We’ve disclosed 3384 vulnerabilities by Snyk Security Researchers
How to fix? Avoid using all malicious instances of the tukaani-project/xz package.
njwt is a JWT Library for Node.js

Affected versions of this package are vulnerable to Prototype Pollution in the parse method. An attacker can manipulate the prototype chain by injecting malicious properties.
litellm is a Library to easily interface with LLM API providers

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the eval function in the litellm.get_secret() method. An attacker can execute arbitrary code by injecting malicious values into environment variables through the /config/update endpoint, which allows for the update of settings in proxy_server_config.yaml.
Affected versions of this package are vulnerable to Directory Traversal. An attacker can craft a URL to return any file as a download, including system files outside of Nexus Repository application scope, without any authentication.
Improper Certificate Validation in componentspace.saml2 (nuget)
Arbitrary Code Injection in mysql2 (npm)
Prototype Pollution in lodash (npm)
Prototype Pollution in lodash.zipobjectdeep (npm)
Remote Code Execution (RCE) in mysql2 (npm)
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.