Add GHSA and OSV reference type support

docs/metasploit-framework.wiki/Module-Reference-Identifiers.md

@@ -18,6 +18,7 @@ US-CERT-VU | kb.cert.org | ```['US-CERT-VU', '800113']```
 ZDI | zerodayinitiative.com | ```['ZDI', '10-123']```
 WPVDB | wpvulndb.com | ```['WPVDB', '7615']```
 PACKETSTORM | packetstormsecurity.com | ```['PACKETSTORM', '132721']```
+GHSA | github.com/advisories or github.com/owner/repo/security/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']``` or ```['GHSA', 'xxxx-xxxx-xxxx', 'owner/repo']```
 URL | anything | ```['URL', 'http://example.com/blog.php?id=123']```
 AKA (_deprecated_*) | anything | ~~`['AKA', 'shellshock']`~~
 

lib/msf/core/module/module_info.rb

@@ -4,7 +4,10 @@ module Msf::Module::ModuleInfo
   #
 
   # The list of options that don't support merging in an information hash.
-  UpdateableOptions = [ "Name", "Description", "Alias", "PayloadCompat" , "Stance"]
+  UpdateableOptions = ['Name', 'Description', 'Alias', 'PayloadCompat', 'Stance'].freeze
+
+  # Reference types that can have 2 or 3 elements (e.g., GHSA with optional repo)
+  ReferencesWithOptionalThirdElement = ['GHSA'].freeze
 
   #
   # Instance Methods
@@ -64,60 +67,45 @@ def notes
   # Register options with a specific owning class.
   #
   def info_fixups
-    # Each reference should be an array consisting of two elements
+    # Each reference should be an array consisting of two or three elements
     refs = module_info['References']
-    if(refs and not refs.empty?)
-      refs.each_index do |i|
-        if !(refs[i].respond_to?('[]') and refs[i].length == 2)
-          refs[i] = nil
-        end
-      end
+    return unless refs&.any?
+
+    refs.reject! do |ref|
+      next true unless ref.respond_to?('[]') && !ref.empty?
 
-      # Purge invalid references
-      refs.delete(nil)
+      # Some reference types can have 2 or 3 elements (e.g., GHSA with optional repo)
+      # Other references should have 2 elements
+      ref_type = ref[0]
+      can_have_third_element = ReferencesWithOptionalThirdElement.include?(ref_type)
+      valid_length = can_have_third_element ? (ref.length == 2 || ref.length == 3) : (ref.length == 2)
+
+      !valid_length
     end
   end
 
   #
   # Checks and merges the supplied key/value pair in the supplied hash.
   #
   def merge_check_key(info, name, val)
-    if (self.respond_to?("merge_info_#{name.downcase}", true))
-      self.send("merge_info_#{name.downcase}", info, val)
-    else
-      # If the info hash already has an entry for this name
-      if (info[name])
-        # If it's not an array, convert it to an array and merge the
-        # two
-        if (info[name].kind_of?(Hash))
-          raise TypeError, 'can only merge a hash into a hash' unless val.kind_of?(Hash)
-          val.each_pair do |val_key, val_val|
-            merge_check_key(info[name], val_key, val_val)
-          end
-
-          return
-        elsif (info[name].kind_of?(Array) == false)
-          curr       = info[name]
-          info[name] = [ curr ]
-        end
+    merge_method = "merge_info_#{name.downcase}"
+    return __send__(merge_method, info, val) if respond_to?(merge_method, true)
 
-        # If the value being merged is an array, add each one
-        if (val.kind_of?(Array) == true)
-          val.each { |v|
-            if (info[name].include?(v) == false)
-              info[name] << v
-            end
-          }
-        # Otherwise just add the value
-        elsif (info[name].include?(val) == false)
-          info[name] << val
-        end
-      # Otherwise, just set the value equal if no current value
-      # exists
-      else
-        info[name] = val
-      end
+    return info[name] = val unless info[name]
+
+    # Handle hash merging recursively
+    if info[name].is_a?(Hash)
+      raise TypeError, 'can only merge a hash into a hash' unless val.is_a?(Hash)
+      val.each_pair { |val_key, val_val| merge_check_key(info[name], val_key, val_val) }
+      return
     end
+
+    # Convert to array if needed
+    info[name] = Array(info[name]) unless info[name].is_a?(Array)
+
+    # Merge values, avoiding duplicates
+    values_to_add = val.is_a?(Array) ? val : [val]
+    values_to_add.each { |v| info[name] << v unless info[name].include?(v) }
   end
 
