Zebbern

Name of the Vulnerable Software and Affected Versions: basic-ftp versions 5.2.0 Description: basic-ftp is an FTP client for Node.js. Versions prior to 5.2.1 are susceptible to FTP command injection due to improper handling of CRLF sequences (r ) within file path parameters used in high-level path APIs like `cd()`, `remove()`, `rename()`, `uploadFrom()`, `downloadTo()`, `list()`, and `removeDir()`. The `protectWhitespace()` function inadequately sanitizes paths, and the `FtpContext.send()` function directly appends r to commands, allowing attacker-controlled paths to split intended FTP commands. This can lead to arbitrary file deletion, directory manipulation, file exfiltration, potential server command execution, session hijacking, and service disruption. The vulnerability stems from the interaction between insufficient path sanitization in `protectWhitespace()` and the direct socket write in `send()`. Affected methods include `cd()`, `remove()`, `list()`, `downloadTo()`, `uploadFrom()`, `rename()`, and `removeDir()`. An attacker controlling file path parameters can inject arbitrary FTP protocol commands. Recommendations: Sanitize all path inputs before passing them to basic-ftp. Reject or strip r and characters from all path inputs in the `protectWhitespace()` function.

Name of the Vulnerable Software and Affected Versions RedwoodSDK versions 1.0.0-beta.50 through 1.0.5 Description RedwoodSDK server functions exported from "use server" files were callable via GET requests, circumventing intended HTTP method restrictions. In applications using cookie-based authentication, this permitted cross-site GET requests to initiate state modifications, as browsers include SameSite=Lax cookies with top-level GET requests. This impacted all server functions, including `serverAction()` handlers and directly exported functions within "use server" files. Recommendations Update to RedwoodSDK version 1.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** pdf-image versions through 2.0.0 **Description** The pdf-image npm package versions through 2.0.0 allows for OS command injection via the `pdfFilePath` parameter. The `constructGetInfoCommand` and `constructConvertCommandForPage` functions utilize `util.format()` to incorporate user-supplied file paths into shell command strings, which are then executed using `child process.exec()`. This allows for remote code execution. **Recommendations** Versions prior to 2.0.1 should be used. As a temporary workaround, avoid using the `pdfFilePath` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** textract versions through 2.5.0 **Description** The software is susceptible to an OS Command Injection issue through the file path parameter in multiple extractors. Processing files with malicious filenames allows the `filePath` to be directly passed to `child process.exec()` in `lib/extractors/doc.js`, `rtf.js`, `dxf.js`, `images.js`, and `lib/util.js` without sufficient sanitization. The vulnerable parameter is `filePath`. The vulnerable function is `child process.exec()`. **Recommendations** Versions prior to 2.5.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** thumbler versions prior to 1.1.3 **Description** The software contains a flaw that allows for the injection of operating system commands. This occurs through the `input`, `output`, `time`, or `size` parameters within the `thumbnail()` function. The issue arises because user-supplied input is directly incorporated into a shell command string passed to `child process.exec()` without adequate sanitization or escaping. This lack of proper handling enables an attacker to execute arbitrary commands on the system. **Recommendations** Update thumbler to version 1.1.3 or later.