",
"GHSA-9qxr-qj54-h672"
],
"cve_ids": [
"CVE-2024-30261"
],
"ghsa_ids": [
"GHSA-9qxr-qj54-h672"
],
"osv_ids": [],
"affected_versions": [
"introduced=0, fixed<5.28.4",
"introduced=6.0.0, fixed<6.11.1"
],
"fixed_versions": [
"5.28.4",
"6.11.1"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2024-30261.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

74
08-threat-intel/registry/advisories/undici--CVE-2025-22150.json
查看文件

@@ -1,74 +0,0 @@
{
"canonical_id": "undici--CVE-2025-22150",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Use of Insufficiently Random Values in undici",
"summary": "Use of Insufficiently Random Values in undici",
"published_at": "2025-01-21T21:10:47Z",
"updated_at": "2026-02-04T02:29:26.373390Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-22150",
"https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0",
"https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a",
"https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385",
"https://hackerone.com/reports/2913312",
"https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f",
"https://github.com/nodejs/undici",
"https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113"
],
"aliases": [
"CVE-2025-22150",
"GHSA-c76h-2ccp-4975"
],
"cve_ids": [
"CVE-2025-22150"
],
"ghsa_ids": [
"GHSA-c76h-2ccp-4975"
],
"osv_ids": [],
"affected_versions": [
"introduced=4.5.0, fixed<5.28.5",
"introduced=6.0.0, fixed<6.21.1",
"introduced=7.0.0, fixed<7.2.3"
],
"fixed_versions": [
"5.28.5",
"6.21.1",
"7.2.3"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2025-22150.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/undici--CVE-2025-47279.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "undici--CVE-2025-47279",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "undici Denial of Service attack via bad certificate data",
"summary": "undici Denial of Service attack via bad certificate data",
"published_at": "2025-05-15T14:15:06Z",
"updated_at": "2026-02-06T22:08:08.311705Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-47279",
"https://github.com/nodejs/undici/issues/3895",
"https://github.com/nodejs/undici/pull/4088",
"https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2025-47279",
"GHSA-cxrh-j4jr-qwg3"
],
"cve_ids": [
"CVE-2025-47279"
],
"ghsa_ids": [
"GHSA-cxrh-j4jr-qwg3"
],
"osv_ids": [],
"affected_versions": [
"introduced=0, fixed<5.29.0",
"introduced=6.0.0, fixed<6.21.2",
"introduced=7.0.0, fixed<7.5.0"
],
"fixed_versions": [
"5.29.0",
"6.21.2",
"7.5.0"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2025-47279.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/undici--CVE-2026-1525.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "undici--CVE-2026-1525",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici has an HTTP Request/Response Smuggling issue",
"summary": "Undici has an HTTP Request/Response Smuggling issue",
"published_at": "2026-03-13T20:07:03Z",
"updated_at": "2026-03-14T09:19:54.772219Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-1525",
"https://hackerone.com/reports/3556037",
"https://cna.openjsf.org/security-advisories.html",
"https://cwe.mitre.org/data/definitions/444.html",
"https://github.com/nodejs/undici",
"https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6"
],
"aliases": [
"CVE-2026-1525",
"GHSA-2mjp-6q6p-2qxm"
],
"cve_ids": [
"CVE-2026-1525"
],
"ghsa_ids": [
"GHSA-2mjp-6q6p-2qxm"
],
"osv_ids": [],
"affected_versions": [
"introduced=0, fixed<6.24.0",
"introduced=7.0.0, fixed<7.24.0"
],
"fixed_versions": [
"6.24.0",
"7.24.0"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2026-1525.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"request-smuggling-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/undici--CVE-2026-1526.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "undici--CVE-2026-1526",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
"summary": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
"published_at": "2026-03-13T20:41:56Z",
"updated_at": "2026-03-13T20:54:25.563997Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-1526",
"https://hackerone.com/reports/3481206",
"https://cna.openjsf.org/security-advisories.html",
"https://datatracker.ietf.org/doc/html/rfc7692",
"https://github.com/nodejs/undici",
"https://owasp.org/www-community/attacks/Denial_of_Service"
],
"aliases": [
"CVE-2026-1526",
"GHSA-vrm6-8vpv-qv8q"
],
"cve_ids": [
"CVE-2026-1526"
],
"ghsa_ids": [
"GHSA-vrm6-8vpv-qv8q"
],
"osv_ids": [],
"affected_versions": [
"introduced=0, fixed<6.24.0",
"introduced=7.0.0, fixed<7.24.0"
],
"fixed_versions": [
"6.24.0",
"7.24.0"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2026-1526.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

