{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/npm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@bitwarden/cli (2026.4.0)","@cap-js/sqlite (2.2.2)","@cap-js/postgres (2.2.2)","@cap-js/db-service (2.10.1)","mbt (1.2.48)","SAP Cloud Application Programming (CAP) Model","checkmarx/kics"],"_cs_severities":["high"],"_cs_tags":["npm","supply-chain","credential-theft","github"],"_cs_type":"threat","_cs_vendors":["npm","GitHub","SAP","Bitwarden","Checkmarx","Microsoft"],"content_html":"\u003cp\u003eThe npm ecosystem is experiencing a surge in sophisticated supply chain attacks following the Shai-Hulud worm in September 2025. Attackers, including TeamPCP, are actively compromising npm packages to gain access to sensitive information and establish persistence within CI/CD pipelines. The attacks have evolved to include wormable propagation, infrastructure-level persistence, and multi-stage payloads designed to evade detection. In April 2026, two campaigns were observed: one included the string \u0026ldquo;Shai-Hulud: The Third Coming,\u0026rdquo; and the other, dubbed \u0026ldquo;Mini Shai-Hulud,\u0026rdquo; targeted the SAP developer ecosystem. The compromised packages are often part of SAP\u0026rsquo;s Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain, increasing the likelihood of impacting enterprise developers and CI/CD pipelines with access to cloud credentials and GitHub tokens.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a \u0026ldquo;preinstall\u0026rdquo; hook.\u003c/li\u003e\n\u003cli\u003eExecution of setup.mjs: During the \u003ccode\u003enpm install\u003c/code\u003e process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.\u003c/li\u003e\n\u003cli\u003eBun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.\u003c/li\u003e\n\u003cli\u003eExecution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. It also targets Claude and MCP configuration files and Electrum wallets.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.\u003c/li\u003e\n\u003cli\u003ePropagation: The malware searches for commits containing the keyword \u0026ldquo;OhNoWhatsGoingOnWithGitHub,\u0026rdquo; decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor npm install processes for unexpected execution of \u003ccode\u003enode setup.mjs\u003c/code\u003e (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious Bun Process Execution\u0026rdquo; to identify potential execution of the Bun runtime from temporary directories.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual processes connecting to \u003ccode\u003eapi.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub\u003c/code\u003e (see IOCs) to detect potential C2 activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Github Commit By Claude Email\u0026rdquo; to identify commits authored with the email \u003ccode\u003eclaude@users.noreply.github.com\u003c/code\u003e to detect malicious commits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T00:10:33Z","date_published":"2026-05-02T00:10:33Z","id":"/briefs/2026-05-npm-supply-chain/","summary":"Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.","title":"Increased npm Supply Chain Attacks Targeting SAP Developers","url":"https://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["rce","prototype pollution","n8n"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-42232, exists within the n8n workflow automation tool. This flaw allows an authenticated user, who possesses permissions to create or modify workflows, to achieve remote code execution (RCE). The attack vector involves exploiting global prototype pollution through the XML Node. Versions affected include those prior to 1.123.32, versions 2.17.0 up to but not including 2.17.4, and versions 2.18.0 up to but not including 2.18.1. Defenders should prioritize patching n8n instances due to the high potential for complete system compromise if exploited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to an n8n instance with workflow creation/modification privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious workflow that leverages the XML Node to inject a payload designed to trigger prototype pollution.\u003c/li\u003e\n\u003cli\u003eThe crafted XML node manipulates global object prototypes within the n8n application.\u003c/li\u003e\n\u003cli\u003eThe attacker introduces a property into a global object prototype that can be exploited by another node.\u003c/li\u003e\n\u003cli\u003eThe attacker adds a secondary node (e.g., Function node) that leverages the polluted prototype property.\u003c/li\u003e\n\u003cli\u003eThe secondary node\u0026rsquo;s execution triggers the polluted prototype, leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the n8n server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the n8n server, potentially leading to data exfiltration, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the n8n server. This can lead to full system compromise, including data exfiltration, credential theft, and lateral movement within the network. Given the nature of n8n as an automation platform, successful attacks can severely impact connected systems and services. This vulnerability affects n8n users who have not upgraded to patched versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to remediate CVE-2026-42232.