Peaktwilight

**Name of the Vulnerable Software and Affected Versions** Forge versions prior to 1.4.0 **Description** Forge, a native implementation of Transport Layer Security in JavaScript, has an issue where the `pki.verifyCertificateChain()` function does not properly enforce RFC 5280 basicConstraints requirements. Specifically, when an intermediate certificate is missing both the `basicConstraints` and `keyUsage` extensions, any leaf certificate can act as a Certificate Authority (CA) and sign other certificates, which Forge will incorrectly accept as valid. This bypass allows for the creation of untrusted certificate chains. **Recommendations** Update to Forge version 1.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** `yaml` versions prior to 1.10.3 `yaml` versions prior to 2.8.3 **Description** The `yaml` library is susceptible to a stack overflow when parsing YAML documents. The issue occurs during the node resolution/composition phase, which uses recursive function calls without a depth limit. An attacker providing malicious YAML input, approximately 2–10 KB in size, can trigger a `RangeError: Maximum call stack size exceeded`. This error is not a `YAMLParseError`, potentially leading to unexpected exceptions in applications that only handle YAML-specific errors. The impact can range from request failures to the termination of the Node.js process. Flow sequences, with their minimal byte overhead per nesting level, facilitate deep nesting and exacerbate the problem. The library's `Parser` (CST phase) is not affected, as it employs an iterative, stack-based approach. The affected APIs include `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. **Recommendations** Versions prior to 1.10.3: Upgrade to version 1.10.3 or later. Versions prior to 2.8.3: Upgrade to version 2.8.3 or later.

**Name of the Vulnerable Software and Affected Versions** Uptime Kuma versions 1.23.0 through 2.2.0 **Description** Uptime Kuma is an open source, self-hosted monitoring tool. Versions 1.23.0 through 2.2.0 do not fully implement the fix for GHSA-vffh-c9pq-4crh, leaving the application susceptible to Server-side Template Injection (SSTI). The mitigations added to the Liquid engine (`root`, `relativeReference`, `dynamicPartials`) only block paths enclosed in quotes. An attacker can bypass these mitigations by using unquoted absolute paths, allowing them to read any file on the server. The original fix in `notification-provider.js` only addresses the initial stages of file resolution in LiquidJS, but the `require.resolve()` fallback in `liquid.node.js` lacks containment checks. This allows unquoted absolute paths, such as `/etc/passwd`, to be successfully resolved. The blocking of quoted paths is a coincidental result of the quote characters causing a `MODULE NOT FOUND` error, rather than an intentional security measure. **Recommendations** Update to Uptime Kuma version 2.2.1 or later.