Enrich GHSA-xp7f-v245-w3w8 (CVE-2026-38361, dash-uploader DoS suite)#7636
a1ohadance wants to merge 2 commits into github:a1ohadance/advisory-improvement-7636 from
…ns, credits, mitigation
Enriches GHSA-xp7f-v245-w3w8 (CVE-2026-38361) with the metadata that's currently missing, blocking Dependabot from firing for users of dash-uploader.

Changes

- `affected`: was empty `[]`. Now lists `PyPI/dash-uploader` with all 16 published releases (`0.1.0` through `0.7.0a2`) and an ECOSYSTEM range with `last_affected: 0.7.0a2`. The package was archived 2025-07-19; no patched version exists.
- `summary`: added (was missing).
- `details`: replaced the auto-imported description with full Impact / Affected versions / Mitigation / References sections, breaking out the three DoS primitives in the same library:
  - `range(1, flowTotalChunks + 1)` list comprehension on user input → ~2.9 GB allocation per request.
  - `flowTotalChunks=0` triggers the `all([]) == True` quirk so the assembly branch runs on zero chunks, `os.unlink`ing the target file and replacing it with an empty file. Composes with GHSA-3rf6-x59v-5jfv path traversal in `upload_id` for arbitrary-file truncate.
  - `flowIdentifier` per request creates never-cleaned-up temp directories. Sustained disk fill.
- `credits`: added (was missing) — Muhammad Fitri bin Mohd Sultan as FINDER.
- `references`: added cross-link to companion advisory GHSA-3rf6-x59v-5jfv (CVE-2026-38360, the path-traversal-to-RCE companion advisory). Tagged the upstream package URL with `PACKAGE` and the public PoC with `EVIDENCE`.

Verification

- https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json (OSV schema 1.4.0).
- https://pypi.org/pypi/dash-uploader/json.

Why this matters

The advisory is currently `"affected": []`, which means Dependabot does not fire for any user with `dash-uploader` in their `requirements.txt`/`pyproject.toml`. The whole defensive value of GHSA — automatic alerts to dependents of an abandoned package — is gated on populating that field. This PR populates it.

Disclosure context
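The three DoS primitives listed in the PR description (a chunk list materialised from `flowTotalChunks`, the `all([]) == True` branch that truncates the target, and per-`flowIdentifier` directories that are never reaped) all live in one chunk-assembly handler. The following is an added toy model of such a handler, written for this page; it is not dash-uploader source and not code from the PR author or the advisory. The form field names `flowIdentifier` and `flowTotalChunks` come from the PR text; `flowChunkNumber`, the `chunk-N` file layout, `MAX_TOTAL_CHUNKS`, `FLOW_ID_RE` and the `_req(...)` request stand-in are assumptions for the demonstration. The hardened variant goes slightly beyond the specific bug: it validates the integers before building anything, assembles into a `.part` file and `os.replace`s it so the existing target is never unlinked first, and adds a janitor for abandoned flows.

```python
import os
import re
import shutil
import tempfile
import time

# Assumed limits for the hardened handler; not dash-uploader settings.
MAX_TOTAL_CHUNKS = 10_000
FLOW_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def _chunk_path(flow_dir, i):
    return os.path.join(flow_dir, f"chunk-{i}")


def _req(flow_id, total, number, data):
    # Constructed stand-in for the parsed multipart form of one upload request.
    return {"flowIdentifier": flow_id, "flowTotalChunks": total, "flowChunkNumber": number, "data": data}


def vulnerable_handle_chunk(base_dir, target_path, form):
    """One upload request, trusting flowIdentifier/flowTotalChunks as sent."""
    flow_dir = os.path.join(base_dir, form["flowIdentifier"])  # one dir per client-chosen id
    os.makedirs(flow_dir, exist_ok=True)
    total = form["flowTotalChunks"]
    with open(_chunk_path(flow_dir, form["flowChunkNumber"]), "wb") as f:
        f.write(form["data"])
    # Primitive 1: the comprehension materialises range(1, total + 1) in full, so a
    # huge flowTotalChunks allocates proportionally (deliberately not run in demo()).
    chunk_paths = [_chunk_path(flow_dir, i) for i in range(1, total + 1)]
    # Primitive 2: all([]) is True, so total == 0 takes the assembly branch,
    # unlinks the existing target and leaves an empty file in its place.
    if all(os.path.exists(p) for p in chunk_paths):
        if os.path.exists(target_path):
            os.unlink(target_path)
        with open(target_path, "wb") as out:
            for p in chunk_paths:
                with open(p, "rb") as src:
                    shutil.copyfileobj(src, out)
        shutil.rmtree(flow_dir, ignore_errors=True)
        return "assembled"
    return "pending"  # Primitive 3: an incomplete flow leaves flow_dir behind forever


def hardened_handle_chunk(base_dir, target_path, form):
    """Same contract with the checks that close the three primitives."""
    flow_id, total, number = form["flowIdentifier"], form["flowTotalChunks"], form["flowChunkNumber"]
    if not FLOW_ID_RE.fullmatch(flow_id):
        raise ValueError("flowIdentifier must be a short [A-Za-z0-9_-] token")
    if not (1 <= total <= MAX_TOTAL_CHUNKS and 1 <= number <= total):
        raise ValueError("flowTotalChunks/flowChunkNumber out of range")
    flow_dir = os.path.join(base_dir, flow_id)
    os.makedirs(flow_dir, exist_ok=True)
    with open(_chunk_path(flow_dir, number), "wb") as f:
        f.write(form["data"])
    # Bounded by MAX_TOTAL_CHUNKS and never builds a list sized by client input.
    if not all(os.path.exists(_chunk_path(flow_dir, i)) for i in range(1, total + 1)):
        return "pending"
    part = target_path + ".part"  # the existing target survives until assembly completes
    with open(part, "wb") as out:
        for i in range(1, total + 1):
            with open(_chunk_path(flow_dir, i), "rb") as src:
                shutil.copyfileobj(src, out)
    os.replace(part, target_path)
    shutil.rmtree(flow_dir, ignore_errors=True)
    return "assembled"


def reap_stale_flows(base_dir, max_age_s, now=None):
    """Janitor for primitive 3: remove flow dirs not modified within max_age_s."""
    now = time.time() if now is None else now
    stale = [p for p in (os.path.join(base_dir, n) for n in os.listdir(base_dir))
             if os.path.isdir(p) and now - os.path.getmtime(p) > max_age_s]
    for p in stale:
        shutil.rmtree(p, ignore_errors=True)
    return len(stale)


def demo():
    """Drives both handlers with constructed requests and reports what happened."""
    base = tempfile.mkdtemp(prefix="chunk-model-")
    try:
        target = os.path.join(base, "victim.bin")
        with open(target, "wb") as f:
            f.write(b"precious")
        vuln_dir, hard_dir = os.path.join(base, "vuln"), os.path.join(base, "hard")
        try:
            hardened_handle_chunk(hard_dir, target, _req("f0", 0, 1, b""))
            rejected = False
        except ValueError:
            rejected = True
        size_after_hardened = os.path.getsize(target)
        vulnerable_handle_chunk(vuln_dir, target, _req("f0", 0, 1, b""))
        size_after_vulnerable = os.path.getsize(target)
        good = os.path.join(base, "good.bin")  # a legitimate two-chunk upload still works
        r1 = hardened_handle_chunk(hard_dir, good, _req("f1", 2, 2, b"world"))
        r2 = hardened_handle_chunk(hard_dir, good, _req("f1", 2, 1, b"hello "))
        with open(good, "rb") as f:
            assembled = f.read()
        for i in range(5):  # five fresh ids that never complete: five orphaned dirs
            vulnerable_handle_chunk(vuln_dir, target, _req(f"junk{i}", 2, 1, b"x"))
        leftover = len(os.listdir(vuln_dir))
        reaped = reap_stale_flows(vuln_dir, max_age_s=0, now=time.time() + 3600)
        return {"hardened_rejects_zero": rejected, "size_after_hardened": size_after_hardened,
                "size_after_vulnerable": size_after_vulnerable, "legit": (r1, r2),
                "assembled": assembled, "leftover_dirs": leftover, "reaped": reaped}
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

`demo()` shows the zero-chunk request truncating `victim.bin` to 0 bytes through the naive handler while the hardened one rejects it before touching the filesystem, and five abandoned flows piling up as directories until the reaper removes them. The oversized-`flowTotalChunks` allocation is described in comments but not executed, since the point of that primitive is precisely that it exhausts memory.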