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, limit workflow creation and editing permissions to only fully trusted users as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, disable the XML node by adding \u003ccode\u003en8n-nodes-base.xml\u003c/code\u003e to the \u003ccode\u003eNODES_EXCLUDE\u003c/code\u003e environment variable as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:25:53Z","date_published":"2026-04-29T21:25:53Z","id":"/briefs/2024-01-n8n-rce/","summary":"A vulnerability in n8n allows authenticated users with workflow creation permissions to achieve remote code execution (RCE) through global prototype pollution via the XML Node in versions prior to 1.123.32, versions 2.17.0 to 2.17.4, and versions 2.18.0 to 2.18.1.","title":"n8n XML Node Prototype Pollution Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-n8n-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["high"],"_cs_tags":["xss","oauth","n8n","CVE-2026-42235"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003en8n, a workflow automation platform, is susceptible to a cross-site scripting (XSS) vulnerability (CVE-2026-42235) related to the registration of malicious MCP OAuth clients. An unauthenticated attacker can register an OAuth client with a crafted \u003ccode\u003eclient_name\u003c/code\u003e containing malicious JavaScript. This vulnerability exists in versions prior to 2.14.2 and also affects versions 2.17.0 to 2.17.3 and 2.18.0. A successful exploit allows the attacker to execute arbitrary JavaScript within a victim\u0026rsquo;s authenticated n8n session, potentially leading to credential theft, session token theft, workflow manipulation, or privilege escalation. Defenders should prioritize patching to version 2.14.2 or later to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker registers a malicious MCP OAuth client with a crafted \u003ccode\u003eclient_name\u003c/code\u003e containing XSS payload.\u003c/li\u003e\n\u003cli\u003eA victim user navigates to the n8n instance and is presented with the malicious OAuth consent dialog.\u003c/li\u003e\n\u003cli\u003eThe victim user authorizes the malicious OAuth client, unknowingly injecting the attacker\u0026rsquo;s script into their session.\u003c/li\u003e\n\u003cli\u003eA second user, possibly an administrator, revokes the OAuth access granted to the malicious client.\u003c/li\u003e\n\u003cli\u003eThis revocation triggers a toast notification to the original victim user.\u003c/li\u003e\n\u003cli\u003eThe toast notification renders the attacker\u0026rsquo;s injected script from the crafted \u003ccode\u003eclient_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim user clicks on the link within the toast notification.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes within the victim\u0026rsquo;s authenticated n8n browser session, enabling the attacker to perform malicious actions such as stealing credentials, manipulating workflows, or escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can lead to significant compromise of an n8n instance. Attackers can steal user credentials and session tokens, allowing them to impersonate legitimate users. Malicious actors could also modify or create workflows, leading to data breaches, system disruption, or unauthorized access. Privilege escalation is also possible, potentially granting attackers administrative control over the n8n platform. The number of potential victims depends on the exposure and user base of the vulnerable n8n instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 2.14.2 or later to patch CVE-2026-42235, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious n8n MCP OAuth Client Registration\u003c/code\u003e to identify attempts to register OAuth clients with suspicious names.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, restrict access to the n8n instance and the MCP OAuth registration endpoint to trusted users only, as suggested in the advisory\u0026rsquo;s workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:25:44Z","date_published":"2026-04-29T21:25:44Z","id":"/briefs/2026-05-n8n-xss-oauth/","summary":"n8n is vulnerable to cross-site scripting (XSS) via a malicious MCP OAuth client, allowing an unauthenticated attacker to inject arbitrary JavaScript into an authenticated user's session.","title":"n8n MCP OAuth Client XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-n8n-xss-oauth/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["critical"],"_cs_tags":["prototype-pollution","rce","n8n"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical vulnerability exists within the n8n workflow automation platform, specifically affecting the parsing of XML request bodies in webhook handlers. This flaw stems from the use of the \u003ccode\u003exml2js\u003c/code\u003e library, which is susceptible to prototype pollution attacks. An authenticated user possessing the capability to create or modify workflows can leverage this vulnerability by sending a specially crafted XML payload. Successful exploitation results in the pollution of the JavaScript object prototype. Attackers can chain this pollution with the Git node\u0026rsquo;s SSH operations to achieve arbitrary remote code execution (RCE) on the underlying n8n host. The vulnerability affects n8n versions prior to 1.123.32, versions 2.17.0 to 2.17.3, and versions 2.18.0 to 2.18.