Publish Advisories

GHSA-887w-45rq-vxgf
GHSA-32q2-hhr5-6qvv
GHSA-77vg-94rm-hx3p
GHSA-9rmh-mm8f-r9h6
GHSA-pr6f-5x2q-rwfp
GHSA-rcqx-6q8c-2c42
GHSA-w4c6-7r69-w7j9

Author: advisory-database[bot]

advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-887w-45rq-vxgf",
-  "modified": "2026-04-24T16:37:33Z",
+  "modified": "2026-06-09T18:41:13Z",
   "published": "2019-04-16T15:50:41Z",
   "aliases": [
     "CVE-2019-7164"

advisories/github-reviewed/2026/05/GHSA-32q2-hhr5-6qvv/GHSA-32q2-hhr5-6qvv.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-32q2-hhr5-6qvv",
-  "modified": "2026-05-21T17:57:32Z",
+  "modified": "2026-06-09T18:41:40Z",
   "published": "2026-05-21T17:57:32Z",
   "aliases": [
     "CVE-2026-46492"
@@ -40,9 +40,17 @@
       "type": "WEB",
       "url": "https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46492"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/commenthol/md-fileserver"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3"
     }
   ],
   "database_specific": {
@@ -53,6 +61,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-05-21T17:57:32Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-06-09T17:17:33Z"
   }
 }

advisories/github-reviewed/2026/05/GHSA-77vg-94rm-hx3p/GHSA-77vg-94rm-hx3p.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-77vg-94rm-hx3p",
-  "modified": "2026-05-14T20:23:47Z",
+  "modified": "2026-06-09T18:41:24Z",
   "published": "2026-05-14T20:23:47Z",
   "aliases": [
     "CVE-2026-42570"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/sveltejs/devalue/security/advisories/GHSA-77vg-94rm-hx3p"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42570"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/sveltejs/devalue/commit/206ca6712fbc380a4571c59de9ab04b91110792d"
@@ -63,6 +67,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-05-14T20:23:47Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-06-09T17:17:07Z"
   }
 }

advisories/github-reviewed/2026/05/GHSA-9rmh-mm8f-r9h6/GHSA-9rmh-mm8f-r9h6.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9rmh-mm8f-r9h6",
-  "modified": "2026-05-14T20:29:05Z",
+  "modified": "2026-06-09T18:41:19Z",
   "published": "2026-05-14T20:29:05Z",
   "aliases": [
     "CVE-2026-42567"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-9rmh-mm8f-r9h6"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42567"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/sveltejs/svelte"
@@ -59,6 +63,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-05-14T20:29:05Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-06-09T17:17:07Z"
   }
 }

advisories/github-reviewed/2026/05/GHSA-pr6f-5x2q-rwfp/GHSA-pr6f-5x2q-rwfp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pr6f-5x2q-rwfp",
-  "modified": "2026-05-14T20:19:42Z",
+  "modified": "2026-06-09T18:41:32Z",
   "published": "2026-05-14T20:19:42Z",
   "aliases": [
     "CVE-2026-42599"
@@ -47,6 +47,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27121"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42599"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/sveltejs/svelte"
@@ -63,6 +67,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-05-14T20:19:42Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-06-09T17:17:07Z"
   }
 }

advisories/github-reviewed/2026/05/GHSA-rcqx-6q8c-2c42/GHSA-rcqx-6q8c-2c42.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rcqx-6q8c-2c42",
-  "modified": "2026-05-14T20:29:13Z",
+  "modified": "2026-06-09T18:41:27Z",
   "published": "2026-05-14T20:29:13Z",
   "aliases": [
     "CVE-2026-42573"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-rcqx-6q8c-2c42"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42573"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/sveltejs/svelte"
@@ -59,6 +63,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-05-14T20:29:13Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-06-09T17:17:07Z"
   }
 }

