GHSA-pqj7-jx24-wj7w
MEDIUMVTAdmin users that can create shards can deny access to other functions
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
vitess.io/vitessReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Impact
Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error.
Attempting to view the keyspace(s) will also no longer work.
Creating a shard using vtctldclient does not have the same problem because the CLI validates the input correctly.
Patches
v16.0.2, corresponding to 0.16.2 on pkg.go.dev
Workarounds
- Always use
vtctldclientto create shards, instead of using VTAdmin - Disable creating shards from VTAdmin using RBAC
- Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called
a/bin keyspacecommerce, and you are running etcd, it can be deleted by doing something like
% etcdctl --endpoints "http://${ETCD_SERVER}" del /vitess/global/keyspaces/commerce/shards/a/b/Shard
References
https://github.com/vitessio/vitess/issues/12842
Found during a security audit sponsored by the CNCF and facilitated by OSTIF.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | vitess.io/vitess | all versions | 0.16.2 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for vitess.io/vitess. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update vitess.io/vitess to 0.16.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-pqj7-jx24-wj7w is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-pqj7-jx24-wj7w is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-pqj7-jx24-wj7w. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-pqj7-jx24-wj7w in your dependencies?
O3 detects GHSA-pqj7-jx24-wj7w across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.