   #

lib/msf/core/module/reference.rb

@@ -77,11 +77,14 @@ def self.from_s(str)
   #
   # Initializes a site reference from an array.  ary[0] is the site and
   # ary[1] is the site context identifier, such as CVE.
+  # ary[2] is optional and can be used for additional context (e.g., repo for GHSA)
   #
   def self.from_a(ary)
     return nil if (ary.length < 2)
+    # Reject if first element is an array (nested array structure)
+    return nil if ary[0].kind_of?(Array)
 
-    self.new(ary[0], ary[1])
+    self.new(ary[0], ary[1], ary[2])
   end
 
   #
@@ -90,9 +93,14 @@ def self.from_a(ary)
   # * tools/module_reference.rb
   # * https://docs.metasploit.com/docs/development/developing-modules/module-metadata/module-reference-identifiers.html
   #
-  def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
+  def initialize(in_ctx_id = 'Unknown', in_ctx_val = '', in_ctx_repo = nil)
+    # Ensure ctx_id and ctx_val are strings (handle constants like ATT&CK techniques)
+    in_ctx_id = in_ctx_id.to_s if in_ctx_id.respond_to?(:to_s) && !in_ctx_id.is_a?(String)
+    in_ctx_val = in_ctx_val.to_s if in_ctx_val.respond_to?(:to_s) && !in_ctx_val.is_a?(String)
+
     self.ctx_id  = in_ctx_id
     self.ctx_val = in_ctx_val
+    self.ctx_repo = in_ctx_repo
 
     if in_ctx_id == 'CVE'
       self.site = "https://nvd.nist.gov/vuln/detail/CVE-#{in_ctx_val}"
@@ -114,6 +122,17 @@ def initialize(in_ctx_id = 'Unknown', in_ctx_val = '')
       self.site = "https://wpscan.com/vulnerability/#{in_ctx_val}"
     elsif in_ctx_id == 'PACKETSTORM'
       self.site = "https://packetstormsecurity.com/files/#{in_ctx_val}"
+    elsif in_ctx_id == 'GHSA'
+      # Handle both formats: with or without GHSA- prefix
+      ghsa_id = in_ctx_val.start_with?('GHSA-') ? in_ctx_val : "GHSA-#{in_ctx_val}"
+      # Use repo-specific URL if repo is provided, otherwise use global format
+      if in_ctx_repo && !in_ctx_repo.empty?
+        self.site = "https://github.com/#{in_ctx_repo}/security/advisories/#{ghsa_id}"
+      else
+        self.site = "https://github.com/advisories/#{ghsa_id}"
+      end
+    elsif in_ctx_id == 'OSV'
+      self.site = "https://osv.dev/vulnerability/#{in_ctx_val}"
     elsif in_ctx_id == 'URL'
       self.site = in_ctx_val.to_s
     elsif in_ctx_id == 'LOGO'
@@ -165,9 +184,13 @@ def from_s(str)
   # The context value of the reference, such as MS02-039
   #
   attr_reader :ctx_val
+  #
+  # The context repository for GHSA references (optional)
+  #
+  attr_reader :ctx_repo
 
 protected
 
-  attr_writer :site, :ctx_id, :ctx_val
+  attr_writer :site, :ctx_id, :ctx_val, :ctx_repo
 
 end

modules/auxiliary/admin/http/pihole_domains_api_exec.rb

@@ -26,7 +26,7 @@ def initialize(info = {})
           'SchneiderSec' # original PoC, discovery
         ],
         'References' => [
-          ['URL', 'https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-5cm9-6p3m-v259'],
+          ['GHSA', '5cm9-6p3m-v259', 'pi-hole/AdminLTE'],
           ['CVE', '2021-32706']
         ],
         'Targets' => [