advisories/github-reviewed/2026/06/GHSA-w4c6-7r69-w7j9/GHSA-w4c6-7r69-w7j9.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w4c6-7r69-w7j9",
-  "modified": "2026-06-05T16:41:58Z",
+  "modified": "2026-06-09T18:40:44Z",
   "published": "2026-06-05T16:41:58Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-52880"
+  ],
   "summary": "klever-go: REST API slow-header connection exhaustion via Gin Engine.Run",
   "details": "### Summary\n\nThe Klever seednode REST API starts a Gin engine with `Engine.Run(restAPIInterface)`. In Gin v1.9.1, `Engine.Run` calls Go's default `http.ListenAndServe`, which constructs an HTTP server without application-level `ReadHeaderTimeout`, `ReadTimeout`, or `MaxHeaderBytes` limits.\n\nAn unauthenticated client that can reach a REST listener bound with Klever's documented `--rest-api-interface :8080` all-interface option can hold incomplete HTTP headers open indefinitely. In a local proof against the real `cmd/seednode/api.Start` path on `v1.7.17`, 120 slow-header connections caused 20/20 legitimate `/log` probes to fail with `accept: too many open files`. A fixed control using the same Gin router behind an explicit `http.Server` with `ReadHeaderTimeout`, `ReadTimeout`, and `MaxHeaderBytes` retained 0 slow connections and served 20/20 probes.\n\nThis report is distinct from the P2P advisories and from my direct-message goroutine report. This finding concerns Klever-owned HTTP REST startup code (`cmd/seednode/api` and `network/api`) using Gin `Engine.Run` without server-level header deadlines. It does not depend on `MultiDataInterceptor`, `Batch.Decompress`, libp2p, malformed P2P messages, or direct-message goroutine spawning.\n\n### Details\n\nSeednode REST API, latest release `v1.7.17`:\n\n- `cmd/seednode/api/api.go:17` defines `Start(restAPIInterface, marshalizer)`.\n- `cmd/seednode/api/api.go:18` creates `ws := gin.Default()`.\n- `cmd/seednode/api/api.go:23` returns `ws.Run(restAPIInterface)`.\n- `cmd/seednode/CLI.md:23` documents `--rest-api-interface`; it says `:8080` binds all interfaces and `off` disables the API.\n\nNode REST API, latest release `v1.7.17`:\n\n- `network/api/api.go:79` creates `ws = gin.Default()`.\n- `network/api/api.go:98` returns `ws.Run(kleverFacade.RestAPIInterface())`.\n- `cmd/node/main.go:147-150` documents the same `--rest-api-interface` flag and says `:8080` binds all interfaces.\n- `docker/README.md:56-61` and `docker/README.md:67-70` publish host port `8080` for full-node and validator Docker examples.\n- `README.md:264-268` documents that the node exposes a REST API for blockchain queries and operations.\n\nThe seednode REST API source is byte-identical across `v1.7.14` through `v1.7.17`; the captured runtime PoC was executed on `v1.7.17`.\n\nCurrent `develop` commit `10bcfd50` remains affected:\n\n- `network/api/api.go:98` still returns `ws.Run(kleverFacade.RestAPIInterface())`.\n- `cmd/seednode/api/api.go:59` still returns `ws.Run(restAPIInterface)`.\n\nGin v1.9.1 implements `Engine.Run` as:\n\n```go\nfunc (engine *Engine) Run(addr ...string) (err error) {\n    address := resolveAddress(addr)\n    err = http.ListenAndServe(address, engine.Handler())\n    return\n}\n```\n\nIn my source sweep, I did not find a production `http.Server{ReadHeaderTimeout: ...}` wrapper for either REST start path. The only `ReadHeaderTimeout` hit I found in the repository was a test helper under `network/api/websocket/routes_test.go`.\n\n### PoC\n\nGitHub Private Vulnerability Reporting does not appear to allow file attachments in this form, so I am including the reproduction command and captured output inline. I can paste the full 254-line Go test patch in a reply immediately if useful.\n\nThe test starts two local child servers:\n\n1. Vulnerable: the real `cmd/seednode/api.Start` path.\n2. Fixed control: the same Gin router served through `http.Server{ReadHeaderTimeout: 250ms, ReadTimeout: 250ms, MaxHeaderBytes: 4096}`.\n\nReproduction from a clean checkout:\n\n```bash\ngit clone https://github.com/klever-io/klever-go\ncd klever-go\ngit checkout v1.7.17\n\n# Apply the PoC patch to cmd/seednode/api.\n# I can provide the full patch in this advisory thread.\n\ngo test ./cmd/seednode/api -run TestPoC_SeednodeAPISlowlorisDifferential -count=1 -v -timeout 60s\n```\n\nCaptured output on `v1.7.17`:\n\n```text\nPOC_RESULT mode=vulnerable slow_connections_opened=120 slow_connections_still_open=111 legitimate_probe_ok=0 legitimate_probe_fail=20\nPOC_RESULT mode=fixed slow_connections_opened=120 slow_connections_still_open=0 legitimate_probe_ok=20 legitimate_probe_fail=0\n```\n\nThe vulnerable server also logs repeated accept failures:\n\n```text\nhttp: Accept error: accept tcp 127.0.0.1:56415: accept: too many open files; retrying in 1s\n```\n\n### Impact\n\nFor an externally reachable Klever REST listener, a single unauthenticated client can retain many server-side connections by never completing HTTP headers. Because the Go server has no read-header deadline, those connections persist until the client closes them or an external proxy/firewall intervenes.\n\nThe direct result is REST API unavailability for legitimate clients. The local proof demonstrates this as 0/20 legitimate `/log` probes succeeding while the vulnerable server is saturated, versus 20/20 succeeding with the fixed server wrapper.\n\nI am not claiming default public internet exposure. The default bind is `localhost:8080`. The affected condition is a REST API listener exposed through Klever's documented all-interface bind or Docker port-publish deployment shape.\n\nThis maps to the `SECURITY.md` High category: \"Denial of Service affecting network availability.\" If Klever treats externally reachable REST API unavailability as non-critical because the default bind is localhost, the conservative classification is Medium under \"Performance degradation attacks\" / \"Non-critical DoS vectors.\"\n\nAll testing was local loopback only. I did not contact Klever mainnet, public testnet, hosted RPCs, explorers, or third-party production infrastructure.\n\nSuggested fix:\n\nStart both REST APIs through explicit `http.Server` values instead of `Engine.Run`, for example:\n\n```go\nsrv := &http.Server{\n    Addr:              restAPIInterface,\n    Handler:           ws.Handler(),\n    ReadHeaderTimeout: 5 * time.Second,\n    ReadTimeout:       10 * time.Second,\n    WriteTimeout:      30 * time.Second,\n    IdleTimeout:       120 * time.Second,\n    MaxHeaderBytes:    32 << 10,\n}\nreturn srv.ListenAndServe()\n```\n\nApply the same pattern to:\n\n- `cmd/seednode/api.Start`\n- `network/api.Start`\n\nIf Klever expects deployments to expose the REST API through a reverse proxy, I still recommend setting server-level limits in the application. That keeps the binary safe when operators use the documented direct bind or Docker port-publish path.",
   "severity": [