2 matches found
Arbitrary Code Injection
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the yield iterator inside an async generator. An attacker can execute arbitrary commands on the host system by...
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
Impact The remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust...