Unknown · Dash-Core-Components · CVE-2024-21485
**Name of the Vulnerable Software and Affected Versions**
dash-core-components versions prior to 2.13.0
dash versions prior to 2.15.0
dash-html-components versions prior to 2.0.16
**Description**
The issue allows an authenticated attacker to steal data visible to another user who opens a view that exploits this vulnerability. The attacker could also make additional requests and access other data accessible to this user. In some cases, they could steal the access tokens of that user, allowing the attacker to act as that user, including viewing other apps and resources hosted on the same server. This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.
**Recommendations**
For dash-core-components versions prior to 2.13.0, update to version 2.13.0 or later.
For dash versions prior to 2.15.0, update to version 2.15.0 or later.
For dash-html-components versions prior to 2.0.16, update to version 2.0.16 or later.
As a temporary workaround, consider restricting the use of the `href` attribute in the `a` tag to minimize the risk of exploitation.
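One way to apply this workaround to stored user input, as an added example rather than code from the advisory or from Dash: allow only an explicit list of URL schemes before a value is used as an `href`. The names `safe_href`, `ALLOWED_SCHEMES` and `FALLBACK`, the scheme list and the sample values are assumptions made for this illustration.

```python
# Added example, not Dash code: safe_href, ALLOWED_SCHEMES and FALLBACK are
# hypothetical names, and the scheme list is an assumption to adjust per app.
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}
FALLBACK = "#"  # inert target substituted for rejected values

# Browsers strip leading/trailing C0 controls and spaces, and remove tab, CR
# and LF anywhere in a URL, before parsing it. Normalise the same way first so
# the check sees the scheme the browser will see.
_EDGES = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_TAB_NEWLINE = re.compile(r"[\t\r\n]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def safe_href(value):
    """Return a normalised URL that is relative or uses an allowed scheme,
    otherwise FALLBACK."""
    if not isinstance(value, str):
        return FALLBACK
    url = _TAB_NEWLINE.sub("", _EDGES.sub("", value))
    # Reject empty values and any control character that survived normalisation.
    if not url or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return FALLBACK
    match = _SCHEME.match(url)
    if match is None:
        return url  # no scheme: relative reference, resolved against the app
    return url if match.group(1).lower() in ALLOWED_SCHEMES else FALLBACK


# In a Dash layout or callback the stored value would be wrapped before use:
#     html.A("Saved link", href=safe_href(stored_value))

if __name__ == "__main__":
    # Constructed sample values standing in for user input reloaded from storage.
    for sample in ["https://example.com/report?id=7", "/dashboards/42",
                   " Java\tScript:void(0)", "data:text/html,x", None]:
        print(repr(sample), "->", safe_href(sample))
```

Apply the check at the point where the stored value is rendered as well as where it is saved, so values stored before the check existed are also covered.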