Nbars

**Name of the Vulnerable Software and Affected Versions** HotCRP versions October 2025 through January 2026 **Description** HotCRP is conference review software. Versions between October 2025 and January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser instead of being downloaded. This behavior was intended only for `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` files. However, adding `save=0` to the document URL could request inline delivery for any document. This made users vulnerable to cross-site scripting attacks when clicking a document link. Uploaded HTML or SVG documents could run in the viewer’s browser with access to their HotCRP credentials, allowing Javascript within those documents to make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The issue was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323. **Recommendations** Update to HotCRP version 3.2.1 or later.

**Name of the Vulnerable Software and Affected Versions** ECMAScript (affected versions not specified) **Description** A problem in the ECMAScript specification of async generators may lead to mis-implementation in a way that could present as a security issue, such as type confusion and pointer dereference. The internal async generator machinery calls regular promise resolver functions on IteratorResult objects, assuming that these objects will not be then-ables. However, these objects can be made then-able, triggering arbitrary behavior, including re-entering the async generator machinery in a way that violates some internal invariants. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. Implementors should refer to the latest ECMAScript specification and update their implementations to comply with the `AsyncGenerator` section. Users unable to upgrade to the patched version would want to use exception handling mechanisms to ensure any exceptions caused by the engine don't impact the availability of the main application.

**Name of the Vulnerable Software and Affected Versions** Boa versions 0.16 through 0.19.0 **Description** A wrong assumption in Boa's implementation of `AsyncGenerator` can cause an uncaught exception on certain scripts. This occurs because the state of an `AsyncGenerator` object is assumed not to change while resolving a promise created by methods such as `%AsyncGeneratorPrototype%.next`, `%AsyncGeneratorPrototype%.return`, or `%AsyncGeneratorPrototype%.throw`. However, a carefully constructed code can trigger a state transition from a getter method for the promise's `then` property, causing the engine to fail an assertion of this assumption and resulting in an uncaught exception. This could be used to create a Denial Of Service attack in applications that run arbitrary ECMAScript code provided by an external user. **Recommendations** For versions 0.16 through 0.19.0, upgrade to version 0.19.0 to correctly handle this case. For users unable to upgrade to the patched version, use `std::panic::catch unwind` to ensure any exceptions caused by the engine do not impact the availability of the main application.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 128 Mozilla Firefox ESR versions prior to 115.13 Mozilla Thunderbird versions prior to 115.13 Mozilla Thunderbird versions prior to 128 **Description** The issue is related to a type confusion in Async Generators, potentially leading to memory corruption and an exploitable crash. This could allow a remote attacker to cause a denial of service. The problem is associated with an error in the ECMA-262 specification. **Recommendations** For Mozilla Firefox versions prior to 128, upgrade to version 128 or later. For Mozilla Firefox ESR versions prior to 115.13, upgrade to version 115.13 or later. For Mozilla Thunderbird versions prior to 115.13, upgrade to version 115.13 or later. For Mozilla Thunderbird versions prior to 128, upgrade to version 128 or later. As a temporary workaround, consider using `std::panic::catch unwind` to ensure any exceptions caused by the engine do not impact the availability of the main application.