Karussell

#20947 of 53,630
11.9 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2021-15499
5.4
2021-07-21
Graphhopper · Graphhopper-Web-Bundle · CVE-2021-23408
**Name of the Vulnerable Software and Affected Versions**

com.graphhopper:graphhopper-web-bundle versions prior to 3.2

com.graphhopper:graphhopper-web-bundle versions 4.0-pre1 through 4.0

**Description**

The issue affects the URL parser, which could be tricked into adding or modifying properties of `Object.prototype` using a constructor or `__proto__` payload.

**Recommendations**

For versions prior to 3.2, update to version 3.2 or later.

For versions 4.0-pre1 through 4.0, update to a version later than 4.0.
PT-2021-18260
6.5
2021-05-13
Unknown · Graphhopper · CVE-2021-29506
**Name of the Vulnerable Software and Affected Versions**

GraphHopper versions 2.0 through 2.3

**Description**

The issue is related to a regular expression injection that may lead to Denial of Service. There is no information about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited.

**Recommendations**

For GraphHopper versions 2.0 through 2.3, update to version 2.4 or 3.0 to resolve the issue.

For versions lower than 2.x with the navigation module added, update to version 2.4 or 3.0 to resolve the issue.

As a temporary workaround, consider disabling the navigation module in versions lower than 2.x until a patch is available.