68
08-threat-intel/registry/advisories/undici--CVE-2026-1527.json
查看文件

@@ -1,68 +0,0 @@
{
"canonical_id": "undici--CVE-2026-1527",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici has CRLF Injection in undici via `upgrade` option",
"summary": "Undici has CRLF Injection in undici via `upgrade` option",
"published_at": "2026-03-13T20:41:26Z",
"updated_at": "2026-03-13T20:54:25.572106Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-1527",
"https://hackerone.com/reports/3487198",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2026-1527",
"GHSA-4992-7rv2-5pvq"
],
"cve_ids": [
"CVE-2026-1527"
],
"ghsa_ids": [
"GHSA-4992-7rv2-5pvq"
],
"osv_ids": [],
"affected_versions": [
"introduced=0, fixed<6.24.0",
"introduced=7.0.0, fixed<7.24.0"
],
"fixed_versions": [
"6.24.0",
"7.24.0"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2026-1527.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

68
08-threat-intel/registry/advisories/undici--CVE-2026-1528.json
查看文件

@@ -1,68 +0,0 @@
{
"canonical_id": "undici--CVE-2026-1528",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"summary": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"published_at": "2026-03-13T20:07:26Z",
"updated_at": "2026-03-14T09:17:45.838435Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-1528",
"https://hackerone.com/reports/3537648",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2026-1528",
"GHSA-f269-vfmq-vjvj"
],
"cve_ids": [
"CVE-2026-1528"
],
"ghsa_ids": [
"GHSA-f269-vfmq-vjvj"
],
"osv_ids": [],
"affected_versions": [
"introduced=6.0.0, fixed<6.24.0",
"introduced=7.0.0, fixed<7.24.0"
],
"fixed_versions": [
"6.24.0",
"7.24.0"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2026-1528.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

67
08-threat-intel/registry/advisories/undici--CVE-2026-22036.json
查看文件

@@ -1,67 +0,0 @@
{
"canonical_id": "undici--CVE-2026-22036",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"summary": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"published_at": "2026-01-14T21:06:08Z",
"updated_at": "2026-02-04T02:56:17.456091Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-22036",
"https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2026-22036",
"GHSA-g9mf-h72j-4rw9"
],
"cve_ids": [
"CVE-2026-22036"
],
"ghsa_ids": [
"GHSA-g9mf-h72j-4rw9"
],
"osv_ids": [],
"affected_versions": [
"introduced=7.0.0, fixed<7.18.2",
"introduced=0, fixed<6.23.0"
],
"fixed_versions": [
"7.18.2",
"6.23.0"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2026-22036.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

71
08-threat-intel/registry/advisories/undici--CVE-2026-2229.json
查看文件

@@ -1,71 +0,0 @@
{
"canonical_id": "undici--CVE-2026-2229",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
"summary": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
"published_at": "2026-03-13T20:41:41Z",
"updated_at": "2026-03-13T20:54:26.149214Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-2229",
"https://hackerone.com/reports/3487486",
"https://cna.openjsf.org/security-advisories.html",
"https://datatracker.ietf.org/doc/html/rfc7692",
"https://github.com/nodejs/undici",
"https://nodejs.org/api/zlib.html#class-zlibinflateraw"
],
"aliases": [
"CVE-2026-2229",
"GHSA-v9p9-hfj2-hcw8"
],
"cve_ids": [
"CVE-2026-2229"
],
"ghsa_ids": [
"GHSA-v9p9-hfj2-hcw8"
],
"osv_ids": [],
"affected_versions": [
"introduced=0, fixed<6.24.0",
"introduced=7.0.0, fixed<7.24.0"
],
"fixed_versions": [
"6.24.0",
"7.24.0"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2026-2229.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

