Tweidinger

**Name of the Vulnerable Software and Affected Versions** Seroval versions 1.4.0 and below **Description** Seroval allows JavaScript value stringification, including complex structures beyond the capabilities of JSON.stringify. In versions 1.4.0 and below, serializing objects with significant depth can cause a maximum call stack limit error. Version 1.4.1 introduces a `depthLimit` parameter in serialization/deserialization methods, which throws an error if the depth limit is exceeded. **Recommendations** Update to version 1.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** seroval versions 1.4.0 and below **Description** seroval provides JavaScript value stringification, handling complex structures beyond the capabilities of JSON.stringify. A flaw in input validation in versions 1.4.0 and below can lead to prototype pollution during JSON deserialization when processing malicious object keys. This issue specifically impacts the JSON deserialization functionality. **Recommendations** Update to version 1.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** seroval versions 1.4.0 and below **Description** seroval is a JavaScript library that facilitates value stringification, including complex structures. In versions 1.4.0 and below, overriding RegExp serialization with excessively large patterns can exhaust JavaScript runtime memory during deserialization. Overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). Catastrophic backtracking is a condition where a regular expression engine takes an extremely long time to complete its search due to the structure of the pattern. **Recommendations** Configure `disabledFeatures` to disable RegExp serialization entirely.

**Name of the Vulnerable Software and Affected Versions** seroval versions 1.4.0 and below **Description** seroval facilitates JavaScript value stringification, including complex structures beyond the capabilities of JSON.stringify. In affected versions, replacing encoded array lengths with excessively large values causes a significant increase in processing time during deserialization. This can lead to performance issues or potential denial-of-service conditions. **Recommendations** Update to version 1.4.1 or later. seroval no longer encodes array lengths; it computes length using `Array.prototype.length` during deserialization.

**Name of the Vulnerable Software and Affected Versions** Netmaker versions prior to 0.15.1 **Description** The issue is related to Improper Authorization functions, which allow non-privileged users to run privileged API calls. If users without admin privileges are added to the Netmaker platform, they can use their auth tokens to run admin-level functions via the API. Additionally, differing response codes based on function calls may allow non-users to brute force the determination of network names on the system. **Recommendations** For versions prior to 0.15.1, update to version 0.15.1 by following these steps: 1. Run `docker-compose down` 2. Run `docker pull gravitl/netmaker:v0.15.1` 3. Run `docker-compose up -d`