#js

### Impact html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. Example attack vector: ```js import html2pdf from 'html2pdf.js/src/index.js'; const maliciousHTML = '<img src=x onerror="alert(document.cookie)">'; html2pdf(maliciousHTML); // or html2pdf().from(maliciousHTML); ``` ### Patches This vulnerability has been fixed in html2pdf.js@0.14.0 to sanitize text sources using DOMPurify. There are no other breaking changes in this version. ### Workarounds Users of earlier versions of html2pdf.js must safely sanitize any text before using it as a source in html2pdf.js. ### References - Initial report: https://github.com/eKoopmans/html2pdf.js/issues/865 - Fix: https://github.com/eKoopmans/html2pdf.js/pull/877, [v0....

### Description A critical sandbox escape vulnerability exists in **enclave-vm v2.3.0** that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the **host Node.js runtime**. When a tool invocation fails, enclave-vm exposes a **host-side Error object** to sandboxed code. This Error object retains its **host realm prototype chain**, which can be traversed to reach the **host `Function` constructor**. An attacker can intentionally trigger a host error (for example, by invoking a non-existent tool), then climb the prototype chain: ``` Error instance → Error.prototype → Error constructor → Function constructor ``` Using the host `Function` constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as `process.env`, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. --- ### Proof of Concept ```javascript // Vec...

Hundreds of records obtained by WIRED show thin intelligence on the Venezuelan gang in the United States, describing fragmented, low-level crime rather than a coordinated terrorist threat.

Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild. Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code

Node.js has released updates to fix what it described as a critical security issue impacting "virtually every production Node.js app" that, if successfully exploited, could trigger a denial-of-service (DoS) condition. "Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability," Node.js's

### Summary A TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. ### Details Affected conponent: `apps/web/src/routes/api/tunnel/register.ts` - `/tunnel/register` endpoint code-: ```ts // Check if tunnel already exists in database const [existingTunnel] = await db .select() .from(tunnels) .where(eq(tunnels.url, tunnelUrl)); const isReconnection = !!existingTunnel; console.log( `[TUNNEL LIMIT CHECK] Org: ${organizationId}, Tunnel: ${tunnelId}`, ); console.log( `[TUNNEL LIMIT CHECK] Is Reconnection: ${isReconnection}`, ); console.log( `[TUNNEL LIMIT CHECK] Plan: ${currentPlan}, Limit: ${tunnelLimit}`, ); // Check limits only for NEW tunnels (not reconnections) if (!isReconnection) { // Count active tunnels from Redis SET ...

### Summary This vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in `https://github.com/akinloluwami/outray/blob/main/apps/web/src/routes/api/%24orgSlug/subdomains/index.ts` ### Details - The affected code-: ```ts //Race condition const [subscription] = await db .select() .from(subscriptions) .where(eq(subscriptions.organizationId, organization.id)); const currentPlan = subscription?.plan || "free"; const planLimits = getPlanLimits(currentPlan as any); const subdomainLimit = planLimits.maxSubdomains; const existingSubdomains = await db .select() .from(subdomains) .where(eq(subdomains.organizationId, organization.id)); if (existingSubdomains.length >= subdomainLimit) { return json( { error: `Subdomain limit reached. The ${currentPlan} plan allows ${subdom...

## Summary A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. ## Details When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s `alg` field if present. If the JWK did not specify an algorithm, the middleware fell back to using the `alg` value provided in the unverified JWT header. Because the `alg` field in a JWK is optional and commonly omitted in real-world JWKS configurations, this behavior could allow an attacker to influence which algorithm is used for verification. In some environments, this may result in authentication or authorization bypass through crafted JWTs. The practical impact depends on application configuration, including which algorithms are ...

## Summary A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s `alg` value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable **JWT algorithm confusion** and, in certain configurations, allow forged tokens to be accepted. ## Details When verifying JWTs using JWKs or a JWKS endpoint, the middleware selected the verification algorithm based on the JWK’s `alg` field if present, but otherwise fell back to the `alg` value provided in the unverified JWT header. Because the `alg` field in a JWK is optional and often omitted in real-world JWKS configurations, this behavior could allow an attacker to control the algorithm used for verification. In some environments, this may lead to authentication or authorization bypass through crafted tokens. The practical impact depends on application configuration, including which algorithms are accepted and how JWTs are used for authorization decisions. ## Im...

### Summary **Description** A Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6. ### Details A vulnerability in the `BaseModelImpl` class of `@adonisjs/lucid` may allow an attacker to overwrite internal class properties (such as `$isPersisted`, `$attributes`, or `$isDeleted`) when passing plain objects to model assignment methods. The library relies on a `this.hasOwnProperty(key)` check to validate assignment targets. However, because internal ORM state properties are initialized as instance properties, they pass this check. Consequently, if an attacker can influence specific ...