66
08-threat-intel/registry/advisories/undici--CVE-2026-2581.json
查看文件

@@ -1,66 +0,0 @@
{
"canonical_id": "undici--CVE-2026-2581",
"system_id": "undici",
"display_name": "Undici",
"category": "frameworks",
"advisory_mode": "core",
"title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS",
"summary": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS",
"published_at": "2026-03-13T20:37:58Z",
"updated_at": "2026-03-13T20:54:25.417862Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-2581",
"https://hackerone.com/reports/3513473",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2026-2581",
"GHSA-phc3-fgpg-7m6h"
],
"cve_ids": [
"CVE-2026-2581"
],
"ghsa_ids": [
"GHSA-phc3-fgpg-7m6h"
],
"osv_ids": [],
"affected_versions": [
"introduced=7.17.0, fixed<7.24.0"
],
"fixed_versions": [
"7.24.0"
],
"package_name": "undici",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/undici/cases/undici-cve-2026-2581.md",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "undici-ssrf",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

106
08-threat-intel/registry/advisories/vite--CVE-2024-23331.json
查看文件

@@ -1,106 +0,0 @@
{
"canonical_id": "vite--CVE-2024-23331",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem",
"summary": "Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem",
"published_at": "2024-01-19T21:58:47Z",
"updated_at": "2026-02-04T04:17:01.410592Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-34092",
"https://nvd.nist.gov/vuln/detail/CVE-2024-23331",
"https://github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691",
"https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5",
"https://github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278",
"https://github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb",
"https://github.com/vitejs/vite",
"https://vitejs.dev/config/server-options.html#server-fs-deny"
],
"aliases": [
"CVE-2024-23331",
"GHSA-c24v-8rfc-w8vw"
],
"cve_ids": [
"CVE-2024-23331"
],
"ghsa_ids": [
"GHSA-c24v-8rfc-w8vw"
],
"osv_ids": [],
"affected_versions": [
"introduced=2.7.0, fixed<2.9.17",
"introduced=3.0.0, fixed<3.2.8",
"introduced=4.0.0, fixed<4.5.2",
"introduced=5.0.0, fixed<5.0.12"
],
"fixed_versions": [
"2.9.17",
"3.2.8",
"4.5.2",
"5.0.12"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2024-23331.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:32:34+00:00",
"last_run_id": "vite-vite--CVE-2024-23331-20260318013228",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228",
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318013228/logs/proof-page.json"
],
"baseline_title": "Vite Proxy Boundary Fixture",
"proof_title": "Vite Proxy Boundary Fixture - proof",
"error_kind": null,
"reason": null
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

80
08-threat-intel/registry/advisories/vite--CVE-2024-45811.json
查看文件

@@ -1,80 +0,0 @@
{
"canonical_id": "vite--CVE-2024-45811",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
"summary": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
"published_at": "2024-09-17T18:44:12Z",
"updated_at": "2026-02-04T04:05:31.919291Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-45811",
"https://github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249",
"https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34",
"https://github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd",
"https://github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6",
"https://github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2024-45811",
"GHSA-9cwx-2883-4wfx"
],
"cve_ids": [
"CVE-2024-45811"
],
"ghsa_ids": [
"GHSA-9cwx-2883-4wfx"
],
"osv_ids": [],
"affected_versions": [
"introduced=5.4.0, fixed<5.4.6",
"introduced=5.3.0, fixed<5.3.6",
"introduced=5.2.0, fixed<5.2.14",
"introduced=4.0.0, fixed<4.5.4",
"introduced=0, fixed<3.2.11",
"introduced=5.0.0, fixed<5.1.8"
],
"fixed_versions": [
"5.4.6",
"5.3.6",
"5.2.14",
"4.5.4",
"3.2.11",
"5.1.8"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2024-45811.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