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious XML payload designed to exploit the prototype pollution vulnerability in the \u003ccode\u003exml2js\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a workflow containing a webhook node configured to receive XML data.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted XML payload to the webhook endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003exml2js\u003c/code\u003e library parses the malicious XML, inadvertently polluting the JavaScript object prototype with attacker-controlled properties.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a Git node in the workflow.\u003c/li\u003e\n\u003cli\u003eThe polluted prototype modifies the behavior of the Git node\u0026rsquo;s SSH operations.\u003c/li\u003e\n\u003cli\u003eWhen the workflow executes, the Git node\u0026rsquo;s SSH operation is hijacked due to the prototype pollution, leading to arbitrary code execution on the n8n host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a malicious actor to execute arbitrary code on the n8n server. This grants them complete control over the n8n instance and potentially the underlying infrastructure. The vulnerability impacts any n8n instance accessible to authenticated users who can create or modify workflows. The number of affected installations is unknown, but the potential impact is high due to the sensitive nature of workflows often managed by n8n, which can include access to other systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to patch the vulnerability as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect n8n Prototype Pollution via Crafted XML Payload\u0026rdquo; to detect malicious XML payloads targeting the vulnerability. Enable webserver logs to activate this rule.\u003c/li\u003e\n\u003cli\u003eLimit workflow creation and editing permissions to trusted users to mitigate the risk of exploitation, as described in the workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:25:02Z","date_published":"2026-04-29T21:25:02Z","id":"/briefs/2026-04-n8n-rce/","summary":"A prototype pollution vulnerability in n8n's XML webhook parser, exploitable by authenticated users, can lead to remote code execution on the n8n host.","title":"n8n Prototype Pollution in XML Webhook Body Parser Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-http-middleware"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","path-traversal","ssrf","denial-of-service","i18next"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003ei18next-http-middleware versions prior to 3.9.3 are susceptible to prototype pollution, path traversal, and SSRF attacks. The vulnerability stems from the insufficient validation of the \u003ccode\u003elng\u003c/code\u003e (language) and \u003ccode\u003ens\u003c/code\u003e (namespace) parameters passed via HTTP requests to the \u003ccode\u003egetResourcesHandler\u003c/code\u003e and the \u003ccode\u003emissingKeyHandler\u003c/code\u003e. These handlers, intended to serve localization resources, expose attack surface because they process user-controlled input without proper sanitization. This allows attackers to manipulate object properties, access unintended files or internal services, and cause denial-of-service conditions. The vulnerability was discovered via an internal security audit. Defenders should upgrade to version 3.9.3 to remediate the risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to the \u003ccode\u003e/locales/resources.json\u003c/code\u003e endpoint, targeting the \u003ccode\u003egetResourcesHandler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes malicious \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e query parameters, such as \u003ccode\u003elng=__proto__\u0026amp;ns=isAdmin\u003c/code\u003e, or \u003ccode\u003ens=../../etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetResourcesHandler\u003c/code\u003e extracts the \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e parameters without sufficient validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values are passed to \u003ccode\u003eutils.setPath(resources, [lng, ns], ...)\u003c/code\u003e which allows writing to the Object prototype if \u003ccode\u003elng\u003c/code\u003e is \u003ccode\u003e__proto__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values are passed to \u003ccode\u003ei18next.services.backendConnector.load(languages, namespaces, ...)\u003c/code\u003e to load resource bundles. With filesystem or HTTP backends, this can enable path traversal or SSRF if \u003ccode\u003ens\u003c/code\u003e or \u003ccode\u003elng\u003c/code\u003e contain malicious path segments.