Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,751 Total Advisories
1,783 With Dependabot PRs
3,501 Critical Severity
8,603 High Severity
Ash has authorization bypass when bypass policy condition evaluates to true
GHSA-pcxq-fjp3-r752 CVE-2025-48044 HIGH about 1 month ago
### Summary
Bypass policies incorrectly authorize requests when their condition evaluates to true but their authorization checks fail and no other ...
hex
No PRs yet
Ash Framework: Filter authorization misapplies impossible bypass/runtime policies
GHSA-7r7f-9xpj-jmr7 CVE-2025-48043 HIGH about 1 month ago
### Summary
When using **filter** authorization, two edge cases could cause the policy compiler/authorizer to generate a permissive filter:
1. **...
hex
No PRs yet
Before action, Ash's hooks may execute in certain scenarios despite a request being forbidden
GHSA-jj4j-x5ww-cwh9 CVE-2025-48042 HIGH 2 months ago
### Summary
Certain bulk action calls with a `before_transaction` hook and no `after_transaction` hook, will call the `before_transaction` hook bef...
hex
No PRs yet
ash_authentication_phoenix has Insufficient Session Expiration
GHSA-f7gq-h8jv-h3cq CVE-2025-4754 LOW 5 months ago
### Impact
Session tokens remain valid on the server after user logout, creating a security gap where:
- Compromised tokens (via XSS, network int...
hex
1 Dependabot PR
Hackney fails to properly release HTTP connections to the pool
GHSA-9fm9-hp7p-53mf CVE-2025-3864 LOW 6 months ago
Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this t...
hex
No PRs yet
ash_authentication has email link auto-click account confirmation vulnerability
GHSA-3988-q8q7-p787 CVE-2025-32782 MODERATE 7 months ago
### Impact
The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients...
hex
No PRs yet
Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`
GHSA-qrm9-f75w-hg4c CVE-2025-25202 MODERATE 10 months ago
### Impact
Applications which have been bootstrapped by the new igniter installer (since AshAuthentication v4.1.0) and who have used the magic lin...
hex
No PRs yet
Server-side Request Forgery (SSRF) in hackney
GHSA-vq52-99r9-h5pw CVE-2025-1211 LOW 10 months ago
Versions of the package hackney from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in mod...
hex
15 Dependabot PRs (6% merged)
RabbitMQ HTTP API's queue deletion endpoint does not verify that the user has a required permission
GHSA-pj33-75x5-32j4 CVE-2024-51988 HIGH about 1 year ago
### Summary
Queue deletion via the HTTP API was not verifying the `configure` permission of the user.
### Impact
Users who had all of the follow...
hex
No PRs yet
In AshPostgres, empty, atomic, non-bulk actions, policy bypass for side-effects vulnerability.
GHSA-hf59-7rwq-785m CVE-2024-49756 MODERATE about 1 year ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
In certain *very specific* situations, it was possible for the policies of an upda...
hex
No PRs yet
OpenID Connect client Atom Exhaustion in provider configuration worker ets table location
GHSA-mj35-2rgf-cv8p CVE-2024-31209 MODERATE over 1 year ago
### Impact
DOS by Atom exhaustion is possible by calling `oidcc_provider_configuration_worker:get_provider_configuration/1` or `oidcc_provider_con...
hex
No PRs yet
erlang-jose vulnerable to denial of service via large p2c value
GHSA-9mg4-v392-8j68 CVE-2023-50966 MODERATE over 1 year ago
erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBE...
hex
No PRs yet
Samly access control vulnerability
GHSA-h3rw-77w7-92gf CVE-2024-25718 CRITICAL almost 2 years ago
In the Samly package before 1.4.0 for Elixir, `Samly.State.Store.get_assertion/3` can return an expired session, which interferes with access contr...
hex
No PRs yet
Pleroma Path Traversal vulnerability
GHSA-2c28-m2m7-mf55 CVE-2023-5588 LOW about 2 years ago
A vulnerability was found in kphrx pleroma. It has been classified as problematic. This affects the function `Pleroma.Emoji.Pack` of the file `lib/...
hex
No PRs yet
MTProto proxy remote code execution vulnerability
GHSA-738q-mc72-2q22 CVE-2023-45312 HIGH about 2 years ago
In the mtproto_proxy (aka MTProto proxy) component through 0.7.2 for Erlang, a low-privileged remote attacker can access an improperly secured defa...
hex
No PRs yet
Pow Mnesia cache doesn't invalidate all expired keys on startup
GHSA-3cjh-p6pw-jhv9 CVE-2023-42446 MODERATE about 2 years ago
Use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A cache ...
hex
No PRs yet
Livebook Desktop's protocol handler can be exploited to execute arbitrary command on Windows
GHSA-564w-97r7-c6p9 CVE-2023-35174 HIGH over 2 years ago
On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on victim...
hex
No PRs yet
Ecto lacks a protection mechanism
GHSA-4r2f-6fm9-2qgh CVE-2017-20166 CRITICAL almost 3 years ago
Ecto 2.2.0 lacks a certain protection mechanism associated with the interaction between `is_nil` and `raise`.
hex
No PRs yet
phoenix_html allows Cross-site Scripting in HEEx class attributes
GHSA-5g2h-9x5v-5h3x CVE-2021-46871 MODERATE almost 3 years ago
tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 allows XSS in HEEx class attributes.
hex
npm
No PRs yet
Phoenix before 1.6.14 mishandles check_origin wildcarding
GHSA-p8f7-22gq-m7j9 CVE-2022-42975 HIGH about 3 years ago
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of ...
