SB2026021722 - Multiple vulnerabilities in Red Hat Developer Hub 1.7

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026021722

SB2026021722 - Multiple vulnerabilities in Red Hat Developer Hub 1.7

Published: February 17, 2026

Security Bulletin ID SB2026021722
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Interpretation conflict (CVE-ID: CVE-2025-12816)

The vulnerability allows a remote attacker to bypass downstream cryptographic verification and security decisions.

The vulnerability exists due to incorrect validation of ASN.1 structures within the asn1.validate() function in forge/lib/asn1.js. A remote non-authenticated attacker can use specially crafted ASN.1 structures to desynchronize DER schema validations and bypass downstream cryptographic verification and security decisions.


2) Resource exhaustion (CVE-ID: CVE-2025-15284)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the arrayLimit option does not enforce limits for bracket notation (a[]=1&a[]=2). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


3) OS Command Injection (CVE-ID: CVE-2025-64756)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing file names. A remote user can pass specially crafted filename to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Improper verification of cryptographic signature (CVE-ID: CVE-2025-65945)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper signature verification under specific conditions when using the HS256 algorithm within the jws.createVerify() function. A remote attacker can manipulate header or payload in the HMAC secret lookup routines and bypass authorization checks. 


5) Uncontrolled recursion (CVE-ID: CVE-2025-66031)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion within the asn1.fromDer() function in forge/lib/asn1.js. A remote non-authenticated attacker can pass specially crafted deep ASN.1 structures to trigger unbounded recursive parsing and perform a denial of service attack.


Remediation

Install update from vendor's website.

References