GHSA-8qq5-rm4j-mr97: node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

GHSA-232v-j27c-5pp6: REC in MCPJam inspector due to HTTP Endpoint exposes

GHSA-53wg-r69p-v3r7: GraphQL Modules has a Race Condition issue

GHSA-38cw-85xc-xr9x: Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM

GHSA-cc8m-98fm-rc9g: Skipper is vulnerable to arbitrary code execution through lua filters

### Impact
Importing a malicious `.mrpack` file can cause path traversal while downloading files.
This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.

### Patches
No patches yet.

### Workarounds
Avoid importing `.mrpack` files from untrusted sources.

### References
https://docs.modrinth.com/docs/modpacks/format_definition/#files


**mrpack-install vulnerable to path traversal with dependency**

High severity GitHub Reviewed Published Feb 2, 2023 in nothub/mrpack-install • Updated Feb 8, 2023

Headline

GHSA-r887-gfxh-m9rr: mrpack-install vulnerable to path traversal with dependency

Impact

Patches

Workarounds

References

ghsa: Latest News