| Titolo | 666ghj BettaFish v1.2.1, commit 53f60e8f4aa038a59ab5e02525634c92d6c849b5 CWE-187 Partial Comparison |
|---|
| Descrizione | A vulnerability was found in 666ghj BettaFish v1.2.1 and classified as medium severity.
Affected is the InsightEngine search-result deduplication component. The fallback
identifier for URL-less results compares only the first 100 characters of
title_or_content. This partial comparison can cause two distinct documents or comments
to be treated as duplicates when they share the same first 100 characters but differ
later in the full content.
It is possible to launch the attack remotely when an attacker can publish or otherwise
influence content that is later ingested into the local media/comment database.
Authentication required: no for public-source content injection into supported platforms.
User interaction required: yes, an operator must run an InsightEngine search/report over
the affected topic.
Technical Details
- Affected file/function: InsightEngine/agent.py / DeepSearchAgent._deduplicate_results
- Vulnerable parameter: title_or_content
- Attack vector: Network
- Privileges required: None
- Trigger condition: two URL-less QueryResult objects have identical title_or_content[:100]
but different full title_or_content values.
Impact
- Confidentiality: None
- Integrity: Low
- Availability: None
The result that appears later is silently dropped before downstream sentiment analysis,
search history storage, LLM summarization prompts, and final report generation. This can
produce incomplete or misleading public-opinion, incident, or security-event reports.
For example, mitigation guidance placed after character 100 can be removed if an
attacker-controlled URL-less comment with the same prefix is processed first.
CVSS v3.1
Score: 4.3 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Timeline
- Discovered: 2026-06-03
- Vendor notified: 2026-06-03
- Patch released: [unknown]
- Public disclosure: 2026-06-03
Countermeasure
Use a deduplication key that includes sufficient stable identity information for
URL-less results, such as full normalized content and relevant metadata like platform,
source table, author, and timestamp. Avoid deduplicating distinct records by a truncated
content prefix alone. |
|---|
| Fonte | ⚠️ https://github.com/666ghj/BettaFish/issues/688 |
|---|
| Utente | Dem000000 (UID 98564) |
|---|
| Sottomissione | 03/06/2026 09:39 (1 mese fa) |
|---|
| Moderazione | 04/07/2026 06:42 (1 month later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 376283 [666ghj BettaFish fino a 1.2.1 InsightEngine search-result Deduplication InsightEngine/agent.py _deduplicate_results] |
|---|
| Punti | 20 |
|---|