Security
Headlines
HeadlinesLatestCVEs

Tag

#nginx

Under the engineering hood: Why Malwarebytes chose WordPress as its CMS

It might surprise some that a security company would choose WordPress as the backbone of its digital content operations. Here's what we considered when choosing it.

Malwarebytes
Open in Source
#sql#xss#csrf#vulnerability#web#windows#microsoft#ddos#redis#js#git#java#wordpress#intel#php#nginx#auth#ssl
GHSA-5ff5-9fcw-vg88: Astro's `X-Forwarded-Host` is reflected without validation

### Summary When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an `X-Forwarded-Host` header that is reflected when using the recommended `Astro.url` property as there is no validation that the value is safe. ### Details Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As such as malicious request can be sent with both a `Host` header and an `X-Forwarded-Host` header where the values do not match and the `X-Forwarded-Host` header is malicious. Astro will then return the malicious value. This could result in any usages of the `Astro.url` value in code being manipulated by a request. For example if a user follows guidance and uses `Astro.url` for a canonical link the canonical link can be manipulated to another site. It is not impossible to...

GHSA-6xw4-3v39-52mm: Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing

## Summary `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. ## Details When handling non-multipart form submissions, Rack’s request parser performs: ```ruby form_vars = get_header(RACK_INPUT).read ``` Since `read` is called with no argument, the entire request body is loaded into a Ruby `String`. This occurs before query parameter parsing or enforcement of any `params_limit`. As a result, Rack applications without an upstream body-size limit can experience unbounded memory allocation proportional to request size. ## Impact Attackers can send large `application/x-www-form-urlencoded` bodies to consume process memory, causing slowdowns or termination by the operating system (OOM). The effect sca...

GHSA-r657-rxjc-j557: Rack has a Possible Information Disclosure Vulnerability

## Summary A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions. ## Details When `Rack::Sendfile` received untrusted `x-sendfile-type` or `x-accel-mapping` headers from a client, it would interpret them as proxy configuration directives. This could cause the middleware to send a "redirect" response to the proxy, prompting it to reissue a new internal request that was **not subject to the proxy's access controls**. An attacker could exploit this by: 1. Setting a crafted `x-sendfile-type: x-accel-redirect` header. 2. Setting a crafted `x-accel-mapping` header. 3. Requesting a path that qualifies for proxy-based acceleration. ## Impact Attackers could bypass proxy-enforced restrictions and access inte...

GHSA-wpv5-97wm-hp9c: Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)

## Summary `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). ## Details While reading multipart headers, the parser waits for `CRLFCRLF` using: ```ruby @sbuf.scan_until(/(.*?\r\n)\r\n/m) ``` If the terminator never appears, it continues appending data (`@sbuf.concat(content)`) indefinitely. There is no limit on accumulated header bytes, so a single malformed part can consume memory proportional to the request body size. ## Impact Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. ## Mitigation * Upgrade to a patched Rack vers...

GHSA-w9pc-fmgc-vxvw: Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

## Summary `Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). ## Details During multipart parsing, file parts are streamed to temporary files, but non-file parts are buffered into memory: ```ruby body = String.new # non-file → in-RAM buffer @mime_parts[mime_index].body << content ``` There is no size limit on these in-memory buffers. As a result, any large text field—while technically valid—will be loaded fully into process memory before being added to `params`. ## Impact Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications p...

GHSA-625h-95r8-8xpm: Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters

## Summary `Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended. ## Details The issue arises because `Rack::QueryParser#check_query_string` counts only `&` characters when determining the number of parameters, but the default separator regex `DEFAULT_SEP = /[&;] */n` splits on both `&` and `;`. This mismatch means that queries using `;` separators were not included in the parameter count, allowing `params_limit` to be bypassed. Other safeguards (`bytesize_limit` and `key_space_limit`) still applied, but did not prevent this particular bypass. ## Impact Applications or middleware that directly invoke `Rack::QueryParser` with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited...

GHSA-9hp6-4448-45g2: Hono's flaw in URL path parsing could cause path confusion

### Summary A flaw in the `getPath` utility function could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location blocks). ### Details The original implementation relied on fixed character offsets when parsing request URLs. Under certain malformed absolute-form Request-URIs, this could lead to incorrect path extraction. Most standards-compliant runtimes and reverse proxies reject such malformed requests with a 400 Bad Request, so the impact depends on the application and environment. ### Impact If proxy ACLs are used to protect sensitive endpoints such as `/admin`, this flaw could have allowed unauthorized access. The confidentiality impact depends on what data is exposed: if sensitive administrative data is exposed, the impact may be High (CVSS 7.5); otherwise it may be Medium (CVSS 5.3). ### Resolution The implementation has been updated to correctly locate the first slash after "://", preventing such path confusion.

GHSA-v2ch-c8v8-fgr7: Versity panic induced by AWS chunked data sent to port

Sending AWS chunk data with no Content-Length HTTP header causes the panic, every time. ### Reproduction Setup versity server running on port 7071, no SSL (for ease of packet tracing with tshark). Problem can be reproduced with or without SSL on the versity end. Use nginx to reverse proxy on port 7070. This does have to be SSL enabled for the repro to occur. nginx config: ``` upstream tony_versity { server 127.0.0.1:7071; keepalive 15; } server { listen 7070 ssl ; access_log /var/log/nginx/tony_versity_proxy.access.log; error_log /var/log/nginx/tony_versity_proxy.error.log; # Allow any size file to be uploaded. client_max_body_size 0; # Allow special characters in headers ignore_invalid_headers off; # Disable buffering proxy_buffering off; proxy_request_buffering off; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; ssl_certificate "/WS/TEMP/lh.crt"; ss...

GHSA-4h45-jpvh-6p5j: Rancher affected by unauthenticated Denial of Service

### Impact A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. This allows a malicious user to exploit this by sending excessively large payloads, which are fully loaded into memory during processing. This could result in: - Denial of Service (DoS): The server process may crash or become unresponsive when memory consumption exceeds available resources. - Unauthenticated and authenticated exploitation: While the issue was initially observed in unauthenticated `/v3-public/*` endpoints, the absence of request body size limits also affected several authenticated APIs, broadening the potential attack surface. It's worth noting that other areas in Rancher do implement safeguards: requests proxied to Kubernetes APIs are subject to built-in size limits enforced by the [Kubernetes API server itself](https://github.com/kubernetes/kubernetes/blob/v1.33.4/staging/src/k8s...