GHSA-FWHJ-785H-43HH: Denial of Service via Null Pointer Dereference in OliveTin
CVSS Score: 7.5
Published: 2026-03-05
Full Report: https://cvereports.com/reports/GHSA-FWHJ-785H-43HH
A Null Pointer Dereference vulnerability has been identified in OliveTin, an open-source web interface for shell commands. The flaw exists within the API handlers responsible for action execution and management, specifically allowing unauthenticated remote attackers to trigger a server-side panic. By manipulating the sequence of API calls, an attacker can create an invalid internal state that crashes the application process, resulting in a Denial of Service (DoS).
OliveTin versions prior to 3000.11.1 are vulnerable to a Denial of Service attack. Unauthenticated attackers can crash the server by sending a specific sequence of HTTP requests that trigger a Null Pointer Dereference in the Go runtime. A patch is available in version 3000.11.1.
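The CWE-476 pattern in Go, shown beside its checked form, as an added illustration that is not OliveTin's code. The `Action` type, the `registry` map, the function names and the sample entry are hypothetical and constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Action and the registry below are hypothetical stand-ins, not OliveTin types.
type Action struct {
	ID    string
	Shell string
}

var registry = map[string]*Action{
	"backup": {ID: "backup", Shell: "/usr/local/bin/backup.sh"}, // constructed sample
}

var ErrUnknownAction = errors.New("unknown action id")

// lookup returns a nil *Action for an ID that is not registered.
func lookup(id string) *Action { return registry[id] }

// startUnchecked dereferences the lookup result directly and panics on nil.
func startUnchecked(id string) string {
	a := lookup(id)
	return a.Shell // nil pointer dereference when id is not registered
}

// startChecked rejects unknown IDs with an error a handler can map to a 4xx.
func startChecked(id string) (string, error) {
	a := lookup(id)
	if a == nil {
		return "", fmt.Errorf("%w: %q", ErrUnknownAction, id)
	}
	return a.Shell, nil
}

// panics reports whether f panicked, so both forms can be compared safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	fmt.Println("unchecked panics:", panics(func() { startUnchecked("no-such-id") }))
	_, err := startChecked("no-such-id")
	fmt.Println("checked error:", err)
}
```

The checked form turns an unknown ID into an ordinary error return, so the request fails without a panic reaching the runtime.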
- CWE ID: CWE-476
- CWE Name: NULL Pointer Dereference
- Attack Vector: Network
- Impact: Denial of Service
- CVSS Score: 7.5 (High)
- Exploit Status: POC Available
- OliveTin
- OliveTin: < 3000.11.1 (Fixed in: 3000.11.1)
- Restrict network access to the OliveTin interface using firewalls or VPNs.
- Implement a reverse proxy with authentication in front of OliveTin.
- Configure WAF rules to validate 'actionId' parameters against an allowlist.
Remediation Steps:
- Stop the running OliveTin service.
- Download the latest release (version 3000.11.1 or higher) from the official repository.
- Replace the existing binary/container.
- Restart the service.
- Verify the fix by attempting to trigger the panic with an invalid action ID.
Generated by CVEReports - Automated Vulnerability Intelligence