Google · @Angular/Ssr · CVE-2026-44437
**Name of the Vulnerable Software and Affected Versions**
- Angular SSR versions 19.0.0-next.0 through 19.2.24
- Angular SSR versions 20.x through 20.3.24
- Angular SSR versions 21.x through 21.2.8
- Angular SSR versions 22.0.0-next.0 through 22.0.0-next.6
**Description**
An issue exists in the processing logic of the 'X-Forwarded-Prefix' header. The internal validation runs on the raw header value and does not account for URL-encoded characters, specifically encoded dots (`%2e%2e`, the encoded form of `..`). A traversal sequence that is percent-encoded therefore passes the filter and is only later decoded and normalized into a real `..` segment, allowing attackers to bypass the check by injecting encoded path traversal sequences. This occurs when the application is configured to trust proxy headers and is deployed behind a proxy that forwards the 'X-Forwarded-Prefix' header without sanitization.
This can lead to two scenarios:
- Open Redirect: The decoded traversal payload manipulates the Location header during a redirect, forcing the browser to an unintended path or external domain.
- Server-Side Request Steering: The manipulated prefix is used as the base path for server-side `HttpClient` requests, causing the server to make requests to unintended internal paths or external endpoints.
**Recommendations**
- Update Angular SSR to version 19.2.25.
- Update Angular SSR to version 20.3.25.
- Update Angular SSR to version 21.2.9.
- Update Angular SSR to version 22.0.0-next.7.
As a temporary workaround, manually sanitize the 'X-Forwarded-Prefix' header in `server.ts`: decode the header value first, so that encoded traversal sequences are caught before the path is normalized, and ignore the header (or refuse the request) when the decoded value contains a traversal segment.
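The following is an added example of such a sanitizer, not code from the Angular project or from this advisory. It decodes the header value before any checks, repeats the decoding a bounded number of times so that double-encoded sequences (`%252e%252e`) are caught as well, and then validates the result segment by segment. The function names, the decode bound and the conservative per-segment character allowlist are this example's own assumptions; adjust the allowlist if your deployment uses prefixes with other characters.

```typescript
// Added example: a conservative sanitizer for the X-Forwarded-Prefix header,
// meant to run in server.ts before the value reaches any redirect or
// HttpClient base-path logic. Not Angular's own code; the function names,
// MAX_DECODE_ROUNDS and SAFE_SEGMENT are this example's assumptions.

const MAX_DECODE_ROUNDS = 3;                 // bound on repeated decoding (assumption)
const SAFE_SEGMENT = /^[A-Za-z0-9._~-]+$/;   // allowlist for one path segment (assumption)

/** Decode percent-encoding until the value stops changing, or give up. */
function fullyDecode(value: string): string | null {
  let current = value;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    let next: string;
    try {
      next = decodeURIComponent(current);
    } catch {
      return null; // malformed percent-encoding: reject rather than guess
    }
    if (next === current) return current; // fixed point reached: nothing left encoded
    current = next;
  }
  return null; // still changing after the bound: treat nested encoding as hostile
}

/**
 * Returns a normalised prefix ("/app", "/a/b") that is safe to prepend to
 * paths, "" when no prefix applies, or null when the header must be ignored
 * (or the request refused).
 */
export function sanitizeForwardedPrefix(raw: string | string[] | undefined): string | null {
  if (raw === undefined) return '';      // header absent: no prefix
  if (Array.isArray(raw)) return null;   // duplicated header: refuse to pick one

  const decoded = fullyDecode(raw);
  if (decoded === null) return null;

  // Must be a single absolute path: never "//host" (protocol-relative open
  // redirect) and never "scheme://..." (no leading slash at all).
  if (!decoded.startsWith('/') || decoded.startsWith('//')) return null;
  // Backslashes and control characters have no business in a prefix.
  if (/[\\\u0000-\u001f\u007f]/.test(decoded)) return null;
  if (decoded === '/') return '';

  const segments = decoded.slice(1).split('/');
  if (segments[segments.length - 1] === '') segments.pop(); // tolerate a trailing slash
  for (const seg of segments) {
    // Empty segment means an embedded "//"; "." and ".." are traversal,
    // and because we decoded first, "%2e%2e" has already become "..".
    if (seg === '' || seg === '.' || seg === '..') return null;
    if (!SAFE_SEGMENT.test(seg)) return null;
  }
  return '/' + segments.join('/');
}

/**
 * Helper for server.ts: reads the header from a Node-style lowercase header
 * map and returns the prefix to use. A rejected value is dropped entirely,
 * so no partially-cleaned string can reach redirect or HttpClient code.
 */
export function forwardedPrefixFrom(
  headers: Record<string, string | string[] | undefined>,
): string {
  return sanitizeForwardedPrefix(headers['x-forwarded-prefix']) ?? '';
}
```

Dropping the header on rejection keeps the application serving at its default base path; if you would rather surface tampering, have the caller respond with 400 when `sanitizeForwardedPrefix` returns `null` and log the raw value for detection.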