115
08-threat-intel/registry/advisories/vite--CVE-2024-45812.json
查看文件

@@ -1,115 +0,0 @@
{
"canonical_id": "vite--CVE-2024-45812",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS",
"summary": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS",
"published_at": "2024-09-17T19:28:01Z",
"updated_at": "2026-02-04T04:04:22.977459Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3",
"secondary_source_urls": [
"https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986",
"https://nvd.nist.gov/vuln/detail/CVE-2024-45812",
"https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af",
"https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675",
"https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd",
"https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad",
"https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3",
"https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e",
"https://github.com/vitejs/vite",
"https://research.securitum.com/xss-in-amp4email-dom-clobbering",
"https://scnps.co/papers/sp23_domclob.pdf"
],
"aliases": [
"CVE-2024-45812",
"GHSA-64vr-g452-qvp3"
],
"cve_ids": [
"CVE-2024-45812"
],
"ghsa_ids": [
"GHSA-64vr-g452-qvp3"
],
"osv_ids": [],
"affected_versions": [
"introduced=5.4.0, fixed<5.4.6",
"introduced=5.3.0, fixed<5.3.6",
"introduced=5.2.0, fixed<5.2.14",
"introduced=4.0.0, fixed<4.5.4",
"introduced=0, fixed<3.2.11",
"introduced=5.0.0, fixed<5.1.8"
],
"fixed_versions": [
"5.4.6",
"5.3.6",
"5.2.14",
"4.5.4",
"3.2.11",
"5.1.8"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2024-45812.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"xss-output-encoding",
"plugin-extension-trust-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:33:26+00:00",
"last_run_id": "vite-vite--CVE-2024-45812-20260318013320",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320",
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318013320/logs/proof-page.json"
],
"baseline_title": "Vite XSS Fixture",
"proof_title": "Vite XSS Fixture - proof",
"error_kind": null,
"reason": null
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

101
08-threat-intel/registry/advisories/vite--CVE-2025-24010.json
查看文件

@@ -1,101 +0,0 @@
{
"canonical_id": "vite--CVE-2025-24010",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Websites were able to send any requests to the development server and read the response in vite",
"summary": "Websites were able to send any requests to the development server and read the response in vite",
"published_at": "2025-01-21T19:52:55Z",
"updated_at": "2026-02-04T04:37:03.076966Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-24010",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-24010",
"GHSA-vg6x-rcgg-rjx6"
],
"cve_ids": [
"CVE-2025-24010"
],
"ghsa_ids": [
"GHSA-vg6x-rcgg-rjx6"
],
"osv_ids": [],
"affected_versions": [
"introduced=6.0.0, fixed<6.0.9",
"introduced=5.0.0, fixed<5.4.12",
"introduced=0, fixed<4.5.6"
],
"fixed_versions": [
"6.0.9",
"5.4.12",
"4.5.6"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-24010.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"dom-sink-hardening",
"token-cookie-storage",
"plugin-extension-trust-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "verified-real",
"verification_mode": "real",
"last_verified_at": "2026-03-18T01:33:00+00:00",
"last_run_id": "vite-vite--CVE-2025-24010-20260318013254",
"evidence_bundle": "/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254",
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/proof-page.json"
],
"baseline_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/baseline-page.json"
],
"proof_refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318013254/logs/proof-page.json"
],
"baseline_title": "Vite File Upload Fixture",
"proof_title": "Vite File Upload Fixture - proof",
"error_kind": null,
"reason": null
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