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends a POST request with a body containing a malicious \u003ccode\u003e__proto__\u003c/code\u003e key to \u003ccode\u003emissingKeyHandler\u003c/code\u003e, for example \u003ccode\u003e{\u0026quot;__proto__\u0026quot;: {\u0026quot;isAdmin\u0026quot;: true}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emissingKeyHandler\u003c/code\u003e iterates over the request body using \u003ccode\u003efor...in\u003c/code\u003e, including inherited prototype properties, and forwards the malicious data into \u003ccode\u003esaveMissing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to prototype pollution, arbitrary file access, SSRF, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can have significant consequences. Prototype pollution allows attackers to manipulate object properties globally, leading to broken authorization checks (e.g., bypassing \u003ccode\u003eif (user.isAdmin)\u003c/code\u003e), type confusion errors, or potentially remote code execution. Path traversal enables access to sensitive files on the server, like configuration files or password databases, while SSRF allows attackers to interact with internal services. Finally, the unbounded growth of the \u003ccode\u003ei18next.options.ns\u003c/code\u003e list and repeated backend load calls can lead to denial of service due to memory and CPU exhaustion. This can impact availability of the service and potentially other services on the same host.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ei18next-http-middleware\u003c/code\u003e version 3.9.3 or later to address the vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect exploitation attempts targeting the \u003ccode\u003egetResourcesHandler\u003c/code\u003e and \u003ccode\u003emissingKeyHandler\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement a WAF rule as a partial mitigation to block requests containing \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, \u003ccode\u003eprototype\u003c/code\u003e, \u003ccode\u003e..\u003c/code\u003e, or control characters in \u003ccode\u003elng\u003c/code\u003e/\u003ccode\u003ens\u003c/code\u003e query parameters or body keys as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-i18next-http-middleware-vuln/","summary":"Versions of i18next-http-middleware before 3.9.3 are vulnerable to prototype pollution, path traversal, and server-side request forgery (SSRF) due to improper validation of user-controlled language and namespace parameters, potentially leading to denial of service or remote code execution.","title":"i18next-http-middleware Prototype Pollution and Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-fs-backend"],"_cs_severities":["high"],"_cs_tags":["path-traversal","i18next","arbitrary-file-read","arbitrary-file-write","code-execution"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe i18next-fs-backend library, a file system backend for the i18next internationalization framework, is vulnerable to a path traversal attack in versions prior to 2.6.4. This vulnerability arises from the unsanitized use of the \u003ccode\u003elng\u003c/code\u003e (language) and \u003ccode\u003ens\u003c/code\u003e (namespace) parameters when constructing file paths for loading and writing locale files. If an application exposes the language code to user input, an attacker can craft a malicious \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e value containing directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to escape the intended locale directory. Successful exploitation can lead to arbitrary file read, arbitrary file overwrite, and, if \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e files are used for localization, arbitrary code execution. This vulnerability highlights the importance of input validation, especially when constructing file paths from user-controlled data. The vulnerability was patched in version 2.6.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version of \u003ccode\u003ei18next-fs-backend\u003c/code\u003e (versions prior to 2.6.4) and exposes the language code to user input via query parameters (e.g., \u003ccode\u003e?lng=\u003c/code\u003e), cookies, or request headers.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003elng\u003c/code\u003e value containing directory traversal sequences, such as \u003ccode\u003e../../../../etc\u003c/code\u003e, to target sensitive files outside the intended locale directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the application with the crafted \u003ccode\u003elng\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application passes the unsanitized \u003ccode\u003elng\u003c/code\u003e value to the \u003ccode\u003ei18next.t()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ei18next-fs-backend\u003c/code\u003e library interpolates the malicious \u003ccode\u003elng\u003c/code\u003e value into the \u003ccode\u003eloadPath\u003c/code\u003e configuration option, without proper validation.  For example, \u003ccode\u003eloadPath: '/locales/{{lng}}/{{ns}}.json'\u003c/code\u003e becomes \u003ccode\u003e/locales/../../../../etc/{{ns}}.