Yuki Matsuhashi

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

**Name of the Vulnerable Software and Affected Versions** morgan versions 1.2.0 through 1.10.1 **Description** The logging middleware fails to neutralize control characters when the `:remote-user` token extracts the Basic auth username from the Authorization request header. An unauthenticated attacker can send a crafted Authorization Basic header containing Carriage Return (CR) or Line Feed (LF) bytes to inject forged log lines. This breaks the one-request-per-line structure of access logs, enabling log forgery against downstream log consumers. The issue affects the built-in combined, common, default, and short formats, as well as any custom format referencing `:remote-user`. **Recommendations** Upgrade to version 1.11.0. As a temporary workaround, use a custom format string that does not include `:remote-user`.

**Name of the Vulnerable Software and Affected Versions** exifreader versions prior to 4.39.0 **Description** A crafted image containing an ICC mluc tag can specify an attacker-controlled record count combined with a zero record size. During the parsing process, the software repeatedly processes the same record and appends entries to an array without sufficient bounds validation, leading to excessive memory growth. This can result in a denial of service through memory exhaustion in applications that parse images supplied by attackers. **Recommendations** Update to version 4.39.0 or later.

**Name of the Vulnerable Software and Affected Versions** exifreader versions prior to 4.39.0 **Description** Improper handling of highly compressed data leads to data amplification when decompressing PNG zTXt metadata without enforcing a maximum decompressed output size. If asynchronous parsing is enabled, a specially crafted PNG file with a highly compressed zTXt chunk can cause the software to materialize an excessively large Comment value in memory. **Recommendations** Update to version 4.39.0 or later.

**Name of the Vulnerable Software and Affected Versions** jsondiffpatch versions prior to 0.7.6 **Description** Improper sanitization of JSON values and property names in the annotated formatter allows for Cross-site Scripting (XSS). This occurs when an application compares untrusted JSON or object data and renders the annotated formatter output in the Document Object Model (DOM), enabling the browser to interpret attacker-controlled HTML. **Recommendations** Update to version 0.7.6 or later.

**Name of the Vulnerable Software and Affected Versions** jsondiffpatch versions prior to 0.7.6 **Description** Prototype Pollution occurs when attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like ` proto ` or `constructor.prototype`, allowing modification of `Object.prototype`. This can affect application behavior throughout the entire Node.js process. The issue is triggered via the 'jsondiffpatch.patch()' and 'jsondiffpatch/formatters/jsonpatch.patch()' endpoints by supplying crafted delta or JSON Patch documents. **Recommendations** Update to version 0.7.6 or later. Review applications that process untrusted JSON Patch input.

**Name of the Vulnerable Software and Affected Versions** @fastify/accepts-serializer versions prior to 6.0.4 **Description** An issue exists where serializer-selection results are cached using the request `Accept` header as a key without a size limit or eviction policy. A remote unauthenticated client can send numerous distinct but matching `Accept` header variants, causing the cache to grow unbounded. This can lead to the exhaustion of the Node.js heap and result in a process crash, causing a Denial of Service (DoS). **Recommendations** Update to version 6.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** Spring MVC (affected versions not specified) Spring WebFlux (affected versions not specified) **Description** Applications using Spring MVC or Spring WebFlux are susceptible to cache poisoning during the resolution of static resources. This occurs when resource chain support is configured with caching enabled and support for encoded resources resolution is added, provided the resource cache is empty. An attacker can send malicious requests to poison the resource cache with resources using incorrect encoding, potentially leading to a denial of service by breaking the front-end application for clients. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WebFlux server application (affected versions not specified) **Description** A WebFlux server application that processes multipart requests creates temporary files for parts larger than 10 K. Under certain conditions, these temporary files may not be deleted after the request is fully processed, which allows an attacker to consume available disk space. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LogonTracer versions prior to 2.0.0 **Description** An OS command injection flaw exists in LogonTracer, an open-source tool used for investigating malicious Windows logons. This issue allows an authenticated, logged-in user to execute arbitrary OS commands with full system privileges. **Recommendations** Update to version 2.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** LogonTracer versions prior to 2.0.0 **Description** A cypher injection issue exists where loading specially crafted Windows event log data can allow the contents of the database to be altered. Cypher injection is a type of attack where an attacker inserts malicious code into a Cypher query, which is a graph query language, to manipulate the database. **Recommendations** Update to version 2.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Multer versions prior to 2.1.1 **Description** A flaw exists in Multer, a node.js middleware used for processing `multipart/form-data`. This issue can be exploited to cause a Denial of Service (DoS) by submitting specially crafted requests, which may lead to a stack overflow. **Recommendations** Upgrade to version 2.1.1 to address the issue.