Cap-go versions prior to 12.128.12 contain a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path. Authenticated users with app.read_devices permission can exploit non-advancing cursor filters to trigger infinite pagination loops. This causes duplicate-page loops that prevent traversal of later dataset rows and result in repeated processing within device-management workflows. The vulnerability is present in the cloud service environment.

Exploitation allows authenticated attackers with read access to devices to cause infinite pagination loops, which prevent access to later rows in the dataset and cause repeated processing in device-management workflows. This can disrupt normal device management operations but does not escalate privileges or cause direct data compromise according to the available data.

Since this is a cloud-hosted service, the vendor manages remediation server-side. A patch is available for the vulnerability. Users should verify with the vendor advisory that their environment is updated to a fixed version (12.128.12 or later) or that the vendor has applied the fix. No additional user action is required if the vendor has already mitigated the issue.