Vulnerabilities

 16 via 24 paths

Dependencies

 477

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 10
  • 6
Status
  • 16
  • 0
  • 0

high severity

XML Entity Expansion

  • Vulnerable module: fast-xml-parser
  • Introduced through: secretary-ai@github:gotois/secretary-ai

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai fast-xml-parser@4.5.1

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to XML Entity Expansion in replaceEntitiesValue() when handling excessive DOCTYPE input. An attacker can cause excessive resource consumption and make the application unresponsive by submitting malicious XML input with large text entities referenced multiple times. This is a bypass for Billion Laughs protection in DocTypeReader.js, which prevents excessive referencing within and entity, but doesn't prevent repeated expansion of large entities.

Workaround

This vulnerability can be mitigated by disabling DOCTYPE parsing using the processEntities: false option.

PoC

const { XMLParser } = require('fast-xml-parser');

const entity = 'A'.repeat(1000);
const refs = '&big;'.repeat(100);
const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;

console.time('parse');
new XMLParser().parse(xml);
console.timeEnd('parse');

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade fast-xml-parser to version 4.5.4, 5.3.6 or higher.

References

XML Entity Expansion vulnerability report

high severity

XML Entity Expansion

  • Vulnerable module: fast-xml-parser
  • Introduced through: secretary-ai@github:gotois/secretary-ai

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai fast-xml-parser@4.5.1

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to XML Entity Expansion in the replaceEntitiesValue() function, which doesn't protect unlimited expansion of numeric entities the way it does DOCTYPE data (as described and fixed for CVE-2026-26278). An attacker can exhaust system memory and CPU resources by submitting XML input containing a large number of numeric character references - &#NNN; and &#xHH;.

Note: This is a bypass for the fix to the DOCTYPE expansion vulnerability in 5.3.6.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade fast-xml-parser to version 5.5.6 or higher.

References

XML Entity Expansion vulnerability report

high severity

Infinite loop

  • Vulnerable module: music-metadata
  • Introduced through: music-metadata@7.14.0 and secretary-ai@github:gotois/secretary-ai

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot music-metadata@7.14.0
    Remediation: Upgrade to music-metadata@11.12.3.
  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai music-metadata@7.14.0

Overview

music-metadata is a Music metadata parser for Node.js, supporting virtual any audio and tag format.

Affected versions of this package are vulnerable to Infinite loop through the parseExtensionObject process in the ASF parser when handling a sub-object with objectSize = 0. An attacker can cause the application to hang indefinitely by providing a specially crafted .asf file that triggers an infinite loop during parsing.

Remediation

Upgrade music-metadata to version 11.12.3 or higher.

References

Infinite loop vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: qs
  • Introduced through: express@4.21.2

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot express@4.21.2 qs@6.13.0
    Remediation: Upgrade to express@4.22.0.
  • Introduced through: tg@gotois/ProstoDiary_bot express@4.21.2 body-parser@1.20.3 qs@6.13.0
    Remediation: Upgrade to express@4.22.0.

Overview

qs is a querystring parser that supports nesting and arrays, with a depth limit.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exhaust server memory and cause application unavailability by submitting a large number of bracket notation parameters - like a[]=1&a[]=2 - in a single HTTP request.

PoC


const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length);  // Output: 10000 (should be max 100)

Remediation

Upgrade qs to version 6.14.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Improper Handling of Highly Compressed Data (Data Amplification)

  • Vulnerable module: undici
  • Introduced through: @digitalbazaar/vc@7.1.2

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot @digitalbazaar/vc@7.1.2 jsonld@8.3.3 @digitalbazaar/http-client@3.4.1 undici@5.29.0
    Remediation: Upgrade to @digitalbazaar/vc@7.3.0.

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the PerMessageDeflate.decompress() method of the permessage-deflate extension. An attacker can cause excessive memory usage by sending specially crafted compressed WebSocket frames that decompress to a very large size, potentially leading to process crashes or unresponsiveness.

Remediation

Upgrade undici to version 6.24.0, 7.24.0 or higher.

References

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability report

high severity

Uncaught Exception

  • Vulnerable module: undici
  • Introduced through: @digitalbazaar/vc@7.1.2

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot @digitalbazaar/vc@7.1.2 jsonld@8.3.3 @digitalbazaar/http-client@3.4.1 undici@5.29.0
    Remediation: Upgrade to @digitalbazaar/vc@7.3.0.

