#js

A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies `decodeURI()` to determine which route to render, while the middleware uses `context.url.pathname` without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes (e.g., /admin) using encoded path variants that pass routing but bypass validation checks. https://github.com/withastro/astro/blob/ebc4b1cde82c76076d5d673b5b70f94be2c066f3/packages/astro/src/vite-plugin-astro-server/request.ts#L40-L44 ```js /** The main logic to route dev server requests to pages in Astro. */ export async function handleRequest({ pipeline, routesList, controller, incomingRequest, incomingResponse, }: HandleRequest) { const { config, loader } = pipeline; const origin = `${loader.isHttps() ? 'https' : 'http'}://${ incomingRequest.headers[':a...

## Summary After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted application, **regardless of what was intended by the component template(s)**. ## Details Server islands run in their own isolated context outside of the page request and use the following pattern path to hydrate the page: `/_server-islands/[name]`. These paths can be called via GET or POST and use three parameters: - `e`: component to export - `p`: the transmitted properties, encrypted - `s`: for the slots Slots are placeholders for external HTML content, and therefore allow, by default, the injection of code if the component template supports it, nothing exceptional in principle, just a feature. This is where it becomes problematic: it is possible, independently of the component template used, even if it is completely empty, to inject a slot containing an XSS payload, whose parent is a tag whose name is is the absolute path of the island ...

### Summary A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. ### Details - **Title**: Arbitrary Local File Read in Astro Development Image Endpoint - **Type**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - **Component**: `/packages/astro/src/assets/endpoint/node.ts` - **Affected Versions**: Astro v5.x development builds (confirmed v5.13.3) - **Attack Vector**: Network (HTTP GET request) - **Authentication Required**: None The vulnerability exists in the Node.js image endpoint handler used during development mode. The endpoint accepts an `href` parameter that specifies the path to an image file. In development mode, this parameter is processed without adequate path val...

### Summary The `ExceededSizeError` exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. ### Details In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the `joserfc.jwt.decode()` operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises `joserfc.errors.ExceededSizeError()` with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it per se. It is therefore the responsibility of the underlying web server (`uvic...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Low attack complexity Vendor: Shelly Equipment: Pro 4PM Vulnerability: Allocation of Resources Without Limits or Throttling 2. RISK EVALUATION Successful exploitation of this vulnerability could result in a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of Pro 4PM, a smart DIN rail switch, is affected: Pro 4PM: prior to v1.6 3.2 VULNERABILITY OVERVIEW 3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770 Due to lack of input bounds checking, an attacker can send a specially crafted request to any RPC endpoint. The malicious request causes the device's JSON parser to overallocate memory, leading the device to reboot and creating a denial-of-service condition. CVE-2025-11243 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-...

### Summary The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processing files with malicious names. When `glob -c <command> <patterns>` is used, matched filenames are passed to a shell with `shell: true`, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. ### Details **Root Cause:** The vulnerability exists in `src/bin.mts:277` where the CLI collects glob matches and executes the supplied command using `foregroundChild()` with `shell: true`: ```javascript stream.on('end', () => foregroundChild(cmd, matches, { shell: true })) ``` **Technical Flow:** 1. User runs `glob -c <command> <pattern>` 2. CLI finds files matching the pattern 3. Matched filenames are collected into an array 4. Command is executed with matched filenames as arguments using `shell: true` 5. Shell interprets metacharacters in filenames as c...

### Summary An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and prior) allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. ### Details The vulnerability exists in the `save` method within the `src/phpMyFAQ/Controller/Administration/ConfigurationTabController.php` controller. This method handles the saving of application-wide configuration settings. It retrieves all submitted form data as an associative array via `$request->get('edit')`. The core of the issue is that while the *values* of this array are processed, the *keys* are trusted implicitly and are not sanitized or validated. **File:** `src/phpMyFAQ/Controller/Administration/ConfigurationTabController.php` ```php...

This week showed just how fast things can go wrong when no one’s watching. Some attacks were silent and sneaky. Others used tools we trust every day — like AI, VPNs, or app stores — to cause damage without setting off alarms. It’s not just about hacking anymore. Criminals are building systems to make money, spy, or spread malware like it’s a business. And in some cases, they’re using the same

Google has disclosed that the company's continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% for the first time. "We adopted Rust for its security and are seeing a 1000x reduction in memory safety vulnerability density compared to Android’s C and C++ code. But the biggest surprise was Rust's impact on

### Summary A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by combining file uploads with iframe srcdoc attributes, resulting in persistent XSS execution. ### Details The vulnerability arises from insufficient sanitization in the Block Editor interface when processing JSON content containing HTML elements. The attack requires two permissions: - `upload files` - To upload malicious JavaScript files - `edit item` - To create or modify content with the Block Editor **Attack Vector:** 1. **JavaScript File Upload**: Attackers upload a malicious JavaScript file via the files endpoint, obtaining a file ID accessible through the assets directory 2. **Block Editor Exploitation**: Using a JSON field with Block Editor interface, attackers inject raw HTML containing an iframe with srcdoc ...