LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

Summary A serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data...

EUVD-2022-6906

Malicious code in bioql PyPI...

EUVD-2022-2198

Malicious code in bioql PyPI...

PharStreamWrapper for Typo3 unsafe deserialization vulnerability

PharMetaDataInterceptor in the PharStreamWrapper aka phar-stream-wrapper package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism...

GHSA-3HXW-G85P-QGXM PharStreamWrapper for Typo3 unsafe deserialization vulnerability

PharMetaDataInterceptor in the PharStreamWrapper aka phar-stream-wrapper package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism...

CVE-2019-11831

The PharStreamWrapper aka phar-stream-wrapper package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL...

CVE-2019-11831

The PharStreamWrapper aka phar-stream-wrapper package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL...

CVE-2019-11830

PharMetaDataInterceptor in the PharStreamWrapper aka phar-stream-wrapper package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism...

CVE-2019-11831

Removed by vendor...

CVE-2019-11831

The PharStreamWrapper aka phar-stream-wrapper package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL...

CVE-2019-11831

CVE-2019-11831 affects Drupal’s TYPO3 phar-stream-wrapper integration. The vulnerability arises from incomplete validation in the phar:// stream wrapper library, enabling directory traversal that bypasses a deserialization protection mechanism. Affected: phar-stream-wrapper versions 2.x before 2....

CVE-2019-11830

PharMetaDataInterceptor in the PharStreamWrapper aka phar-stream-wrapper package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism...

CVE-2019-11830

The vulnerability CVE-2019-11830 affects TYPO3 in the PharStreamWrapper (phar-stream-wrapper) 2.x before 2.1.1 and 3.x before 3.1.1. The issue stems from misparsing Phar stubs, allowing bypass of deserialization protection. Impact is high (CVE-2019-11830) with critical, network-exposed access. Re...

The vulnerability of the Jackson-databind library arises from the lack of class protection for slf4j-ext, which allows attackers to execute arbitrary code.

The vulnerability of the Jackson-databind library arises from the lack of protection for the slf4j-ext class against polymorphic deserialization. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...