Meteor har 3.2.1 livedata_server.js Object.assign forwardedFor Kari na aiki

Hakika vulnerability da aka rarraba a matsayin karshewa an gano a Meteor har 3.2.1. Tabbas, aikin Object.assign ne ke da matsala; idan ba a bayyana ba, to aiki ce da ba a sani ba, a cikin laburare $software_library, a cikin fayil packages/ddp-server/livedata_server.js, a cikin sashi $software_component. Wuro manipulation of the argument forwardedFor ga Kari na aiki. Amfani da CWE wajen bayyana matsala yana kaiwa CWE-1333. Lalle, rauni an sanar da shi 05/15/2025 da 13713. Ana samun bayanin tsaro don saukewa a github.com. Ana kiran wannan rauni da CVE-2025-4727. Ngam yiɗi ka a tuma ndiyam ka nder internet. Bayani na fasaha ga. Kuma, akwai exploit. Exploit ɗin an bayyana wa jama'a, za a iya amfani da shi. A sa'i, exploit might be approx. USD $0-$5k ndiyam. Á yí huɗɗi-na-gaskiya. 0-day ga, an ndiyam a wuro be $0-$5k. Patch ɗin an san shi da f7ea6817b90952baaea9baace2a3b4366fee6a63. Gyaran matsalar yana nan a shirye don saukewa a github.com. Ngamdi ka a yiɗi a ɗaɓɓita kompona wey ka a saɓata. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

