From 82bec2e29af10a64c7dba346b9fd405c6394fd97 Mon Sep 17 00:00:00 2001
From: Fitri Sultan <34848106+a1ohadance@users.noreply.github.com>
Date: Sun, 10 May 2026 02:50:39 +0800
Subject: [PATCH 1/2] Enrich GHSA-xp7f-v245-w3w8 (CVE-2026-38361) with PyPI package, versions, credits, mitigation
---
 .../GHSA-xp7f-v245-w3w8.json | 72 ++++++++++++++++---
 1 file changed, 64 insertions(+), 8 deletions(-)
diff --git a/advisories/unreviewed/2026/05/GHSA-xp7f-v245-w3w8/GHSA-xp7f-v245-w3w8.json b/advisories/unreviewed/2026/05/GHSA-xp7f-v245-w3w8/GHSA-xp7f-v245-w3w8.json
index 5f4c677161831..a1808ceb29757 100644
--- a/advisories/unreviewed/2026/05/GHSA-xp7f-v245-w3w8/GHSA-xp7f-v245-w3w8.json
+++ b/advisories/unreviewed/2026/05/GHSA-xp7f-v245-w3w8/GHSA-xp7f-v245-w3w8.json
@@ -6,15 +6,62 @@
 "aliases": [
 "CVE-2026-38361"
 ],
- "details": "An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components",
+ "summary": "dash-uploader vulnerable to multiple unauthenticated denial-of-service vectors via /API/dash-uploader",
+ "details": "### Impact\n\nThe HTTP request handler in [dash-uploader](https://pypi.org/project/dash-uploader/) versions 0.1.0 through 0.7.0a2 trusts client-supplied form parameters in three ways, each yielding a distinct denial-of-service primitive. All three are reachable unauthenticated through `POST /API/dash-uploader`.\n\n**OOM (uncontrolled resource consumption, CWE-400).** The handler builds a list comprehension over `range(1, flowTotalChunks + 1)` on user-controlled input. With `flowTotalChunks=30000000`, ~30M Python list entries plus path strings allocate ~2.9 GB of resident memory on the worker thread. Trips gunicorn's `--timeout` watchdog (worker SIGKILL by arbiter) within seconds, or the Linux OOM killer under memory pressure.\n\n**TRUNCATE (always-incorrect control flow, CWE-670).** With `flowTotalChunks=0`, the handler computes `all([os.path.exists(p) for p in []])` which evaluates to `True` (the `all([]) == True` quirk). The library enters its \"upload complete, assemble final file\" branch on zero chunks, `os.unlink`s the target file, opens it in append-binary mode, and iterates an empty chunk list — replacing the target file with an empty file. 
Combined with the path traversal in `upload_id` ([CVE-2026-38360](https://github.com/advisories/GHSA-3rf6-x59v-5jfv)), this truncates arbitrary files writable by the gunicorn UID via a single unauthenticated request.\n\n**EXHAUST (no garbage collection, CWE-400).** Each request with a unique `flowIdentifier` creates a temp directory at `///` and writes the supplied chunk into it. With `flowTotalChunks > 1`, the upload never \"completes\" and the temp directory is never cleaned up. The library has no TTL and no garbage collector, allowing sustained disk-fill at the rate the network and the dash-uploader handler can sustain.\n\n### Affected versions\n\nAll 16 published PyPI releases (`0.1.0` through `0.7.0a2`) are affected. The package repository was archived on 2025-07-19; **no patched version exists**.\n\n### Mitigation\n\nReplace `dash-uploader` with an alternative file-upload component. There is no upstream fix path.\n\nInterim mitigations:\n\n* Block `POST /API/dash-uploader` at an upstream proxy, OR\n* Enforce request-body and `flowTotalChunks` ceilings in front of the application (e.g. 
nginx `client_max_body_size` plus a Lua/CEL rule rejecting `flowTotalChunks` outside `[1, 1000]`), OR\n* Configure the upload directory on a quota-enforced separate filesystem so EXHAUST cannot fill the application's main disk.\n\nThis is a companion advisory to [GHSA-3rf6-x59v-5jfv](https://github.com/advisories/GHSA-3rf6-x59v-5jfv) (CVE-2026-38360), an unauthenticated path-traversal-to-RCE in the same library reachable through the same endpoint.\n\n### References\n\n* Public PoC: \n* NVD: \n* CVE record: \n* Upstream issue (archived repo): ",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
 }
 ],
- "affected": [],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "dash-uploader",
+ "purl": "pkg:pypi/dash-uploader"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0.1.0"
+ },
+ {
+ "last_affected": "0.7.0a2"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "0.1.0",
+ "0.1.1",
+ "0.1.2",
+ "0.2.0",
+ "0.2.3",
+ "0.2.4",
+ "0.3.0",
+ "0.3.1",
+ "0.4.0",
+ "0.4.1",
+ "0.4.2",
+ "0.5.0",
+ "0.6.0",
+ "0.6.1",
+ "0.7.0a1",
+ "0.7.0a2"
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.7.0a2"
+ }
+ }
+ ],
 "references": [
+ {
+ "type": "EVIDENCE",
+ "url": "https://github.com/a1ohadance/CVE-2026-38361"
+ },
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38361"
@@ -28,11 +75,7 @@
 "url": "https://docs.python.org/3/library/functions.html#all"
 },
 {
- "type": "WEB",
- "url": "https://github.com/a1ohadance/CVE-2026-38361"
- },
- {
- "type": "WEB",
+ "type": "PACKAGE",
 "url": "https://github.com/fohrloop/dash-uploader"
 },
 {
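Review bot: The new details text (the TRUNCATE paragraph) states that a single unauthenticated request "truncates arbitrary files writable by the gunicorn UID", which is an integrity impact, while the severity vector left in context a few lines below still scores `I:N`; one of the two should change so the record is self-consistent. If the arbitrary-file reach is attributed to the companion path-traversal CVE-2026-38360 and this record is meant to score only the DoS primitives, say so in that paragraph, e.g. `(the integrity impact of that combination is scored under GHSA-3rf6-x59v-5jfv; this advisory scores the availability impact alone)`; otherwise the vector needs an `I:` component that matches the text. Separately, as rendered here the temp-directory path reads as `///` and the four bullets under `### References` carry no URLs — if the source used `<...>` placeholders or autolinks, confirm they survived JSON encoding, since as written those bullets only duplicate the `references` array.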
@@ -54,6 +97,19 @@
 {
 "type": "WEB",
 "url": "https://pypistats.org/packages/dash-uploader"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/advisories/GHSA-3rf6-x59v-5jfv"
+ }
+ ],
+ "credits": [
+ {
+ "name": "Muhammad Fitri bin Mohd Sultan",
+ "type": "FINDER",
+ "contact": [
+ "https://github.com/a1ohadance"
+ ]
 }
 ],
 "database_specific": {
@@ -65,4 +121,4 @@
 "github_reviewed_at": null,
 "nvd_published_at": "2026-05-08T15:16:37Z"
 }
-}
\ No newline at end of file
+}
From 4b57085891408e2c18025d16a5997ef27494a3b9 Mon Sep 17 00:00:00 2001
From: Fitri Sultan <34848106+a1ohadance@users.noreply.github.com>
Date: Sun, 10 May 2026 02:55:29 +0800
Subject: [PATCH 2/2] Drop explicit versions list per processor feedback; keep ECOSYSTEM range events
---
 .../GHSA-xp7f-v245-w3w8.json | 23 +------------------
 1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/advisories/unreviewed/2026/05/GHSA-xp7f-v245-w3w8/GHSA-xp7f-v245-w3w8.json b/advisories/unreviewed/2026/05/GHSA-xp7f-v245-w3w8/GHSA-xp7f-v245-w3w8.json
index a1808ceb29757..96413bc02abed 100644
--- a/advisories/unreviewed/2026/05/GHSA-xp7f-v245-w3w8/GHSA-xp7f-v245-w3w8.json
+++ b/advisories/unreviewed/2026/05/GHSA-xp7f-v245-w3w8/GHSA-xp7f-v245-w3w8.json
@@ -33,28 +33,7 @@
 }
 ]
 }
- ],
- "versions": [
- "0.1.0",
- "0.1.1",
- "0.1.2",
- "0.2.0",
- "0.2.3",
- "0.2.4",
- "0.3.0",
- "0.3.1",
- "0.4.0",
- "0.4.1",
- "0.4.2",
- "0.5.0",
- "0.6.0",
- "0.6.1",
- "0.7.0a1",
- "0.7.0a2"
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 0.7.0a2"
- }
+ ]
 }
 ],
 "references": [
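Review bot: The companion advisory GHSA-3rf6-x59v-5jfv is recorded in this hunk only as a `WEB` reference URL, although the details text describes the two advisories as a chained pair (truncation of arbitrary files needs the path traversal from the other record). If the advisory-database schema accepts OSV's `related` field, adding `"related": ["GHSA-3rf6-x59v-5jfv", "CVE-2026-38360"]` next to `aliases` makes that linkage machine-readable for consumers that correlate advisories by identifier rather than by URL. The `WEB` reference can stay as well; it does no harm.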
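Review bot: Besides the `versions` list named in the subject, this hunk also deletes the package-level `database_specific` block carrying `"last_known_affected_version_range": "<= 0.7.0a2"`, which the subject does not mention and which is not the same thing as the explicit version enumeration. If the processor feedback asked only for the versions list to go, that key should probably stay next to the `last_affected` event — advisory-database entries that use `last_affected` commonly carry it, though I cannot confirm the processor's requirement from here; if its removal was also requested, say so in the subject so the second deletion is not read as accidental.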