Nadav0077

**Name of the Vulnerable Software and Affected Versions** undici versions 6.17.0 through 6.25.x undici versions 7.0.0 through 7.27.x undici versions 8.0.0 through 8.4.x **Description** The WebSocket client fails to limit the number of fragments in a message, only enforcing the `maxPayloadSize` on the cumulative byte count. A malicious server can send numerous small or empty continuation frames that bypass per-frame and cumulative-size validation, leading to unbounded memory growth, memory exhaustion, and a denial of service. This affects applications using the `new WebSocket(...)` client or the WebSocketStream API when connecting to a compromised or attacker-controlled endpoint. **Recommendations** Upgrade to version 6.26.0 or later for the 6.x branch. Upgrade to version 7.28.0 or later for the 7.x branch. Upgrade to version 8.5.0 or later for the 8.x branch.

**Name of the Vulnerable Software and Affected Versions** auth versions 1.18.0 through 1.25.1 auth versions 2.0.0 through 2.1.1 **Description** The Patreon OAuth provider maps every authenticated Patreon account to the same local `user.ID` instead of deriving a unique ID from the account returned by Patreon. This occurs because the `mapUser()` function hashes an uninitialized destination field rather than the actual Patreon user ID. Consequently, all Patreon-authenticated users are collapsed into a single local identity. Applications that rely on `token.User.ID` as a stable account key may experience mixing or merging of unrelated users, leading to cross-account access, privilege confusion, and subscription-state leakage. **Recommendations** Update to version 1.25.2. Update to version 2.1.2.

**Name of the Vulnerable Software and Affected Versions** web3.py versions 6.0.0b3 through 7.15.0 web3.py versions 6.0.0b3 through 8.0.0b2 **Description** web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in the `offchain lookup payload["urls"]` variable. The implementation uses these URLs directly after `{sender}` and `{data}` template substitution without destination validation, lacking restrictions on schemes, hostname allowlists, or blocking of private and reserved IP ranges. Because CCIP Read is enabled by default via the `global ccip read enabled` variable, any application using the `.call()` method is exposed. This leads to Server-Side Request Forgery (SSRF) when the library is used in backend services, indexers, or APIs that perform `eth call` or `.call()` against untrusted contract addresses. A malicious contract can force the process to issue HTTP GET or POST requests to arbitrary destinations, such as internal network services, loopback addresses, and cloud metadata endpoints. The issue is further amplified as the library follows HTTP redirects by default without validating the final resolved URL. **Recommendations** Update web3.py to version 7.15.0 or 8.0.0b2. As a temporary workaround, disable CCIP Read by setting `global ccip read enabled` to `False` when calling untrusted contracts.