Bugbunny-Research

**Name of the Vulnerable Software and Affected Versions** authentik versions prior to 2025.12.5 authentik versions 2026.2.0-rc1 through 2026.2.2 **Description** An authentication bypass exists due to SAML NameID XML Comment Injection. The software incorrectly extracts the `NameID` value from a SAML assertion, allowing an attacker to inject an XML comment that truncates the value. This enables an attacker with an account on a SAML Source and the ability to modify their `NameID` (such as a username or email) to gain access to other user accounts, provided that XML Signing is enabled. **Recommendations** Update versions prior to 2025.12.5 to 2025.12.5. Update versions 2026.2.0-rc1 through 2026.2.2 to 2026.2.3.

**Name of the Vulnerable Software and Affected Versions** ERPNext versions prior to 16.9.1 **Description** Certain endpoints in this open source Enterprise Resource Planning tool fail to enforce proper authorization checks, which allows users to modify data beyond the permissions assigned to their role. **Recommendations** Update to version 16.9.1.

**Name of the Vulnerable Software and Affected Versions** dalfox (affected versions not specified) **Description** A structural ordering error in the `ParameterAnalysis()` function within `pkg/scanning/parameterAnalysis.go` allows an unauthenticated remote attacker to crash the dalfox server process. The issue occurs because the `results` channel is closed after the first worker stage completes, but is then passed to a second worker stage that processes POST-body parameters. When the `processParams()` function identifies a reflected parameter in the second stage, it attempts to write to the already-closed `results` channel, triggering a Go runtime panic. This can be remotely triggered via the REST API (default port 6664) when the `data` variable is provided in the request and the target URL reflects at least one parameter. Since the default configuration does not require an API key, any network peer can execute this attack, leading to a complete denial of service where the server process terminates and requires a manual restart. **Recommendations** Allocate a fresh `results` channel for the second stage of parameter analysis instead of reusing the closed channel from the first stage. Merge both parameter maps into a single shared queue and worker stage to eliminate the two-stage design. As a temporary workaround, implement a `recover` mechanism within the `processParams()` goroutines to prevent the entire process from crashing when a panic occurs.

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an uploaded .audiobookshelf ZIP file entirely into memory using zip.entryData(), with no limit on the decompressed size. The upload middleware also has no file size limit. An admin user can upload a crafted ZIP containing a highly compressed details entry that, when decompressed, consumes hundreds of megabytes or gigabytes of memory, crashing the server process via out-of-memory. This vulnerability is fixed in 2.32.2.

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validate that a resolved file path is within a library folder. This check fails for sibling directories whose names share a common prefix (e.g., /audiobooks vs /audiobooks-private), allowing authenticated users with upload permission to probe file existence outside their authorized library folder boundaries. This vulnerability is fixed in 2.32.2.

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to each collection's library. An authenticated user with access to any library can enumerate and read collections (including full book metadata) from libraries they are explicitly restricted from accessing. This vulnerability is fixed in 2.32.2.

**Name of the Vulnerable Software and Affected Versions** Audiobookshelf versions prior to 2.32.2 **Description** An issue exists in the 'GET /api/libraries/:id/download' endpoint where the system validates if a user has access to the library specified in the URL path but fails to constrain the fetched downloadable items to that specific library. Consequently, an authenticated user with download permissions and access to at least one library can exfiltrate the full file contents of items from any other library, including those to which they are explicitly denied access, by providing specific item IDs. **Recommendations** Update to version 2.32.2.

**Name of the Vulnerable Software and Affected Versions** go-git versions prior to v5 **Description** `go-git` may parse malformed Git objects differently than upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, the decoded representation in `go-git` may expose values that differ from how Git interprets or rejects the same object. Furthermore, commit signing and verification logic operates on commit data reconstructed from the parsed representation instead of the original raw object bytes. This can lead to `go-git` signing or verifying a commit payload that is not byte-for-byte equivalent to the object stored in the repository, potentially making a signature appear valid for a commit with metadata that differs from the intended signed object. **Recommendations** Upgrade to a supported version of go-git (v5 or later).

**Name of the Vulnerable Software and Affected Versions** Outline versions prior to 1.7.0 **Description** The 'shares.create' API accepts both `collectionId` and `documentId` simultaneously. When `published` is set to false, the system only verifies read access for each, skipping the required share permission check. A subsequent 'shares.update' call authorizes publication using an OR policy, meaning the user only needs share permissions for either the collection or the document. This allows an attacker with share permissions on an unrelated collection to publish a share that exposes an arbitrary document they are not authorized to share, making it accessible to unauthenticated users. **Recommendations** Update to version 1.7.0.

**Name of the Vulnerable Software and Affected Versions** Outline versions prior to 1.7.0 **Description** An issue exists in the `ZipHelper.extract` function where the extraction path for each entry is computed by passing a full filesystem path through `trimFileAndExt`. This helper function uses `path.basename` when truncating. If a zip entry's nested path exceeds the `MAX PATH LENGTH` (4096 bytes), `trimFileAndExt` removes all directory components and returns only the filename. Consequently, `fs.createWriteStream` opens the file relative to the process working directory rather than within the intended extraction sandbox. Because `cleanupExtractedData` only removes the temporary extraction directory, the escaped file remains on the system after import cleanup. **Recommendations** Update to version 1.7.0.

