
Vulnerabilities from the last week
Improper Handling of Unicode Encoding
protobufjs is a protocol buffer for JavaScript (& TypeScript).
Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in the decoding of overlong UTF-8 strings. An attacker can bypass application-level byte filtering or validation by sending malicious sequences that decode to canonical characters. This is only exploitable if the application decodes protobuf binary data using the minimal UTF-8 decoder and relies on byte-level filtering before string decoding.
Deserialization of Untrusted Data
pytorch-lightning is a lightweight PyTorch wrapper for ML researchers. Scale your models. Write less boilerplate.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the LightningModule.load_from_checkpoint function. Any workflow that calls this function on an untrusted .ckpt inherits PyTorch’s unsafe unpickling defaults. Malicious checkpoints can embed arbitrary pickle gadgets, achieving code execution the moment Lightning restores weights.
Timing Attack
org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies.
Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can determine whether a guessed secret is correct by measuring the time taken to compare secrets, potentially allowing unauthorized access through a timing side-channel attack.
Recent vulnerabilities disclosed by Snyk
- H: Prototype Pollution in jsondiffpatch (npm)
- M: Cross-site Scripting (XSS) in jsondiffpatch (npm)
- M: Missing Authentication for Critical Function in django-mdeditor (pip)
- C: Remote Code Execution (RCE) in simple-git (npm)
Snyk security researchers have disclosed 3488 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.