
Vulnerabilities from the last week
Allocation of Resources Without Limits or Throttling
phoenix is the official JavaScript client for the Phoenix web framework.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the handling of Elixir.Phoenix.Transports.LongPoll POST requests with Content-Type: application/x-ndjson. An attacker can exhaust system memory and schedulers, leading to a crash and termination of all active sessions, by sending a large request body consisting entirely of newline bytes; the body is split into a massive list of empty binaries that is then processed without any limit.
Note: This is only exploitable if the longpoll transport is enabled on any Phoenix.Socket declaration, including the LiveView/livesocket. Longpoll is enabled for newly generated Phoenix projects since Phoenix 1.7.11.
Use of Hard-coded Credentials
ogham-mcp is a shared-memory MCP server (persistent, searchable, cross-client).
Affected versions of this package are vulnerable to Use of Hard-coded Credentials due to hardcoded credentials present in the source files, including development database URLs and an API key. An attacker can gain unauthorized access to external services by extracting these credentials from the distributed source files.
Access Control Bypass
Affected versions of this package are vulnerable to Access Control Bypass via the updateUserRealmRoles function. An attacker can escalate privileges by invoking the API with a valid token from one realm to modify user roles in another realm, potentially granting administrative access to unauthorized users.
Recent vulnerabilities disclosed by Snyk
- Missing Authentication for Critical Function in django-mdeditor (pip)
- Remote Code Execution (RCE) in simple-git (npm)
- Cross-site Scripting (XSS) in github.com/yuin/goldmark/renderer/html (golang)
- Division by zero in jsrsasign (npm)
Snyk security researchers have disclosed 3486 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.