Cristian-Alexandru Staicu

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 5.3.3 Parse Server versions prior to 4.10.20 **Description** A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue affects Parse Server, an open source backend that can be deployed to any infrastructure that can run Node.js. **Recommendations** For versions prior to 5.3.3, update to version 5.3.3 or later. For versions prior to 4.10.20, update to version 4.10.20 or later. As a temporary workaround, consider restricting access to the Cloud Code Webhook target endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 4.10.19 Parse Server versions prior to 5.3.2 **Description** The issue allows keywords specified in the `requestKeywordDenylist` option to be injected via Cloud Code Webhooks or Triggers, resulting in the keyword being saved to the database and bypassing the `requestKeywordDenylist` option. This can be exploited by making requests to the Cloud Code Webhooks API. To mitigate this, configuring the firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API or blocking the API completely if not in use can help. **Recommendations** For versions prior to 4.10.19, update to version 4.10.19 or later. For versions prior to 5.3.2, update to version 5.3.2 or later. As a temporary workaround, consider configuring your firewall to only allow trusted servers to make requests to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 4.10.18 Parse Server versions prior to 5.3.1 on the 5.X branch **Description** Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. An attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. **Recommendations** For versions prior to 4.10.18, update to version 4.10.18 or later. For versions prior to 5.3.1 on the 5.X branch, update to version 5.3.1 or later. As a temporary workaround, consider disabling remote code execution through the MongoDB BSON parser until a patch is available.

**Name of the Vulnerable Software and Affected Versions** deep-get-set versions prior to the version with a complete fix for the issue **Description** The issue is related to Prototype Pollution via the `deep` function in the deep-get-set package. This problem arises from an incomplete fix of a previous issue. **Recommendations** For all versions of deep-get-set, consider disabling the `deep` function as a temporary workaround until a complete fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** fast-string-search (affected versions not specified) **Description** The issue is related to an Out-of-bounds Read, caused by incorrect memory freeing and length calculation for non-string input as the source. This allows an attacker to read previously allocated memory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** fast-string-search (affected versions not specified) **Description** The issue is related to Denial of Service (DoS) when computations are incorrect for non-string inputs. This can cause the V8 to attempt reading from non-permitted locations, resulting in a segmentation fault due to the violation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** @discordjs/opus versions prior to 0.8.0 **Description** The issue is related to a Denial of Service (DoS) condition that occurs when trying to encode using an encoder with zero channels or a non-initialized buffer, leading to a hard crash. This is due to improperly handled errors that cause the application to crash instead of returning the error to the user. **Recommendations** For versions prior to 0.8.0, update to version 0.8.0 or later to resolve the issue, as this version correctly returns errors to the user instead of causing a hard crash.

**Name of the Vulnerable Software and Affected Versions** mout (affected versions not specified) **Description** The issue concerns the `deepFillIn` function and the `deepMixIn` function, which can be exploited due to a lack of key checks when accessing the target object recursively. This allows for the exploitation of the vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pg-native versions prior to 3.0.1 libpq versions prior to 1.8.10 **Description** The issue is related to a Denial of Service (DoS) condition that occurs when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. The problem is found in pg-native, which is a binding to npm's libpq library, and may transitively impact npm's libpq. **Recommendations** For pg-native versions prior to 3.0.1, update to version 3.0.1 or later to resolve the issue. For libpq versions prior to 1.8.10, update to version 1.8.10 or later to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable `libpq` library until a patch is available. Avoid using non-array arguments in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** querymen (affected versions not specified) **Description** The issue arises from the `handler(type, name, fn)` function, where the parameters can be controlled by users without proper sanitization, leading to Prototype Pollution. This is a result of an incomplete fix of a previous issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** sds versions 0.0.0 and later **Description** The issue allows the library to be tricked into adding or modifying properties of the Object.prototype. This is achieved by abusing the `set` function located in `js/set.js`. **Recommendations** For sds version 0.0.0, consider restricting access to the `set` function in `js/set.js` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bignum (affected versions not specified) **Description** The issue is related to a Denial of Service (DoS) due to a type-check exception in V8. When verifying the type of the second argument to the `powm` function, V8 will crash regardless of Node try/catch blocks. This occurs because of a problem with the type verification of the second argument to the `powm` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jailed versions (affected versions not specified) **Description** The issue concerns a Sandbox Bypass that can be exploited via an exported `alert()` method. This method can access the main application, posing a risk. The exported methods are stored in the `application.remote` object. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libxmljs versions all **Description** The issue arises when the `libxmljs.parseXml` function is invoked with a non-buffer argument. In such cases, the V8 code attempts to call the `toString` method of the argument. If the argument's `toString` value is not a Function object, V8 will crash. This is a problem related to the libxmljs package, which provides libxml bindings for the V8 JavaScript engine. **Recommendations** For all versions of libxmljs, as a temporary workaround, consider avoiding the use of the `libxmljs.parseXml` function with non-buffer arguments until a patch is available. Restrict access to this function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** sqlite3 versions 5.0.0 through 5.0.2 **Description** The issue is related to an uncontrolled resource consumption in the V8 component of the SQLite database management system, which can lead to a Denial of Service (DoS). Exploitation of this issue can cause the application to crash when a specific object is supplied in the parameter array. The error cannot be caught and will result in a fatal error. The `toString` function of the passed parameter is invoked, and if an invalid Function object is passed, it will throw and crash the V8 engine. **Recommendations** For versions 5.0.0, 5.0.1, and 5.0.2, upgrade to version 5.0.3 or later to resolve the issue. As a temporary workaround, ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.

**Name of the Vulnerable Software and Affected Versions** convict versions prior to 6.2.2 **Description** The issue allows for Prototype Pollution via the convict function due to missing validation of `parentKey`. This could enable an attacker to inject attributes used in other components or override existing attributes with incompatible types, potentially leading to a crash. The main use case of Convict is for handling server-side configurations, and while it's unlikely an admin would sabotage their own server, an uninformed admin could be tricked into writing malicious JavaScript code into config files. **Recommendations** For convict versions prior to 6.2.2, upgrade to convict@6.2.3 to resolve the issue. As a temporary workaround, consider restricting access to configuration files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** madlib-object-utils versions prior to 0.1.8 **Description** The issue allows an attacker to perform Prototype Pollution via the `setValue` method, enabling them to merge object prototypes into it. This vulnerability is a result of an incomplete fix. **Recommendations** For versions prior to 0.1.8, update to version 0.1.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `setValue` method until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** notevil versions all argencoders-notevil versions all **Description** The issue is related to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. This vulnerability derives from an incomplete fix. The package notevil and its variant argencoders-notevil have been affected, with the latter being deprecated. **Recommendations** For notevil all versions, consider restricting access to the main context to prevent prototype pollution. For argencoders-notevil all versions, as the package is deprecated, it is recommended to avoid using it and consider alternative solutions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bodymen versions 0.0.0 and later **Description** The issue allows for Prototype Pollution via the `handler` function, which can be tricked into adding or modifying properties of `Object.prototype` using a ` proto ` payload. **Recommendations** For bodymen versions 0.0.0 and later, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libnested versions prior to 1.5.2 **Description** The issue is related to Prototype Pollution via the `set` function in `index.js`. **Recommendations** For versions prior to 1.5.2, update to version 1.5.2 or later to resolve the issue.