Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d39ac7299dce · 2026-03-25T21:04:38.000Z
GHSA-p2gh-cfq4-4wjc GHSA-v3rj-xjv7-4jmq
diff --git a/advisories/github-reviewed/2026/03/GHSA-p2gh-cfq4-4wjc/GHSA-p2gh-cfq4-4wjc.json b/advisories/github-reviewed/2026/03/GHSA-p2gh-cfq4-4wjc/GHSA-p2gh-cfq4-4wjc.json
@@ -0,0 +1,71 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p2gh-cfq4-4wjc",
+  "modified": "2026-03-25T21:02:08Z",
+  "published": "2026-03-25T21:02:08Z",
+  "aliases": [],
+  "summary": "Protobuf: Denial of Service issue through malicious messages containing negative varints or deep recursion",
+  "details": "### Impact\nA Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative `varint`s or deep recursion—can be used to crash the application, impacting service availability.\n\n### Patches\nPatches have been released to 5.34.0-RC1 and 4.33.6.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "google/protobuf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.33.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-p2gh-cfq4-4wjc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/protocolbuffers/protobuf/issues/24159"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/protocolbuffers/protobuf/issues/25067"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/protocolbuffers/protobuf/commit/60e93d2d104f2af9cd345b1c6f3891d91430244a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/protocolbuffers/protobuf/commit/c8e9b27d95c6ab2d0668b5889e7dac2c477b7038"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/protocolbuffers/protobuf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-25T21:02:08Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-v3rj-xjv7-4jmq/GHSA-v3rj-xjv7-4jmq.json b/advisories/github-reviewed/2026/03/GHSA-v3rj-xjv7-4jmq/GHSA-v3rj-xjv7-4jmq.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v3rj-xjv7-4jmq",
+  "modified": "2026-03-25T21:03:56Z",
+  "published": "2026-03-25T21:03:56Z",
+  "aliases": [],
+  "summary": "smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines",
+  "details": "### Summary\nAn attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.\n\nThe library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.\n\n### Proof of concept\n```js\nrequire(\"smol-toml\").parse('# comment\\n'.repeat(8000) + 'key = \"value\"')\n```\n\n### Impact\nApplications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input. Downstream users are supposed to properly handle errors in such situations.\n\nDue to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.\n\nAs a reminder, it is **strongly** advised when working with untrusted user input to expect errors to occur and to appropriately catch them.\n\n### Patches\nVersion 1.6.1 uses a different approach for parsing comments, which no longer involves recursion.\n\n### Workarounds\nWrap all invocations of `parse` and `stringify` in a try/catch block when dealing with untrusted user input.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "smol-toml"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.6.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/squirrelchat/smol-toml/security/advisories/GHSA-v3rj-xjv7-4jmq"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/squirrelchat/smol-toml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/squirrelchat/smol-toml/releases/tag/v1.6.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-674"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-25T21:03:56Z",
+    "nvd_published_at": null
+  }
+}
