Jaroslav Lobačevski

**Name of the Vulnerable Software and Affected Versions** WilderForge (affected versions not specified) **Description** A critical issue has been identified in the WilderForge organization, stemming from the unsafe use of user-controlled variables, such as `${{ github.event.review.body }}`, directly inside shell script contexts in GitHub Actions workflows. This introduces a code injection issue, allowing a malicious actor to execute arbitrary shell code on the GitHub Actions runner by submitting a crafted pull request review. This can lead to arbitrary command execution with the permissions of the workflow, potentially compromising CI infrastructure, secrets, and build outputs. The issue affects developers who maintain or contribute to specific WilderForge repositories, as well as users who fork these repositories and reuse affected GitHub Actions workflows. End users of the software and users who only install pre-built releases or artifacts are not affected. **Recommendations** As a temporary workaround, consider disabling GitHub Actions in affected repositories or removing the affected workflows. Restrict access to the vulnerable GitHub Actions workflows to minimize the risk of exploitation. Avoid using the `github.event.review.body` variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 7-Zip versions prior to 25.0.0 **Description** 7-Zip is a file archiver that supports extracting from Compound Documents. A null pointer dereference in the Compound handler may lead to denial of service. **Recommendations** Update to version 25.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** 7-Zip versions prior to 25.0.0 **Description** 7-Zip is a file archiver with a high compression ratio. A flaw exists in the RAR5 handler where writing zeroes outside of the heap buffer can cause memory corruption and denial of service. **Recommendations** Update to version 25.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** stb image (affected versions not specified) **Description** The issue is related to a crafted image file that may trigger an out of bounds memcpy read in the `stbi gif load next` function. This occurs because `two back` points to a memory address lower than the start of the buffer, potentially leading to the leak of internal memory allocation information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb image (affected versions not specified) **Description** The issue is related to the stbi getn function in the stb image library, which reads a specified number of bytes from a context into a buffer. If the file stream points to the end, it returns zero. However, there are two places where its return value is not checked: in the `stbi hdr load` function and in the `stbi tga load` function. The latter is likely more exploitable as an attacker may also control the size of an uninitialized buffer. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to the processing of ogg vorbis files. A crafted file can trigger an out of bounds write in `f->vendor[i] = get8 packet(f);`. This is caused by an integer overflow in `setup malloc`, where a sufficiently large value in the variable `sz` overflows when added to 7, resulting in a negative value that passes the maximum available memory buffer check. This may lead to code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to the processing of ogg vorbis files. A crafted file can trigger an out of buffer write in the `start decoder` function. This occurs because the maximum value of `m->submaps` is 16, but the arrays `submap floor` and `submap residue` are declared with 15 elements. This can potentially lead to code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to a memory allocation failure in the `start decoder` function when processing a crafted ogg vorbis file. This failure causes the function to return early, setting `f->comment list` to `NULL` but not resetting `f->comment list length`. Later, in the `vorbis deinit` function, it attempts to dereference the `NULL` pointer, potentially leading to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue concerns a crafted file that may trigger an out of bounds read in the `DECODE` macro when the `var` is negative. According to the definition of `DECODE RAW`, a negative `var` is a valid value. This can potentially be used to leak internal memory allocation information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Notepad++ versions 8.5.6 and prior **Description** The issue is related to a global buffer read overflow in the `CharDistributionAnalysis::HandleOneChar` function. This may potentially be used to leak internal memory allocation information. The exploitability of this issue is not clear. **Recommendations** For Notepad++ versions 8.5.6 and prior, update to version 8.5.7 to resolve the issue. As a temporary workaround, consider disabling the `CharDistributionAnalysis::HandleOneChar` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Notepad++ versions 8.5.6 and prior **Description** The issue is related to a global buffer read overflow in the `nsCodingStateMachine::NextStater` function. This may potentially be used to leak internal memory allocation information. The exploitability of this issue is not clear. **Recommendations** For Notepad++ versions 8.5.6 and prior, update to version 8.5.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `nsCodingStateMachine::NextStater` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Notepad++ versions 8.5.6 and prior **Description** The issue is related to a heap buffer read overflow in the `FileManager::detectLanguageFromTextBegining()` function. This may potentially be used to leak internal memory allocation information. The exploitability of this issue is not clear. **Recommendations** For versions 8.5.6 and prior, update to version 8.5.7 or later to resolve the issue. As a temporary workaround, consider disabling the `FileManager::detectLanguageFromTextBegining()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Notepad++ versions 8.5.6 and prior **Description** The issue is related to a heap buffer write overflow in the `Utf8 16 Read::convert` function, which may lead to arbitrary code execution when a user opens a specially crafted file. This can potentially allow an attacker to execute arbitrary code. **Recommendations** For versions 8.5.6 and prior, update to version 8.5.7 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `Utf8 16 Read::convert` function until a patch is available. Restrict access to potentially vulnerable files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** stb image (affected versions not specified) **Description** The issue is related to the `stbi load gif main` function in the stb image library, which may lead to a memory leak or double-free if the caller chooses to free the `delays` memory only when the function returns a non-null value. The function may return a null value but fail to free the memory in `delays` if internally `stbi convert format` is called and fails. This could allow a remote attacker to access confidential data, compromise its integrity, or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to a potential integer overflow in `sizeof(char*) * (f->comment list length)` which may cause `setup malloc` to allocate less memory than required. This can lead to a memory write past an allocated heap buffer in `start decoder` when a crafted file is processed. An attacker may exploit this issue to gain access to confidential data, disrupt data integrity, and cause a denial of service. The issue may also lead to code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb image (affected versions not specified) **Description** The issue is related to the `stbi set flip vertically on load` function in the stb image library. When this function is set to `TRUE` and `req comp` is set to a number that doesn’t match the real number of components per pixel, the library attempts to flip the image vertically. This can trigger an out-of-bounds read in `memcpy` because `bytes per pixel` used to calculate `bytes per row` doesn’t match the real image array dimensions. A crafted image file can exploit this, potentially allowing a remote attacker to access confidential data or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** stb vorbis (affected versions not specified) **Description** The issue is related to a crafted file that may trigger an out of bounds write in `f->vendor[len] = (char)'0';`. This occurs when the length read in `start decoder` is `-1` and `len + 1` becomes 0 when passed to `setup malloc`. The `setup malloc` function behaves differently when `f->alloc.alloc buffer` is pre-allocated, shifting the pre-allocated buffer by zero and returning the currently available memory block instead of returning `NULL` as in the `malloc` case. This may lead to code execution. The vulnerability may allow an attacker to access confidential data, compromise its integrity, and cause a denial of service using a specially crafted file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jsonxx (affected versions not specified) **Description** The issue is related to json parsing in jsonxx, which may lead to stack exhaustion in an address sanitized (ASAN) build. This can cause a Denial of Service if the program using the jsonxx library crashes. The project has been archived, and updates are not expected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jsonxx (affected versions not specified) **Description** The issue is related to the use of the Value class in jsonxx, which may lead to memory corruption via a double free or a use after free. This occurs because the Value class has a default assignment operator that can be used with pointer types, potentially pointing to alterable data without updating the pointer itself. The jsonxx project has been archived, and no updates are expected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No information is available about the vulnerable software and its affected versions. **Description** The issue is related to a security problem, but details are not provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.