
Commit cff1627

1 parent 5dd5ac7 commit cff1627

3 files changed

Lines changed: 264 additions & 10 deletions


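--- a/advisories/unreviewed/2025/03/GHSA-f4hp-rmr7-r7v8/GHSA-f4hp-rmr7-r7v8.json
+++ b/advisories/github-reviewed/2025/03/GHSA-f4hp-rmr7-r7v8/GHSA-f4hp-rmr7-r7v8.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f4hp-rmr7-r7v8",
-"modified": "2025-03-31T15:30:48Z",
+"modified": "2026-06-09T21:56:31Z",
 "published": "2025-03-31T15:30:48Z",
 "aliases": [
 "CVE-2025-2998"
 ],
+"summary": "PyTorch is Vulnerable to Memory Consumption through pad_packed_sequence Function",
 "details": "A vulnerability was found in PyTorch 2.6.0. It has been declared as critical. Affected by this vulnerability is the function torch.nn.utils.rnn.pad_packed_sequence. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.",
 "severity": [
 {
@@ -14,10 +15,30 @@
 },
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "torch"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"last_affected": "2.6.0"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
@@ -31,6 +52,18 @@
 "type": "WEB",
 "url": "https://github.com/pytorch/pytorch/issues/149622#issue-2935495265"
 },
+{
+"type": "WEB",
+"url": "https://github.com/pytorch/pytorch/commit/494518046816d29099b7d056a74ffa5c244fdcdd"
+},
+{
+"type": "WEB",
+"url": "https://github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2025-192.yaml"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/pytorch/pytorch"
+},
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.302047"
@@ -49,8 +82,8 @@
 "CWE-119"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-06-09T21:56:31Z",
 "nvd_published_at": "2025-03-31T14:15:20Z"
 }
 }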
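Review bot: The new `affected` range ends with `"last_affected": "2.6.0"` while the same section adds the upstream fix commit (`https://github.com/pytorch/pytorch/commit/494518046816d29099b7d056a74ffa5c244fdcdd`) to `references`; in OSV semantics `last_affected` means no fix is known, so range-driven tooling (Dependabot, pip-audit and the like) cannot clear any later torch release. If that commit shipped in a release, the event should read `{"fixed": "<FIRST-TORCH-RELEASE-CONTAINING-494518046816d>"}` (the version is not on this page) instead of `last_affected`. The second section (GHSA-x3gm-94wq-g975) uses the same `last_affected` shape but cites no fix commit, so it may well be correct there. Separately, the added `summary` says "Memory Consumption" while `details` and the `CWE-119` entry describe memory corruption; one of the two presumably needs aligning with the referenced issue.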

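--- a/advisories/unreviewed/2025/03/GHSA-x3gm-94wq-g975/GHSA-x3gm-94wq-g975.json
+++ b/advisories/github-reviewed/2025/03/GHSA-x3gm-94wq-g975/GHSA-x3gm-94wq-g975.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x3gm-94wq-g975",
-"modified": "2025-03-10T15:30:47Z",
+"modified": "2026-06-09T21:57:46Z",
 "published": "2025-03-10T15:30:47Z",
 "aliases": [
 "CVE-2025-2149"
 ],
+"summary": "PyTorch: Manipulation of the argument scale/zero_point leads to improper initialization via Quantized Sigmoid Module",
 "details": "A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.",
 "severity": [
 {
@@ -14,10 +15,30 @@
 },
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "torch"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"last_affected": "2.6.0"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
@@ -31,6 +52,14 @@
 "type": "WEB",
 "url": "https://github.com/pytorch/pytorch/issues/147818#issue-2877301660"
 },
+{
+"type": "WEB",
+"url": "https://github.com/pypa/advisory-database/tree/main/vulns/torch/PYSEC-2025-190.yaml"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/pytorch/pytorch"
+},
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.299060"
@@ -49,8 +78,8 @@
 "CWE-665"
 ],
 "severity": "LOW",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-06-09T21:57:46Z",
 "nvd_published_at": "2025-03-10T13:15:36Z"
 }
 }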
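--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,192 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-fqc7-9xjw-jrh3",
+"modified": "2026-06-09T21:58:11Z",
+"published": "2026-06-09T21:58:11Z",
+"aliases": [
+"CVE-2026-47767"
+],
+"summary": "SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch",
+"details": "### Description\n\nCVE-2024-50340 (GHSA-x8vp-gf4q-mw5j) addressed an issue where, with `register_argc_argv=On`, a crafted query string let an unauthenticated GET change the kernel environment and debug flag by feeding `--env`/`--no-debug` through `$_SERVER['argv']`. The fix shipped in `symfony/runtime` 5.4.46 / 6.4.14 / 7.1.7 gated the argv read on `empty($_GET)` as a proxy for \"is this a CLI invocation\".\n\nThat proxy is unsafe: `parse_str()` (which builds `$_GET`) and the web SAPI (which builds `$_SERVER['argv']` from the raw query when `register_argc_argv=On`) do not agree on every input, so an attacker can craft a query that leaves `$_GET` empty while `$_SERVER['argv']` carries the attacker's flags. `SymfonyRuntime::getInput()` then parses them, restoring the exact primitive CVE-2024-50340 was meant to prevent.\n\nPreconditions and impact match the original CVE: web SAPI, `register_argc_argv=On`, app booted through `symfony/runtime`; from an unauthenticated GET an attacker can flip `APP_ENV` and toggle `APP_DEBUG`.\n\n### Resolution\n\n`SymfonyRuntime` now gates the argv read on `isset($_SERVER['QUERY_STRING'])` rather than on `empty($_GET)`. `QUERY_STRING` is the same input the SAPI uses to build argv, so the security check and the thing it protects no longer parse different sources. Worker SAPIs (FrankenPHP / RoadRunner / Swoole) keep working because the runtime constructor runs once at boot when `QUERY_STRING` is unset.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/3228c3806ee511008bea19a95084d460b17e5d25) for branch 5.4.\n\n### Credits\n\nSymfonyRuntime would like to thank 0xEr3n for reporting the issue and Nicolas Grekas for providing the fix.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "symfony/runtime"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.4.46"
+},
+{
+"fixed": "5.4.52"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "symfony/runtime"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.4.14"
+},
+{
+"fixed": "6.4.40"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "symfony/runtime"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "7.1.7"
+},
+{
+"fixed": "7.4.12"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "symfony/runtime"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "8.0.0"
+},
+{
+"fixed": "8.0.12"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "symfony/symfony"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.4.46"
+},
+{
+"fixed": "5.4.52"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "symfony/symfony"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.4.14"
+},
+{
+"fixed": "6.4.40"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "symfony/symfony"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "7.1.7"
+},
+{
+"fixed": "7.4.12"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "symfony/symfony"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "8.0.0"
+},
+{
+"fixed": "8.0.12"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/symfony/symfony/security/advisories/GHSA-fqc7-9xjw-jrh3"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/symfony/symfony"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-20",
+"CWE-436",
+"CWE-74"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-06-09T21:58:11Z",
+"nvd_published_at": null
+}
+}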
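Review bot: The structured `references` array in this new advisory carries only the GHSA and PACKAGE links, while the fix commit and the advisory it bypasses (GHSA-x8vp-gf4q-mw5j / CVE-2024-50340) appear only inside the `details` markdown, so consumers that read `references` rather than free text will see neither. I would add `{ "type": "WEB", "url": "https://github.com/symfony/symfony/commit/3228c3806ee511008bea19a95084d460b17e5d25" }` and a second `WEB` entry pointing at the GHSA-x8vp-gf4q-mw5j advisory, which makes the patch-bypass lineage machine-readable (the sibling PyTorch sections in this commit already list their fix commit this way). The `details` text also states the linked patch is for branch 5.4 only, yet four `fixed` versions are asserted; if per-branch commits exist, referencing them would let the 6.4.40 / 7.4.12 / 8.0.12 boundaries be verified independently of the 5.4 backport.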
