Wesr

**Name of the Vulnerable Software and Affected Versions** GitPython versions 3.1.30 through 3.1.46 **Description** GitPython fails to properly validate certain Python keyword arguments, allowing a bypass of the safety checks intended to block dangerous Git options. While the library blocks options like `--upload-pack` and `--receive-pack` by default, using the underscore-form keyword arguments `upload pack` and `receive pack` bypasses this validation because the check occurs before the arguments are normalized into command-line flags. If an application passes attacker-controlled keyword arguments into the following functions, it can lead to arbitrary command execution even when `allow unsafe options` is set to `False`: - `Repo.clone from()` - `Remote.fetch()` - `Remote.pull()` - `Remote.push()` **Recommendations** Update GitPython to version 3.1.47. As a temporary workaround, avoid passing user-controlled input into the `upload pack` and `receive pack` parameters of the `Repo.clone from()`, `Remote.fetch()`, `Remote.pull()`, and `Remote.push()` functions.

Name of the Vulnerable Software and Affected Versions Discount versions 1.3.1.1 through 2.2.7.3 Description A signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than `INT MAX` are truncated to a signed `int` before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process. This issue affects the `RDiscount.new(input).to html` and `RDiscount.new(input).toc content` APIs. The vulnerability occurs because `RSTRING LEN(text)` is passed directly into `mkd string()`, which accepts an `int len`. The parser stores the remaining input length in a signed `int`, and if the Ruby string length exceeds `INT MAX`, the value can truncate to a negative `int`, leading to the out-of-bounds read. Recommendations Update to version 2.2.7.4 or later.

Name of the Vulnerable Software and Affected Versions Strawberry GraphQL versions through 0.312.3 Description Strawberry GraphQL is susceptible to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify completion of a `connection init` handshake before processing start (subscription) messages. This allows an attacker to bypass the `on ws connect` authentication hook by connecting with the graphql-ws subprotocol and sending a start message directly, without a `connection init` message. The graphql-transport-ws subprotocol handler is not affected. Applications relying on `on ws connect` for authentication or authorization are affected. Recommendations Upgrade to version 0.312.3 or later. Alternatively, disable the legacy graphql-ws subprotocol by setting `subscription protocols=[GRAPHQL TRANSPORT WS PROTOCOL]` on your GraphQL view/router.