High severity · GHSA Advisory · Published Apr 12, 2024 · Updated Apr 3, 2026

CVE-2024-30850

Description

Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2024-33434. Reason: This record is a duplicate of CVE-2024-33434. Notes: All CVE users should reference CVE-2024-33434 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-30850 is rejected as a duplicate of CVE-2024-33434; users should consult CVE-2024-33434 for details.

Overview

CVE-2024-30850 has been rejected and should not be used. According to the official NVD record [2], this CVE identifier is a duplicate of CVE-2024-33434. All references and descriptions have been removed to prevent accidental usage.

Duplicate Notice

The rejection notice explicitly states: "DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2024-33434. Reason: This record is a duplicate of CVE-2024-33434." [2] Users are advised to refer to CVE-2024-33434 for the actual vulnerability details.

Related Vulnerability

CVE-2024-33434 describes an issue in CHAOS v5.0.1 before commit 24c9e109b5be34df7b2bce8368eae669c481ed5e, where unsafe concatenation of the filename argument into the buildStr string allows remote attackers to execute arbitrary code [4]. This is the vulnerability that was originally assigned CVE-2024-30850.

Mitigation

The CHAOS project has addressed the issue in pull request #95 [1] and commit 24c9e109b5be34df7b2bce8368eae669c481ed5e [3]. Users should update to a patched version. The duplicate CVE record CVE-2024-30850 is retired.
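
As an added example (not code from the CHAOS project), one way to take the shell out of the build step affected by the buildStr concatenation described above: check every value against a strict allowlist and hand the go tool an argument slice. `BuildInput`, `Validate`, `BuildCommand` and the patterns are hypothetical names; this sketch rejects bad input instead of stripping characters and accepts only IPs and hostnames, not URLs.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"os/exec"
	"regexp"
	"strconv"
)

type BuildInput struct{ GOOS, Address, Port, Token, Filename string } // hypothetical type

var (
	ErrInput  = errors.New("invalid build input")
	safeName  = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)
	safeHost  = regexp.MustCompile(`^[A-Za-z0-9.-]{1,253}$`)
	safeToken = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)
)

// Validate rejects, rather than rewrites, any value outside a strict allowlist.
func Validate(in BuildInput) error {
	port, err := strconv.Atoi(in.Port)
	switch {
	case err != nil || port < 1 || port > 65535 || strconv.Itoa(port) != in.Port:
		return fmt.Errorf("%w: port", ErrInput)
	case net.ParseIP(in.Address) == nil && !safeHost.MatchString(in.Address):
		return fmt.Errorf("%w: address", ErrInput)
	case !safeName.MatchString(in.Filename):
		return fmt.Errorf("%w: filename", ErrInput)
	case !safeToken.MatchString(in.Token):
		return fmt.Errorf("%w: token", ErrInput)
	}
	return nil
}

// BuildCommand gives each argument to the go tool directly; with no "sh -c", no value is shell-parsed.
func BuildCommand(in BuildInput) (*exec.Cmd, error) {
	if err := Validate(in); err != nil {
		return nil, err
	}
	ldflags := fmt.Sprintf("-s -w -X main.ServerPort=%s -X main.ServerAddress=%s -X main.Token=%s", in.Port, in.Address, in.Token)
	cmd := exec.Command("go", "build", "-ldflags", ldflags, "-o", "../temp/"+in.Filename, "main.go")
	cmd.Env = append(os.Environ(), "GOOS="+in.GOOS, "GOARCH=amd64") // GOOS assumed to be chosen server-side
	return cmd, nil
}

func main() {
	for _, name := range []string{"client", "a;b"} { // constructed sample filenames
		_, err := BuildCommand(BuildInput{"linux", "192.0.2.10", "8080", "tok.en-1", name})
		fmt.Printf("%q rejected=%v\n", name, err != nil)
	}
}
```

The allowlists also exclude spaces, which matters because the go tool splits the `-ldflags` value into separate linker arguments.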

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/tiagorlampert/CHAOS (Go)
Affected versions: < 0.0.0-20220716132853-b47438d36e3a
Patched versions: 0.0.0-20220716132853-b47438d36e3a

Patches

24c9e109b5be

r

https://github.com/tiagorlampert/CHAOS · Tiago Rodrigo Lampert · Jul 8, 2022 · via ghsa
1 file changed · +1 -3
  • internal/utils/validation.go +1 -3 modified
    @@ -10,9 +10,7 @@ func IsValidIPAddress(s string) bool {
     }
     
     func IsValidURL(s string) bool {
    -	u, err := url.ParseRequestURI(s)
    -	_ = u
    -	if err != nil {
    +	if _, err := url.ParseRequestURI(s); err != nil {
     		return false
     	}
     	return true
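Review bot: In IsValidURL the remaining if / return false / return true can collapse into one statement: keep `_, err := url.ParseRequestURI(s)` and `return err == nil`. The function also has no doc comment stating what it treats as valid, which matters now that it gates a value used in the build command.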
    
1b451cf62582

validate input values

https://github.com/tiagorlampert/CHAOS · Tiago Rodrigo Lampert · Jul 8, 2022 · via ghsa
25 files changed · +115 -55
  • cmd/chaos/main.go +4 -4 modified
    @@ -9,10 +9,10 @@ import (
     	"github.com/tiagorlampert/CHAOS/infrastructure/database"
     	"github.com/tiagorlampert/CHAOS/internal/environment"
     	"github.com/tiagorlampert/CHAOS/internal/middleware"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/constants"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/system"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/template"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/ui"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/constants"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/system"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/template"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/ui"
     	"github.com/tiagorlampert/CHAOS/repositories/sqlite"
     	"github.com/tiagorlampert/CHAOS/services"
     	"net/http"
    
  • delivery/http/handler.go +9 -9 modified
    @@ -10,10 +10,10 @@ import (
     	"github.com/sirupsen/logrus"
     	"github.com/tiagorlampert/CHAOS/delivery/http/request"
     	"github.com/tiagorlampert/CHAOS/entities"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/constants"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/network"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/system"
    +	"github.com/tiagorlampert/CHAOS/internal/utils"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/constants"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/network"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/system"
     	"github.com/tiagorlampert/CHAOS/services"
     	"net/http"
     	"path/filepath"
    @@ -185,7 +185,7 @@ func (h *httpController) sendCommandHandler(c *gin.Context) {
     
     func (h *httpController) getCommandHandler(c *gin.Context) {
     	address := c.Query("address")
    -	decoded, err := utilities.DecodeBase64(address)
    +	decoded, err := utils.DecodeBase64(address)
     	if err != nil {
     		c.String(http.StatusBadRequest, err.Error())
     		return
    @@ -239,11 +239,11 @@ func (h *httpController) generateBinaryPostHandler(c *gin.Context) {
     		ServerPort:    req.Port,
     		OSTarget:      system.OSTargetIntMap[osTarget],
     		Filename:      req.Filename,
    -		RunHidden:     utilities.ParseCheckboxBoolean(req.RunHidden),
    +		RunHidden:     utils.ParseCheckboxBoolean(req.RunHidden),
     	})
     	if err != nil {
     		h.Logger.Error(err)
    -		c.String(http.StatusInternalServerError, err.Error())
    +		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
     		return
     	}
     	c.String(http.StatusOK, binary)
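Review bot: The error branch of generateBinaryPostHandler answers http.StatusInternalServerError for every BuildClient failure, but this commit makes BuildClient return ErrInvalidServerAddress and ErrInvalidServerPort for bad client input. Map those with errors.Is to http.StatusBadRequest and keep 500 for real build failures. The success path still uses c.String while the error path is now JSON, so the client has to handle two body formats.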
    @@ -274,7 +274,7 @@ func (h *httpController) fileExplorerHandler(c *gin.Context) {
     		c.String(http.StatusBadRequest, err.Error())
     		return
     	}
    -	path, err := utilities.DecodeBase64(req.Path)
    +	path, err := utils.DecodeBase64(req.Path)
     	if err != nil {
     		c.String(http.StatusBadRequest, err.Error())
     		return
    @@ -293,7 +293,7 @@ func (h *httpController) fileExplorerHandler(c *gin.Context) {
     	}
     
     	var fileExplorer entities.FileExplorer
    -	err = json.Unmarshal(utilities.StringToByte(payload.Response), &fileExplorer)
    +	err = json.Unmarshal(utils.StringToByte(payload.Response), &fileExplorer)
     	if err != nil {
     		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
     		return
    
  • internal/middleware/jwt.go +1 -1 modified
    @@ -4,7 +4,7 @@ import (
     	"github.com/appleboy/gin-jwt/v2"
     	"github.com/gin-gonic/gin"
     	"github.com/tiagorlampert/CHAOS/entities"
    -	jwtUtil "github.com/tiagorlampert/CHAOS/internal/utilities/jwt"
    +	jwtUtil "github.com/tiagorlampert/CHAOS/internal/utils/jwt"
     	"github.com/tiagorlampert/CHAOS/services"
     	"net/http"
     	"time"
    
  • internal/utilities/string.go +0 -15 removed
    @@ -1,15 +0,0 @@
    -package utilities
    -
    -import "crypto/rand"
    -
    -const characters = `0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz`
    -
    -// GenerateRandomString generate a random string based on a given size
    -func GenerateRandomString(size int) string {
    -	var bytes = make([]byte, size)
    -	rand.Read(bytes)
    -	for i, x := range bytes {
    -		bytes[i] = characters[x%byte(len(characters))]
    -	}
    -	return string(bytes)
    -}
    
  • internal/utils/base64.go +1 -1 renamed
    @@ -1,4 +1,4 @@
    -package utilities
    +package utils
     
     import "encoding/base64"
     
    
  • internal/utils/byte.go +1 -1 renamed
    @@ -1,4 +1,4 @@
    -package utilities
    +package utils
     
     func ByteToString(value []byte) string {
     	return string(value)
    
  • internal/utils/checkbox.go +1 -1 renamed
    @@ -1,4 +1,4 @@
    -package utilities
    +package utils
     
     func ParseCheckboxBoolean(value string) bool {
     	if value == "true" {
    
  • internal/utils/constants/constants.go +0 -0 renamed
  • internal/utils/image/png.go +1 -1 renamed
    @@ -3,7 +3,7 @@ package image
     import (
     	"fmt"
     	"github.com/google/uuid"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/constants"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/constants"
     	"os"
     )
     
    
  • internal/utils/jwt/jwt.go +0 -0 renamed
  • internal/utils/network/address.go +0 -0 renamed
  • internal/utils/network/http.go +0 -0 renamed
  • internal/utils/password.go +1 -1 renamed
    @@ -1,4 +1,4 @@
    -package utilities
    +package utils
     
     import (
     	"golang.org/x/crypto/bcrypt"
    
  • internal/utils/string.go +35 -0 added
    @@ -0,0 +1,35 @@
    +package utils
    +
    +import (
    +	"crypto/rand"
    +	"regexp"
    +	"strconv"
    +	"strings"
    +)
    +
    +const characters = `0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz`
    +
    +// GenerateRandomString generate a random string based on a given size
    +func GenerateRandomString(size int) string {
    +	var bytes = make([]byte, size)
    +	rand.Read(bytes)
    +	for i, x := range bytes {
    +		bytes[i] = characters[x%byte(len(characters))]
    +	}
    +	return string(bytes)
    +}
    +
    +func NormalizeString(s string) (string, error) {
    +	re, err := regexp.Compile(`\W`)
    +	if err != nil {
    +		return "", err
    +	}
    +	return strings.TrimSpace(re.ReplaceAllString(s, "")), nil
    +}
    +
    +func StringIsNumber(s string) bool {
    +	if _, err := strconv.Atoi(s); err == nil {
    +		return true
    +	}
    +	return false
    +}
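Review bot: NormalizeString can return an empty string when the input has no word characters, and BuildClient passes that result on to handleFilename without checking it; return an error for an empty result. Because `\W` also strips dots and hyphens, the doc comment should say that extensions are dropped, and the pattern should be compiled once at package level with regexp.MustCompile instead of on every call. StringIsNumber accepts signed values and sets no bounds, so a port check should also require 1 to 65535. In GenerateRandomString the error from rand.Read is discarded and x%62 over a byte is slightly biased.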
    
  • internal/utils/system/directory.go +0 -0 renamed
  • internal/utils/system/os.go +0 -0 renamed
  • internal/utils/template/template.go +0 -0 renamed
  • internal/utils/ui/logo.go +0 -0 renamed
  • internal/utils/validation.go +19 -0 added
    @@ -0,0 +1,19 @@
    +package utils
    +
    +import (
    +	"net"
    +	"net/url"
    +)
    +
    +func IsValidIPAddress(s string) bool {
    +	return net.ParseIP(s) != nil
    +}
    +
    +func IsValidURL(s string) bool {
    +	u, err := url.ParseRequestURI(s)
    +	_ = u
    +	if err != nil {
    +		return false
    +	}
    +	return true
    +}
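Review bot: IsValidURL discards the parsed value with `_ = u` and only checks that parsing succeeded, but url.ParseRequestURI accepts an absolute path as well as an absolute URI and places no restriction on the scheme. Since this function decides whether ServerAddress is acceptable, use u: require u.Scheme to be http or https and u.Host to be non-empty, and add a doc comment describing the accepted form.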
    
  • services/auth_service.go +3 -3 modified
    @@ -5,7 +5,7 @@ import (
     	"fmt"
     	"github.com/sirupsen/logrus"
     	"github.com/tiagorlampert/CHAOS/entities"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities"
    +	"github.com/tiagorlampert/CHAOS/internal/utils"
     	"github.com/tiagorlampert/CHAOS/repositories"
     	"strings"
     )
    @@ -47,7 +47,7 @@ func (s authService) Setup() (*entities.Auth, error) {
     		if hasProvidedSecretKey {
     			dummyAuth.SecretKey = s.secretKey
     		} else {
    -			dummyAuth.SecretKey = utilities.GenerateRandomString(secretKeySize)
    +			dummyAuth.SecretKey = utils.GenerateRandomString(secretKeySize)
     		}
     		return &dummyAuth, s.authRepository.Insert(dummyAuth)
     	}
    @@ -74,7 +74,7 @@ func (s authService) RefreshSecret() (string, error) {
     	}
     	if err := s.authRepository.Update(entities.Auth{
     		DBModel:   auth.DBModel,
    -		SecretKey: utilities.GenerateRandomString(secretKeySize),
    +		SecretKey: utils.GenerateRandomString(secretKeySize),
     	}); err != nil {
     		return "", err
     	}
    
  • services/client.go +7 -1 modified
    @@ -2,7 +2,8 @@ package services
     
     import (
     	"context"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/system"
    +	"errors"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/system"
     )
     
     type (
    @@ -21,6 +22,11 @@ type (
     	}
     )
     
    +var (
    +	ErrInvalidServerAddress = errors.New("the server address provided is invalid")
    +	ErrInvalidServerPort    = errors.New("the server port provided is invalid")
    +)
    +
     type Client interface {
     	SendCommand(ctx context.Context, input SendCommandInput) (SendCommandOutput, error)
     	BuildClient(BuildClientBinaryInput) (string, error)
    
  • services/client_service.go +23 -9 modified
    @@ -4,11 +4,11 @@ import (
     	"context"
     	"fmt"
     	"github.com/google/uuid"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/constants"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/image"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/jwt"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities/system"
    +	"github.com/tiagorlampert/CHAOS/internal/utils"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/constants"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/image"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/jwt"
    +	"github.com/tiagorlampert/CHAOS/internal/utils/system"
     	repo "github.com/tiagorlampert/CHAOS/repositories"
     	"os/exec"
     	"strings"
    @@ -38,7 +38,7 @@ func NewClient(
     }
     
     func (c clientService) SendCommand(ctx context.Context, input SendCommandInput) (SendCommandOutput, error) {
    -	addr, err := utilities.DecodeBase64(input.MacAddress)
    +	addr, err := utils.DecodeBase64(input.MacAddress)
     	if err != nil {
     		return SendCommandOutput{}, fmt.Errorf(`error decoding base64: %w`, err)
     	}
    @@ -60,7 +60,7 @@ func (c clientService) SendCommand(ctx context.Context, input SendCommandInput)
     		}
     	}
     
    -	res := utilities.ByteToString(payload.Response)
    +	res := utils.ByteToString(payload.Response)
     	if payload.HasError {
     		return SendCommandOutput{}, fmt.Errorf(res)
     	}
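Review bot: The context line `return SendCommandOutput{}, fmt.Errorf(res)` uses the client's response as a format string, so any % sequence in it is interpreted as a verb and garbles the message. While touching this function, switch it to errors.New(res) or fmt.Errorf("%s", res).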
    @@ -77,7 +77,7 @@ func HandleResponse(payload *PayloadData) (*PayloadData, error) {
     		if err != nil {
     			return nil, err
     		}
    -		payload.Response = utilities.StringToByte(file)
    +		payload.Response = utils.StringToByte(file)
     		break
     	default:
     		return payload, nil
    @@ -86,13 +86,27 @@ func HandleResponse(payload *PayloadData) (*PayloadData, error) {
     }
     
     func (c clientService) BuildClient(input BuildClientBinaryInput) (string, error) {
    +	if !utils.IsValidIPAddress(input.ServerAddress) &&
    +		!utils.IsValidURL(input.ServerAddress) {
    +		return "", ErrInvalidServerAddress
    +	}
    +
    +	if !utils.StringIsNumber(input.ServerPort) {
    +		return "", ErrInvalidServerPort
    +	}
    +
    +	filename, err := utils.NormalizeString(input.Filename)
    +	if err != nil {
    +		return "", err
    +	}
    +
     	token, err := c.GenerateNewToken()
     	if err != nil {
     		return "", err
     	}
     
     	const buildStr = `GO_ENABLED=1 GOOS=%s GOARCH=amd64 go build -ldflags '%s -s -w -X main.Version=%s -X main.ServerPort=%s -X main.ServerAddress=%s -X main.Token=%s -extldflags "-static"' -o ../temp/%s main.go`
    -	filename := handleFilename(input.OSTarget, input.Filename)
    +	filename = handleFilename(input.OSTarget, filename)
     	buildCmd := fmt.Sprintf(buildStr, handleOSType(input.OSTarget), runHidden(input.RunHidden), c.appVersion, input.ServerPort, input.ServerAddress, token, filename)
     	cmd := exec.Command("sh", "-c", buildCmd)
     	cmd.Dir = "client/"
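Review bot: After the new checks, BuildClient still formats ServerAddress, ServerPort and the filename into buildStr and runs the result through `sh -c`, so the fix is only as strong as the validators; a string that IsValidURL accepts is not thereby free of shell-significant characters. Call exec.Command with go, build and each flag as separate arguments and set GOOS and GOARCH through cmd.Env, so that no value is parsed by a shell. The normalized filename should also be rejected when it is empty before it reaches handleFilename.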
    
  • services/device_service.go +2 -2 modified
    @@ -3,7 +3,7 @@ package services
     import (
     	"errors"
     	"github.com/tiagorlampert/CHAOS/entities"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities"
    +	"github.com/tiagorlampert/CHAOS/internal/utils"
     	"github.com/tiagorlampert/CHAOS/repositories"
     	"time"
     )
    @@ -30,7 +30,7 @@ func (d deviceService) FindAll() ([]entities.Device, error) {
     		return nil, err
     	}
     	for index, device := range devices {
    -		devices[index].MacAddressBase64 = utilities.EncodeBase64(device.MacAddress)
    +		devices[index].MacAddressBase64 = utils.EncodeBase64(device.MacAddress)
     	}
     	return devices, nil
     }
    
  • services/user_service.go +5 -5 modified
    @@ -2,7 +2,7 @@ package services
     
     import (
     	"github.com/tiagorlampert/CHAOS/entities"
    -	"github.com/tiagorlampert/CHAOS/internal/utilities"
    +	"github.com/tiagorlampert/CHAOS/internal/utils"
     	repo "github.com/tiagorlampert/CHAOS/repositories"
     )
     
    @@ -24,7 +24,7 @@ func (u userService) Login(username, password string) bool {
     	if err != nil {
     		return false
     	}
    -	return utilities.PasswordsMatch(user.Password, password)
    +	return utils.PasswordsMatch(user.Password, password)
     }
     
     func (u userService) Insert(input entities.User) error {
    @@ -42,11 +42,11 @@ func (u userService) UpdatePassword(input UpdateUserPasswordInput) error {
     	if err != nil {
     		return err
     	}
    -	if !utilities.PasswordsMatch(user.Password, input.OldPassword) {
    +	if !utils.PasswordsMatch(user.Password, input.OldPassword) {
     		return ErrInvalidPassword
     	}
     
    -	passwordHash, err := utilities.HashAndSalt(input.NewPassword)
    +	passwordHash, err := utils.HashAndSalt(input.NewPassword)
     	if err != nil {
     		return err
     	}
    @@ -63,7 +63,7 @@ func (u userService) CreateDefaultUser() error {
     		return err
     	}
     
    -	passwordHash, err := utilities.HashAndSalt(defaultPassword)
    +	passwordHash, err := utils.HashAndSalt(defaultPassword)
     	if err != nil {
     		return err
     	}
    
  • web/static/js/app/generate.js +2 -1 modified
    @@ -21,7 +21,7 @@ async function GenerateBinary() {
             .then(response => {
                 if (!response.ok) {
                     return response.text().then(err => {
    -                    throw new Error(err.message);
    +                    throw new Error(err);
                     });
                 }
                 return response.text();
    @@ -32,6 +32,7 @@ async function GenerateBinary() {
             })
             .catch(err => {
                 console.log('Error: ', err);
    +            Swal.close();
                 ShowNotification('danger', 'Ops!', 'Failed building client binary.\n' + JSON.parse(err.message).error)
             });
     }
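Review bot: In the catch handler, `JSON.parse(err.message)` throws whenever the message is not JSON, which is the case for a network failure and for any error the server returns as plain text (other handlers in this commit still respond with c.String). When that happens the notification is never shown. Wrap the parse in try/catch and fall back to the raw err.message.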
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
