Suggestions search

All statuses

Filter by:

With package: vitess

Found 3 matching suggestions

View:

Compact

Detailed

Published

Permalink CVE-2026-27969

updated 3 weeks, 5 days ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 6 days ago
@LeSuisse accepted 3 weeks, 5 days ago
@LeSuisse published on GitHub 3 weeks, 5 days ago

Vitess users with backup storage access can write to arbitrary file paths on restore

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is a common path traversal security issue. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. No known workarounds are available.

References

https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw x_refsource_CONFIRM
https://github.com/vitessio/vitess/pull/19470 x_refsource_MISC
https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a x_refsource_MISC

Affected products

vitess

==< 22.0.4
==>= 23.0.0, < 23.0.3

Matching in nixpkgs

pkgs.vitess

Database clustering system for horizontal scaling of MySQL

nixos-unstable 23.0.0
- nixpkgs-unstable 23.0.0
- nixos-unstable-small 23.0.0
nixos-25.11 22.0.1
- nixos-25.11-small 22.0.1
- nixpkgs-25.11-darwin 22.0.1

Package maintainers

@urandom2 Colin Arnott <colin@urandom.co.uk>

Upstream advisory: https://github.com/vitessio/vitess/security/advisories/GHSA-r492-hjgh-c9gw
Upstream patch: https://github.com/vitessio/vitess/commit/c565cab615bc962bda061dcd645aa7506c59ca4a

Published

Permalink CVE-2026-27965

updated 3 weeks, 5 days ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 6 days ago
@LeSuisse accepted 3 weeks, 5 days ago
@LeSuisse published on GitHub 3 weeks, 5 days ago

Vitess users with backup storage access can gain unauthorized access to production deployment environments

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production deployment environment — allowing them to access information available in that environment as well as run any additional arbitrary commands there. Versions 23.0.3 and 22.0.4 contain a patch. Some workarounds are available. Those who intended to use an external decompressor then can always specify that decompressor command in the `--external-decompressor` flag value for `vttablet` and `vtbackup`. That then overrides any value specified in the manifest file. Those who did not intend to use an external decompressor, nor an internal one, can specify a value such as `cat` or `tee` in the `--external-decompressor` flag value for `vttablet` and `vtbackup` to ensure that a harmless command is always used.

References

https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x x_refsource_CONFIRM
https://github.com/vitessio/vitess/issues/19459 x_refsource_MISC
https://github.com/vitessio/vitess/pull/19460 x_refsource_MISC
https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c x_refsource_MISC

Affected products

vitess

==< 22.0.4
==>= 23.0.0, < 23.0.3

Matching in nixpkgs

pkgs.vitess

Database clustering system for horizontal scaling of MySQL

nixos-unstable 23.0.0
- nixpkgs-unstable 23.0.0
- nixos-unstable-small 23.0.0
nixos-25.11 22.0.1
- nixos-25.11-small 22.0.1
- nixpkgs-25.11-darwin 22.0.1

Package maintainers

@urandom2 Colin Arnott <colin@urandom.co.uk>

Upstream advisory: https://github.com/vitessio/vitess/security/advisories/GHSA-8g8j-r87h-p36x
Upstream patch: https://github.com/vitessio/vitess/commit/4c0173293907af9cb942a6683c465c3f1e9fdb5c

Untriaged

Permalink CVE-2025-31125

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

updated 2 months ago by @fricklerhandwerk Activity log

Created automatic suggestion 2 months ago
@fricklerhandwerk removed
2 maintainers
- @sephii
- @urandom2
2 months ago
@fricklerhandwerk added maintainer @urandom2 2 months ago

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.