Nyxsorcerer

**Name of the Vulnerable Software and Affected Versions** SandboxJS versions prior to 0.8.26 **Description** SandboxJS, a JavaScript sandboxing library, has a flaw where the `AsyncFunction` constructor is not properly isolated within the `SandboxFunction`. The library aims to secure code execution by replacing the global `Function` constructor with a sandboxed version. However, prior to version 0.8.26, mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction` were missing. This allows code within the sandbox to access the native host `AsyncFunction` constructor via the `.constructor` property of an async function. By obtaining this constructor, an attacker can create and execute functions outside the sandbox, leading to Remote Code Execution (RCE). The vulnerability is due to the failure to intercept the `AsyncFunction` constructor, allowing attackers to bypass security restrictions and gain full access to the host environment. **Recommendations** Versions prior to 0.8.26 should be updated to version 0.8.26 or later.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.30 through 2.4.55 uWSGI PyPI package versions prior to 2.0.22 **Description** The issue is related to HTTP Response Smuggling vulnerability in Apache HTTP Server via mod proxy uwsgi. Special characters in the origin response header can truncate/split the response forwarded to the client. This can allow a remote attacker to perform an HTTP request smuggling attack. **Recommendations** For Apache HTTP Server versions 2.4.30 through 2.4.55, update to a version that includes the fix for this issue. For uWSGI PyPI package versions prior to 2.0.22, update to version 2.0.22 or later. As a temporary workaround, consider disabling the mod proxy uwsgi module until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions prior to 2.4.55 **Description** The issue is related to the mod proxy module in Apache HTTP Server, where it fails to properly handle CRLF sequences in HTTP headers. This can be exploited by a remote attacker to perform HTTP response splitting attacks. A malicious backend can cause response headers to be truncated early, resulting in some headers being incorporated into the response body, which can bypass security measures if those headers have a security purpose. **Recommendations** For versions prior to 2.4.55, update to Apache HTTP Server version 2.4.55 or later to resolve the issue. As a temporary workaround, consider restricting access to the mod proxy module to minimize the risk of exploitation.