Sebastianosrt

Name of the Vulnerable Software and Affected Versions Haraka versions prior to 3.1.4 Description Haraka, a Node.js mail server, is susceptible to a crash when processing emails containing the ' proto ': header. This occurs because the header parser stores headers in a plain object, and when the key is ' proto ', it attempts to call the 'push' function on the Object prototype, resulting in a TypeError. In single-process mode, this crash terminates the entire server. In cluster mode, the master process restarts the worker, leading to session loss. Recommendations Update Haraka to version 3.1.4 or later.

**Name of the Vulnerable Software and Affected Versions** Qwik versions up to and including 1.19.0 **Description** Qwik is susceptible to Remote Code Execution (RCE) due to an unsafe deserialization issue within the `server$` RPC mechanism. This allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. The issue affects deployments where the `require()` function is available at runtime. Approximately 46,000 services utilizing Qwik have been identified. The `server$` RPC mechanism is the component directly involved in this issue. **Recommendations** Update to Qwik version 1.19.1 or later.

**Name of the Vulnerable Software and Affected Versions** Parse Server versions prior to 8.6.3 Parse Server versions prior to 9.1.1-alpha.4 **Description** Parse Server is susceptible to a security issue where an unauthenticated attacker can create a forged Google authentication token using `alg: "none"` to gain access as any user associated with a Google account, without needing their credentials. All deployments utilizing Google authentication are potentially affected. The issue stems from trusting the JWT header and using a custom key fetcher that accepted unknown key IDs. **Recommendations** Versions prior to 8.6.3 should be upgraded to version 8.6.3 or later. Versions prior to 9.1.1-alpha.4 should be upgraded to version 9.1.1-alpha.4 or later. As a temporary workaround, disable Google authentication until an upgrade is possible.

**Name of the Vulnerable Software and Affected Versions** Http4s versions 1.0.0-M1 through 1.0.0-M44 Http4s versions prior to 0.23.31 **Description** Http4s is susceptible to HTTP Request Smuggling because of incorrect handling of the HTTP trailer section. This can allow attackers to circumvent front-end server security measures, conduct attacks on current users, and corrupt web caches. Exploitation requires the web application to be deployed behind a reverse proxy that forwards trailer headers. **Recommendations** Update to Http4s version 1.0.0-M45 or later. Update to Http4s version 0.23.31 or later.

Name of the Vulnerable Software and Affected Versions: h2 versions prior to 4.3.0 Description: h2 is a pure-Python implementation of a HTTP/2 protocol stack. A request splitting issue allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. Recommendations: Update to version 4.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** Eventlet versions prior to 0.40.3 **Description** The Eventlet WSGI parser is susceptible to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This issue could allow attackers to bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. **Recommendations** Update to Eventlet version 0.40.3 or later. As a workaround, avoid using Eventlet WSGI when facing untrusted clients.