Tag
#js
### Summary The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. ### Details The SenderContext Seal() [implementation](https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34) allows for concurrent executions to trigger `computeNonce()` with the same sequence number. This results in the same nonce being used in the suite's AEAD. ### PoC This code reproduces the issue (and also checks for more things that could be wrong with the implementation). ```js import { CipherSuite, KdfId, AeadId, KemId } from "hpke-js"; const suite = new CipherSuite({ kem: KemId.DhkemP256HkdfSha256, kdf: KdfId.HkdfSha256, aead: AeadId.Aes128Gcm, }); const keypair = await suite.kem.generateKeyPair(); const skR = keypair.privateKey; const pkR = keypair.publicKey; ...
Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that's targeting Windows users. Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today. There are currently no details on how the botnet malware is propagated;
This week has been crazy in the world of hacking and online security. From Thailand to London to the US, we've seen arrests, spies at work, and big power moves online. Hackers are getting caught. Spies are getting better at their jobs. Even simple things like browser add-ons and smart home gadgets are being used to attack people. Every day, there's a new story that shows how quickly things are
Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef. The end goal of the attacks is to establish persistence and deliver JavaScript malware that facilitates remote access and control, per a new report from Acronis Threat Research Unit (TRU). The campaign, per the
### Summary The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the `?module` query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using `${...}` expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. **Root Cause:** The CSS module conversion logic (`router.go:1112-1119`) performs incomplete sanitization - it only checks for backticks (\`) but fails to escape template literal expressions (`${...}`), allowing arbitrary JavaScript execution when the CSS content is inserted into a template literal string. ### Details **File:** `server/router.go` **Lines:** 1112-1119 ...
### Summary The esm.sh CDN service is vulnerable to a Path Traversal (CWE-22) vulnerability during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., `package/../../tmp/evil.js`). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. Uploading files containing `../` in the path is not allowed on official registries (npm, GitHub), but the `X-Npmrc` header allows specifying any arbitrary registry. By setting the registry to an attacker-controlled server via the `X-Npmrc` header, this vulnerability can be triggered. ### Details **file:** `server/npmrc.go` **line:** 552-567 ```go func extractPackageTarball(installDir string, pkgName string, tarball io.Reader) (err error) { pkgDir := path.Join(installDir, "node_modules", pkgName) tr := tar.NewReader(unziped) for { h, err := tr.Next...
## Summary When using Astro's Cloudflare adapter (@astrojs/cloudflare) with `output: 'server'`, the image optimization endpoint (`/_image`) contains a critical vulnerability in the `isRemoteAllowed()` function that unconditionally allows `data:` protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. ## Details On-demand rendered sites built with Astro include an `/_image` endpoint for image optimization. While this endpoint is designed to restrict processing to local images and authorized remote domains (configured via `image.domains` or `image.remotePatterns`), a critical vulnerability exists in the underlying validation logic. The `isRemoteAllowed()` function in [packages/internal-helpers/src/remote.ts](https://github.com/withastro/astro/blob/b8ca69b97149becefaf89bf21853de9c905cdbb7/packages/internal-helpers/src/remote.ts) (lines 128-131) unconditionally allows ALL `data...
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies `decodeURI()` to determine which route to render, while the middleware uses `context.url.pathname` without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes (e.g., /admin) using encoded path variants that pass routing but bypass validation checks. https://github.com/withastro/astro/blob/ebc4b1cde82c76076d5d673b5b70f94be2c066f3/packages/astro/src/vite-plugin-astro-server/request.ts#L40-L44 ```js /** The main logic to route dev server requests to pages in Astro. */ export async function handleRequest({ pipeline, routesList, controller, incomingRequest, incomingResponse, }: HandleRequest) { const { config, loader } = pipeline; const origin = `${loader.isHttps() ? 'https' : 'http'}://${ incomingRequest.headers[':a...
## Summary After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted application, **regardless of what was intended by the component template(s)**. ## Details Server islands run in their own isolated context outside of the page request and use the following pattern path to hydrate the page: `/_server-islands/[name]`. These paths can be called via GET or POST and use three parameters: - `e`: component to export - `p`: the transmitted properties, encrypted - `s`: for the slots Slots are placeholders for external HTML content, and therefore allow, by default, the injection of code if the component template supports it, nothing exceptional in principle, just a feature. This is where it becomes problematic: it is possible, independently of the component template used, even if it is completely empty, to inject a slot containing an XSS payload, whose parent is a tag whose name is is the absolute path of the island ...
### Summary A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. ### Details - **Title**: Arbitrary Local File Read in Astro Development Image Endpoint - **Type**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - **Component**: `/packages/astro/src/assets/endpoint/node.ts` - **Affected Versions**: Astro v5.x development builds (confirmed v5.13.3) - **Attack Vector**: Network (HTTP GET request) - **Authentication Required**: None The vulnerability exists in the Node.js image endpoint handler used during development mode. The endpoint accepts an `href` parameter that specifies the path to an image file. In development mode, this parameter is processed without adequate path val...