GHSA-p768-c3pr-6459

Source

https://github.com/advisories/GHSA-p768-c3pr-6459

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-p768-c3pr-6459/GHSA-p768-c3pr-6459.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-p768-c3pr-6459

Aliases

CVE-2025-8396

Published

2025-09-15T15:31:31Z

Modified

2025-09-15T22:12:30.018273Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L CVSS Calculator

Summary

Temporal OSS Server Vulnerable to Allocation of Resources Without Limits or Throttling

Details

Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation. This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). Temporal Cloud services are not impacted.

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-15T21:51:27Z",
    "nvd_published_at": "2025-09-15T15:15:55Z"
}

References

Affected packages

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.26.3

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

1.27.0-126.0

Fixed

1.27.3

Go / go.temporal.io/server

Package

Name: go.temporal.io/server; View open source insights on deps.dev
Purl: pkg:golang/go.temporal.io/server

Affected ranges

Type: SEMVER
Events: Introduced

1.28.0-129.0

Fixed

1.28.1