@@ -27,7 +27,7 @@ public disclosure.
2727
2828## Known Vulnerabilities
2929
30- Last reviewed: 2026-04-21
30+ Last reviewed: 2026-05-20
3131
3232### [ HIGH] CVE-2026 -31790 · OpenSSL Vulnerability in Alpine Base Image
3333
@@ -195,6 +195,91 @@ attacker-controlled URLs. Charon's application logic does not use busybox wget.
195195Monitor Alpine 3.23 for a patched busybox APK. No immediate action required. Practical risk to
196196Charon users is negligible since the vulnerable code path is not exercised.
197197
198+ ---
199+
200+ ### [ HIGH] CVE-2026 -45135 · Caddy FastCGI Unsafe Unicode Handling in splitPos
201+
202+ | Field | Value |
203+ | --------------| -------|
204+ | ** ID** | CVE-2026 -45135 |
205+ | ** Severity** | High · 8.1 |
206+ | ** Status** | Fix in Dockerfile (v2.11.3) — Pending Image Rebuild |
207+
208+ ** What**
209+ Caddy v2.11.2 contains unsafe Unicode handling in the FastCGI ` splitPos ` function. A
210+ network-reachable attacker (no privileges required, high attack complexity) can trigger
211+ potential confidentiality and integrity impact through malformed Unicode in FastCGI requests.
212+
213+ ** Who**
214+
215+ - Discovered by: Automated scan (Trivy image scan)
216+ - Reported: 2026-05-20
217+ - Affects: Charon deployments using the FastCGI reverse proxy capability
218+
219+ ** Where**
220+
221+ - Component: ` github.com/caddyserver/caddy/v2 ` v2.11.2 (embedded in Charon binary via xcaddy)
222+ - Versions affected: Caddy < v2.11.3
223+
224+ ** When**
225+
226+ - Discovered: 2026-05-20
227+ - Disclosed (if public): Public
228+ - Target fix: v2.11.3 (available)
229+
230+ ** How**
231+ Caddy is not a Go module dependency — it is built from source via xcaddy in the Dockerfile
232+ multi-stage build. The ` CADDY_VERSION ` ARG in the Dockerfile ** is already pinned to 2.11.3** ,
233+ which contains the fix. The vulnerability only affects the stale ` charon:local ` image built
234+ before this Dockerfile change. A container image rebuild applies the fix.
235+
236+ ** Planned Remediation**
237+ Rebuild the container image. No code changes required. The fix is already present in the
238+ Dockerfile (` ARG CADDY_VERSION=2.11.3 ` ).
239+
240+ ---
241+
242+ ### [ HIGH] CVE-2026 -32286 · pgproto3 DoS via Negative DataRow Field Length
243+
244+ | Field | Value |
245+ | --------------| -------|
246+ | ** ID** | CVE-2026 -32286 |
247+ | ** Severity** | High · 7.5 |
248+ | ** Status** | Awaiting Upstream |
249+
250+ ** What**
251+ ` github.com/jackc/pgproto3/v2 ` v2.3.3 — ` DataRow.Decode ` does not validate field length
252+ before allocation. A malicious or compromised PostgreSQL server can send a DataRow message
253+ with a negative field length to trigger a panic or excessive memory allocation, causing denial
254+ of service (CWE-400).
255+
256+ ** Who**
257+
258+ - Discovered by: Automated scan (Trivy image scan)
259+ - Reported: 2026-05-20
260+ - Affects: Charon deployments connecting to an untrusted PostgreSQL server (non-default)
261+
262+ ** Where**
263+
264+ - Component: ` github.com/jackc/pgproto3/v2 ` v2.3.3 (transitive Go dependency)
265+ - Versions affected: pgproto3/v2 < patched version
266+
267+ ** When**
268+
269+ - Discovered: 2026-05-20
270+ - Disclosed (if public): Public
271+ - Target fix: When upstream publishes a patched release
272+
273+ ** How**
274+ Exploitation requires a malicious or compromised PostgreSQL server to send a crafted DataRow
275+ message. Charon's default installation uses SQLite and does not connect to PostgreSQL. Users
276+ deploying Charon with a PostgreSQL backend (non-standard configuration) may be exposed if the
277+ database server is untrusted. EPSS score not yet available.
278+
279+ ** Planned Remediation**
280+ Monitor https://github.com/jackc/pgproto3 for a fix release. Upgrade the indirect dependency
281+ once a patched version is available. Pre-existing; not introduced by PR #1031 .
282+
198283## Patched Vulnerabilities
199284
200285### ✅ [ HIGH] CVE-2026 -34040 · Docker AuthZ Plugin Bypass via Oversized Request Body
@@ -756,4 +841,4 @@ We recognize security researchers who help improve Charon:
756841
757842---
758843
759- **Last Updated**: 2026-03-24
844+ **Last Updated**: 2026-05-18
0 commit comments