78
08-threat-intel/registry/advisories/vite--CVE-2025-30208.json
查看文件

@@ -1,78 +0,0 @@
{
"canonical_id": "vite--CVE-2025-30208",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite bypasses server.fs.deny when using ?raw??",
"summary": "Vite bypasses server.fs.deny when using ?raw??",
"published_at": "2025-03-25T14:00:02Z",
"updated_at": "2026-02-04T03:13:24.371631Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-30208",
"https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4",
"https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c",
"https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41",
"https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca",
"https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-30208",
"GHSA-x574-m823-4x7w"
],
"cve_ids": [
"CVE-2025-30208"
],
"ghsa_ids": [
"GHSA-x574-m823-4x7w"
],
"osv_ids": [],
"affected_versions": [
"introduced=6.2.0, fixed<6.2.3",
"introduced=6.1.0, fixed<6.1.2",
"introduced=6.0.0, fixed<6.0.12",
"introduced=5.0.0, fixed<5.4.15",
"introduced=0, fixed<4.5.10"
],
"fixed_versions": [
"6.2.3",
"6.1.2",
"6.0.12",
"5.4.15",
"4.5.10"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-30208.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/vite--CVE-2025-31125.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "vite--CVE-2025-31125",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
"summary": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
"published_at": "2025-03-31T17:31:54Z",
"updated_at": "2026-02-04T04:37:24.129476Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-31125",
"https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949",
"https://github.com/vitejs/vite",
"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125"
],
"aliases": [
"CVE-2025-31125",
"GHSA-4r4m-qw57-chr8"
],
"cve_ids": [
"CVE-2025-31125"
],
"ghsa_ids": [
"GHSA-4r4m-qw57-chr8"
],
"osv_ids": [],
"affected_versions": [
"introduced=6.2.0, fixed<6.2.4",
"introduced=6.1.0, fixed<6.1.3",
"introduced=6.0.0, fixed<6.0.13",
"introduced=5.0.0, fixed<5.4.16",
"introduced=0, fixed<4.5.11"
],
"fixed_versions": [
"6.2.4",
"6.1.3",
"6.0.13",
"5.4.16",
"4.5.11"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-31125.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

76
08-threat-intel/registry/advisories/vite--CVE-2025-31486.json
查看文件

@@ -1,76 +0,0 @@
{
"canonical_id": "vite--CVE-2025-31486",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
"summary": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
"published_at": "2025-04-04T14:20:05Z",
"updated_at": "2026-02-04T03:51:38.412061Z",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-31486",
"https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647",
"https://github.com/vitejs/vite",
"https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290"
],
"aliases": [
"CVE-2025-31486",
"GHSA-xcj6-pq6g-qj4x"
],
"cve_ids": [
"CVE-2025-31486"
],
"ghsa_ids": [
"GHSA-xcj6-pq6g-qj4x"
],
"osv_ids": [],
"affected_versions": [
"introduced=6.2.0, fixed<6.2.5",
"introduced=6.1.0, fixed<6.1.4",
"introduced=6.0.0, fixed<6.0.14",
"introduced=5.0.0, fixed<5.4.17",
"introduced=0, fixed<4.5.12"
],
"fixed_versions": [
"6.2.5",
"6.1.4",
"6.0.14",
"5.4.17",
"4.5.12"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-31486.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

74
08-threat-intel/registry/advisories/vite--CVE-2025-32395.json
查看文件

@@ -1,74 +0,0 @@
{
"canonical_id": "vite--CVE-2025-32395",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
"summary": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
"published_at": "2025-04-11T14:06:03Z",
"updated_at": "2026-02-04T04:11:44.900383Z",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-32395",
"https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-32395",
"GHSA-356w-63v5-8wf4"
],
"cve_ids": [
"CVE-2025-32395"
],
"ghsa_ids": [
"GHSA-356w-63v5-8wf4"
],
"osv_ids": [],
"affected_versions": [
"introduced=6.2.0, fixed<6.2.6",
"introduced=6.1.0, fixed<6.1.5",
"introduced=6.0.0, fixed<6.0.15",
"introduced=5.0.0, fixed<5.4.18",
"introduced=0, fixed<4.5.13"
],
"fixed_versions": [
"6.2.6",
"6.1.5",
"6.0.15",
"5.4.18",
"4.5.13"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-32395.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

