GHSA SYNC: 1 brand new advisory (#970)

jasnow · web-flow · commit a888ef6672f9 · 2026-02-12T17:13:30.000-08:00
diff --git a/rubies/mruby/CVE-2025-7207.yml b/rubies/mruby/CVE-2025-7207.yml
@@ -0,0 +1,35 @@
+---
+engine: mruby
+cve: 2025-7207
+ghsa: 48pr-6hvf-39v3
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-7207
+title: Heap-based buffer overflow vulnerability in mruby 3.4.0
+date: 2025-07-08
+description: |
+  A vulnerability, which was classified as problematic, was found
+  in mruby up to 3.4.0. Affected is the function scope_new of
+  the file mrbgems/mruby-compiler/core/codegen.c of the component
+  nregs Handler. The manipulation leads to heap-based buffer overflow.
+  An attack has to be approached locally. The exploit has been
+  disclosed to the public and may be used. The name of the patch
+  is 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended
+  to apply a patch to fix this issue.
+cvss_v2: 1.7
+cvss_v3: 5.5
+cvss_v4: 4.4
+notes: |
+  - Not patched - mruby 3.5.0 has not been released as of 2026/02/07.
+  - Found Issue #6509 listed in **unreleased** mruby 3.5 file listed below.
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-7207
+    - https://github.com/mruby/mruby/blob/6f321251785c2396cb7e6a576ac2080c1adb4491/NEWS.md
+    - https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9.patch
+    - https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9
+    - https://github.com/mruby/mruby/issues/6509#event-17145516649
+    - https://github.com/mruby/mruby/issues/6509
+    - https://vuldb.com/?ctiid.315156
+    - https://vuldb.com/?id.315156
+    - https://vuldb.com/?submit.607683
+    - https://www.wiz.io/vulnerability-database/cve/cve-2025-7207
+    - https://github.com/advisories/GHSA-48pr-6hvf-39v3
