Security
Headlines
HeadlinesLatestCVEs

Tag

#nodejs

CryptoChameleon Phishing Scam Targets Crypto Users and FCC Employees

By Deeba Ahmed Lookout urges crypto users to be on the lookout of the new and tricky phishing campaign. This is a post from HackRead.com Read the original post: CryptoChameleon Phishing Scam Targets Crypto Users and FCC Employees

HackRead
Open in Source
#web#ios#android#mac#nodejs#git#oauth#auth
GHSA-9vx6-7xxf-x967: OpenZeppelin Contracts base64 encoding may read from potentially dirty memory

### Impact The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. Although the `encode` function pads the output for these cases, up to 4 bits of data are kept between the encoding and padding, corrupting the output if these bits were dirty (i.e. memory after the input is not 0). These conditions are more frequent in the following scenarios: - A `bytes memory` struct is allocated just after the input and the first bytes of it are non-zero. - The memory pointer is set to a non-empty memory location before allocating the input. Developers should evaluate whether the extra bits can be maliciously manipulated by an attacker. ### Patches Upgrade to 5.0.2 or 4.9.6. ### References This issue was reported by the Independent Security Researcher Riley Holterhus through Immunefi (@rileyholterhus on X)

North Korean Hackers Targeting Developers with Malicious npm Packages

A set of fake npm packages discovered on the Node.js repository has been found to share ties with North Korean state-sponsored actors, new findings from Phylum show. The packages are named execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils. One of the packages in question, execution-time-async, masquerades as its legitimate

GHSA-2fc9-xpp8-2g9h: `@backstage/backend-common` vulnerable to path traversal through symlinks

### Impact Paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. ### Patches Patched in `@backstage/backend-common` version `0.21.1`. Patched in `@backstage/backend-common` version `0.20.2`. Patched in `@backstage/backend-common` version `0.19.10`. ### For more information If you have any questions or comments about this advisory: - Open an issue in the [Backstage repository](https://github.com/backstage/backstage) - Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)

GHSA-c9vv-fhgv-cjc3: agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`

## Impact The library offers a function to generate an ed25519 key pair via `Ed25519KeyIdentity.generate` with an optional param to provide a 32 byte seed value, which will then be used as the secret key. **When no seed value is provided, it is expected that the library generates the secret key using secure randomness**. However, a recent change **broke this guarantee** and **uses an insecure seed for key pair generation**. Since the private key of this identity (`535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller. Users are asked to take proactive measures mentioned below in Workarounds:Users to protect their assets. ## Patches Patch for the vulnerability is **available in v1.0.1** for all the packages listed in the advisory. Please upgrade and deploy your canisters immediately. ## Workarounds ### Developers The recomm...

Ubuntu Security Notice USN-6643-1

Ubuntu Security Notice 6643-1 - Emre Durmaz discovered that NPM IP package incorrectly distinguished between private and public IP addresses. A remote attacker could possibly use this issue to perform Server-Side Request Forgery attacks.

GHSA-5jjq-8cvj-v6m9: Cross-site Scripting in Serenity

Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.

GHSA-3787-6prv-h9w3: Undici proxy-authorization header not cleared on cross-origin redirect in fetch

### Impact Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. ### Patches This is patched in v5.28.3 and v6.6.1 ### Workarounds There are no known workarounds. ### References - https://fetch.spec.whatwg.org/#authentication-entries - https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

GHSA-9f24-jqhm-jfcw: fetch(url) leads to a memory leak in undici

### Impact Calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. ### Patches Patched in v6.6.1 ### Workarounds Make sure to always consume the incoming body.

GHSA-pmgm-h3cc-m4hj: React Native Document Picker Directory Traversal vulnerability

Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 and fixed in v.9.1.1 allows a local attacker to execute arbitrary code via a crafted script to the Android library component.