CVEbaza.plSłownik CWECWE-248
Common Weakness Enumeration

CWE-248

Uncaught Exception

Kategoria: BaseCVE: 219
Opis

Wyjątek jest rzucany z funkcji, ale nie jest przechwytywany. Może to prowadzić do nieoczekiwanego zakończenia programu lub ujawnienia poufnych informacji.

Description (EN)

An exception is thrown from a function, but it is not caught.

Podatności CVE z CWE-248 (219)
10.0
CVSS
CRITICAL
CVE-2025-12423

Podatność w urządzeniach Azure-Access BLU-IC2 oraz BLU-IC4 umożliwia przeprowadzenie ataku typu denial of service (DoS) poprzez manipulację protokołem komunikacyjnym. Podatność otrzymała najwyższy możliwy wynik CVSS 10.0, co wskazuje na jej krytyczny charakter i możliwość zdalnego wykorzystania bez jakiegokolwiek uwierzytelnienia.

pub. 2025-10-28
9.8
CVSS
CRITICAL
CVE-2018-11466

A vulnerability has been identified in SINUMERIK 808D V4.7 (All versions), SINUMERIK 808D V4.8 (All versions), SINUMERIK 828D V4.7 (All versions < V4.7 SP6 HF1), SINUMERIK 840D sl V4.7 (All versions < V4.7 SP6 HF5), SINUMERIK 840D sl V4.8 (All versions < V4.8 SP3). Specially crafted network packets sent to port 102/tcp (ISO-TSAP) could allow a remote attacker to either cause a Denial-of-Service condition of the integrated software firewall or allow to execute code in the context of the software firewall. The security vulnerability could be exploited by an attacker with network access to the affected systems on port 102/tcp. Successful exploitation requires no user privileges and no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system. At the time of advisory publication no public exploitation of this security vulnerability was known

pub. 2018-12-12
9.3
CVSS
CRITICAL
CVE-2024-42037

Podatność w module Graphics systemów Huawei EMUI oraz HarmonyOS polega na braku obsługi wyjątków (uncaught exceptions), co może prowadzić do naruszenia poufności danych. Ocena CVSS 9.3 wskazuje na krytyczny poziom ryzyka.

pub. 2024-08-08
9.2
CVSS
CRITICAL
CVE-2025-53620

Podatność w pakiecie @builder.io/qwik-city pozwala nieuwierzytelnionemu atakującemu spowodować natychmiastowe zakończenie procesu Node.js poprzez wysłanie nieprawidłowego żądania do Server Action QRL. Jest to krytyczna luka typu Denial of Service (DoS) dostępna zdalnie bez żadnej autoryzacji.

pub. 2025-07-09
8.8
CVSS
HIGH
CVE-2025-0657

A weakness in Automated Logic and Carrier i-Vu Gen5 router on driver version drv_gen5_106-01-2380, allows malformed packets to be sent through BACnet MS/TP network causing the devices to enter a fault state. This fault state requires a manual power cycle to return the device to network visibility.

pub. 2025-11-27
8.7
CVSS
HIGH
CVE-2026-46689

Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() — the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.

pub. 2026-06-10
8.7
CVSS
HIGH
CVE-2026-9509

An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and potential failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems.

pub. 2026-05-29
8.7
CVSS
HIGH
CVE-2026-34752

Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.

pub. 2026-04-02
8.7
CVSS
HIGH
CVE-2026-33191

Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm_SubscriberDataManagement API. This causes URL parsing failure in Go's net/url package with the error "invalid control character in URL", resulting in a 500 Internal Server Error. This null byte injection vulnerability can be exploited for denial of service attacks. When the supi parameter contains null characters, the UDM attempts to construct a URL for UDR that includes these control characters. Go's URL parser rejects them, causing the request to fail with 500 instead of properly validating input and returning 400 Bad Request. This issue has been fixed in version 1.4.2.

pub. 2026-03-20
8.7
CVSS
HIGH
CVE-2026-32314

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.

pub. 2026-03-16
8.7
CVSS
HIGH
CVE-2026-31812

Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC transport protocol. Prior to 0.11.14, a remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quic_transport_parameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap(), so truncated encodings cause Err(UnexpectedEnd) and panic. This is reachable over the network with a single packet and no prior trust or authentication. This vulnerability is fixed in 0.11.14.

pub. 2026-03-10
8.7
CVSS
HIGH
CVE-2026-1507

The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.

pub. 2026-02-10
8.7
CVSS
HIGH
CVE-2025-9124

A denial-of-service security issue in the affected product. The security issue stems from a fault occurring when a crafted CIP unconnected explicit message is sent. This can result in a major non-recoverable fault.

pub. 2025-10-14
8.7
CVSS
HIGH
CVE-2013-10065

A denial-of-service vulnerability exists in Sysax Multi-Server version 6.10 via its SSH daemon. A specially crafted SSH key exchange packet can trigger a crash in the service, resulting in loss of availability. The flaw is triggered during the handling of malformed key exchange data, including a non-standard byte (\x28) in place of the expected SSH protocol delimiter.

pub. 2025-08-05
8.7
CVSS
HIGH
CVE-2025-53365

The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.10.0, if a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.10.0 contains a patch for the issue.

pub. 2025-07-04
8.7
CVSS
HIGH
CVE-2025-53366

The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.9.4, a validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.9.4 contains a patch for the issue.

pub. 2025-07-04
8.7
CVSS
HIGH
CVE-2025-48997

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.

pub. 2025-06-03
8.7
CVSS
HIGH
CVE-2025-43855

tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1.

pub. 2025-04-24
8.7
CVSS
HIGH
CVE-2025-24883

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13.

pub. 2025-01-30
8.7
CVSS
HIGH
CVE-2023-5038

badmonkey, a Security Researcher has found a flaw that allows for a unauthenticated DoS attack on the camera. An attacker runs a crafted URL, nobody can access the web management page of the camera. and must manually restart the device or re-power it. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

pub. 2024-06-25
Pokazano 20 z 219 podatności
Informacje
ID: CWE-248
Typ: Base
Podatności: 219
MITRE CWE ↗
← Słownik CWE
CWE-248 — Nieobsłużony Wyjątek | Słownik CWE | CVEbaza.pl