Akiilex

**Name of the Vulnerable Software and Affected Versions** protobufjs versions prior to 7.5.6 protobufjs versions prior to 8.0.2 **Description** protobufjs allows certain schema option paths to traverse inherited object properties during option application. A crafted protobuf schema or JSON descriptor can cause option handling to write to properties on global JavaScript constructors, corrupting built-in process-wide functionality. This can lead to a persistent denial of service for the lifetime of the affected process. The issue affects applications that parse or load protobuf schemas or descriptors from untrusted sources using reflection APIs such as `parse()`, `Root.load()`, `Root.loadSync()`, or `Root.fromJSON()`. Applications using bundled or trusted schemas to decode untrusted payloads are not directly affected. **Recommendations** Update to version 7.5.6. Update to version 8.0.2. Avoid parsing or loading protobuf schemas or JSON descriptors from untrusted sources. Validate or reject option names containing unsafe property path components before loading them. Run schema processing in an isolated process.

**Name of the Vulnerable Software and Affected Versions** Istio versions prior to 1.28.6 Istio versions prior to 1.29.2 **Description** When a RequestAuthentication resource is created with a `jwksUri` pointing to an internal service, istiod performs an unauthenticated HTTP GET request to that URL without filtering localhost or link-local IP addresses. This behavior can lead to the distribution of sensitive data to Envoy proxies through the xDS configuration. **Recommendations** Update to version 1.28.6. Update to version 1.29.2. Deploy a `ValidatingAdmissionPolicy` to prevent the creation of RequestAuthentication resources containing suspicious `jwksUri` field values, such as localhost, 127.0.0.0/8, 169.254.0.0/16, and their IPv6 equivalents.