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Uncaught Exception through improper validation of the server_max_window_bits parameter in the permessage-deflate extension. An attacker can cause the process to terminate unexpectedly by sending a maliciously crafted value outside the valid range, which triggers an unhandled exception when the client attempts to create a zlib InflateRaw instance.

Remediation

Upgrade undici to version 6.24.0, 7.24.0 or higher.

References

Uncaught Exception vulnerability report

high severity

Improper Validation of Specified Quantity in Input

  • Vulnerable module: fast-xml-parser
  • Introduced through: secretary-ai@github:gotois/secretary-ai

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai fast-xml-parser@4.5.1

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the DocTypeReader component when the maxEntityCount or maxEntitySize configuration options are explicitly set to 0. Due to JavaScript's falsy evaluation, the intended limits are bypassed. An attacker can cause unbounded entity expansion and exhaust server memory by supplying crafted XML input containing numerous large entities.

Note:

This is only exploitable if the application is configured with processEntities enabled and either maxEntityCount or maxEntitySize set to 0.

PoC

const { XMLParser } = require("fast-xml-parser");

// Developer intends: "no entities allowed at all"
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxEntityCount: 0,    // should mean "zero entities allowed"
    maxEntitySize: 0       // should mean "zero-length entities only"
  }
});

// Generate XML with many large entities
let entities = "";
for (let i = 0; i < 1000; i++) {
  entities += `<!ENTITY e${i} "${"A".repeat(100000)}">`;
}

const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
  ${entities}
]>
<foo>&e0;</foo>`;

// This should throw "Entity count exceeds maximum" but does not
try {
  const result = parser.parse(xml);
  console.log("VULNERABLE: parsed without error, entities bypassed limits");
} catch (e) {
  console.log("SAFE:", e.message);
}

// Control test: setting maxEntityCount to 1 correctly blocks
const safeParser = new XMLParser({
  processEntities: {
    enabled: true,
    maxEntityCount: 1,
    maxEntitySize: 100
  }
});

try {
  safeParser.parse(xml);
  console.log("ERROR: should have thrown");
} catch (e) {
  console.log("CONTROL:", e.message);  // "Entity count (2) exceeds maximum allowed (1)"
}

Remediation

Upgrade fast-xml-parser to version 5.5.7 or higher.

References

Improper Validation of Specified Quantity in Input vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: qs
  • Introduced through: express@4.21.2

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot express@4.21.2 qs@6.13.0
    Remediation: Upgrade to express@4.22.0.
  • Introduced through: tg@gotois/ProstoDiary_bot express@4.21.2 body-parser@1.20.3 qs@6.13.0
    Remediation: Upgrade to express@4.22.0.

Overview

qs is a querystring parser that supports nesting and arrays, with a depth limit.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseArrayValue function when the comma option is in use. An attacker can exhaust system memory by submitting a parameter containing a large number of comma-separated values, resulting in the allocation of excessively large arrays.

Note: This is only exploitable if the comma option is explicitly set to true. arrayLimit is properly enforced for index and bracket notation.

PoC

const qs = require('qs');

const payload = 'a=' + ','.repeat(25);  // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };

try {
  const result = qs.parse(payload, options);
  console.log(result.a.length);  // Outputs: 26 (bypass successful)
} catch (e) {
  console.log('Limit enforced:', e.message);  // Not thrown
}

Remediation

Upgrade qs to version 6.14.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Improper Validation of Specified Index, Position, or Offset in Input

  • Vulnerable module: uuid
  • Introduced through: secretary-ai@github:gotois/secretary-ai and telegram-bot-api-express@1.3.7

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai @langchain/langgraph@1.2.6 uuid@10.0.0
  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai @langchain/langgraph@1.2.6 @langchain/langgraph-checkpoint@1.0.2 uuid@10.0.0
  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai @langchain/langgraph@1.2.6 @langchain/langgraph-sdk@1.8.10 uuid@13.0.2
  • Introduced through: tg@gotois/ProstoDiary_bot telegram-bot-api-express@1.3.7 node-telegram-bot-api@0.67.0 @cypress/request@3.0.10 uuid@8.3.2

Overview

uuid is a RFC4122 (v1, v4, and v5) compliant UUID library.

Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input due to accepting external output buffers but not rejecting out-of-range writes (small buf or large offset). This inconsistency allows silent partial writes into caller-provided buffers.

PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Remediation

Upgrade uuid to version 11.1.1, 14.0.0 or higher.

