691 matches found
Reflected XSS in GraphQL Playground
Impact directly impacted: - [email protected] - all unsanitized user input for renderPlaygroundPage all of our consuming packages of graphql-playground-html are impacted: - [email protected] - unsanitized user input to expressPlayground -...
Information Exposure
Overview Versions of apollo-server-hapi prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoInstrospection rule for the Websocket. This leaks the GraphQL schema types, their relations...
@bakjs/graphql (>=2.0.0 <=2.2.0), @clevyr/pavo-hapi-graphql (>=0.0.1 <=0.0.5) +14 more potentially affected by unknown CVE via apollo-server-hapi (>=1.2.0 <=1.4.0)
apollo-server-hapi NPM version =1.2.0, =2.0.0, =0.0.1, =0.1.0, =1.0.0, =0.0.51, =3.0.0, =1.0.2, =1.0.1, =0.2.2, =0.2.37 - trailpack-apollo =3.0.0-alpha.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-W42G-7VFC-XF37...
Node.js third-party modules: Prototype pollution in multipart parsing
I would like to report a prototype pollution attack in fastify-multipart it allows to crash a remote server parsing multipart requests by sending a specially crafted request. Module module name: fastify-multipart version: all versions before Detailed steps to reproduce with all required...
Denial Of Service (DoS)
@hapi/ammo is vulnerable to denial of service DoS. The Range HTTP header parser causes the function to throw a system error when the header value is invalid, allowing an attacker to crash the application using a malicious header value...
Prototype Pollution
@hapi/subtext is vulnerable to prototype pollution. Lack of object validation allows an attacker to inject arbitrary Object properties which can potentially lead to execution of arbitrary code...
Denial of Service
Overview Affected versions of @commercial/hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will...
Denial of Service
Overview Versions of @hapi/hapi prior to 18.4.1 or 19.1.1 are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the...
Denial of Service
Overview All Versions of hapi are vulnerable to Denial of Service. The CORS request handler has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. If no unhandled exception handler is available, the application will exist, allowing an...
Prototype Pollution
Overview Versions of @hapi/subtext prior to 6.1.3 or 7.0.3 are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rul...
Prototype Pollution
Overview All versions of subtext are vulnerable to Prototype Pollution. A multipart payload can be constructed in a way that one of the parts’ content can be set as the entire payload object’s prototype. If this prototype contains data, it may bypass other validation rules which enforce access an...
Denial of Service
Overview Versions of subtext =4.1.0 are vulnerable to Denial of Service. The Content-Encoding HTTP header parser has a vulnerability which will cause the function to throw a system error if the header contains some invalid values. Because hapi rethrows system errors as opposed to catching expecte...
Denial of Service
Overview Versions of @hapi/ammo prior to 3.1.2 or 5.0.1 are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, t...
Denial of Service
Overview All versions of ammo are vulnerable to Denial of Service. The Range HTTP header parser has a vulnerability which will cause the function to throw a system error if the header is set to an invalid value. Because hapi is not expecting the function to ever throw, the error is thrown all the...
Prototype Pollution
@hapi/content causes prototype pollution. The vulnerability exists as it allows the value proto to be passed through the multipart name variable...
Prototype Pollution
@hapi/hoek is vulnerable to prototype pollution. Failure to validate object to prevent modification of object prototype in clone function allows an attacker to inject malicious object properties which can potentially lead to execution of arbitrary code. The vulnerability affects only applications...
Prototype Pollution
Overview Versions of @hapi/hoek prior to 8.5.1 and 9.0.3 are vulnerable to Prototype Pollution. The clone function fails to prevent the modification of the Object prototype when passed specially-crafted input. Attackers may use this to change existing properties that exist in all objects, which m...
Insufficient Entropy
Overview Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits method does not provide sufficient entropy and its generates digits that are not evenly distributed. Recommendation Upgrade to version 4.1.2. The package is deprecated and has been moved to...
Cross-Site Scripting
Overview Versions of @hapi/boom prior t 0.3.8 are vulnerable to Cross-Site Scripting XSS. The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation Upgrade to version 0.3.8 or later. References - Snyk repor...
XML External Entity (XXE)
jamesagnew/hapi-fhir is vulnerable to XML External Entity XXE attacks. This attack occurs because the function FhirInstanceValidator accepts and processes XML input containing a reference to an external entity, allowing a remote attacker to access local or remote files and service conditions...