We’ve disclosed 3373 vulnerabilities by Snyk Security Researchers
How to fix?
Avoid using all malicious instances of the tukaani-project/xz package.
Affected versions of this package are vulnerable to Improper Privilege Management due to incorrect configuration of the role trust policy for IAM roles associated with Amplify projects. Specifically, when the Authentication component is removed, a Condition property is also removed while leaving "Effect":"Allow" intact. This oversight allows the sts:AssumeRoleWithWebIdentity action to be available without any conditions, potentially enabling unauthorized access to an organization's AWS resources. This issue arises if an authorized AWS user removes the Authentication component, which could realistically occur if there's a decision to discontinue using built-in Cognito resources or to switch to a different identity provider.
llama-index is an interface between LLMs and your data
Affected versions of this package are vulnerable to Command Injection due to the safe_eval function. An attacker can execute arbitrary code on the server hosting the application by crafting input that, while not containing an underscore, still results in the execution of OS commands.
org.webjars.npm:phin is the ultra-lightweight Node.js HTTP client
Affected versions of this package are vulnerable to Information Exposure Through Sent Data due to the handling of HTTP headers during redirects when followRedirects is enabled. An attacker can potentially intercept sensitive information by exploiting how headers are included in outgoing requests after a redirect.
Prototype Pollution in lodash (npm)
Prototype Pollution in lodash.zipobjectdeep (npm)
Remote Code Execution (RCE) in mysql2 (npm)
Prototype Poisoning in mysql2 (npm)
Improper Input Validation in mysql2 (npm)