Chalker

Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP. Impacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin. This was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0. Patches: Upgrade to undici v7.26.0 or v8.2.0. Workarounds: Use a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins.

**Name of the Vulnerable Software and Affected Versions** Apollo Server versions 2.0.0 through 3.13.0 Apollo Server versions 4.2.0 through 4.13.0 Apollo Server versions 5.0.0 through 5.4.0 **Description** Apollo Server, a GraphQL server, is susceptible to denial of service (DoS) attacks. This occurs due to the default configuration of the `startStandaloneServer` function from the `@apollo/server/standalone` package. Specifically, specially crafted request bodies containing unusual character set encodings can trigger the issue. The issue only affects users directly utilizing `startStandaloneServer` and does not impact those integrating Apollo Server through packages like `@as-integrations/express5` or `@as-integrations/next`. **Recommendations** Versions 2.0.0 through 3.13.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Versions 4.2.0 through 4.13.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Versions 5.0.0 through 5.4.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** sha.js versions through 2.4.11 **Description** An improper input validation vulnerability exists in sha.js, allowing for input data manipulation. This flaw can lead to hash collisions and potentially private key extraction, threatening web applications. The vulnerability stems from missing input type checks, which permit the use of data types other than expected, resulting in undefined behavior, including hash state rewinding and the potential to transform tagged hashes into untagged hashes. Exploitation can involve manipulating the length property of input data to generate collisions or cause denial-of-service conditions. **Recommendations** Update sha.js to version 2.4.12 or later.

### Name of the Vulnerable Software and Affected Versions: cipher-base versions through 1.0.4 ### Description: An improper input validation issue exists in cipher-base, allowing input data manipulation. This is due to missing input type checks, which can lead to invalid value calculations, hash state rewinding (potentially turning a tagged hash into an untagged hash), and denial-of-service conditions when processing malicious JSON-stringifyable input. Specifically, manipulating the `length` property within the input data can cause unexpected behavior in the hashing process. This can potentially lead to collisions, incorrect hash values, and in some cases, even private key extraction from cryptographic libraries. ### Recommendations: Update cipher-base to a version beyond 1.0.4.

Name of the Vulnerable Software and Affected Versions: pbkdf2 versions 3.0.10 through 3.1.2 Description: The issue is related to an Improper Input Validation vulnerability in pbkdf2, allowing Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.js. The vulnerability is caused by the silent return of predictable uninitialized or zero-filled memory for non-normalized or unimplemented algorithms supported by Node.js. Recommendations: For versions 3.0.10 through 3.1.2, update to a version that fixes the Improper Input Validation vulnerability to prevent Signature Spoofing. As a temporary workaround, consider restricting the use of non-normalized or unimplemented algorithms supported by Node.js until a patch is available.

Name of the Vulnerable Software and Affected Versions: pbkdf2 versions <=3.1.2 Description: The issue is related to an Improper Input Validation vulnerability in pbkdf2, allowing Signature Spoofing by Improper Validation. Recommendations: For versions <=3.1.2, update to a version greater than 3.1.2 to resolve the issue. As a temporary workaround, consider restricting the use of the `pbkdf2` function to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: pnpm versions prior to 9.15.0 Description: The package manager pnpm seems to mishandle overrides and global cache. This can lead to overrides from one workspace leaking into npm metadata saved in the global cache, affecting other workspaces. Installs by default do not revalidate the data, including on first lockfile generation. This breaks the expectation that `ignore-scripts` is sufficient to prevent immediate code execution on install. Global state integrity is lost via operations that one would expect to be secure, enabling subsequently running arbitrary code execution on installs. Recommendations: For versions prior to 9.15.0, update to version 9.15.0 to fix the issue. As a temporary workaround, use separate cache and store directories in each workspace.

