Fancymalware

**Name of the Vulnerable Software and Affected Versions** Nuxt versions 3.1.0 through 3.21.5 Nuxt versions 4.0.0-alpha.1 through 4.4.5 @nuxt/nitro-server versions 3.20.0 through 3.21.5 @nuxt/nitro-server versions 4.0.0-alpha.1 through 4.4.5 **Description** The '/ nuxt island/*' endpoint accepts attacker-controlled `props` query or body parameters and renders island components without verifying that the URL-resident hash (`<Name> <hashId>.json`) was issued for those specific inputs by `<NuxtIsland>`. Because the hash is computed client-side and not validated on the server, the same path can return different responses based on the query. In environments where a CDN or reverse-proxy caches this endpoint by path only (ignoring the query), an attacker can prime the cache with their own props, causing subsequent users to receive the attacker's rendered HTML. If the application code passes a prop into an unsafe HTML sink (such as `v-html` or `innerHTML`), this can lead to stored Cross-Site Scripting (XSS) in the embedding page's origin until the cache entry expires. **Recommendations** Update Nuxt to version 3.21.6 or 4.4.6. Update @nuxt/nitro-server to version 3.21.6 or 4.4.6. Ensure any intermediary cache keys '/ nuxt island/*' on the full query string rather than the path alone. Audit application-authored islands to ensure props are not passed into `v-html`, `innerHTML`, or similar HTML sinks, treating island props as untrusted user input.

**Name of the Vulnerable Software and Affected Versions** Traefik versions prior to 2.11.43 Traefik versions prior to 3.6.14 Traefik versions prior to 3.7.0-rc.2 **Description** An authentication bypass exists in the ForwardAuth and snippet-based authentication middleware. The forwarded-header sanitization logic only targets canonical header names and fails to strip or normalize alias variants that use underscores instead of dashes (e.g., `X Forwarded Proto` instead of `X-Forwarded-Proto`). These unsanitized alias headers are forwarded to the authentication backend. If the backend treats underscore and dash forms as equivalent, an attacker can inject spoofed trust context, such as a trusted scheme or host, to bypass authentication on protected routes without valid credentials. **Recommendations** Update to version 2.11.43. Update to version 3.6.14. Update to version 3.7.0-rc.2.

**Name of the Vulnerable Software and Affected Versions** SandboxJS versions prior to 0.8.35 **Description** SandboxJS has a flaw where direct assignment to global objects is blocked, but this protection can be bypassed through a callable constructor path using `this.constructor.call(target, attackerObject)`. This allows attacker code to write arbitrary properties into host global objects, persisting those changes across sandbox instances within the same process. The vulnerability arises because the dangerous write is performed internally by a host callable function, bypassing the intended write-time checks. An attacker can leverage this to modify host runtime state and potentially execute arbitrary code, as demonstrated by overwriting `Math.random` and executing commands via a host gadget. This is a sandbox integrity escape, allowing untrusted code to mutate host shared global objects despite global-write protections. These mutations can affect other requests, tenants, or subsequent sandbox runs, potentially leading to control-flow hijack in application logic. **Recommendations** Update to SandboxJS version 0.8.35 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.51 Parse Server versions prior to 9.6.0-alpha.40 **Description** Parse Server contains a flaw where the Pages route and legacy PublicAPI route for resending email verification links reveal different responses based on whether a username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing redirect targets. The `emailVerifySuccessOnInvalidEmail` configuration option, which is enabled by default and protects the API route, did not apply to these routes. The issue is addressed by ensuring these routes respect the `emailVerifySuccessOnInvalidEmail` option, redirecting to the success page regardless of the outcome when the option is set to `true`. **Recommendations** Upgrade to Parse Server version 8.6.51 or later. Upgrade to Parse Server version 9.6.0-alpha.40 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.24 Parse Server versions prior to 8.6.47 **Description** Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name. This crafted name traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The issue affects Parse Server, an open source backend deployable on Node.js infrastructures. The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. The vulnerable component is the cloud function handler. The attack is performed by calling a cloud function endpoint with a crafted function name. **Recommendations** Update Parse Server to version 9.6.0-alpha.24 or later. Update Parse Server to version 8.6.47 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.28 and 8.6.48 **Description** Parse Server, an open-source backend deployable on Node.js infrastructures, has an issue in its password reset mechanism. The system does not guarantee single-use tokens for password resets. An attacker intercepting a reset token can potentially race a legitimate user's password reset request, successfully changing the password to one controlled by the attacker. This could lead the legitimate user to believe their password change was successful, while the attacker gains access. The issue affects all Parse Server deployments utilizing the password reset feature. The password reset token is now atomically validated and consumed as part of the password update operation in versions 9.6.0-alpha.28 and 8.6.48. