#js

### Impact When importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaking primarily by users who have themselves exported the form from one environment to another, and would require direct manipulation of the JSON export, this is marked as moderate. This vulnerability will not occur unless someone deliberately tampers with the export. ### Patches This has been fixed in Formie 2.1.44. Users should ensure they are running at least this version.

### Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. ### Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) - running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun) ### Details [HTTP 1.1 spec (RFC 9112) does not allow `#` in `request-target`](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2). Although an attacker can send such a request. For those requests with an invalid `request-line` (it includes `request-target`), the spec [recommends to reject them with 400 or 301](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2-4). The same can be said for HTTP 2 ([ref1](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-2.4.1), [ref2](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-3), [ref3](https...

A vulnerability was found where an attacker can crash the database via crafting a HTTP query that returns a null byte. The problem relies on an uncaught exception in the `net` module, where the result of the query will be converted to JSON before showing as the HTTP response to the user in the **/sql** endpoint. ### Impact This vulnerability allows any authenticated user to crash a SurrealDB instance by sending a crafted query with a null byte to the /sql endpoint. Where SurrealDB is used as an application backend, it is possible that an application user can crash the SurrealDB instance and thus the supported application through crafted inputs that exploit this attack vector. ### Patches A patch has been introduced that ensures the error is caught and converted as an error. - Versions 2.2.2, 2.1.5 and 2.0.5 and later are not affected by this isssue ### Workarounds Affected users who are unable to update may want to limit the ability of untrusted clients to run arbitrary queries ...

ReversingLabs reveals a malicious npm package targeting Atomic and Exodus wallets, silently hijacking crypto transfers via software patching.

A Helm contributor discovered that a specially crafted JSON Schema within a chart can lead to a stack overflow. ### Impact A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. ### Patches This issue has been resolved in Helm v3.17.3. ### Workarounds Ensure that the JSON Schema within any charts loaded by Helm does not have a large number of nested references. These JSON Schema files are larger than 10 MiB. ### For more information Helm's security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document. ### Credits Disclosed by Jakub Ciolek at AlphaSense.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIDIS Prime Vulnerabilities: Race Condition Enabling Link Following, Improper Validation of Integrity Check Value, Unchecked Input for Loop Condition, Expected Behavior Violation, Incorrect Provision of Specified Functionality, Heap-based Buffer Overflow, Cleartext Transmission of Sensitive Information, Use After Free, NULL Pointer Dereference, Exposure of Sensitive Information to an Unauthorized Actor, Out-of-bounds Write, Improper Input Validation, Uncontrolled Resource Consumption 2. RISK EVALUATION Successful exploitation of these vulnerabilities coul...

### Summary Xgrammar includes a cache for compiled grammars to increase performance with repeated use of the same grammar. This cache is held in memory. Since the cache is unbounded, a system making use of xgrammar can be abused to fill up a host's memory and case a denial of service. For example, sending many small requests to an LLM inference server with unique JSON schemas would eventually cause this denial of service to occur. ### Details The fix is to add a limit to the cache size. This was done in https://github.com/mlc-ai/xgrammar/pull/243 An example of making use of the new cache size limit can be found in vLLM here: https://github.com/vllm-project/vllm/pull/16283 ### Impact Any system making use of Xgrammar and taking requests as input from potentially untrusted parties would be vulnerable to this denial of service issue.

### Summary In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. ### Patches This issue is patched in 2.16.1 and 3.0.0-alpha.5. ### PoC https://gist.github.com/linhnph05/03d677b183636af206ff781bdd19701a ### Impact 1. Redirect user to another phishing site 2. Make request to another endpoint of the application based on user's cookie 3. Steal user's cookie

### Summary There was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. ### PoC - First, create a file named **model.py** to create a simple model and save it ``` import bentoml import numpy as np class mymodel: def predict(self, info): return np.abs(info) def __call__(self, info): return self.predict(info) model = mymodel() bentoml.picklable_model.save_model("mymodel", model) ``` - Then run the following command to save this model ``` python3 model.py ``` - Next, create **bentofile.yaml** to build this model ``` service: "service.py" description: "A model serving service with BentoML" python: packages: - bentoml - numpy models: - tag: MyModel:latest include: - "*.py" ``` - Then, create **service.p...

### Impact When generating an ESTree from a value with a property named `__proto__`, `valueToEstree` would generate an object that specifies a prototype instead. Example: ```js import { generate } from 'astring' import { valueToEstree } from 'estree-util-value-to-estree' const estree = valueToEstree({ ['__proto__']: {} }) const code = generate(estree) console.log(code) ``` Output: ```js { "__proto__": {} } ``` ### Patches This was fixed in version [3.3.3](https://github.com/remcohaszing/estree-util-value-to-estree/releases/tag/v3.3.3). ### Workarounds If you control the input, don’t specify a property named `__proto__`. If you don’t control the output, strip any properties named `__proto__` before passing it to `valueToEstree`.