hex
No PRs yet
ecdsa-elixir fails to check signatures, vulnerable to message forging
GHSA-xx36-6rv4-gj8r CVE-2021-43568 CRITICAL over 3 years ago
### Summary
Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perf...
hex
No PRs yet
Cross-site Scripting in RabbitMQ
GHSA-9pf7-f47q-mwpq CVE-2019-11291 LOW over 3 years ago
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x v...
hex
No PRs yet
Pivotal RabbitMQ is vulnerable to a denial of service attack
GHSA-hrfh-7j5f-8ccr CVE-2019-11287 HIGH over 3 years ago
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1...
hex
No PRs yet
Ejabberd DoS via malformed stanza
GHSA-2h3q-v47h-f4rc CVE-2011-4320 MODERATE over 3 years ago
The `mod_pubsub` module (mod_pubsub.erl) in ejabberd 2.1.8 and 3.0.0-alpha-3 allows remote authenticated users to cause a denial of service (infini...
hex
No PRs yet
Erlang Solutions MongooseIM vulnerable to denial of service (DoS) via crafted XMPP stream
GHSA-5v5w-44w6-q5hv CVE-2014-2829 HIGH over 3 years ago
Erlang Solutions MongooseIM through 1.3.1 rev. 2 does not properly restrict the processing of compressed XML elements, which allows remote attacker...
hex
No PRs yet
puppetlabs-rabbitmq allows local users to obtain sensitive information
GHSA-h3gh-978r-747w CVE-2014-9568 LOW over 3 years ago
puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in the facts of a node, which allows local users to obtain sensitive in...
hex
No PRs yet
alchemist.vim vulnerable to remote code execution
GHSA-6x65-vqp7-5r63 CVE-2017-1000212 CRITICAL over 3 years ago
Elixir's vim plugin, alchemist.vim is vulnerable to remote code execution in the bundled alchemist-server. A malicious website can execute requests...
hex
No PRs yet
Hex authenticity of signed packages not validated
GHSA-q3cc-rr2c-87r6 CVE-2019-1000013 HIGH over 3 years ago
Hex package manager hex_core version 0.3.0 and earlier contains a Signing oracle vulnerability in Package registry verification that can result in ...
hex
No PRs yet
Inline DTD allows XML bomb attack
GHSA-qpmc-wprv-x746 CVE-2019-15160 HIGH over 3 years ago
The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via a...
hex
No PRs yet
Denial of service
GHSA-5653-437f-5hmc CVE-2019-16764 MODERATE over 3 years ago
The use of `String.to_atom/1` in PowAssent is susceptible to denial of service attacks. In `PowAssent.Phoenix.AuthorizationController` a value is f...
hex
No PRs yet
Session fixation
GHSA-v2wf-c3j6-wpvw CVE-2020-5205 MODERATE over 3 years ago
### Impact
The use of `Plug.Session` in `Pow.Plug.Session` is susceptible to session fixation attacks if a persistent session store is used for `P...
hex
No PRs yet
Header Injection
GHSA-9h73-w7ch-rh73 CVE-2018-1000883 MODERATE over 3 years ago
Elixir Plug Plug version All contains a Header Injection vulnerability in Connection that can result in Given a cookie value, Headers can be added....
hex
No PRs yet
Arbitrary Code Execution in Cookie Serialization
GHSA-5v4m-c73v-c7gq CVE-2017-1000053 HIGH over 3 years ago
The default serialization used by Plug session may result in code execution in certain situations. Keep in mind, however, the session cookie is s...
hex
No PRs yet
Null Byte Injection in Plug.Static
GHSA-2q6v-32mr-8p8x CVE-2017-1000052 HIGH over 3 years ago
Plug.Static is used for serving static assets, and is vulnerable to null byte injection. If file upload functionality is provided, this can allow...
hex
No PRs yet
Cross-site Scripting in xain
GHSA-5chx-gg25-v37m CVE-2018-20302 MODERATE over 3 years ago
XSS is possible via the use of the order query parameter. An example request would look like: `http://host/ressources?order=%27><script>al...`
hex
No PRs yet
Phoenix Arbitrary URL Redirect
GHSA-cmfh-8f8r-fj96 CVE-2017-1000163 MODERATE over 3 years ago
The Phoenix team designed `Phoenix.Controller.redirect/2` to protect against redirects allowing user input to redirect to an external URL where you...
hex
No PRs yet
XSS in HEEx class attributes
GHSA-j3gg-r6gp-95q2 MODERATE over 3 years ago
The `class` attribute was not protected against XSS attacks when using HEEx.
hex
No PRs yet
Missing `is_nil` requirement
GHSA-2xxx-fhc8-9qvq MODERATE over 3 years ago
Ecto will not raise on queries with non-explicit nil comparisons (ie if they aren't checked with `is_nil`).
hex
No PRs yet
Remote Code Execution in paginator
GHSA-w98m-2xqg-9cvj CVE-2020-15150 CRITICAL over 3 years ago
There is a vulnerability in Paginator which makes it susceptible to Remote Code Execution (RCE) attacks via input parameters to the `paginate()` fu...
hex
No PRs yet
Permissive parameters and privilege escalation
GHSA-mrq8-53r4-3j5m CVE-2018-20301 MODERATE almost 4 years ago
An issue was discovered in Steve Pallen Coherence before 0.5.2 that is similar to a Mass Assignment vulnerability. In particular, "registration" en...
hex
No PRs yet