by Snyk Security Researchers
Upgrade postgresql to version 13.19, 14.16, 15.11, 16.7, 17.3 or higher.
@react-router/express is an Express server request handler for React Router.

Affected versions of this package are vulnerable to HTTP Request Smuggling via Host or X-Forwarded-Host headers. An attacker can spoof the URL used in an incoming request's Host or X-Forwarded-Host header by passing in a URL pathname as the port of a URL.
dtale is a Web Client for Visualizing Pandas Objects.

Affected versions of this package are vulnerable to Arbitrary Command Injection by modifying the global application settings to enable enable_custom_filters. The attacker can then exploit access to the /dtale/test-filter endpoint to execute arbitrary commands.
Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to the custom UndertowHeaderFilterStrategy only filtering outgoing and not incoming headers. An attacker can manipulate header entries to invoke arbitrary methods from the Bean registry or use expressions as part of the method parameters, leading to unauthorized actions on components like camel-bean and camel-exec.
This vulnerability is a special case of the vulnerabilities described in CVE-2025-27636 and CVE-2025-29891, applying only to the Undertow component.