modules/auxiliary/gather/jetty_web_inf_disclosure.rb

@@ -31,8 +31,8 @@ def initialize(info = {})
           [ 'EDB', '50438' ],
           [ 'EDB', '50478' ],
           [ 'URL', 'https://github.com/ColdFusionX/CVE-2021-34429' ],
-          [ 'URL', 'https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm' ], # CVE-2021-34429
-          [ 'URL', 'https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5' ], # CVE-2021-28164
+          [ 'GHSA', 'vjv5-gp2w-65vm', 'jetty/jetty.project' ], # CVE-2021-34429
+          [ 'GHSA', 'v7ff-8wcx-gmc5', 'jetty/jetty.project' ], # CVE-2021-28164
           [ 'CVE', '2021-34429' ],
           [ 'CVE', '2021-28164' ]
         ],

modules/auxiliary/gather/listmonk_env_disclosure.rb

@@ -21,7 +21,7 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'References' => [
           ['CVE', '2025-49136'],
-          ['URL', 'https://github.com/knadh/listmonk/security/advisories/GHSA-jc7g-x28f-3v3h']
+          ['GHSA', 'jc7g-x28f-3v3h', 'knadh/listmonk']
         ],
         'DisclosureDate' => '2025-06-08',
         'Notes' => {

modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb

@@ -24,7 +24,7 @@ def initialize(info = {})
           'RicterZ' # original PoC, analysis
         ],
         'References' => [
-          [ 'URL', 'https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q'],
+          ['GHSA', '6xvq-wj2x-3h3q', 'minio/minio'],
           [ 'CVE', '2023-28432']
         ],
         'Targets' => [

modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb

@@ -33,7 +33,7 @@ def initialize(info = {})
           'h00die', # msf module
         ],
         'References' => [
-          [ 'URL', 'https://github.com/advisories/GHSA-xqvf-v5jg-pxc2'],
+          [ 'GHSA', 'xqvf-v5jg-pxc2' ],
           [ 'URL', 'https://www.mongodb.com/docs/ops-manager/current/reference/configuration/#mongodb-setting-mms.https.PEMKeyFilePassword'],
           [ 'CVE', '2023-0342']
         ],

modules/auxiliary/gather/onedev_arbitrary_file_read.rb

@@ -27,7 +27,7 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'References' => [
           ['CVE', '2024-45309'],
-          ['URL', 'https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489']
+          ['GHSA', '7wg5-6864-v489', 'theonedev/onedev']
         ],
         'DisclosureDate' => '2024-10-19',
         'Notes' => {

modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb

@@ -27,7 +27,7 @@ def initialize(info = {})
           'Marco Stuurman' # discovery
         ],
         'References' => [
-          [ 'URL', 'https://github.com/advisories/GHSA-g7j7-h4q8-8w2f'],
+          [ 'GHSA', 'g7j7-h4q8-8w2f' ],
           [ 'URL', 'https://github.com/fe-ax/tf-cve-2021-36782'],
           [ 'URL', 'https://fe.ax/cve-2021-36782/'],
           [ 'CVE', '2021-36782']

modules/auxiliary/scanner/http/grafana_plugin_traversal.rb

@@ -29,7 +29,7 @@ def initialize(info = {})
         'DisclosureDate' => '2021-12-02',
         'References' => [
           ['CVE', '2021-43798'],
-          ['URL', 'https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p'],
+          ['GHSA', '8pjx-jj86-j47p', 'grafana/grafana'],
           ['URL', 'https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/'],
           ['EDB', '50581'],
           ['URL', 'https://github.com/jas502n/Grafana-CVE-2021-43798'],