4 Goyarwa · 93 Datenpunkte

FurɗeSúgá
05/15/2025 09:18		Gargadi 1/3
05/16/2025 03:37		Gargadi 2/3
05/16/2025 11:43		Gargadi 3/3
06/23/2025 17:47
software_nameMeteorMeteorMeteorMeteor
software_version<=3.2.1<=3.2.1<=3.2.1<=3.2.1
software_filepackages/ddp-server/livedata_server.jspackages/ddp-server/livedata_server.jspackages/ddp-server/livedata_server.jspackages/ddp-server/livedata_server.js
software_functionObject.assignObject.assignObject.assignObject.assign
software_argumentforwardedForforwardedForforwardedForforwardedFor
vulnerability_cweCWE-1333 (Kari na aiki)CWE-1333 (Kari na aiki)CWE-1333 (Kari na aiki)CWE-1333 (Kari na aiki)
vulnerability_risk1111
cvss3_vuldb_avNNNN
cvss3_vuldb_acHHHH
cvss3_vuldb_prNNNN
cvss3_vuldb_uiNNNN
cvss3_vuldb_sUUUU
cvss3_vuldb_cNNNN
cvss3_vuldb_iNNNN
cvss3_vuldb_aLLLL
cvss3_vuldb_ePPPP
cvss3_vuldb_rlOOOO
cvss3_vuldb_rcCCCC
advisory_urlhttps://github.com/meteor/meteor/issues/13713https://github.com/meteor/meteor/issues/13713https://github.com/meteor/meteor/issues/13713https://github.com/meteor/meteor/issues/13713
advisory_confirm_urlhttps://github.com/meteor/meteor/pull/13721https://github.com/meteor/meteor/pull/13721https://github.com/meteor/meteor/pull/13721https://github.com/meteor/meteor/pull/13721
exploit_availability1111
exploit_publicity1111
countermeasure_nameGargajiyaGargajiyaGargajiyaGargajiya
upgrade_version3.2.23.2.23.2.23.2.2
countermeasure_upgrade_urlhttps://github.com/meteor/meteor/releases/tag/release/METEOR%403.2.2https://github.com/meteor/meteor/releases/tag/release/METEOR%403.2.2https://github.com/meteor/meteor/releases/tag/release/METEOR%403.2.2https://github.com/meteor/meteor/releases/tag/release/METEOR%403.2.2
patch_namef7ea6817b90952baaea9baace2a3b4366fee6a63f7ea6817b90952baaea9baace2a3b4366fee6a63f7ea6817b90952baaea9baace2a3b4366fee6a63f7ea6817b90952baaea9baace2a3b4366fee6a63
countermeasure_patch_urlhttps://github.com/meteor/meteor/commit/f7ea6817b90952baaea9baace2a3b4366fee6a63https://github.com/meteor/meteor/commit/f7ea6817b90952baaea9baace2a3b4366fee6a63https://github.com/meteor/meteor/commit/f7ea6817b90952baaea9baace2a3b4366fee6a63https://github.com/meteor/meteor/commit/f7ea6817b90952baaea9baace2a3b4366fee6a63
source_cveCVE-2025-4727CVE-2025-4727CVE-2025-4727CVE-2025-4727
cna_responsibleVulDBVulDBVulDBVulDB
cvss2_vuldb_avNNNN
cvss2_vuldb_acHHHH
cvss2_vuldb_auNNNN
cvss2_vuldb_ciNNNN
cvss2_vuldb_iiNNNN
cvss2_vuldb_aiPPPP
cvss2_vuldb_ePOCPOCPOCPOC
cvss2_vuldb_rcCCCC
cvss2_vuldb_rlOFOFOFOF
cvss4_vuldb_avNNNN
cvss4_vuldb_acHHHH
cvss4_vuldb_prNNNN
cvss4_vuldb_uiNNNN
cvss4_vuldb_vcNNNN
cvss4_vuldb_viNNNN
cvss4_vuldb_vaLLLL
cvss4_vuldb_ePPPP
cvss4_vuldb_atNNNN
cvss4_vuldb_scNNNN
cvss4_vuldb_siNNNN
cvss4_vuldb_saNNNN
cvss2_vuldb_basescore2.62.62.62.6
cvss2_vuldb_tempscore2.02.02.02.0
cvss3_vuldb_basescore3.73.73.73.7
cvss3_vuldb_tempscore3.43.43.43.4
cvss3_meta_basescore3.73.73.73.7
cvss3_meta_tempscore3.43.43.53.5
cvss4_vuldb_bscore6.36.36.36.3
cvss4_vuldb_btscore2.92.92.92.9
advisory_date1747260000 (05/15/2025)1747260000 (05/15/2025)1747260000 (05/15/2025)1747260000 (05/15/2025)
price_0day$0-$5k$0-$5k$0-$5k$0-$5k
advisory_identifier13713137131371313713
euvd_idEUVD-2025-15378EUVD-2025-15378EUVD-2025-15378
cve_nvd_summaryA vulnerability was found in Meteor up to 3.2.1 and classified as problematic. This issue affects the function Object.assign of the file packages/ddp-server/livedata_server.js. The manipulation of the argument forwardedFor leads to inefficient regular expression complexity. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.2 is able to address this issue. The identifier of the patch is f7ea6817b90952baaea9baace2a3b4366fee6a63. It is recommended to upgrade the affected component.A vulnerability was found in Meteor up to 3.2.1 and classified as problematic. This issue affects the function Object.assign of the file packages/ddp-server/livedata_server.js. The manipulation of the argument forwardedFor leads to inefficient regular expression complexity. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.2 is able to address this issue. The identifier of the patch is f7ea6817b90952baaea9baace2a3b4366fee6a63. It is recommended to upgrade the affected component.
cvss4_cna_avNN
cvss4_cna_acHH
cvss4_cna_atNN
cvss4_cna_prNN
cvss4_cna_uiNN
cvss4_cna_vcNN
cvss4_cna_viNN
cvss4_cna_vaLL
cvss4_cna_scNN
cvss4_cna_siNN
cvss4_cna_saNN
cvss4_cna_bscore6.36.3
cvss3_cna_avNN
cvss3_cna_acHH
cvss3_cna_prNN
cvss3_cna_uiNN
cvss3_cna_sUU
cvss3_cna_cNN
cvss3_cna_iNN
cvss3_cna_aLL
cvss3_cna_basescore3.73.7
cvss2_cna_avNN
cvss2_cna_acHH
cvss2_cna_auNN
cvss2_cna_ciNN
cvss2_cna_iiNN
cvss2_cna_aiPP
cvss2_cna_basescore2.62.6
cve_nvd_summaryesSe encontró una vulnerabilidad en Meteor hasta la versión 3.2.1 y se clasificó como problemática. Este problema afecta a la función Object.assign del archivo packages/ddp-server/livedata_server.js. La manipulación del argumento forwardedFor genera una complejidad ineficiente en las expresiones regulares. El ataque puede ejecutarse en remoto. Es un ataque de complejidad bastante alta. Parece difícil de explotar. Se ha hecho público el exploit y puede que sea utilizado. Actualizar a la versión 3.2.2 puede solucionar este problema. El identificador del parche es f7ea6817b90952baaea9baace2a3b4366fee6a63. Se recomienda actualizar el componente afectado.

GurɗoGumtiGada

Do you need the next level of professionalism?

Upgrade your account now!