[GHSA-wgc6-9f6w-h8hx] microlight allows a denial of service #5730

Merged

Conversation

@Qix-

Qix- commented Jun 18, 2025

This "high severity" advisory shouldn't exist. See #5730 (comment).

Updates

  • Affected products
  • CVSS v4
  • Severity

Comments

From the advisory:

When excessively large content (e.g., 100 million characters) is processed

Tricking anyone into downloading 100MiB of code that is to be processed is of course going to cause DoS. This is a nonsense CVE. Please stop abusing the CVE system for beg bounty / clout-chasing security reports. This has to end.


Screenshots at time of report, just in case context is lost:

[two screenshots]

@Copilot Copilot AI review requested due to automatic review settings June 18, 2025 10:54
@github-actions github-actions bot changed the base branch from main to Qix-/advisory-improvement-5730 June 18, 2025 10:55
@Copilot Copilot AI left a comment

Pull Request Overview

This PR updates the GHSA-wgc6-9f6w-h8hx advisory by removing the existing CVSS v4 score, clearing the top-level severity array, and downgrading the vulnerability’s severity rating.

  • Removed the CVSS v4 entry from the severity array
  • Replaced the previous array with an empty severity list
  • Changed the recorded severity from HIGH to LOW
Comments suppressed due to low confidence (1)

advisories/github-reviewed/2025/06/GHSA-wgc6-9f6w-h8hx/GHSA-wgc6-9f6w-h8hx.json:51

  • Downgrading this denial-of-service vulnerability to LOW may understate its impact. Please verify the severity level against a valid CVSS vector or documented risk criteria.
    "severity": "LOW",

@Qix-
Author

Qix- commented Jun 18, 2025

This is such a nonsense security report I don't even know where to begin. This is yet another report following the trending decline of the CVE system as a whole. Daniel Stenberg (@bagder) has been documenting this extensively and I've also been a victim of excessive "high severity" ReDoS reports across my more popular repositories, increasing in frequency over the last few years.

It's also worth mentioning, I'd bet $20 this "high severity" CVE was never disclosed to @asvd given their GitHub inactivity for at least a year. They're certainly never disclosed to me anymore in my own repos.

Why this was "Github Reviewed" as "high severity" is an insult and blight not only to the GitHub Security team but also to the security community as a whole.

Stop this shit. It's getting tiring. This should not be a security advisory whatsoever.

@Qix-
Author

Qix- commented Jun 18, 2025

For reference, the "fix" for this CVE has been submitted here, and it is extremely low quality: asvd/microlight#15

@Qix-
Author

Qix- commented Jun 18, 2025

Original here:

https://gist.github.com/Rootingg/483b09b760d031b62b172f2153f3ed2a

@Rootingg perceived performance issues !== DoS. The CVE / NIST systems are not your playground for learning cybersecurity. Loading 100 million characters into a DOM formatting library creating millions of DOM nodes is 100% expected and not a security issue. That's like saying loading a 100GiB image into a browser at 1px is a security issue that needs to be fixed by Chrome.

You are polluting a shared system that is already very fragile and broken. PLEASE STOP.

@shelbyc
Contributor

shelbyc commented Jun 18, 2025

Hi @Qix-, thank you for bringing this to our attention. We're withdrawing the advisory and have reached out to MITRE, the CVE Numbering Authority that issued the CVE, at https://cveform.mitre.org/ to request that the CVE ID be rejected. We also lowered the severity on the withdrawn advisory from high to low to align the severity with the lack of practical security impact.

@advisory-database advisory-database bot merged commit b722d9e into Qix-/advisory-improvement-5730 Jun 18, 2025
4 checks passed
@advisory-database
Contributor

Hi @Qix-! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the Qix--GHSA-wgc6-9f6w-h8hx branch June 18, 2025 17:11
@Qix-
Author

Qix- commented Jun 18, 2025

Thank you @shelbyc, very much appreciated.