74
08-threat-intel/registry/advisories/vite--CVE-2025-46565.json
查看文件

@@ -1,74 +0,0 @@
{
"canonical_id": "vite--CVE-2025-46565",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite's server.fs.deny bypassed with /. for files under project root",
"summary": "Vite's server.fs.deny bypassed with /. for files under project root",
"published_at": "2025-04-30T17:40:27Z",
"updated_at": "2026-02-04T03:27:17.681639Z",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-46565",
"https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-46565",
"GHSA-859w-5945-r5v3"
],
"cve_ids": [
"CVE-2025-46565"
],
"ghsa_ids": [
"GHSA-859w-5945-r5v3"
],
"osv_ids": [],
"affected_versions": [
"introduced=6.3.0, fixed<6.3.4",
"introduced=6.2.0, fixed<6.2.7",
"introduced=6.0.0, fixed<6.1.6",
"introduced=5.0.0, fixed<5.4.19",
"introduced=0, fixed<4.5.14"
],
"fixed_versions": [
"6.3.4",
"6.2.7",
"6.1.6",
"5.4.19",
"4.5.14"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-46565.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

76
08-threat-intel/registry/advisories/vite--CVE-2025-58751.json
查看文件

@@ -1,76 +0,0 @@
{
"canonical_id": "vite--CVE-2025-58751",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite middleware may serve files starting with the same name with the public directory",
"summary": "Vite middleware may serve files starting with the same name with the public directory",
"published_at": "2025-09-09T20:55:56Z",
"updated_at": "2026-02-04T04:33:22.508417Z",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-58751",
"https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb",
"https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d",
"https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069",
"https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec",
"https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-58751",
"GHSA-g4jq-h2w9-997c"
],
"cve_ids": [
"CVE-2025-58751"
],
"ghsa_ids": [
"GHSA-g4jq-h2w9-997c"
],
"osv_ids": [],
"affected_versions": [
"introduced=7.1.0, fixed<7.1.5",
"introduced=7.0.0, fixed<7.0.7",
"introduced=6.0.0, fixed<6.3.6",
"introduced=0, fixed<5.4.20"
],
"fixed_versions": [
"7.1.5",
"7.0.7",
"6.3.6",
"5.4.20"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-58751.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

77
08-threat-intel/registry/advisories/vite--CVE-2025-58752.json
查看文件

@@ -1,77 +0,0 @@
{
"canonical_id": "vite--CVE-2025-58752",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "Vite's `server.fs` settings were not applied to HTML files",
"summary": "Vite's `server.fs` settings were not applied to HTML files",
"published_at": "2025-09-09T20:54:42Z",
"updated_at": "2026-02-04T04:35:16.287471Z",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-58752",
"https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f",
"https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e",
"https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea",
"https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
"https://github.com/vitejs/vite",
"https://github.com/vitejs/vite/blob/v7.1.5/packages/vite/CHANGELOG.md"
],
"aliases": [
"CVE-2025-58752",
"GHSA-jqfw-vq24-v9c3"
],
"cve_ids": [
"CVE-2025-58752"
],
"ghsa_ids": [
"GHSA-jqfw-vq24-v9c3"
],
"osv_ids": [],
"affected_versions": [
"introduced=7.1.0, fixed<7.1.5",
"introduced=7.0.0, fixed<7.0.7",
"introduced=6.0.0, fixed<6.3.6",
"introduced=0, fixed<5.4.20"
],
"fixed_versions": [
"7.1.5",
"7.0.7",
"6.3.6",
"5.4.20"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-58752.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

