GHSA SYNC: 2 new advisories; 3 modified advisories

gems/phlex/GHSA-w67g-2h6v-vjgq.yml

@@ -60,4 +60,5 @@ related:
     - https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
     - https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
     - https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
+    - https://advisories.gitlab.com/pkg/gem/phlex/GHSA-w67g-2h6v-vjgq
     - https://github.com/advisories/GHSA-w67g-2h6v-vjgq

gems/spree_api/GHSA-87fh-rc96-6fr6.yml → gems/spree_api/CVE-2026-25758.yml

@@ -1,5 +1,6 @@
 ---
 gem: spree_api
+cve: 2026-25758
 ghsa: 87fh-rc96-6fr6
 url: https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
 title: Unauthenticated Spree Commerce users can access all guest addresses
@@ -17,8 +18,8 @@ description: |
 
   ### Impact
 
-  This issue may lead to disclosure of PII of guest users (including
-  names, addresses and phone numbers).
+  This issue may lead to disclosure of PII of guest users
+  (including names, addresses and phone numbers).
 
   ### Unauthenticated users can access all guest addresses (`GHSL-2026-027`)
 
@@ -54,8 +55,8 @@ description: |
 
   #### Impact
 
-  This issue may lead to disclosure of PII of guest users (including
-  names, addresses and phone numbers).
+  This issue may lead to disclosure of PII of guest users
+  (including names, addresses and phone numbers).
 
   #### CWEs
 
@@ -64,8 +65,7 @@ description: |
 
   ### Credit
 
-  This issue was discovered with the [GitHub Security Lab Taskflow
-  Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
+  This issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
   and manually verified by GHSL team members
   [@p- (Peter Stöckli)](https://github.com/p-) and
   [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).
@@ -74,6 +74,7 @@ description: |
 
   This report is subject to a 90-day disclosure deadline, as
   described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+cvss_v4: 7.7
 patched_versions:
   - "~> 4.10.3"
   - "~> 5.0.8"
@@ -82,6 +83,7 @@ patched_versions:
   - ">= 5.3.2"
 related:
   url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-25758
     - https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
     - https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
     - https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
@@ -92,6 +94,5 @@ related:
     - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
     - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
     - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
+    - https://advisories.gitlab.com/pkg/gem/spree_api/CVE-2026-25758
     - https://github.com/advisories/GHSA-87fh-rc96-6fr6
-notes: |
-  - CVE-2026-25758 in GHSA Advisory.

gems/spree_storefront/CVE-2026-25757.yml

@@ -0,0 +1,82 @@
+---
+gem: spree_storefront
+cve: 2026-25757
+ghsa: p6pv-q7rc-g4h9
+url: https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
+title: Unauthenticated Spree Commerce users can view completed
+  guest orders by Order ID
+date: 2026-02-05
+description: |
+  ### Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)
+
+  The `OrdersController#show` action permits viewing completed
+  guest orders by order number alone, without requiring the
+  associated order token.
+
+  Order lookup without enforcing token requirement in
+  [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):
+
+  ```ruby
+  @order = complete_order_finder.new(number: params[:id],
+    token: params[:token], store: current_store).execute.first
+  ```
+
+  Authorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8):
+
+  ```ruby
+  def authorize_access
+    return true if @order.user_id.nil?
+
+    @order.user == try_spree_current_user
+  end
+  ```
+
+  If the attacker is in possession of a leaked Order ID, they might
+  look it up directly via this API.
+  Alternatively, brute forcing all or parts of the possible Order IDs
+  might be feasible for an attacker. (The Order IDs themselves are
+  [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45),
+  but with relatively low entropy: by default an order ID has a length
+  of 9 and a base of 10, that would require an attacker to perform
+  1 billion requests to gather all guest orders. (At an assumed
+  constant rate of 100 requests per second it would take 115 days.)
+
+  #### Impact
+
+  This issue may lead to disclosure of PII of guest users
+  (including names, addresses and phone numbers).
+
+  #### CWEs
+
+  - CWE-639: Authorization Bypass Through User-Controlled Key
+
+  ### Credit
+
+  This issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
+  and manually verified by GHSL team members
+  [@p- (Peter Stöckli)](https://github.com/p-) and
+  [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).
+
+  ### Disclosure Policy
+
+  This report is subject to a 90-day disclosure deadline, as
+  described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+cvss_v4: 7.7
+patched_versions:
+  - "~> 5.0.8"
+  - "~> 5.1.10"
+  - "~> 5.2.7"
+  - ">= 5.3.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-25757
+    - https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
+    - https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
+    - https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be
+    - https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d
+    - https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
+    - https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
+    - https://advisories.gitlab.com/pkg/gem/spree_storefront/CVE-2026-25757
+    - https://github.com/advisories/GHSA-p6pv-q7rc-g4h9

gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml

@@ -74,5 +74,6 @@ related:
     - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
     - https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
     - https://github.com/advisories/GHSA-p6pv-q7rc-g4h9
+    - https://advisories.gitlab.com/pkg/gem/spree_storefront/GHSA-p6pv-q7rc-g4h9
 notes: |
   - CVE-2026-25757 in GHSA advisory.