**Name of the Vulnerable Software and Affected Versions** secp256k1-node versions prior to 5.0.1 secp256k1-node versions prior to 4.0.4 secp256k1-node versions prior to 3.8.1 **Description** The issue affects the `elliptic`-based version of secp256k1-node, where the `loadCompressedPublicKey` function is missing a check to ensure the public key is on the curve. This allows an attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including `publicKeyVerify()` incorrectly returning `true` on those invalid keys, and `publicKeyTweakMul()` also returning predictable outcomes allowing to restore the tweak. **Recommendations** For versions prior to 5.0.1, update to version 5.0.1 or later. For versions prior to 4.0.4, update to version 4.0.4 or later. For versions prior to 3.8.1, update to version 3.8.1 or later. As a temporary workaround, consider disabling the `loadCompressedPublicKey` function until a patch is available. Restrict access to the `publicKeyVerify()` and `publicKeyTweakMul()` functions to minimize the risk of exploitation. Avoid using the `publicKeyTweakMul()` function with untrusted public keys until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** dns-packet versions prior to 5.2.2 **Description** The issue arises from the creation of buffers with allocUnsafe that are not always filled before forming network packets. This can lead to the exposure of internal application memory over an unencrypted network when querying crafted invalid domain names. **Recommendations** For versions prior to 5.2.2, update to version 5.2.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: fs-path node module versions prior to 0.0.25 Description: The issue concerns command injection via user-supplied inputs through specific methods. The `copy`, `copySync`, `remove`, and `removeSync` methods are vulnerable to this type of attack. Recommendations: For versions prior to 0.0.25, update to version 0.0.25 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `copy`, `copySync`, `remove`, and `removeSync` methods until a patch is applied. Avoid using user-supplied inputs in these methods to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** bl versions prior to 4.0.3 bl versions prior to 3.0.1 bl versions prior to 2.2.1 bl versions prior to 1.2.3 **Description** A buffer over-read issue exists that could allow an attacker to supply user input that corrupts the BufferList state, potentially exposing uninitialized memory via regular slice() calls. This occurs when the consume() argument becomes negative. **Recommendations** For versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue. For versions prior to 3.0.1, update to version 3.0.1 or later to resolve the issue. For versions prior to 2.2.1, update to version 2.2.1 or later to resolve the issue. For versions prior to 1.2.3, update to version 1.2.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Node.js stringstream module versions less than 0.0.6 **Description** The issue arises from the allocation of uninitialized buffers when a number is passed in the input stream, leading to an out-of-bounds read. This occurs when using Node.js 4.x. **Recommendations** For versions less than 0.0.6, consider not installing or using this module if user input is being passed in to `stringstream` as a temporary workaround until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to 10.9.0 **Description** The issue is related to an argument processing flaw in the `Buffer.alloc()` method. This method is intended to return initialized memory, but due to the flaw, it can return uninitialized memory. The third argument, `encoding`, can be misinterpreted as the `start` to a fill operation if passed as a number. This may lead to the return of uncleared memory blocks that may contain sensitive information, particularly when `Buffer.alloc()` arguments are derived from user input. **Recommendations** For Node.js versions prior to 10.9.0, update to version 10.9.0 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing user input before passing it to the `Buffer.alloc()` method to minimize the risk of exploitation. Restrict access to sensitive information and avoid using the `encoding` argument as a number to prevent misinterpretation by the internal "fill" method.

**Name of the Vulnerable Software and Affected Versions** Node.js versions prior to 6.14.4 Node.js versions prior to 8.11.4 Node.js versions prior to 10.9.0 **Description** The issue arises when Node.js is used with UCS-2 encoding, which is recognized under the names `ucs2`, `ucs-2`, `utf16le`, and `utf-16le`. In this context, the `Buffer#write()` function can be exploited to write beyond the boundaries of a single buffer. Specifically, writes that initiate from the second-to-last position of a buffer lead to a miscalculation of the maximum length of the input bytes to be written. **Recommendations** For versions prior to 6.14.4, update to version 6.14.4 or later. For versions prior to 8.11.4, update to version 8.11.4 or later. For versions prior to 10.9.0, update to version 10.9.0 or later.

**Name of the Vulnerable Software and Affected Versions** whereis versions prior to 0.4.1 **Description** The issue arises from concatenating unsanitized user input in the `whereis` npm module, allowing an attacker to execute arbitrary commands. It is recommended to use the `which` npm module instead, as `whereis` is deprecated. **Recommendations** Update to version 0.4.1 or later. As a temporary workaround, consider avoiding the use of the `whereis` module with untrusted user input until a patch is applied or the module is updated.

**Name of the Vulnerable Software and Affected Versions** memjs versions <= 1.1.0 memjs versions prior to 1.2.2 **Description** The issue results in Denial of Service (DoS) and uninitialized memory usage due to the allocation and storage of buffers on typed input. The package fails to sanitize the `value` option passed to the Buffer constructor, allowing attackers to pass large values that exhaust system resources. **Recommendations** For memjs versions <= 1.1.0, upgrade to version 1.2.2 or later. For memjs versions prior to 1.2.2, upgrade to version 1.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** protobufjs versions prior to 5.0.3 protobufjs versions prior to 6.8.6 **Description** The issue concerns a regular expression denial of service when parsing crafted invalid .proto files, potentially leading to ReDoS. **Recommendations** Update to version 5.0.3 or later. Update to version 6.8.6 or later.

**Name of the Vulnerable Software and Affected Versions** reduce-css-calc versions <=1.2.4 **Description** Arbitrary code execution is possible through crafted CSS, making cross-site scripting (XSS) possible on the client and arbitrary code injection possible on the server. This occurs because user input is passed to the `calc` function, and affected versions of `reduce-css-calc` pass input directly to `eval`. If user input is passed into the `calc` function, this may result in cross-site scripting on the browser or remote code execution on the server. **Recommendations** For versions <=1.2.4, update to version 1.2.5 or later. As a temporary workaround, consider restricting the use of the `calc` function to minimize the risk of exploitation. Avoid passing user input to the `calc` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** atob versions 2.0.3 and earlier **Description** The issue arises when the `atob` function allocates uninitialized Buffers upon receiving a number as input on Node.js versions 4.x and below. **Recommendations** Update to version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Node.js versions (affected versions not specified) **Description** The HTTP parser in Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. This does not align with the HTTP specification, which does not allow for spaces in the `Content-Length` value. The security risk of this flaw is considered to be very low, as it is difficult to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. However, vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. **Recommendations** For all affected versions, users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete. At the moment, there is no information about a newer version that contains a fix for this vulnerability.