75
08-threat-intel/registry/advisories/vite--CVE-2025-62522.json
查看文件

@@ -1,75 +0,0 @@
{
"canonical_id": "vite--CVE-2025-62522",
"system_id": "vite",
"display_name": "Vite",
"category": "frameworks",
"advisory_mode": "core",
"title": "vite allows server.fs.deny bypass via backslash on Windows",
"summary": "vite allows server.fs.deny bypass via backslash on Windows",
"published_at": "2025-10-20T19:54:28Z",
"updated_at": "2026-02-04T04:13:38.886554Z",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"source_confidence": "official",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-62522",
"https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-62522",
"GHSA-93m4-6634-74q7"
],
"cve_ids": [
"CVE-2025-62522"
],
"ghsa_ids": [
"GHSA-93m4-6634-74q7"
],
"osv_ids": [],
"affected_versions": [
"introduced=7.1.0, fixed<7.1.11",
"introduced=7.0.0, fixed<7.0.8",
"introduced=6.0.0, fixed<6.4.1",
"introduced=2.9.18, fixed<5.4.21",
"introduced=3.2.9, fixed<5.4.21",
"introduced=4.5.3, fixed<5.4.21",
"introduced=5.2.6, fixed<5.4.21"
],
"fixed_versions": [
"7.1.11",
"7.0.8",
"6.4.1",
"5.4.21"
],
"package_name": "vite",
"render_markdown": true,
"case_path": "07-framework-security/frameworks/vite/cases/vite-cve-2025-62522.md",
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"status": "generated",
"triage_reasons": [],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"last_verified_at": null,
"last_run_id": "",
"evidence_bundle": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
},
"repro_profile_id": "vite-file-upload",
"artifact_mode": "synthetic",
"blocked_reason": null,
"metadata": {
"source_names": [],
"source_kinds": [],
"candidate_count": 1
}
}

41
08-threat-intel/registry/systems/gitea.json
查看文件

@@ -3,10 +3,10 @@
"display_name": "Gitea",
"category": "platforms",
"tier": "rolling-24m",
"total": 30,
"markdown_cases": 30,
"total": 0,
"markdown_cases": 0,
"triage_count": 0,
"latest_update": "2026-03-03T04:57:57.697708Z",
"latest_update": "",
"output_dir": "07-framework-security/platforms/gitea",
"secure_code_topics": [
"authz-server-side-recheck",
@@ -16,37 +16,6 @@
"verified_real": 0,
"verified_synthetic": 0,
"blocked_count": 0,
"manual_count": 30,
"items": [
"gitea--CVE-2026-0798",
"gitea--CVE-2026-20736",
"gitea--CVE-2026-20750",
"gitea--CVE-2026-20800",
"gitea--CVE-2026-20883",
"gitea--CVE-2026-20888",
"gitea--CVE-2026-20897",
"gitea--CVE-2026-20904",
"gitea--CVE-2026-20912",
"gitea--CVE-2025-69413",
"gitea--CVE-2025-68938",
"gitea--CVE-2025-68941",
"gitea--CVE-2025-68942",
"gitea--CVE-2025-68943",
"gitea--CVE-2025-68944",
"gitea--CVE-2025-68945",
"gitea--CVE-2025-68946",
"gitea--CVE-2022-42968",
"gitea--CVE-2021-45330",
"gitea--CVE-2022-0905",
"gitea--CVE-2022-1928",
"gitea--CVE-2022-27313",
"gitea--CVE-2022-30781",
"gitea--CVE-2021-29134",
"gitea--CVE-2021-45331",
"gitea--CVE-2021-45327",
"gitea--CVE-2022-38795",
"gitea--CVE-2022-38183",
"gitea--CVE-2021-3382",
"gitea--CVE-2022-1058"
]
"manual_count": 0,
"items": []
}

