Rexxars

**Name of the Vulnerable Software and Affected Versions** eventsource-encoder versions prior to 1.0.2 **Description** The software fails to sanitize the `event` and `id` fields of an `EventSourceMessage` before serialization in the `encodeMessage()` function. An attacker who controls these fields can inject Server-Sent Events (SSE) line terminators (` `, `r`, or `r `), allowing them to forge additional SSE fields or entire messages on the stream. This can lead to spoofing events of arbitrary types, injecting fields such as `data:`, `id:`, or `retry:`, splitting a single encoding call into multiple browser events, or overriding the client's `Last-Event-ID`. **Recommendations** Update to version 1.0.2. As a temporary workaround, validate or strip line terminators from any untrusted value before passing it to the `encode` or `encodeMessage()` functions.

**Name of the Vulnerable Software and Affected Versions** Deno versions prior to 2.1.2 **Description** Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When a request with the `Authorization` header is sent to one domain and the response asks to redirect to a different domain, Deno's `fetch()` redirect handling creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain. **Recommendations** For Deno versions prior to 2.1.2, update to version 2.1.2 or later to resolve the issue. As a temporary workaround, consider disabling the `fetch()` function's redirect handling for sensitive requests until a patch is available. Restrict access to the `fetch()` API to minimize the risk of exploitation. Avoid using the `Authorization` header in requests that may be redirected to different domains until the issue is resolved.