Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-1386

Summary
Assigner-ClickHouse
Assigner Org ID-cb7ba516-3b07-4c98-b0c2-715220f1a8f6
Published At-11 Apr, 2025 | 04:27
Updated At-11 Apr, 2025 | 16:01
Rejected At-
Credits

Query smuggling in ch-go library

When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ClickHouse
Assigner Org ID:cb7ba516-3b07-4c98-b0c2-715220f1a8f6
Published At:11 Apr, 2025 | 04:27
Updated At:11 Apr, 2025 | 16:01
Rejected At:
▼CVE Numbering Authority (CNA)
Query smuggling in ch-go library

When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.

Affected Products
Vendor
ch-go
Product
ch-go
Collection URL
https://github.com/ClickHouse/ch-go
Package Name
ch-go
Repo
https://github.com/ClickHouse/ch-go
Default Status
unaffected
Versions
Affected
  • From 0 before 0.65.0 (custom)
Problem Types
TypeCWE IDDescription
N/AN/AQuery smuggling
Type: N/A
CWE ID: N/A
Description: Query smuggling
Metrics
VersionBase scoreBase severityVector
4.05.9MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-66CAPEC-66 SQL Injection
CAPEC ID: CAPEC-66
Description: CAPEC-66 SQL Injection
Solutions
Configurations
Workarounds
Exploits
Credits
finder
lixts
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/ClickHouse/ch-go/security/advisories/GHSA-m454-3xv7-qj85
N/A
Hyperlink: https://github.com/ClickHouse/ch-go/security/advisories/GHSA-m454-3xv7-qj85
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-444CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Type: CWE
CWE ID: CWE-444
Description: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cb7ba516-3b07-4c98-b0c2-715220f1a8f6
Published At:11 Apr, 2025 | 05:15
Updated At:11 Apr, 2025 | 16:15

When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.9MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-444Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-444
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/ClickHouse/ch-go/security/advisories/GHSA-m454-3xv7-qj85cb7ba516-3b07-4c98-b0c2-715220f1a8f6
N/A
Hyperlink: https://github.com/ClickHouse/ch-go/security/advisories/GHSA-m454-3xv7-qj85
Source: cb7ba516-3b07-4c98-b0c2-715220f1a8f6
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found