Weblover

Name of the Vulnerable Software and Affected Versions IBM Langflow Desktop versions 1.6.0 through 1.8.2 Description IBM Langflow Desktop versions 1.6.0 through 1.8.2 may allow an authenticated user to execute arbitrary code on the system. This is due to an insecure default setting that permits the deserialization of untrusted data within the FAISS component. Recommendations Update to a version later than 1.8.2.

**Name of the Vulnerable Software and Affected Versions** Ollama versions 0.11.5-rc0 through 0.13.5 **Description** Ollama contains a flaw due to insufficient validation of base64-encoded image data. Specifically, when processing image data through the `/api/chat` endpoint, the application does not verify the validity of the decoded media before passing it to the `mtmd helper bitmap init from buf` function. If this function returns NULL, indicating malformed input, the code proceeds to dereference the NULL pointer, leading to a segmentation fault and a denial of service. This can cause the model to become unavailable until the service is restarted. The vulnerability exists in the multi-modal model image processing functionality. **Recommendations** Update Ollama to a version newer than 0.13.5.

**Name of the Vulnerable Software and Affected Versions** Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 **Description** The software contains a regular expression denial of service (ReDoS) issue within the `UriTemplate` class when handling RFC 6570 exploded array patterns. The dynamically generated regular expression used for URI matching includes nested quantifiers, which can lead to catastrophic backtracking when processing specifically crafted inputs. This can cause excessive CPU usage, potentially making the Node.js process unresponsive and resulting in a denial of service. An attacker can exploit this by providing a malicious URI. **Recommendations** Upgrade to version 1.25.2.