Overview · Basekick-Labs/arc · GitHub

Security

No security policy detected

This project has not set up a SECURITY.md file yet.

Report a vulnerability

Arc Enterprise cluster FSM applyRegisterFile accepts arbitrary file paths without validation, enabling cluster-wide path-traversal worm primitive
GHSA-f85q-mvg8-qf37 published May 31, 2026 by xe-nvdk

Critical
Arc Enterprise cluster replication accepts unauthenticated MsgReplicateSync messages, enabling cluster-wide data injection from any TLS-trusted peer
GHSA-wfgr-8x84-22q7 published May 31, 2026 by xe-nvdk

High
Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS
GHSA-j93g-rp6m-j32m published May 31, 2026 by xe-nvdk

Moderate
Authenticated arbitrary local-file read via DuckDB I/O functions bypasses RBAC table-level checks
GHSA-p2j4-c4g6-rpf5 published May 31, 2026 by xe-nvdk

High

Learn more about advisories related to Basekick-Labs/arc in the GitHub Advisory Database