Vulnerabilities: 2 via 2 paths
Dependencies: 350
Source: GitHub
Commit: 64a18cca


high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: astro
  • Introduced through: astro@5.18.1

Detailed paths

  • Introduced through: cv@tellebma/cv#64a18cca43a1c10f36065109e771ae89bca8c0a0 > astro@5.18.1
    Remediation: Upgrade to astro@6.0.0.

Overview

astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /_server-islands/[name] route handler, which buffers and parses the entire request body as JSON without enforcing a size limit. An attacker can cause the server process to exhaust available memory and crash by sending a single unauthenticated request with a crafted payload containing many small JSON objects, resulting in significant memory amplification.

Remediation

Upgrade astro to version 6.0.0-beta.20 or higher.


medium severity
new

Uncontrolled Recursion

  • Vulnerable module: yaml
  • Introduced through: @astrojs/check@0.9.8

Detailed paths

  • Introduced through: cv@tellebma/cv#64a18cca43a1c10f36065109e771ae89bca8c0a0 > @astrojs/check@0.9.8 > @astrojs/language-server@2.16.6 > volar-service-yaml@0.0.70 > yaml-language-server@1.20.0 > yaml@2.7.1

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion in the compose/resolve phase due to using recursive function calls without a depth bound. An attacker can cause the application to throw a RangeError and potentially terminate the Node.js process by supplying a deeply nested YAML payload that exhausts the call stack.

PoC

const YAML = require('yaml');

// ~10 KB payload: 5000 levels of nested flow sequences
const payload = '['.repeat(5000) + '1' + ']'.repeat(5000);

try {
  YAML.parse(payload);
} catch (e) {
  console.log(e.constructor.name); // RangeError (NOT YAMLParseError)
  console.log(e.message);          // Maximum call stack size exceeded
}

Remediation

Upgrade yaml to version 1.10.3, 2.8.3 or higher.


medium severity

MPL-2.0 license

  • Module: lightningcss
  • Introduced through: @tailwindcss/vite@4.2.2

Detailed paths

  • Introduced through: cv@tellebma/cv#64a18cca43a1c10f36065109e771ae89bca8c0a0 > @tailwindcss/vite@4.2.2 > @tailwindcss/node@4.2.2 > lightningcss@1.32.0
