Prototype Pollution

Overview mixin-deep is a package that deeply mixes the properties of objects into the first object. Affected versions of this package are vulnerable to Prototype Pollution. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload...

Prototype Pollution

Overview assign-deep is a library for deeply assigning the values of all enumerable-own-properties and symbols from one or more source objects to a target object. Affected versions of this package are vulnerable to Prototype Pollution. The function assign-deep could be tricked into adding or...

Denial of Service

Overview Versions of memjs prior to 1.2.2 are vulnerable to Denial of Service DoS. The package fails to sanitize the value option passed to the Buffer constructor, which may allow attackers to pass large values exhausting system resources. Recommendation Upgrade to version 1.2.2 or later...

GHSA-WRW9-M778-G6MC Memory Exposure in bl

Versions of bl before 0.9.5 and 1.0.1 are vulnerable to memory exposure. bl.appendnumber in the affected bl versions passes a number to Buffer constructor, appending a chunk of uninitialized memory Recommendation Update to version 0.9.5, 1.0.1 or later...

Remote Code Execution

handlebars is vulnerable to remote code execution. The vulnerability exists because it is possible to manipulate the template and access the constructor in the template, allowing an attacker to inject arbitrary code through it...

Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR

/ Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR A bug in IonMonkeys type inference system when JIT compiling and entering a constructor function via on-stack replacement OSR allows the compilation of JITed functions that cause type confusions between...

SpiderMonkey IonMonkey Type Confusion

Spidermonkey: IonMonkey's type inference is incorrect for constructors entered via OSR Related CVE Numbers: CVE-2019-9791. A bug in IonMonkeys type inference system when JIT compiling and entering a constructor function via on-stack replacement OSR allows the compilation of JITed functions that...

Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR

Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR / A bug in IonMonkeys type inference system when JIT compiling and entering a constructor function via on-stack replacement OSR allows the compilation of JITed functions that cause type confusions between...

Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR

/ A bug in IonMonkeys type inference system when JIT compiling and entering a constructor function via on-stack replacement OSR allows the compilation of JITed functions that cause type confusions between arbitrary objects. Prerequisites: 1. Spidermonkey can represent "plain" objects either as...

Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey

The type inference system allows the compilation of functions that can cause type confusions between arbitrary objects when compiled through the IonMonkey just-in-time JIT compiler and when the constructor function is entered through on-stack replacement OSR. This allows for possible arbitrary...

Monero: Potential use-after-free due to struct array_entry_t lacking an explicit copy constructor

struct arrayentryt in contrib/epee/include/storages/portablestoragebase.h does not implement a copy constructor. Wherever there is code that attempts to copy-construct arrayentryt, the compiler inserts a copy constructor for arrayentryt that merely copies over the values. The struct possesses an...

Sandbox Breakout / Arbitrary Code Execution

Overview Versions of safer-eval before 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. Recommendation Upgrade to version 1.3.2. References GitHub Advisory...

Arbitrary Code Execution

Overview safer-eval is a safer approach for eval in node and browser. Affected versions of this package are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. Remediation Upgrade safer-eval to version 1.3.2 or higher...

Jenkins - Remote Code Execution Exploit

Exploit for java platform in category web applications Jenkins - Remote Code Execution Exploit In the exploitation, the target is always escalating the read primitive or write primitive to code execution! From the previous section, we can write malicious JAR file into remote Jenkins server by...

Jenkins Remote Code Execution

In the exploitation, the target is always escalating the read primitive or write primitive to code execution! From the previous section, we can write malicious JAR file into remote Jenkins server by Grape. However, the next problem is how to execute code? By diving into Grape implementation on...

Jenkins Plugin Script Security < 1.50/Declarative < 1.3.4.1/Groovy < 2.61.1 - Remote Code Execution (PoC)

In the exploitation, the target is always escalating the read primitive or write primitive to code execution! From the previous section, we can write malicious JAR file into remote Jenkins server by Grape. However, the next problem is how to execute code? By diving into Grape implementation on...

Jenkins Plugin Script Security 1.50Declarative 1.3.4.1Groovy 2.61.1 - Remote Code Execution (PoC)

Jenkins Plugin Script Security 1.50Declarative 1.3.4.1Groovy 2.61.1 - Remote Code Execution PoC In the exploitation, the target is always escalating the read primitive or write primitive to code execution! From the previous section, we can write malicious JAR file into remote Jenkins server by...

Sandbox Breakout / Arbitrary Code Execution

Overview Versions of static-evalprior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept var evaluate = require'static-eval'; var parse =...

GHSA-CX8M-8XMX-Q8V3 Denial of Service in memjs

Versions of memjs prior to 1.2.2 are vulnerable to Denial of Service DoS. The package fails to sanitize the value option passed to the Buffer constructor, which may allow attackers to pass large values exhausting system resources. Recommendation Upgrade to version 1.2.2 or later...

Denial of Service in memjs

Versions of memjs prior to 1.2.2 are vulnerable to Denial of Service DoS. The package fails to sanitize the value option passed to the Buffer constructor, which may allow attackers to pass large values exhausting system resources. Recommendation Upgrade to version 1.2.2 or later...