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. **Recommendations** Parse Server versions prior to 9.6.0-alpha.28 should be upgraded. Parse Server versions prior to 8.6.48 should be upgraded.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.29 Parse Server versions prior to 8.6.49 **Description** Parse Server is an open source backend deployable on Node.js infrastructures. A user can create an account without providing credentials by submitting an empty `authData` object, circumventing the username and password requirement. This allows the creation of authenticated sessions without valid credentials, even when anonymous users are disabled. The issue arises because empty or non-actionable `authData` was not treated the same as absent `authData` during credential validation for new user creation. The ` User` class is involved in this process. **Recommendations** Versions prior to 9.6.0-alpha.29 should be updated. Versions prior to 8.6.49 should be updated. As a workaround, implement a Cloud Code `beforeSave` trigger on the ` User` class to reject signups where `authData` is empty and no username/password is provided.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.19 Parse Server versions prior to 8.6.43 Parse Server versions prior to 9.6.0 Parse Server versions prior to 8.6.43 **Description** A remote attacker can cause a denial of service by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, impacting all connected clients. The issue occurs because the server does not validate regular expression patterns at subscription time. **Recommendations** Update to Parse Server version 9.6.0-alpha.19 or later. Update to Parse Server version 8.6.43 or later. Update to Parse Server version 9.6.0 or later. Update to Parse Server version 8.6.43 or later. Disable LiveQuery if it is not needed.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.15 Parse Server versions prior to 8.6.41 Parse Server versions prior to 9.6.0 Parse Server versions prior to 8.6.41 **Description** Parse Server, an open-source backend deployable on Node.js infrastructures, is affected by a file upload issue. An attacker with file upload privileges can bypass the file extension filter by appending a MIME parameter (e.g., `;charset=utf-8`) to the `Content-Type` header. This bypass allows the storage and serving of active content under the application's domain. Additionally, certain XML-based file extensions capable of rendering scripts in web browsers were not included in the default blocklist, potentially leading to stored cross-site scripting (XSS) attacks. Successful exploitation could compromise session tokens, user credentials, and other sensitive data accessible through the browser's local storage. The issue stems from improper validation of file extensions when a MIME parameter is present in the `Content-Type` header. The vulnerable component is the file upload functionality, specifically the extension validation process. **Recommendations** Versions prior to 9.6.0-alpha.15 should be updated. Versions prior to 8.6.41 should be updated. Versions prior to 9.6.0 should be updated. Versions prior to 8.6.41 should be updated. Configure the `fileUpload.fileExtensions` option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.40 Parse Server versions prior to 9.6.0-alpha.14 **Description** Parse Server, an open-source backend deployable on Node.js infrastructures, is affected by an issue in the GraphQL WebSocket endpoint for subscriptions. Prior to fixes, this endpoint did not enforce authentication, introspection control, or query complexity limits through the standard Express middleware chain. This allowed attackers to connect to the WebSocket endpoint and execute GraphQL operations without valid API keys, access the GraphQL schema even with public introspection disabled, and bypass query complexity limits by sending arbitrarily complex queries. **Recommendations** Versions prior to 8.6.40 should be updated to version 8.6.40 or later. Versions prior to 9.6.0-alpha.14 should be updated to version 9.6.0-alpha.14 or later. Block WebSocket upgrade requests to the GraphQL subscriptions path (by default `/subscriptions`) at the network level, for example using a reverse proxy or load balancer rule.