**Name of the Vulnerable Software and Affected Versions** Volcano versions prior to 1.14.2 Volcano versions prior to 1.13.3 Volcano versions prior to 1.12.4 **Description** The Volcano webhook server fails to enforce a size limit on incoming HTTP request bodies. This allows any in-cluster pod capable of reaching the webhook endpoint to send an arbitrarily large request body, which may lead to the server being terminated due to Out-of-Memory (OOM), a condition where the system exhausts its available RAM and the operating system kills the process to recover. **Recommendations** Upgrade to version 1.14.2. Upgrade to version 1.13.3. Upgrade to version 1.12.4.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.11.0 **Description** NodeVM's builtin allowlist can be bypassed when the `module` builtin is allowed, including when the `*` wildcard is used. The `module` builtin exposes Node's `Module. load()` function, which loads any module by name directly in the host context, completely bypassing restrictions. This allows sandboxed code to load excluded builtins, such as `child process`, leading to remote code execution on the host system. **Recommendations** Update to version 3.11.0. As a temporary workaround, explicitly exclude the `module` builtin from the allowlist configuration to prevent sandboxed code from accessing `Module. load()`.

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.11.0 **Description** NodeVM's `require.root` path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in the host context. This occurs because path validation uses `path.resolve()`, which does not dereference symlinks, while module loading uses Node's native `require()` function, which does. An attacker can exploit this discrepancy to load arbitrary host-realm modules and achieve remote code execution. The issue is specifically located in the `isPathAllowed()` and `loadJS()` functions within `lib/resolver-compat.js`, and the `resolve()` function in `lib/filesystem.js`. **Recommendations** Update to version 3.11.0. As a temporary workaround, restrict the use of filesystem symlinks within the allowed root directory to prevent unauthorized module loading.

Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.81.1 Description The Orbit agent’s FileVault disk encryption key rotation flow collects a local user’s password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command("expect", "-c", script)`. Because the password is inserted into Tcl brace-quoted `send {%s}`, a password containing `}` terminates the literal and injects arbitrary Tcl commands. Since Orbit runs as root, this allows a local unprivileged user to escalate to root privileges. Recommendations Update to Fleet version 4.81.1 or later.

**Name of the Vulnerable Software and Affected Versions** OpenFGA versions 0.1.4 through 1.13.1 **Description** When configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the '/playground' endpoint. This endpoint is enabled by default and does not require authentication, as it is intended for local development and debugging rather than production environments. The issue affects instances running with the `--authn-method` set to preshared, where the playground is enabled and accessible beyond localhost or trusted networks. **Recommendations** Upgrade to OpenFGA version 1.14.0. Disable the playground by running `./openfga run --playground-enabled=false.`

Name of the Vulnerable Software and Affected Versions OpenFGA versions 1.8.0 through 1.13.1 Description OpenFGA is an authorization/permission engine. BatchCheck calls with multiple checks for the same object, relation, and user can lead to improper policy enforcement under specific conditions. Recommendations Update to version 1.14.0 or later.

Name of the Vulnerable Software and Affected Versions Directus (affected versions not specified) Description When `GRAPHQL INTROSPECTION=false` is configured, Directus blocks standard GraphQL introspection queries but the `/graphql/system` endpoint's `server specs graphql` resolver returns an equivalent SDL representation of the schema. This bypasses introspection controls, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level. Administrators setting `GRAPHQL INTROSPECTION=false` had a false sense of security, as schema information remained accessible via the SDL endpoint. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Directus versions prior to 11.16.1 **Description** Directus' TUS resumable upload endpoint (`/files/tus`) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks on `directus files`, but does not validate item-level access to the specific file being replaced. This bypasses row-level permission rules. As a result, an attacker can overwrite any file in `directus files` by UUID, leading to potential data loss and metadata corruption. Privilege escalation is possible if admin-owned files are stored in `directus files`. **Recommendations** Update to version 11.16.1 or later. As a workaround, disable TUS uploads by setting `TUS ENABLED=false` if resumable uploads are not required.

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.33.4 Description Budibase is an open-source low-code platform. The plugin file upload endpoint, ''/api/plugin/upload'', passes user-supplied filenames directly to the `createTempFolder()` function without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing '../' to delete arbitrary directories using `rmSync` and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. Recommendations Update to version 3.33.4 or later.

**Name of the Vulnerable Software and Affected Versions** lodash versions prior to 4.18.0 **Description** The software contains a flaw related to template compilation. Specifically, insufficient validation of key names within the `options.imports` object used by the ` .template` function can allow an attacker to inject default-parameter expressions, leading to arbitrary code execution. The issue arises because validation applied to the `option` variable is not extended to the `options.imports` key names. Furthermore, the use of `assignInWith` can introduce vulnerabilities if `Object.prototype` has been compromised, potentially copying polluted keys into the imports object and ultimately executing malicious code. **Recommendations** Upgrade to version 4.18.0. Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.