References

Improper Validation of Specified Index, Position, or Offset in Input vulnerability report

high severity

Incorrect Regular Expression

  • Vulnerable module: fast-xml-parser
  • Introduced through: secretary-ai@github:gotois/secretary-ai

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai fast-xml-parser@4.5.1

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to Incorrect Regular Expression in the entity parsing RegEx in DOCTYPE declarations. An attacker can inject arbitrary values that override built-in XML entities by crafting entity names containing ., which is interpreted as a regex wildcard, allowing malicious content to be substituted in place of standard entities when the XML is parsed and subsequently rendered or used in sensitive contexts.

Remediation

Upgrade fast-xml-parser to version 4.5.4, 5.3.5 or higher.

References

Incorrect Regular Expression vulnerability report

medium severity

Buffer Overflow

  • Vulnerable module: fast-xml-parser
  • Introduced through: secretary-ai@github:gotois/secretary-ai

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai fast-xml-parser@4.5.1

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to Buffer Overflow via the XMLBuilder when preserveOrder:true is set. An attacker can cause the application to crash by providing specially crafted input data.

Workaround

This vulnerability can be mitigated by using preserveOrder:false or by validating input data before passing it to the builder.

Remediation

Upgrade fast-xml-parser to version 4.5.4, 5.3.8 or higher.

References

Buffer Overflow vulnerability report

medium severity

Infinite loop

  • Vulnerable module: file-type
  • Introduced through: music-metadata@7.14.0 and secretary-ai@github:gotois/secretary-ai

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot music-metadata@7.14.0 file-type@16.5.4
    Remediation: Upgrade to music-metadata@11.3.0.
  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai music-metadata@7.14.0 file-type@16.5.4
  • Introduced through: tg@gotois/ProstoDiary_bot secretary-ai@github:gotois/secretary-ai jimp@0.22.12 @jimp/custom@0.22.12 @jimp/core@0.22.12 file-type@16.5.4

Overview

Affected versions of this package are vulnerable to Infinite loop in the FileTypeParser class. This is triggered when the ASF (WMV/WMA) parser receives input including an ASF sub-header with a size value of 0. An attacker can interrupt service with a 55-byte payload.

Remediation

Upgrade file-type to version 21.3.1 or higher.

References

Infinite loop vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: path-to-regexp
  • Introduced through: express@4.21.2

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot express@4.21.2 path-to-regexp@0.1.12
    Remediation: Upgrade to express@4.22.0.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when including multiple regular expression parameters in a single segment, separated by something that is not a period (.). Poor performance will block the event loop and can lead to a DoS.

Note:

This is caused by an incomplete fix for CVE-2024-45296 as it only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade path-to-regexp to version 0.1.13 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

HTTP Request Smuggling

  • Vulnerable module: undici
  • Introduced through: @digitalbazaar/vc@7.1.2

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot @digitalbazaar/vc@7.1.2 jsonld@8.3.3 @digitalbazaar/http-client@3.4.1 undici@5.29.0
    Remediation: Upgrade to @digitalbazaar/vc@7.3.0.

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to HTTP Request Smuggling in the processHeader() while handling HTTP/1.1 requests containing duplicate Content-Length headers with differing casing. An attacker can bypass access controls, poison caches, hijack credentials, or cause service disruption by sending specially crafted HTTP requests that are interpreted inconsistently by proxies and backend servers.

Remediation

Upgrade undici to version 6.24.0, 7.24.0 or higher.

References

HTTP Request Smuggling vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: undici
  • Introduced through: @digitalbazaar/vc@7.1.2

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot @digitalbazaar/vc@7.1.2 jsonld@8.3.3 @digitalbazaar/http-client@3.4.1 undici@5.29.0
    Remediation: Upgrade to @digitalbazaar/vc@7.3.0.

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the decompression chain. An attacker can cause high CPU usage and excessive memory allocation by sending HTTP responses with a large number of chained compression steps in the Content-Encoding header.

Remediation

Upgrade undici to version 6.23.0, 7.18.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

CRLF Injection

  • Vulnerable module: undici
  • Introduced through: @digitalbazaar/vc@7.1.2

Detailed paths

  • Introduced through: tg@gotois/ProstoDiary_bot @digitalbazaar/vc@7.1.2 jsonld@8.3.3 @digitalbazaar/http-client@3.4.1 undici@5.29.0
    Remediation: Upgrade to @digitalbazaar/vc@7.3.0.

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to CRLF Injection via the upgrade option of the client.request() function. An attacker can inject malicious data into HTTP headers or prematurely terminate HTTP requests by sending specially crafted input, potentially leading to unauthorized information disclosure or bypassing of security controls.

Remediation

Upgrade undici to version 6.24.0, 7.24.0 or higher.

References

CRLF Injection vulnerability report