Fastly · @Fastly/Js-Compute · CVE-2024-38375
**Name of the Vulnerable Software and Affected Versions**
@fastly/js-compute versions prior to 3.16.0
**Description**
The implementation of several functions in the @fastly/js-compute package contains a use-after-free bug. The bug can cause unintended data loss if the result of one of the affected functions is sent elsewhere, and it often crashes the Compute service, causing an HTTP 500 error to be returned. The affected functions are `FetchEvent.client.tlsCipherOpensslName`, `FetchEvent.client.tlsProtocol`, `FetchEvent.client.tlsClientCertificate`, `FetchEvent.client.tlsJA3MD5`, `FetchEvent.client.tlsClientHello`, `CacheEntry.prototype.userMetadata` in the `fastly:cache` subsystem, and `Device.lookup` in the `fastly:device` subsystem. Because every request to Compute is isolated from the others, the only data at risk is data belonging to a single request.
**Recommendations**
If you run a version prior to 3.16.0, update to version 3.16.0 or later; that release fixes the use-after-free bug.
Until the update is deployed, avoid calling the affected functions, such as `FetchEvent.client.tlsCipherOpensslName` and `CacheEntry.prototype.userMetadata`, in your code.
Limit use of the affected subsystems, such as `fastly:cache` and `fastly:device`, to the code paths that need them, to minimize exposure.
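An added audit helper, not code from the advisory or from the @fastly/js-compute project, that applies the two checks above to a project: is the installed version older than 3.16.0, and does the handler source reference any of the affected APIs? The installed version string and the handler source it scans are constructed inputs.

```javascript
// Added audit helper for CVE-2024-38375 (not from the advisory or the
// @fastly/js-compute project): flags a project as exposed when the installed
// @fastly/js-compute version predates the fix and its handler source calls
// one of the affected APIs.
const FIXED_VERSION = '3.16.0';
// Member names of the affected getters/methods, taken from the advisory.
const AFFECTED_MEMBERS = ['tlsCipherOpensslName', 'tlsProtocol', 'tlsClientCertificate',
  'tlsJA3MD5', 'tlsClientHello', 'userMetadata'];
// Parse "major.minor.patch" into numbers; a leading "v" or range operator
// (^, ~, >=) is tolerated and prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^[\s^~>=<]*v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// True when the installed version is strictly older than FIXED_VERSION.
function isVulnerableVersion(installed) {
  const [a, b, c] = parseVersion(installed);
  const [x, y, z] = parseVersion(FIXED_VERSION);
  if (a !== x) return a < x;
  if (b !== y) return b < y;
  return c < z;
}
// Sorted list of affected API names referenced in the source: property
// accesses such as `.tlsProtocol` plus calls to `Device.lookup(...)`.
function findAffectedUsages(source) {
  const hits = new Set();
  for (const name of AFFECTED_MEMBERS) {
    if (new RegExp(`\\.${name}\\b`).test(source)) hits.add(name);
  }
  if (/\bDevice\.lookup\s*\(/.test(source)) hits.add('Device.lookup');
  return [...hits].sort();
}
// Exposure requires both a vulnerable version and a use of an affected API.
function audit(installedVersion, source) {
  const vulnerableVersion = isVulnerableVersion(installedVersion);
  const usages = findAffectedUsages(source);
  const advice = vulnerableVersion ? `upgrade @fastly/js-compute to >= ${FIXED_VERSION}` : 'fixed release installed';
  return { vulnerableVersion, usages, exposed: vulnerableVersion && usages.length > 0, advice };
}
// Constructed handler source and constructed installed version for the demo.
const SAMPLE_SOURCE = `
  const proto = event.client.tlsProtocol;
  const dev = Device.lookup(event.request.headers.get('user-agent'));
  event.respondWith(new Response(proto + ' ' + dev));
`;
console.log(audit('3.15.2', SAMPLE_SOURCE));
```

Feed it the version from `node_modules/@fastly/js-compute/package.json` (or the lockfile's resolved version) rather than the range in your own `package.json`, since a range such as `^3.15.0` may already resolve to a fixed release.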