by Snyk Security Researchers
Upgrade react-server-dom-webpack to version 19.0.1, 19.1.2, 19.2.1 or higher.
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite.
Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe dynamic imports in the loadServerAction, decodeReply, and decodeAction server APIs. An attacker can execute arbitrary JavaScript code with Node.js privileges by sending crafted HTTP requests to the development server endpoints.
Exposed development servers, such as those running with the vite --host option, are vulnerable.
taguette is a free and open source qualitative research tool.
Affected versions of this package are vulnerable to Open Redirect via the next parameter in the login and cookies prompt processes. An attacker can redirect users to arbitrary external websites by crafting malicious URLs containing a user-controlled next parameter.
Affected versions of this package are vulnerable to Incorrect Authorization in the process that creates Kubernetes Role bindings. An attacker can access sensitive information by executing GET requests in affected Pods using their Service Account to retrieve any Secret from the same namespace. This is only exploitable if Apache Kafka Connect or MirrorMaker 2 operands are deployed without at least one of the required TLS or authentication configurations.