GHSA-53v5-9752-qq92
Suggest an improvement- Source
- https://github.com/advisories/GHSA-53v5-9752-qq92
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-53v5-9752-qq92/GHSA-53v5-9752-qq92.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-53v5-9752-qq92
- Aliases
-
- CVE-2025-13806
- Published
- 2025-12-01T06:30:25Z
- Modified
- 2025-12-02T01:30:18.257547Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- NutzBoot Incorrect Privilege Assignment vulnerability
- Details
-
A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Transaction API. The manipulation of the argument from/to/wei leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-266" ], "github_reviewed_at": "2025-12-02T00:32:21Z", "nvd_published_at": "2025-12-01T05:16:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-13806
- https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-UnauthorizedTransfer-1/report.md
- https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-UnauthorizedTransfer-1/report.md#vulnerability-details-and-poc
- https://github.com/nutzam/nutzboot
- https://vuldb.com/?ctiid.333816
- https://vuldb.com/?id.333816
- https://vuldb.com/?submit.692061
Affected packages
Maven / org.nutz:nutzboot-parent
Package
- Name
- org.nutz:nutzboot-parent
- View open source insights on deps.dev
- Purl
- pkg:maven/org.nutz/nutzboot-parent
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected2.6.0-SNAPSHOT
Affected versions
2.*
2.0-Beta
2.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.3.0.v20190220
2.3.1.v20190318
2.3.3.v20190329
2.3.4.v20190410
2.3.5.v20190516
2.3.6.v20190621
2.3.7.v20190731
2.3.8.v20191031
2.3.9.v20200309
2.4.0.v20200427
2.4.1.v20201014
2.4.2.v20201205
2.5.1.v20220215