modules/auxiliary/scanner/http/icinga_static_library_file_directory_traversal.rb

@@ -38,7 +38,7 @@ def initialize(info = {})
         'References' => [
           ['EDB', '51329'],
           ['URL', 'https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/'],
-          ['URL', 'https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw'],
+          ['GHSA', '5p3f-rh28-8frw', 'Icinga/icingaweb2'],
           ['URL', 'https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d'],
           ['CVE', '2022-24716'],
         ],

modules/auxiliary/scanner/misc/cups_browsed_info_disclosure.rb

@@ -21,7 +21,7 @@ def initialize
       'License' => MSF_LICENSE,
       'References' => [
         ['CVE', '2024-47176'],
-        ['URL', 'https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8' ],
+        ['GHSA', 'rj88-6mr5-rcw8', 'OpenPrinting/cups-browsed'],
         ['URL', 'https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/' ],
       ],
       'DefaultOptions' => { 'RPORT' => 631 },

modules/exploits/linux/http/bentoml_rce_cve_2025_27520.rb

@@ -25,7 +25,7 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'References' => [
           ['CVE', '2025-27520'],
-          ['URL', 'https://github.com/advisories/GHSA-33xw-247w-6hmc'],
+          ['GHSA', '33xw-247w-6hmc', 'bentoml/BentoML']
         ],
         'Targets' => [
           [

modules/exploits/linux/http/bentoml_runner_server_rce_cve_2025_32375.rb

@@ -26,7 +26,7 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'References' => [
           ['CVE', '2025-32375'],
-          ['URL', 'https://github.com/advisories/GHSA-7v4r-c989-xh26'],
+          ['GHSA', '7v4r-c989-xh26', 'bentoml/BentoML']
         ],
         'Targets' => [
           [

modules/exploits/linux/http/cacti_unauthenticated_cmd_injection.rb

@@ -52,7 +52,7 @@ def initialize(info = {})
         ],
         'References' => [
           ['CVE', '2022-46169'],
-          ['URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf'], # disclosure and technical details
+          ['GHSA', '6p93-p743-35gf', 'Cacti/cacti'], # disclosure and technical details
           ['URL', 'https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169'], # vulhub vulnerable docker image and PoC
           ['URL', 'https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution'] # analysis by Stefan Schiller
         ],

modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb

@@ -43,7 +43,7 @@ def initialize(info = {})
           [ 'CVE', '2023-41892' ],
           [ 'URL', 'https://blog.calif.io/p/craftcms-rce' ],
           [ 'URL', 'https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/' ],
-          [ 'URL', 'https://github.com/advisories/GHSA-4w8r-3xrw-v25g' ],
+          [ 'GHSA', '4w8r-3xrw-v25g' ],
           [ 'URL', 'https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892' ],
         ],
         'License' => MSF_LICENSE,

modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb

@@ -28,7 +28,7 @@ def initialize(info = {})
           'Takahiro Yokoyama'      # Metasploit module
         ],
         'References' => [
-          [ 'URL', 'https://github.com/advisories/GHSA-x645-6pf9-xwxw'],
+          [ 'GHSA', 'x645-6pf9-xwxw' ],
           [ 'CVE', '2024-51092']
         ],
         'Platform' => %w[linux],

modules/exploits/linux/http/lucee_admin_imgprocess_file_write.rb

@@ -29,7 +29,7 @@ def initialize(info = {})
         'References' => [
           ['CVE', '2021-21307'],
           ['URL', 'https://dev.lucee.org/t/lucee-vulnerability-alert-november-2020-cve-2021-21307/7643'],
-          ['URL', 'https://github.com/lucee/Lucee/security/advisories/GHSA-2xvv-723c-8p7r'],
+          ['GHSA', '2xvv-723c-8p7r', 'lucee/lucee'],
           ['URL', 'https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md']
         ],
         'DisclosureDate' => '2021-01-15', # rootxharsh and iamnoooob's writeup

