Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit f7155e35eae3 · 2026-03-10T00:57:53.000Z
GHSA-3c4m-j3g4-hh25 GHSA-mf3j-86qx-cq5j
diff --git a/advisories/github-reviewed/2026/03/GHSA-3c4m-j3g4-hh25/GHSA-3c4m-j3g4-hh25.json b/advisories/github-reviewed/2026/03/GHSA-3c4m-j3g4-hh25/GHSA-3c4m-j3g4-hh25.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3c4m-j3g4-hh25",
+  "modified": "2026-03-10T00:56:30Z",
+  "published": "2026-03-10T00:56:30Z",
+  "aliases": [
+    "CVE-2026-30913"
+  ],
+  "summary": "flarum/nicknames extension has display name injection in notification emails (autolink & markdown)",
+  "details": "## Summary\n\nWhen the `flarum/nicknames` extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains.\n\n## Affected package\n\n- **`flarum/nicknames`** — permissive display name driver that allows special characters; affected since initial release on the `1.x` branch\n\nAny third-party display name driver that permits special characters would be equally affected.\n\n## Variants\n\n1. **Domain autolink** — a nickname such as `nasty.com` is automatically converted to a clickable hyperlink by virtually all email clients (Gmail, Outlook, Apple Mail, Thunderbird).\n2. **Markdown link syntax** — a nickname such as `[CLICK](https://evil.com)` is rendered as a clickable hyperlink by email clients that auto-render markdown in plain-text emails (e.g. Apple Mail, Thunderbird).\n\n## Steps to reproduce\n\n**Variant 1 (autolink — affects all email clients)**\n1. Enable `flarum/nicknames`, set nickname to `nasty.com`\n2. Trigger a notification email to another user (e.g. follow them, mention them)\n3. The nickname appears as a clickable link in the received email\n\n**Variant 2 (markdown — affects markdown-rendering email clients)**\n1. Enable `flarum/nicknames`, set nickname to `[CLICK](https://evil.com)`\n2. Trigger a notification email to another user\n3. In a markdown-rendering email client (e.g. Apple Mail), the nickname appears as a clickable link\n\n## Impact\n\nPhishing / social engineering: victims may be misled into visiting attacker-controlled URLs via links appearing to originate from a trusted platform notification email. Variant 1 is exploitable against virtually all email clients without any special conditions.\n\n- CVSS v3.1: `AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N` — **4.6 Medium**\n\n## Root cause\n\nThe default username-based display name driver constrains values to `[a-zA-Z0-9_-]+`, making it immune. `flarum/nicknames` introduced permissive validation (min/max length and an optional admin-configured regex) that allows arbitrary characters including those meaningful in URL and markdown contexts. This has been the case since the first commit of the extension.\n\n## Proposed fix\n\n- Add validation in `flarum/nicknames` to reject or sanitize nicknames containing characters that email clients may interpret as URLs or markdown links\n- Alternatively, sanitize the display name before insertion into notification email bodies so that legitimate nicknames like `Jane.Smith` are preserved but rendered safely\n\n## References\n\n- Bug bounty submission: SBB-L4ZVAFH8 (Intigriti)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "flarum/nicknames"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.8.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/flarum/framework/security/advisories/GHSA-3c4m-j3g4-hh25"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/flarum/nicknames/commit/4dde99729abdce8f6e2a7437c86e38735fdcca28"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/flarum/framework"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/flarum/nicknames/releases/tag/v1.8.3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-10T00:56:30Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-mf3j-86qx-cq5j/GHSA-mf3j-86qx-cq5j.json b/advisories/github-reviewed/2026/03/GHSA-mf3j-86qx-cq5j/GHSA-mf3j-86qx-cq5j.json
@@ -0,0 +1,84 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mf3j-86qx-cq5j",
+  "modified": "2026-03-10T00:57:18Z",
+  "published": "2026-03-10T00:57:18Z",
+  "aliases": [
+    "CVE-2026-30925"
+  ],
+  "summary": "Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery",
+  "details": "### Impact\n\nA malicious client can subscribe to a LiveQuery with a crafted `$regex` pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps.\n\nThis only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine.\n\n### Patches\n\nRegex evaluation in LiveQuery subscription matching now runs in an isolated VM context with a configurable timeout via a new Parse Server option `liveQuery.regexTimeout, with defaults 100 ms. A regex that exceeds the timeout is treated as non-matching.\n\nThe protection adds approximately 50 microseconds of overhead per regex evaluation. For most applications this is negligible, but it can add up if there is a very large number of LiveQuery subscriptions that use `$regex` on the same class. For example, 10,000 concurrent regex subscriptions would add approximately 500ms of processing time per object save event on that class. Set `liveQuery.regexTimeout: 0` to disable the protection and use native regex evaluation without overhead.\n\n### Workarounds\n\nUse the `beforeSubscribe` Cloud Code hook to reject any LiveQuery subscription that contains a `$regex` operator. Note that this also blocks the LiveQuery `startsWith`, `endsWith`, and `contains` query methods, as they use `$regex` internally.\n\n```js\n// Repeat for each class that is used with LiveQuery\nParse.Cloud.beforeSubscribe('MyClass', request => {\n  const where = request.query._where || {};\n  for (const value of Object.values(where)) {\n    if (value?.$regex) {\n      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, '$regex not allowed in LiveQuery subscriptions');\n    }\n  }\n});\n```\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.11",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0-alpha.1"
+            },
+            {
+              "fixed": "9.5.0-alpha.14"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.11"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.11"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1333"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-10T00:57:18Z",
+    "nvd_published_at": null
+  }
+}
