
Vulnerabilities from the last week
Use of a Cryptographic Primitive with a Risky Implementation
elliptic is a fast elliptic-curve cryptography implementation in plain javascript.
Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation because the byte-length of the nonce k is computed incorrectly when k has leading zero bytes, causing the value to be truncated. An attacker can recover the secret key by analyzing a faulty signature produced by a vulnerable implementation together with a correct signature for the same inputs.
Note:
There is a distinct but related issue CVE-2024-48948.
Server-side Request Forgery (SSRF)
chainlit is a framework for building conversational AI applications.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the /project/element update flow when the SQLAlchemy data layer backend is configured. An attacker can cause the server to send arbitrary HTTP requests to internal network services or cloud metadata endpoints by supplying a user-controlled URL, and can store the retrieved responses through the configured storage provider. This is only exploitable if the SQLAlchemy data layer backend is enabled and the attacker is authenticated.
Cross-site Scripting (XSS)
org.webjars.npm:svelte is a package for building web applications.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input in the #hydratable_block() function during the hydratable process. An attacker can execute arbitrary JavaScript in the client's browser by supplying a crafted key that is embedded into a <script> block without proper escaping. This can lead to session or token theft, DOM manipulation, or account takeover.
Note:
This is only exploitable if the experimental.async flag is enabled and untrusted user input is used as a key in hydratable.
Recent vulnerabilities disclosed by Snyk
- M: Stored XSS in net.sourceforge.plantuml:plantuml (maven)
- M: Permissive List of Allowed Inputs in n8n-nodes-base (npm)
- H: Prototype Pollution in pace-js (npm)
- C: Remote Code Execution (RCE) in n8n-workflow (npm)
- C: Remote Code Execution (RCE) in n8n-nodes-base (npm)
Snyk security researchers have disclosed 3457 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.