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.11 and 8.6.37 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where its built-in OAuth2 authentication adapter reuses a singleton instance across all OAuth2 provider configurations. Concurrent authentication requests for different OAuth2 providers can lead to one provider’s token validation using another provider’s configuration. This could allow a token that should be rejected by one provider to be incorrectly accepted due to validation against a different provider’s policy. Deployments configuring multiple OAuth2 providers with the `oauth2: true` flag are affected. The issue stems from a race condition in the OAuth2 adapter, potentially allowing attackers to bypass token validation. **Recommendations** Versions prior to 9.6.0-alpha.11 should be updated to 9.6.0-alpha.11 or later. Versions prior to 8.6.37 should be updated to 8.6.37 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.13 and 8.6.39 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, is affected by an issue in its OAuth2 authentication adapter. When `appidField` and `appIds` are configured, the adapter does not properly validate application IDs. During validation, a malformed value is sent to the token introspection **API Endpoint** instead of the user’s actual access token. The behavior of the introspection endpoint determines the impact: it could lead to a failure of all OAuth2 logins or allow authentication from unauthorized application contexts if the endpoint returns seemingly valid data for the incorrect request. Deployments utilizing the OAuth2 adapter with `appidField` and `appIds` configured are susceptible. The issue involves incorrect parameter alignment in the OAuth2 adapter's app ID validation method. **Recommendations** Versions prior to 9.6.0-alpha.13 should be updated to 9.6.0-alpha.13 or later. Versions prior to 8.6.39 should be updated to 8.6.39 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 9.6.0-alpha.12 and 8.6.38 **Description** Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to account takeover. An unauthenticated attacker can compromise user accounts created with authentication providers that do not validate user identifiers, such as those using anonymous authentication. By submitting a specially crafted login request, the attacker can manipulate the server into performing a pattern-matching query instead of an exact-match lookup. This allows the attacker to successfully match an existing user and obtain a valid session token, effectively gaining control of the user's account. Both MongoDB and PostgreSQL database backends are affected. The issue stems from insufficient input validation for authentication data, specifically the user identifier. The fix involves enforcing that the user identifier is a string before use in database queries, rejecting non-string values. **Recommendations** Versions prior to 9.6.0-alpha.12 should be updated to 9.6.0-alpha.12 or later. Versions prior to 8.6.38 should be updated to 8.6.38 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.8 Parse Server versions prior to 9.5.0-alpha.8 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, contains a path traversal flaw in the PagesRouter static file serving route. This allows unauthenticated access to files outside the designated `pagesPath` directory. The issue stems from a string prefix comparison lacking directory separator enforcement, enabling attackers to access files in sibling directories with names sharing a prefix with the pages directory. The vulnerable route is susceptible to path traversal sequences. **Recommendations** Update to Parse Server version 8.6.8 or later. Update to Parse Server version 9.5.0-alpha.8 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.10 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, contains an issue where disabling graphQLPublicIntrospection does not fully prevent unauthenticated users from performing type reconnaissance. Specifically, ` type` queries nested within inline fragments can bypass introspection controls. The ` schema` introspection functionality remains unaffected. The issue occurs when graphQLPublicIntrospection is disabled and allows attackers to gather information about the server's schema. The vulnerable queries utilize the ` type` function within inline fragments, such as `... on Query { type(name:"User") { name } }`. **Recommendations** Update to Parse Server version 9.5.0-alpha.10 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.9 Parse Server versions prior to 9.5.0-alpha.9 **Description** Parse Server, an open source backend deployable on Node.js infrastructures, has an issue where the file metadata endpoint does not enforce `beforeFind` and `afterFind` file triggers for versions prior to 8.6.9 and 9.5.0-alpha.9. When these triggers are used for access control, the metadata endpoint bypasses them, potentially allowing unauthorized access to file metadata. The vulnerable API endpoint is `/files/:appId/metadata/:filename`. **Recommendations** Update to Parse Server version 8.6.9 or later. Update to Parse Server version 9.5.0-alpha.9 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.7 Parse Server versions prior to 9.5.0-alpha.6 **Description** Parse Server is an open-source backend deployable on Node.js infrastructures. A malformed `$regex` query parameter, such as `[abc)`, can cause the database to return a structured error object unsanitized through the API response. This exposes database internals, including error messages, error codes, code names, cluster timestamps, and topology details. The issue is exploitable by any client capable of sending query requests, contingent on the deployment’s permission settings. The vulnerable parameter is `$regex`. The API endpoint receiving the vulnerable parameter is not specified. **Recommendations** Upgrade to Parse Server version 8.6.7 or later. Upgrade to Parse Server version 9.5.0-alpha.6 or later.