#js

### Impact This vulnerability may lead to: * Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive data. ### Reproduce Follow these steps to set up a test environment for reproducing the vulnerability: 1. Install dependencies and clone the repository: ```bash pip install uv git clone https://github.com/AstrBotDevs/AstrBot && cd AstrBot uv run main.py ``` 2. Alternatively, deploy the program via pip: ```bash mkdir astrbot && cd astrbot uvx astrbot init uvx astrbot run ``` 3. In another terminal, run the following command to exploit the vulnerability: ```bash curl -L http://0.0.0.0:6185/api/chat/get_file?filename=../../../data/cmd_config.json ``` This request will read the `cmd_config.json` config file, leading to the leakage of sensitive data such as LLM API keys, usernames, and password hashes (MD5). ### Patches The vulnerability has been addressed in [Pull Request #1676](https://github.com...

**Overview** In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. **Am I Affected?** You are affected by this vulnerability if you meet the following preconditions: 1. Applications using the NextJS-Auth0 SDK, versions between 4.0.1 to 4.6.0, 2. Applications using CDN or edge caching that caches responses with the Set-Cookie header. 3. If the Cache-Control header is not properly set for sensitive responses. **Fix** Upgrade auth0/nextjs-auth0 to v4.6.1.

## Summary It is possible to bypass Deno's read/write permission checks by using `ATTACH DATABASE` statement. ## PoC ```js // poc.js import { DatabaseSync } from "node:sqlite" const db = new DatabaseSync(":memory:"); db.exec("ATTACH DATABASE 'test.db' as test;"); db.exec("CREATE TABLE test.test (id INTEGER PRIMARY KEY, name TEXT);"); ``` ``` $ deno poc.js ```

### Summary The [Deno.env.toObject](https://docs.deno.com/api/deno/~/Deno.Env.toObject) method ignores any variables listed in the `--deny-env` option of the `deno run` command. When looking at the [documentation](https://docs.deno.com/runtime/fundamentals/security/#environment-variables) of the `--deny-env` option this might lead to a false impression that variables listed in the option are impossible to read. ### PoC ``` export AWS_SECRET_ACCESS_KEY=my-secret-aws-key # Works as expected. The program stops with a "NotCapable" error message echo 'console.log(Deno.env.get("AWS_SECRET_ACCESS_KEY"));' | deno run \ --allow-env \ --deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY - # All enviroment variables are printed and the --deny-env list is completely disregarded echo 'console.log(Deno.env.toObject());' | deno run \ --allow-env \ --deny-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY - ``` The first example using `get` exits with the following error: ``` error: Uncaught (in p...

### Summary Source code may be stolen when you access a malicious web site with non-Chromium based browser. ### Details The `Origin` header is checked to prevent Cross-site WebSocket hijacking from happening which was reported by CVE-2018-14732. But webpack-dev-server always allows IP address `Origin` headers. https://github.com/webpack/webpack-dev-server/blob/55220a800ba4e30dbde2d98785ecf4c80b32f711/lib/Server.js#L3113-L3127 This allows websites that are served on IP addresses to connect WebSocket. By using the same method described in [the article](https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages) linked from CVE-2018-14732, the attacker get the source code. related commit: https://github.com/webpack/webpack-dev-server/commit/72efaab83381a0e1c4914adf401cbd210b7de7eb (note that `checkHost` function was only used for Host header to prevent DNS rebinding attacks so this change itself is fine. This vulnerability does not affect Chrome 94+ (and othe...

### Summary Source code may be stolen when you access a malicious web site. ### Details Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject `<script src="http://localhost:8080/main.js">` in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using `Function::toString` against the values in `__webpack_modules__`, the attacker can get the source code. ### PoC 1. Download [reproduction.zip](https://github.com/user-attachments/files/18426585/reproduction.zip) and extract it 2. Run `npm i` 3. Run `npx webpack-dev-server` 4. Open `https://e29c9a88-a242-4fb4-9e64-b24c9d29b35b.pages.dev/` 5. You can see the source code output in the document and the devtools console.  The scr...

### Summary This affects AES-256-GCM and AES-128-GCM in Deno, introduced by commit [0d1beed](https://github.com/denoland/deno/commit/0d1beed). Specifically, the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective. ### PoC ```ts import { Buffer } from "node:buffer"; import { createCipheriv, createDecipheriv, randomBytes, scrypt, } from "node:crypto"; type Encrypted = { salt: string; iv: string; enc: string; authTag: string; }; const deriveKey = (key: string, salt: Buffer) => new Promise<Buffer>((res...

Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS's 'ngSanitize' module allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing  and also negatively affect the application's performance and behavior by using too large or slow-to-load images. This issue affects AngularJS versions greater than or equal to 1.3.1. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.6 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Power Build Rapsody Vulnerability: Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution on the affected device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Schneider Electric product is affected: EcoStruxure Power Build Rapsody: v2.7.12 FR and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121 Stack-based Buffer Overflow vulnerability exists that could cause local attackers being able to exploit these issues to potentially execute arbitrary code while the end user opens a malicious project file (SSD file) provided by the attacker. CVE-2025-3916 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). A CVSS v4 score has also been...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Wiser AvatarOn 6K Freelocate, Wiser Cuadro H 5P Socket Vulnerability: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to inject code or bypass authentication. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Schneider Electric products are affected: Wiser AvatarOn 6K Freelocate: All versions Wiser Cuadro H 5P Socket: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Out-of-bounds Write, Download of Code Without Integrity Check vulnerability in Silicon Labs Gecko Bootloader on ARM (Firmware Update File Parser modules) allows Code Injection, Authentication Bypass. This issue affects "Standalon...