Leodog896

**Nome do Software Vulnerável e Versões Afetadas** Versões 20, 22 e 23 do Node.js **Descrição** O problema permite que atacantes usem indevidamente o utilitário diagnostics channel, acessando threads de workers internas para fins maliciosos. Isso não se limita aos workers, mas também expõe workers internos, nos quais uma instância deles pode ser obtida, e seu construtor pode ser capturado e reinstanciado para uso malicioso. Isso afeta usuários do Modelo de Permissão (--permission). **Recomendações** Para as versões 20, 22 e 23 do Node.js, considere desativar o utilitário diagnostics channel como uma solução temporária até que um patch esteja disponível. Restrinja o acesso às threads de workers internas para minimizar o risco de exploração. Evite utilizar o utilitário diagnostics channel para fins maliciosos até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Nome do Software Vulnerável e Versões Afetadas** Versões do Node.js v20, v22 e v23 **Descrição** O utilitário diagnostics channel permite que um evento seja interceptado sempre que uma worker thread é criada, expondo não apenas workers, mas também workers internos. Isso permite que atores maliciosos obtenham instâncias desses workers, acessem seus construtores e potencialmente os reativem para fins maliciosos. O problema afeta usuários do Modelo de Permissão (--permission) e pode ser usado para expor dados e recursos sensíveis. **Recomendações** Para as versões do Node.js v20, v22 e v23, considere desativar o utilitário diagnostics channel como uma solução temporária para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Node.js versions 16.x through 20.x **Description** A privilege escalation issue exists in the experimental policy mechanism due to inadequate access controls. This can be exploited by a remote attacker to bypass existing security restrictions. The use of the deprecated API `process.binding()` can bypass the policy mechanism, allowing an attacker to require internal modules and eventually execute arbitrary code outside of the limits defined in a `policy.json` file. The policy is an experimental feature of Node.js. **Recommendations** For Node.js versions 16.x through 20.x, consider disabling the use of the deprecated API `process.binding()` as a temporary workaround until a patch is available. Restrict access to internal modules to minimize the risk of exploitation. Avoid using `process.binding('spawn sync')` in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Denosaurs emoji package versions 0.1.0 through 0.2.x **Description** The Denosaurs emoji package has an issue where the reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. This issue can cause problems when handling large payloads. As a workaround, users can avoid using the `replace`, `unemojify`, or `strip` functions to minimize the risk. **Recommendations** For Denosaurs emoji package versions 0.1.0 through 0.2.x, update to version 0.3.0 to resolve the issue. As a temporary workaround, consider avoiding the use of the `replace`, `unemojify`, or `strip` functions until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Deno versions prior to 1.31.2 **Description** The issue is related to the lack of filtering for special control characters in Deno, a runtime for JavaScript and TypeScript. This allows a malicious program to clear the first two lines of a prompt and replace them with any desired text, effectively spoofing the interactive permission prompt for certain actions. This can give the program the ability to choose what program it wants to run, posing a security risk. The problem cannot be exploited on systems without an interactive prompt, such as headless servers. **Recommendations** For Deno versions prior to 1.31.2, update to version 1.31.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `op spawn child` and `op kill` functions until a patch is applied. Additionally, avoid using the `--unstable` flag in versions prior to 1.31.0, as it is required for exploitation in those versions.

**Name of the Vulnerable Software and Affected Versions** Deno versions prior to 1.29.3 **Description** The issue is related to errors in synchronization when using a shared resource in Deno, a runtime for JavaScript and TypeScript. This could allow a remote attacker to execute arbitrary code. Multi-threaded programs can spoof interactive permission prompts, potentially tricking users into allowing unauthorized actions. The problem impacts users who rely on interactive permission prompts, especially those using the Web Worker API. The exploitation is timing-sensitive and cannot be reliably reproduced. This issue cannot be exploited on systems without an interactive prompt, such as headless servers. **Recommendations** For Deno versions prior to 1.29.3, update to version 1.29.3 to resolve the issue. As a temporary workaround for users unable to upgrade, run Deno with the `--no-prompt` flag to disable interactive permission prompts.