Publish Advisories

GHSA-3527-qv2q-pfvx
GHSA-7899-w6c4-vqc4
GHSA-hg9m-67mm-7pg3
GHSA-mwfg-948f-2cc5
GHSA-pw95-88fg-3j6f

Author: advisory-database[bot]

advisories/github-reviewed/2025/05/GHSA-3527-qv2q-pfvx/GHSA-3527-qv2q-pfvx.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3527-qv2q-pfvx",
-  "modified": "2025-05-05T20:40:36Z",
+  "modified": "2025-05-05T22:06:59Z",
   "published": "2025-05-05T20:40:36Z",
   "aliases": [
     "CVE-2025-46734"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46734"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b"
@@ -56,6 +60,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2025-05-05T20:40:36Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-05-05T20:15:21Z"
   }
 }

advisories/github-reviewed/2025/05/GHSA-7899-w6c4-vqc4/GHSA-7899-w6c4-vqc4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7899-w6c4-vqc4",
-  "modified": "2025-05-05T17:03:20Z",
+  "modified": "2025-05-05T22:06:39Z",
   "published": "2025-05-05T17:03:20Z",
   "aliases": [
     "CVE-2025-46553"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/misskey-dev/summaly/security/advisories/GHSA-7899-w6c4-vqc4"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46553"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/misskey-dev/summaly/commit/45153b4f08a772c395a13f7a25399dd87ed022ed"
@@ -59,6 +63,6 @@
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2025-05-05T17:03:20Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-05-05T19:15:56Z"
   }
 }

advisories/github-reviewed/2025/05/GHSA-hg9m-67mm-7pg3/GHSA-hg9m-67mm-7pg3.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hg9m-67mm-7pg3",
-  "modified": "2025-05-05T18:51:35Z",
+  "modified": "2025-05-05T22:06:50Z",
   "published": "2025-05-05T18:51:34Z",
   "aliases": [
     "CVE-2025-46720"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46720"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/keystonejs/keystone"
@@ -56,6 +60,6 @@
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2025-05-05T18:51:34Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-05-05T19:15:57Z"
   }
 }

advisories/github-reviewed/2025/05/GHSA-mwfg-948f-2cc5/GHSA-mwfg-948f-2cc5.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mwfg-948f-2cc5",
-  "modified": "2025-05-05T14:55:59Z",
+  "modified": "2025-05-05T22:06:28Z",
   "published": "2025-05-05T14:55:59Z",
   "aliases": [
     "CVE-2025-46335"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-mwfg-948f-2cc5"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46335"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6987a946485a795f4fd38cebdb4860b368a1995d"
@@ -59,6 +63,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2025-05-05T14:55:59Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-05-05T19:15:56Z"
   }
 }

advisories/github-reviewed/2025/05/GHSA-pw95-88fg-3j6f/GHSA-pw95-88fg-3j6f.json

@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pw95-88fg-3j6f",
-  "modified": "2025-05-05T20:40:44Z",
+  "modified": "2025-05-05T22:07:30Z",
   "published": "2025-05-05T20:40:44Z",
   "aliases": [
     "CVE-2025-46726"
   ],
   "summary": "Langroid Allows XXE Injection via XMLToolMessage",
   "details": "### Summary\nA LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.\n\n### Details\n`XMLToolMessage` uses `lxml` without safeguards:\nhttps://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52\n`lxml` is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. \nCheck here: https://pypi.org/project/defusedxml/#python-xml-libraries\n\n### PoC\nA typical Quadratic blowup XML payload looks like this:\n```xml\n<!DOCTYPE bomb [\n<!ENTITY a \"aaaaaaaaaa\">\n<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n]>\n<bomb>&c;</bomb>\n```\nHere, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application.\n \n### Fix\nLangroid 0.53.4 initializes `XMLParser` with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access.\nhttps://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -35,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46726"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3"
@@ -55,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2025-05-05T20:40:44Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2025-05-05T20:15:21Z"
   }
 }