modules/exploits/linux/http/opentsdb_key_cmd_injection.rb

@@ -40,7 +40,7 @@ def initialize(info = {})
           'Erik Wynter' # @wyntererik - Metasploit
         ],
         'References' => [
-          ['URL', 'https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw'], # security advisory
+          ['GHSA', '76f7-9v52-v2fw', 'OpenTSDB/opentsdb'], # security advisory
           ['CVE', '2023-36812'], # CVE linked in the official security advisory
           ['CVE', '2023-25826'] # CVE that seems to be a dupe of CVE-2023-36812 since it describes the same issue and references the PR that introduces the commits that are referenced in CVE-2023-36812
         ],

modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb

@@ -42,7 +42,7 @@ def initialize(info = {})
         'References' => [
           ['CVE', '2025-4653'],
           ['URL', 'https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/'],
-          ['URL', 'https://github.com/h00die-gr3y/h00die-gr3y/security/advisories/GHSA-m4f8-9c8x-8f3f'],
+          ['GHSA', 'm4f8-9c8x-8f3f', 'h00die-gr3y/h00die-gr3y'],
           ['URL', 'https://attackerkb.com/topics/wgCb1QQm1t/cve-2025-4653']
         ],
         'License' => MSF_LICENSE,

modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb

@@ -40,7 +40,7 @@ def initialize(info = {})
           [ 'CVE', '2024-39205' ],
           [ 'CVE', '2024-28397' ],
           [ 'URL', 'https://github.com/Marven11/CVE-2024-39205-Pyload-RCE' ],
-          [ 'URL', 'https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g' ],
+          [ 'GHSA', 'w7hq-f2pj-c53g', 'pyload/pyload' ],
           [ 'URL', 'https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape' ],
         ],
         'DisclosureDate' => '2024-10-28',

modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb

@@ -37,7 +37,7 @@ def initialize(info = {})
         'References' => [
           ['CVE', '2024-24578'],
           ['URL', 'https://attackerkb.com/topics/ywHhBnSObR/cve-2024-24578'],
-          ['URL', 'https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-q967-q4j8-637h']
+          ['GHSA', 'q967-q4j8-637h', 'jens-maus/RaspberryMatic']
         ],
         'DisclosureDate' => '2024-03-16',
         'Platform' => ['unix', 'linux'],

modules/exploits/linux/http/roxy_wi_exec.rb

@@ -28,7 +28,7 @@ def initialize(info = {})
         ],
         'References' => [
           ['URL', 'https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/'], # Advisory
-          ['URL', 'https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532'], # Additional Information
+          ['GHSA', '53r2-mq99-f532', 'roxy-wi/roxy-wi'], # Additional Information
           ['URL', 'https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755'], # Patch
           ['CVE', '2022-31137']
         ],

modules/exploits/linux/http/traccar_rce_upload.rb

@@ -22,8 +22,8 @@ def initialize(info = {})
           'Naveen Sunkavally' # Discovery CVE-2024-31214 and PoC
         ],
         'References' => [
-          [ 'URL', 'https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5'],
-          [ 'URL', 'https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9'],
+          ['GHSA', 'vhrw-72f6-gwp5', 'traccar/traccar'],
+          ['GHSA', '3gxq-f2qj-c8v9', 'traccar/traccar'],
           [ 'URL', 'https://www.horizon3.ai/attack-research/disclosures/traccar-5-remote-code-execution-vulnerabilities/'],
           [ 'CVE', '2024-31214'],
           [ 'CVE', '2024-24809']

modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb

@@ -30,7 +30,7 @@ def initialize(info = {})
         ],
         'References' => [
           ['CVE', '2025-24016'],
-          ['URL', 'https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh'],
+          ['GHSA', 'hcrc-79hj-m3qh', 'wazuh/wazuh'],
           ['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016'],
           ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES]
         ],

modules/exploits/linux/local/ndsudo_cve_2024_32019.rb

@@ -32,7 +32,7 @@ def initialize(info = {})
         'Targets' => [[ 'Auto', {} ]],
         'Privileged' => true,
         'References' => [
-          [ 'URL', 'https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93'],
+          [ 'GHSA', 'pmhq-4cxq-wj93', 'netdata/netdata' ],
           [ 'CVE', '2024-32019']
         ],
         'DisclosureDate' => '2024-04-12',