Max-Schaefer

Name of the Vulnerable Software and Affected Versions: ssh2 versions prior to 1.4.0 Description: The issue is a command injection vulnerability that may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This issue only exists on Windows. Recommendations: For versions prior to 1.4.0, update to version 1.4.0 to resolve the issue. As a temporary workaround, consider validating and sanitizing any untrusted input before calling the vulnerable method to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** merge-deep library versions prior to 3.0.3 **Description** The issue allows an attacker to trick the library into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, facilitating prototype-pollution attacks against applications using this library. **Recommendations** For merge-deep library versions prior to 3.0.3, update to version 3.0.3 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: slashify version 1.0.0 Description: The issue allows open-redirect attacks. It is an Express middleware that normalises routes by stripping any final slash and redirects without validating the path. For example, visiting a URL like 'localhost:3000///github.com/' can redirect to 'https://github.com'. Recommendations: For version 1.0.0, discontinuing use of the `slashify` package is recommended as there is no known safe version of this package.