33
08-threat-intel/registry/systems/nextjs.json
查看文件

@@ -3,10 +3,10 @@
"display_name": "Next.js",
"category": "frameworks",
"tier": "history-full",
"total": 20,
"markdown_cases": 20,
"total": 5,
"markdown_cases": 5,
"triage_count": 0,
"latest_update": "2026-03-13T22:00:36.554552Z",
"latest_update": "2026-03-17T16:31:34.160932Z",
"output_dir": "07-framework-security/frameworks/nextjs",
"secure_code_topics": [
"authz-server-side-recheck",
@@ -16,27 +16,12 @@
"verified_real": 0,
"verified_synthetic": 0,
"blocked_count": 0,
"manual_count": 20,
"manual_count": 5,
"items": [
"nextjs--CVE-2025-59472",
"nextjs--CVE-2025-59471",
"nextjs--GHSA-5j59-xgg2-r9c4",
"nextjs--GHSA-w37m-7fhw-fmv9",
"nextjs--GHSA-mwv6-3258-q52c",
"nextjs--GHSA-9qr9-h5gf-34mp",
"nextjs--CVE-2025-57752",
"nextjs--CVE-2025-55173",
"nextjs--CVE-2025-57822",
"nextjs--CVE-2025-49826",
"nextjs--CVE-2025-49005",
"nextjs--CVE-2025-48068",
"nextjs--CVE-2025-32421",
"nextjs--CVE-2025-30218",
"nextjs--CVE-2024-56332",
"nextjs--CVE-2024-47831",
"nextjs--CVE-2024-46982",
"nextjs--CVE-2021-43803",
"nextjs--CVE-2021-37699",
"nextjs--CVE-2020-5284"
"nextjs--CVE-2026-29057",
"nextjs--CVE-2026-27980",
"nextjs--CVE-2026-27979",
"nextjs--CVE-2026-27978",
"nextjs--CVE-2026-27977"
]
}

27
08-threat-intel/registry/systems/undici.json
查看文件

@@ -3,33 +3,18 @@
"display_name": "Undici",
"category": "frameworks",
"tier": "rolling-24m",
"total": 14,
"markdown_cases": 14,
"total": 0,
"markdown_cases": 0,
"triage_count": 0,
"latest_update": "2026-03-14T09:19:54.772219Z",
"latest_update": "",
"output_dir": "07-framework-security/frameworks/undici",
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verified_real": 1,
"verified_real": 0,
"verified_synthetic": 0,
"blocked_count": 0,
"manual_count": 13,
"items": [
"undici--CVE-2026-1526",
"undici--CVE-2026-2229",
"undici--CVE-2026-1527",
"undici--CVE-2026-2581",
"undici--CVE-2026-1528",
"undici--CVE-2026-1525",
"undici--CVE-2026-22036",
"undici--CVE-2025-47279",
"undici--CVE-2025-22150",
"undici--CVE-2024-30261",
"undici--CVE-2024-30260",
"undici--CVE-2023-45143",
"undici--CVE-2022-31151",
"undici--CVE-2022-32210"
]
"manual_count": 0,
"items": []
}

23
08-threat-intel/registry/systems/vite.json
查看文件

@@ -3,10 +3,10 @@
"display_name": "Vite",
"category": "frameworks",
"tier": "history-full",
"total": 12,
"markdown_cases": 12,
"total": 0,
"markdown_cases": 0,
"triage_count": 0,
"latest_update": "2026-02-04T04:37:24.129476Z",
"latest_update": "",
"output_dir": "07-framework-security/frameworks/vite",
"secure_code_topics": [
"dependency-upgrade-policy",
@@ -16,19 +16,6 @@
"verified_real": 0,
"verified_synthetic": 0,
"blocked_count": 0,
"manual_count": 12,
"items": [
"vite--CVE-2025-62522",
"vite--CVE-2025-58751",
"vite--CVE-2025-58752",
"vite--CVE-2025-46565",
"vite--CVE-2025-32395",
"vite--CVE-2025-31486",
"vite--CVE-2025-31125",
"vite--CVE-2025-30208",
"vite--CVE-2025-24010",
"vite--CVE-2024-45812",
"vite--CVE-2024-45811",
"vite--CVE-2024-23331"
]
"manual_count": 0,
"items": []
}