#java

From @jackfromeast and @superboy-zjc: We have identified a class pollution vulnerability in Mesop (<= [0.14.0](https://github.com/mesop-dev/mesop/releases/tag/v0.14.0)) application that allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application's implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs). Just like the Javascript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequnces like RCE when gadgets are available.

## Impact Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the `vega-interpreter`. ## Workarounds - Use `vega` with [expression interpreter](https://vega.github.io/vega/usage/interpreter/) - Upgrade to a [newer Vega version](https://github.com/vega/vega/releases/tag/v5.32.0) (`5.32.0`) ### POC Summary Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function. ### POC Details Consider the function call `replace('foo', {__proto__: /h/.constructor.prototype, global: false})`. Since `pattern` has `RegExp.prototype[@@replace]`, `pattern.exec('foo')` winds up being called. The resulting malicious call looks like this: ``` replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false}) ``` Since functions cannot be returned from this, an attacker that wishes to escalate to XSS mu...

### Impact In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. ### Patches Patched in `vega` `5.31.0` / `vega-functions` `5.16.0` ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ - Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. - Using the interpreter [described in CSP safe mode](https://vega.github.io/vega/usage/interpreter/) (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability. ### References - Reported to Vega-Lite by @kprevas Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 & https://github.com/vega/vega/issues/3984 Reproduction of the error in Vega by @mattijn ``` { "$schema": "https://vega.github.io/schema/vega/v5.json", "signals": [ { "name...

An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date. "The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor's browser," c/side security analyst Himanshu

Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes.

### Impact This impact users of Shescape on Windows that explicitly configure `shell: 'cmd.exe'` or `shell: true` using any of `quote`/`quoteAll`/`escape`/`escapeAll`. An attacker may be able to get read-only access to environment variables. Example: ```javascript import * as cp from "node:child_process"; import { Shescape } from "shescape"; // 1. Prerequisites const shescape = new Shescape({ shell: "cmd.exe", // Or shell: true, // Only if the default shell is CMD }); // 2. Payload const payload = '"%PATH%'; // 3. Usage let escapedPayload; escapedPayload = shescape.quote(payload); // Or escapedPayload = shescape.quoteAll([payload]); // Or escapedPayload = shescape.escape(payload); // Or escapedPayload = shescape.escapeAll([payload]); // And (example) const result = cp.execSync(`echo Hello ${escapedPayload}`, options); // 4. Impact console.log(result.toString()); // Outputs "Hello" followed by the contents of the PATH environment variable ``` For Shescape prior to ...

### Impact A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack. ### Patches [2.2.9.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.2.9.Final) [2.6.2.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.6.2.Final) ### Workarounds Currently, no mitigation is currently available for this vulnerability. ### References https://nvd.nist.gov/vuln/detail/CVE-2024-12369 https://access.redhat.com/security/cve/CVE-2024-12369 https://bugzilla.redhat.com/show_bug.cgi?id=2331178 https://issues.redhat.com/browse/ELY-2887

### Description The go-httpbin framework is vulnerable to XSS as the user can control the `Response Content-Type` from GET parameter. This allows attacker to execute cross site scripts in victims browser. ### Affected URLs: - `/response-headers?Content-Type=text/html&xss=%3Cimg/src/onerror=alert(%27xss%27)%3E` - `/base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html` - `/base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html` ### Steps to reproduce: 1. Visit one of the above mentioned URLs. 2. XSS window will popup ### Suggested fix - Allow Only Safe Content-Type Values Or give users option to define whitelisted Content-Type headers ### Criticality The following can be major impacts of the issue: * Access to victim's sensitive Personal Identifiable Information. * Access to CSRF token * Cookie injection * Phishing * And any other thing Javascript can perform

## Summary The AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. The AWS CDK CLI [2] is a command line tool for interacting with CDK applications. Customers can use the CDK CLI to create, manage, and deploy their AWS CDK projects. An issue exists in the AWS CDK CLI where, under certain conditions, AWS credentials may be returned in the console output. Plugins that return an `expiration `property in the credentials object are affected by this issue. Plugins that omit the `expiration` property are not affected. ## Impact When customers run AWS CDK CLI commands with credential plugins and configure those plugins to return temporary credentials by including an `expiration` property, the AWS credentials retrieved by the plugin may be returned in the console output. Any user with access where the CDK CLI was ran would have access to this output. The followi...

mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts in the context of the victim's browser, potentially compromising user sessions, stealing session cookies, redirecting users to malicious websites, or manipulating the DOM.