Snyk

**Name of the Vulnerable Software and Affected Versions** Code Agent versions all **Description** A remote code execution vulnerability has been identified, enabling an attacker to execute arbitrary code within the Code Agent container. Exploiting this issue requires an attacker to have network access to the Code Agent within the deployment environment. External exploitation is unlikely and depends on cluster misconfigurations and/or chaining with another vulnerability. However, internal exploitation could still be possible with a cluster misconfiguration. **Recommendations** For all versions, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** deno versions prior to 1.31.0 **Description** The issue is related to Regular Expression Denial of Service (ReDoS) due to the `upgradeWebSocket` function, which contains regexes in the form of `/s*,s*/`, used for splitting the `Connection/Upgrade` header. A specially crafted `Connection/Upgrade` header can be used to significantly slow down a web socket server. **Recommendations** For deno versions prior to 1.31.0, it is recommended that users upgrade to Deno 1.31.0. As a temporary workaround, consider restricting access to the `upgradeWebSocket` function until a patch is available. Avoid using the `Connection/Upgrade` header with specially crafted values in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** lite-web-server (affected versions not specified) **Description** The issue concerns a Denial of Service (DoS) condition that occurs when an attacker sends an HTTP request containing control characters that the `decodeURI()` function cannot parse. This can lead to a service disruption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** lite-dev-server versions all **Description** The issue arises due to missing input sanitization and the employment of sandboxes to the `req.url` user input that is passed to the server code, leading to Directory Traversal. **Recommendations** For all versions, consider disabling the vulnerable functionality related to the `req.url` input until a proper fix is available, and ensure proper input sanitization for the `req.url` variable to prevent Directory Traversal attacks.

**Name of the Vulnerable Software and Affected Versions** easy-static-server versions all **Description** The issue arises due to missing input sanitization and the employment of sandboxes to the `req.url` user input that is passed to the server code, leading to Directory Traversal. **Recommendations** For all versions, consider disabling the `req.url` input processing until a proper fix is implemented to sanitize the input and prevent Directory Traversal attacks. Restrict access to sensitive directories and files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** lite-server versions all **Description** The issue arises when an attacker sends an HTTP request that includes control characters, which the `decodeURI()` function is unable to parse, leading to a Denial of Service (DoS). This occurs when the `decodeURI()` function encounters characters it cannot process, resulting in the service becoming unavailable. **Recommendations** For all versions, consider disabling the `decodeURI()` function or restricting HTTP requests that include control characters until a patch is available. As a temporary workaround, restrict access to the HTTP endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.