GHSA-g239-q96q-x4qm: @vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint

## Summary

The `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows **unauthenticated arbitrary file read** during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter.

- **Severity:** High
- **Attack Vector:** Network
- **Privileges Required:** None
- **Scope:** Development mode only (`vite dev`)

---

## Impact

### Who Is Affected?

- **All developers** using `@vitejs/plugin-rsc` during development
- Projects running `vite dev` with the RSC plugin enabled

### Attack Scenarios

1. **Network-Exposed Dev Servers:** When developers run `vite --host 0.0.0.0` (common for mobile testing), attackers on the same network can read files.
2. ~**XSS-Based Attacks:**~ ~If the application has an XSS vulnerability, malicious JavaScript can fetch sensitive files and exfiltrate them.~
3. ~**Malicious Dependencies:** ~ ~A compromised npm package could incl...

GHSA-c623-f998-8hhv: SIPGO is Vulnerable to Response DoS via Nil Pointer Dereference

### Description

A nil pointer dereference vulnerability was discovered in the SIPGO library's `NewResponseFromRequest` function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header.

The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling - not just error cases.

> Note: This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the `NewResponseFromRequest` function.

### Technical details

The vulnerability is located in `/sip/response.go` at line 242 in the `NewResponseFromRequest` function:

```go
if _, ok := res.To().Params["tag"]; !ok {
	uuid, _ := uuid.NewRando...
```

GHSA-x732-6j76-qmhm: Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

## Summary

An issue in the underlying router library **rou3** can cause `/path` and `//path` to be treated as identical routes. If your environment does **not** normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of `disabledPaths` and path-based rate limits.

## Details

Better Auth uses **better-call**, which internally relies on **rou3** for routing. Affected versions of rou3 normalize paths by removing empty segments. As a result:

* `/sign-in/email`
* `//sign-in/email`
* `///sign-in/email`

…all resolve to the same route.

Some production setups *automatically* collapse multiple slashes. This includes:

* Vercel with Next.js (default)
* Cloudflare, when "Normalize URLs to origin" is enabled (https://developers.cloudflare.com/rules/normalization/settings/#normalize-urls-to-origin)

In these environments, and in other configurations where `//path` reaches Better Auth as `/path`, the issue does not apply.

## Fix

Updating rou3 to the latest version resol...

GHSA-w853-jp5j-5j7f: filelock has a TOCTOU race condition which allows symlink attacks during lock file creation

### Impact

A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with `O_TRUNC`. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing `os.open()` to follow the symlink and truncate the target file.

**Who is impacted:**

All users of filelock on Unix, Linux, macOS, and Windows systems. The vulnerability cascades to dependent libraries:

- **virtualenv users**: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths
- **PyTorch users**: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures
- **poetry/tox users**: through using virtualenv or filelock on their own.

Attack requires local filesystem access and ability to create symlinks (standard user p...

GHSA-r6h4-mm7h-8pmq: PyMdown Extensions has a ReDOS bug in its Figure Capture extension

### Impact

This issue describes a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted.

### Patches

This issue is patched in Release [10.16.1](https://pypi.org/project/pymdown-extensions/10.16.1/).

### Workarounds

Some possible workarounds

If users are concerned about this vulnerability and process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems, the use of `pymdownx.blocks.caption` could be avoided until the library is updated to 10.16.1+.

### References

The original issue https://github.com/facelessuser/pymdown-extensions/issues/2716.

### Description

The original issue came through PyMdown Extensions' normal issue tracker instead of the typical security flow: https://github.com/facelessuser/pymdown-extensions/issues/2716. Because ...

GHSA-wh6m-h6f4-rjf4: Libredesk has Improper Neutralization of HTML Tags in a Web Page

### Summary

LibreDesk is vulnerable to **stored HTML injection** in the contact notes feature. When adding notes via `POST /api/v1/contacts/{id}/notes`, the backend automatically wraps user input in `<p>` tags. However, by intercepting the request and removing the `<p>` tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks.

---

### Details

When notes are added through the LibreDesk web application, the client sends note content wrapped inside `<p>` tags. The backend appears to **trust this HTML structure** and stores the content as-is.

By intercepting the request to:

```
POST /api/v1/contacts/3/notes
```

and **removing the `<p>` wrapper**, an attacker can submit arbitrary HTML content. The backend does not sanitize or validate the HTML payload before persisting it. As a result:

* Arbitrary HTML tags (e.g., `<form>`...

GHSA-43p4-m455-4f4j: tRPC has possible prototype pollution in `experimental_nextAppDirCaller`

> Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`.

## Summary

A Prototype Pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts.

## Affected Versions

- **Package:** `@trpc/server`
- **Affected Versions:** >=10.27.0
- **Vulnerable Component:** `formDataToObject()` in `src/unstable-core-do-not-import/http/formDataToObject.ts`

## Vulnerability Details

### Root Cause

The `set()` function in `formDataToObject.ts` recursively processes FormData field names containing bracket/dot notation (e.g., `user[name]`, `user.address.city`) to create nested objects. However, it does **not** validate or sanitize dangerous keys like `__proto__`, `constructor`, or `prototype`.

#...

GHSA-jhgf-2h8h-ggxv: Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables

## Impact

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages.

## Patches

The patch escapes user controlled values that are inserted into the HTML pages.

## Workarounds

None.

## Resources

- https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv
- https://github.com/parse-community/parse-server/pull/9985
- https://github.com/parse-community/parse-server/pull/9986

GHSA-vfm5-cr22-jg3m: ABP Account Module has an Open Redirect through Improper validation in its register function

An open redirect vulnerability exists in the Account module in Volosoft ABP Framework >= 5.1.0 and < 10.0.0-rc.2. Improper validation of the returnUrl parameter in the register function allows an attacker to redirect users to arbitrary external domains.

GHSA-6gvq-jcmp-8959: ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay

### Impact

A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value. This may allow previously solved challenges to be reused beyond their intended lifetime, depending on server-side replay handling and deployment assumptions.

The vulnerability primarily impacts abuse-prevention mechanisms such as rate limiting and bot mitigation. It does not directly affect data confidentiality or integrity.

### Patches

This issue has been addressed by enforcing explicit semantic separation between challenge parameters and the nonce during HMAC computation. Users are advised to upgrade to patched versions.

### Workarounds

As a mitigation, implementations may append a delimiter to the end of the `salt` value prior to HMAC computation (for example...