Enrich GHSA-xp7f-v245-w3w8 (CVE-2026-38361, dash-uploader DoS suite)#7636

Closed
a1ohadance wants to merge 3 commits into
github:a1ohadance/advisory-improvement-7636from
a1ohadance:a1ohadance-GHSA-xp7f-v245-w3w8

Conversation

@a1ohadance

Enriches GHSA-xp7f-v245-w3w8 (CVE-2026-38361) with the metadata that's currently missing, blocking Dependabot from firing for users of dash-uploader.

Changes

  • affected: was empty []. Now lists PyPI/dash-uploader with all 16 published releases (0.1.0 through 0.7.0a2) and an ECOSYSTEM range with last_affected: 0.7.0a2. The package was archived 2025-07-19; no patched version exists.
  • summary: added (was missing).
  • details: replaced the auto-imported description with full Impact / Affected versions / Mitigation / References sections, breaking out the three DoS primitives in the same library:
    • OOM (CWE-400): unbounded range(1, flowTotalChunks + 1) list comprehension on user input → ~2.9 GB allocation per request.
    • TRUNCATE (CWE-670): flowTotalChunks=0 triggers the all([]) == True quirk so the assembly branch runs on zero chunks, os.unlinking the target file and replacing it with an empty file. Composes with GHSA-3rf6-x59v-5jfv path traversal in upload_id for arbitrary-file truncate.
    • EXHAUST (CWE-400): unique flowIdentifier per request creates never-cleaned-up temp directories. Sustained disk fill.
  • credits: added (was missing) — Muhammad Fitri bin Mohd Sultan as FINDER.
  • references: added cross-link to companion advisory GHSA-3rf6-x59v-5jfv (CVE-2026-38360, the path-traversal-to-RCE companion advisory). Tagged the upstream package URL with PACKAGE and the public PoC with EVIDENCE.

Verification

  • JSON validates against https://raw.githubusercontent.com/ossf/osv-schema/main/validation/schema.json (OSV schema 1.4.0).
  • All 16 versions cross-checked against https://pypi.org/pypi/dash-uploader/json.
  • Companion advisory enrichment for GHSA-3rf6-x59v-5jfv submitted as separate PR per the contribution guide's "one advisory per PR" rule.

Why this matters

The advisory is currently "affected": [], which means Dependabot does not fire for any user with dash-uploader in their requirements.txt / pyproject.toml. The whole defensive value of GHSA — automatic alerts to dependents of an abandoned package — is gated on populating that field. This PR populates it.

Disclosure context

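The three primitives listed above (a zero chunk count slipping through `all([])`, an unbounded per-request chunk list, and per-identifier temp directories that are never reclaimed) are easiest to reason about side by side. The following is an added, constructed model written for this page; it is not dash-uploader's own code, and the names `chunks_present_unsafe`, `validate_chunk_params`, `purge_stale_upload_dirs`, the `part_N` file naming and the `MAX_TOTAL_CHUNKS` limit are assumptions made for illustration. It shows the fragile check next to a hardened one, the parameter validation that keeps a zero or oversized count away from the assembly branch, and a time-based purge for abandoned upload directories.

```python
"""Constructed model of chunked-upload checks (not dash-uploader source)."""
import os
import re
import shutil
import tempfile
import time

# Assumed hard cap on chunks per upload; a real handler derives it from
# max_file_size / chunk_size, which validate_chunk_params also enforces.
MAX_TOTAL_CHUNKS = 10_000

# Assumed identifier policy: opaque tokens only, so the value can never
# carry path separators or ".." into a filesystem join.
_FLOW_ID = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def is_safe_flow_identifier(flow_id: str) -> bool:
    """Accept only identifiers that cannot influence the on-disk path."""
    return bool(_FLOW_ID.match(flow_id))


def chunks_present_unsafe(chunk_dir: str, total_chunks: int) -> bool:
    """The fragile pattern: materialise every expected path, then all().

    With total_chunks == 0 the range is empty, so the list is empty and
    all([]) is True; a caller that gates assembly on this proceeds with
    zero chunks. A huge total_chunks also builds the whole list up front.
    """
    expected = [os.path.join(chunk_dir, f"part_{i}")
                for i in range(1, total_chunks + 1)]
    return all(os.path.isfile(p) for p in expected)


def chunks_present_safe(chunk_dir: str, total_chunks: int) -> bool:
    """Hardened check: an empty set of chunks is never 'complete', and a
    lazy generator stops at the first missing chunk instead of building
    an O(total_chunks) list first."""
    if total_chunks < 1:
        return False
    return all(os.path.isfile(os.path.join(chunk_dir, f"part_{i}"))
               for i in range(1, total_chunks + 1))


def validate_chunk_params(total_chunks: int, chunk_number: int,
                          chunk_size: int, max_file_size: int) -> None:
    """Reject client-supplied chunk metadata before any allocation or I/O."""
    if not isinstance(total_chunks, int) or total_chunks < 1:
        raise ValueError("flowTotalChunks must be a positive integer")
    if total_chunks > MAX_TOTAL_CHUNKS:
        raise ValueError("flowTotalChunks exceeds the configured cap")
    if not isinstance(chunk_number, int) or not 1 <= chunk_number <= total_chunks:
        raise ValueError("flowChunkNumber out of range")
    if chunk_size < 1 or chunk_size * total_chunks > max_file_size:
        raise ValueError("declared upload size exceeds max_file_size")


def rejects(**kwargs) -> bool:
    """True when validate_chunk_params refuses the given parameters."""
    try:
        validate_chunk_params(**kwargs)
    except ValueError:
        return True
    return False


def purge_stale_upload_dirs(root: str, max_age_s: float, now: float) -> list:
    """Remove per-identifier upload directories idle longer than max_age_s,
    so abandoned flows cannot accumulate indefinitely. Returns names removed."""
    removed = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isdir(path) and now - os.path.getmtime(path) > max_age_s:
            shutil.rmtree(path)
            removed.append(name)
    return removed


def demo() -> dict:
    """Exercise the checks on a constructed upload tree and return results."""
    with tempfile.TemporaryDirectory() as root:
        flow = os.path.join(root, "flow-abc")
        os.makedirs(flow)
        results = {
            "unsafe_zero": chunks_present_unsafe(flow, 0),  # the all([]) quirk
            "safe_zero": chunks_present_safe(flow, 0),
        }
        for i in (1, 2):
            with open(os.path.join(flow, f"part_{i}"), "wb") as fh:
                fh.write(b"x")
        results["safe_two"] = chunks_present_safe(flow, 2)
        results["safe_three_missing"] = chunks_present_safe(flow, 3)
        one_mib = 1_048_576
        results["rejects_zero"] = rejects(total_chunks=0, chunk_number=1,
                                          chunk_size=1024, max_file_size=one_mib)
        results["rejects_oversize"] = rejects(total_chunks=2_000, chunk_number=1,
                                              chunk_size=1024, max_file_size=one_mib)
        results["accepts_sane"] = not rejects(total_chunks=4, chunk_number=2,
                                              chunk_size=1024, max_file_size=one_mib)
        results["rejects_bad_id"] = not is_safe_flow_identifier("../etc")
        # Age the flow directory by two hours, add a fresh one, purge at 1h.
        old = time.time() - 7200
        os.utime(flow, (old, old))
        os.makedirs(os.path.join(root, "flow-fresh"))
        results["purged"] = purge_stale_upload_dirs(root, 3600, time.time())
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the first two entries: the list-then-`all()` form reports a zero-chunk upload as complete, while the guarded form does not, and the same validation that blocks the zero case also caps the count before any list of that size can be built.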
@github-actions github-actions Bot changed the base branch from main to a1ohadance/advisory-improvement-7636 May 9, 2026 18:52
@github-actions

github-actions Bot commented Jun 7, 2026

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jun 7, 2026
@a1ohadance

Author

Still relevant and ready to merge. Could a maintainer review when there's capacity?

This populates the currently empty affected field (all 16 PyPI releases of dash-uploader, 0.1.0 through 0.7.0a2, with last_affected: 0.7.0a2) plus the missing summary, details, credits, and references. Until affected is set, Dependabot does not alert any project depending on this archived package.

Re-verified today: the JSON still validates against the OSV 1.4.0 schema and all 16 versions still cross-check against the PyPI JSON. Happy to rebase or adjust formatting if anything is needed.

@JonathanLEvans

Hi @a1ohadance,

The description you provided seems to cover a different vulnerability than the one described in the CVE. I recognize that the advisory the CVE references matches the description you have provided. However, before I publish, I would like clarification that I am using the correct CVE. Please contact MITRE to get the CVE updated.

@a1ohadance

Author

Hi @JonathanLEvans, thanks for reviewing.

CVE-2026-38361 is the correct CVE for this advisory - it covers the chunked-upload handling in dash_uploader (the Upload function / max_file_size handling), which is what this PR documents.

You're right that the mismatch is in the CVE's description, which still says "execute arbitrary code". That wording is actually inconsistent with the rest of the same CVE record, which already classifies this as denial of service:

  • CWE-400 (Uncontrolled Resource Consumption) and CWE-670
  • CVSS:3.1 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (availability-only)

So the CWE and CVSS already match this advisory (DoS); only the description is wrong. The arbitrary-code-execution / path-traversal issue is the separate CVE-2026-38360 (PR #7635).

I have submitted a MITRE update request to correct only the CVE-2026-38361 description to denial of service (leaving the CWE and CVSS as-is, since they are already correct). I'll follow up here once MITRE applies it.

@github-actions github-actions Bot removed the Stale label Jun 9, 2026
@advisory-database advisory-database Bot closed this Jun 9, 2026
@a1ohadance

Author

Hi @JonathanLEvans, quick follow-up.

MITRE has now applied the update to CVE-2026-38361. The description has been corrected from the old "execute arbitrary code" wording to denial of service, so it's now consistent with the CWE and CVSS that were already on the record:

  • Description: now reflects uncontrolled resource consumption / denial of service in the dash_uploader chunked-upload handling (no more arbitrary-code-execution language)
  • CWE-400 (Uncontrolled Resource Consumption) and CWE-670 - unchanged, already correct
  • CVSS:3.1 7.5 - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (availability-only) - unchanged, already correct

So the CVE record now matches this advisory end to end.

The separate arbitrary-code-execution / path-traversal issue remains tracked under CVE-2026-38360 (PR #7635, already merged).

You can confirm the corrected description here:

Anyway, this PR got auto-closed by the stale bot and I can't reopen it from my side. Could you reopen it so it's back in your queue? Thanks again for the careful review!

@a1ohadance

Author

Since this PR can't be reopened from my side after the stale bot closed it, I've resubmitted the same change as #8076. The MITRE description correction you asked for has been applied, so CVE-2026-38361 now reads as the DoS suite and matches this advisory. cc @JonathanLEvans
