Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Mercure has a Topic Selector Cache Key Collision
Vulnerability Description
Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones. The cache key was constructed by concatenating the topic selector and topic with an underscore separator. Because both topic selectors and topics can contain underscores, two distinct pairs can produce the same key. An attacker who can subscribe to the hub or publish updates with crafted topic names can exploit this to bypass authorization checks on private updates. This vulnerability is fixed in 0.22.0.
CVSS Information
N/A
Vulnerability Type
CWE-1289
Vulnerability Title
mercure 安全漏洞
Vulnerability Description
mercure是Kévin Dunglas个人开发者的一个实时数据推送协议及服务器实现。 Mercure 0.22.0之前版本存在安全漏洞,该漏洞源于TopicSelectorStore中的缓存键冲突,可能导致攻击者毒化匹配结果缓存,绕过私有更新的授权检查。
CVSS Information
N/A
Vulnerability Type
N/A