
Vulnerabilities from the last week
Prototype Pollution
axios is a promise-based HTTP client for the browser and Node.js.
Affected versions of this package are vulnerable to Prototype Pollution via the mergeDirectKeys function in mergeConfig. When Object.prototype has already been polluted (for example by an unrelated unsafe merge of attacker-controlled data in the same page or process), the config merge reads the inherited properties as though the caller had set them, so attacker-controlled values such as validateStatus end up in the request configuration.
This lets a malicious page or library alter how responses are handled, including causing 4xx and 5xx responses to be treated as successful and bypassing the normal error handling of applications that rely on Axios defaults.
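The following JavaScript is an added illustration, not axios's source. It is a cut-down config merge with the same failure mode as the mergeDirectKeys path described above: a key is taken from the caller's config whenever the in operator says it is present, and in walks the prototype chain, so a polluted Object.prototype supplies validateStatus. A hardened variant that only consults own properties is shown beside it. DIRECT_KEYS, DEFAULT_CONFIG and the pollution helper are assumptions made for this demo.

```javascript
// Added example; not axios's source. DIRECT_KEYS, DEFAULT_CONFIG and the
// pollution helper below are assumptions made for this demo.
const DIRECT_KEYS = ["validateStatus", "timeout", "baseURL"];

const DEFAULT_CONFIG = {
  // Same rule as axios's default: only 2xx counts as success.
  validateStatus: (status) => status >= 200 && status < 300,
  timeout: 0,
};

// Vulnerable: `in` reports inherited properties, so whatever sits on
// Object.prototype wins over the library defaults.
function mergeConfigVulnerable(defaults, config = {}) {
  const merged = {};
  for (const key of DIRECT_KEYS) {
    if (key in config) merged[key] = config[key];
    else if (key in defaults) merged[key] = defaults[key];
  }
  return merged;
}

// Hardened: only own properties of either object are considered.
function mergeConfigHardened(defaults, config = {}) {
  const merged = {};
  for (const key of DIRECT_KEYS) {
    if (Object.hasOwn(config, key)) merged[key] = config[key];
    else if (Object.hasOwn(defaults, key)) merged[key] = defaults[key];
  }
  return merged;
}

// How the client decides whether a status code is an error.
function isSuccess(config, status) {
  return config.validateStatus(status);
}

// Simulates Object.prototype having been polluted elsewhere in the page,
// e.g. by an unsafe deep merge of attacker-controlled JSON. The property is
// writable so assignments to own properties of other objects still work, and
// it is removed afterwards so the rest of the process is unaffected.
function withPollutedPrototype(fn) {
  Object.defineProperty(Object.prototype, "validateStatus", {
    value: () => true, // "every status is a success"
    writable: true,
    configurable: true,
    enumerable: false,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype.validateStatus;
  }
}

function demoPrototypePollution() {
  const userConfig = { timeout: 1000 }; // caller never sets validateStatus
  // Without pollution the vulnerable merge behaves correctly: 500 is an error.
  const clean = isSuccess(mergeConfigVulnerable(DEFAULT_CONFIG, userConfig), 500);
  const polluted = withPollutedPrototype(() => ({
    vulnerableUnderPollution: isSuccess(mergeConfigVulnerable(DEFAULT_CONFIG, userConfig), 500),
    hardenedUnderPollution: isSuccess(mergeConfigHardened(DEFAULT_CONFIG, userConfig), 500),
  }));
  return { cleanTreats500AsSuccess: clean, ...polluted };
}
```

Run demoPrototypePollution(): the clean merge reports 500 as an error, the vulnerable merge under pollution reports it as a success, and the hardened merge still rejects it. The check to look for in a fix is exactly the own-property test: inherited keys must never be treated as caller-supplied configuration.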
SQL Injection
litellm is a library for interfacing with LLM API providers.
Affected versions of this package are vulnerable to SQL Injection via the token lookup query in the combined view path. An attacker can extract or manipulate records by supplying a crafted token value that is interpolated directly into the WHERE v.token = '{token}' clause. This affects the proxy's combined-view token resolution logic and can expose or alter tenant-scoped data returned by the database query. The durable fix is to pass the token as a bound query parameter rather than building the statement text from it.
Workarounds
- Set disable_error_logs: true under general_settings to prevent unauthenticated input from reaching the vulnerable proxy API key verification query path.
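The following JavaScript is an added illustration, not litellm's code. It reproduces the statement shape quoted above with the token spliced into the SQL text, lexes the result to show which parts of the final statement an attacker controls as code, and contrasts it with a parameterized form. It goes one step beyond the advisory by also including the quote-doubling stopgap, so the lexer shows why escaping keeps the token inside one literal while parameterization keeps it out of the SQL text entirely. The view name, column names and the crafted token are constructed for the demo.

```javascript
// Added example; not litellm's code. VIEW_NAME and the columns are
// placeholders, and CRAFTED_TOKEN is constructed attacker input.
const VIEW_NAME = "token_view";
const CRAFTED_TOKEN = "' OR '1'='1";

// Vulnerable shape: the token is spliced into the SQL text.
function buildLookupVulnerable(token) {
  return `SELECT v.token, v.team_id FROM ${VIEW_NAME} v WHERE v.token = '${token}'`;
}

// Stopgap: double embedded quotes so the token cannot close the literal.
// Still string-building; shown only to illustrate what the fix must achieve.
function buildLookupEscaped(token) {
  return buildLookupVulnerable(token.replace(/'/g, "''"));
}

// Fix: the token travels out of band as a bound parameter; the SQL text is constant.
function buildLookupParameterized(token) {
  return {
    text: `SELECT v.token, v.team_id FROM ${VIEW_NAME} v WHERE v.token = $1`,
    values: [token],
  };
}

// Minimal SQL lexer: splits a statement into "code" and single-quoted
// "literal" segments, honouring the standard '' escape inside a literal.
function lexSql(sql) {
  const parts = [];
  let buf = "";
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (!inLiteral) {
      if (ch === "'") {
        if (buf) parts.push({ type: "code", text: buf });
        buf = "";
        inLiteral = true;
      } else {
        buf += ch;
      }
    } else if (ch === "'" && sql[i + 1] === "'") {
      buf += "'"; // escaped quote stays inside the literal
      i++;
    } else if (ch === "'") {
      parts.push({ type: "literal", text: buf });
      buf = "";
      inLiteral = false;
    } else {
      buf += ch;
    }
  }
  if (inLiteral) parts.push({ type: "unterminated", text: buf });
  else if (buf) parts.push({ type: "code", text: buf });
  return parts;
}

// For this statement shape the developer wrote exactly one literal (the token)
// at the very end, so every literal beyond the first and every code segment
// after the first is attacker-supplied.
function analyzeLookup(sql) {
  const parts = lexSql(sql);
  return {
    literals: parts.filter((p) => p.type === "literal").map((p) => p.text),
    injectedCode: parts
      .filter((p) => p.type === "code")
      .slice(1)
      .map((p) => p.text.trim()),
    unterminated: parts.some((p) => p.type === "unterminated"),
  };
}

function demoTokenLookup() {
  return {
    vulnerable: analyzeLookup(buildLookupVulnerable(CRAFTED_TOKEN)),
    escaped: analyzeLookup(buildLookupEscaped(CRAFTED_TOKEN)),
    parameterized: buildLookupParameterized(CRAFTED_TOKEN),
  };
}
```

With the crafted token, the vulnerable statement ends up with three literals and the attacker's OR and = operators sitting in code position; the escaped statement keeps the whole token inside a single literal; the parameterized statement contains no literal at all and the token appears only in the bound values, which is why it cannot change the query's structure whatever it contains.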
Insertion of Sensitive Information into Log File
org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur.
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. Kafka is vulnerable to the disclosure of sensitive information via the toString methods of IncrementalAlterConfigsRequest and AlterUserScramCredentialsRequest. An attacker can expose config values, SCRAM salts, and salted passwords by triggering request logging or any code path that renders these request objects as strings. This leaks administrative secrets and credential material into logs and diagnostics, allowing unauthorized readers of those logs to recover protected configuration values and authentication data.
Workarounds
- Keep Kafka clients at the default INFO log level and do not enable DEBUG logging for NetworkClient, so that request and response objects are not rendered into logs and sensitive config values, SCRAM salts, and salted passwords are not exposed. This covers only the logging path; any other code that renders these request objects as strings still discloses the same values, so upgrading remains the fix.
Recent vulnerabilities disclosed by Snyk (severity: C = critical, M = medium)
- M: Improper Input Validation in django-mdeditor (pip)
- C: Remote Code Execution (RCE) in simple-git (npm)
- C
- M: Cross-site Scripting (XSS) in github.com/yuin/goldmark/renderer/html (golang)
- M: Division by zero in jsrsasign (npm)
Snyk security researchers have disclosed 3486 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.