Alessio Dellalibera

Name of the Vulnerable Software and Affected Versions: total.js versions prior to 3.4.7 Description: The issue occurs in the `image.pipe` and `image.stream` functions due to the `type` parameter being used to build a command that is executed using `child process.spawn` with the option `shell` set to true, and because the `type` parameter is not properly sanitized. This leads to a command injection vulnerability. Recommendations: For versions prior to 3.4.7, update to version 3.4.7 or later to resolve the issue. As a temporary workaround, consider disabling the `image.pipe` and `image.stream` functions until a patch is available. Restrict access to these functions to minimize the risk of exploitation. Avoid using the `type` parameter in the affected functions until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: total.js versions prior to 3.4.7 Description: The issue is related to a prototype pollution vulnerability in the set function, which can be used to set a value into an object according to a path. However, the keys of the path being set are not properly sanitized. The impact depends on the application and can lead to Denial of service (DoS), Remote Code Execution, or Property Injection in some cases. Recommendations: For total.js versions prior to 3.4.7, update to version 3.4.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of the set function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** doc-path versions prior to 2.1.2 **Description** The issue affects the doc-path package. **Recommendations** For versions prior to 2.1.2, update to version 2.1.2 or later to resolve the issue.