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe backend attempts to read the file specified by the crafted path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the targeted file are returned as a translation resource, potentially exposing sensitive information. If the attacker crafted the \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e value to point to a \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e file containing malicious code, the backend will execute the file using \u003ccode\u003eeval()\u003c/code\u003e, leading to arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the application attempts to write a missing translation key using the crafted path (via \u003ccode\u003eaddPath\u003c/code\u003e), the attacker could overwrite arbitrary files on the system, potentially leading to application compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have severe consequences. Arbitrary file read allows attackers to access sensitive data, such as configuration files, database credentials, or application source code. Arbitrary file overwrite can lead to application malfunction or complete compromise. If the application uses \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e files for localization and the attacker is able to inject malicious code into those files through path traversal, arbitrary code execution can result, potentially allowing the attacker to gain full control of the server. The number of victims depends on the popularity and configuration of applications using the vulnerable \u003ccode\u003ei18next-fs-backend\u003c/code\u003e library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ei18next-fs-backend\u003c/code\u003e version 2.6.4 or later to patch the path traversal vulnerability as this version introduces the \u003ccode\u003eisSafePathSegment\u003c/code\u003e and \u003ccode\u003einterpolatePath\u003c/code\u003e functions to sanitize the path.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, sanitize the \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values at the application boundary before passing them to \u003ccode\u003ei18next\u003c/code\u003e. Reject values containing \u003ccode\u003e..\u003c/code\u003e, \u003ccode\u003e/\u003c/code\u003e, \u003ccode\u003e\\\u003c/code\u003e, control characters, and limit the length to prevent path traversal as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e locale files, carefully review them for any suspicious or unexpected code. The advisory highlights that these files must be treated as trusted code.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing directory traversal sequences in the \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e parameters. Deploy the first Sigma rule for this purpose.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-i18next-fs-backend-path-traversal/","summary":"i18next-fs-backend versions before 2.6.4 are vulnerable to path traversal due to insufficient sanitization of the lng and ns values, potentially allowing attackers to read arbitrary files, overwrite files, or execute code if .js or .ts locale files are in use.","title":"i18next-fs-backend Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-25-i18next-fs-backend-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openclaw"],"_cs_severities":["high"],"_cs_tags":["vulnerability","npm","token spoofing"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eOpenClaw, a package available on npm, contains a vulnerability in versions 2026.4.21 and earlier that allows for token spoofing within the MCP loopback path. This flaw stems from the acceptance of spoofable owner-context metadata from request headers. A malicious actor could exploit this by crafting requests that falsely present them as the owner, thereby bypassing authorization checks and potentially gaining unauthorized access to operations intended only for the owner. The vulnerability was reported by @VladimirEliTokarev and patched in version 2026.4.22. This issue matters for defenders because it can lead to privilege escalation and unauthorized modification of system configurations or data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenClaw instance (version \u0026lt;= 2026.4.21) utilizing the MCP loopback.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting the MCP loopback endpoint.\u003c/li\u003e\n\u003cli\u003eAttacker injects a forged \u0026ldquo;sender-owner\u0026rdquo; header into the HTTP request, claiming owner privileges.\u003c/li\u003e\n\u003cli\u003eThe vulnerable OpenClaw instance incorrectly trusts the spoofed \u0026ldquo;sender-owner\u0026rdquo; header.\u003c/li\u003e\n\u003cli\u003eThe application bypasses owner authorization checks due to the forged header.\u003c/li\u003e\n\u003cli\u003eAttacker gains access to owner-gated operations within the MCP loopback.\u003c/li\u003e\n\u003cli\u003eAttacker performs unauthorized actions, such as modifying configurations or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eAttacker maintains unauthorized access, potentially escalating privileges further within the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow unauthorized access to critical system functions intended only for the owner. This could lead to configuration changes, data breaches, or other malicious activities depending on the specific owner-gated operations exposed within the OpenClaw MCP loopback. The severity depends on the permissions granted to the \u0026ldquo;owner\u0026rdquo; context within the application but could be critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.22 or later to remediate the vulnerability as described in the fix commit 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect suspicious HTTP requests containing potentially forged \u0026ldquo;sender-owner\u0026rdquo; headers targeting MCP loopback endpoints using the Sigma rule \u003ccode\u003eDetect OpenClaw MCP Loopback Owner Spoofing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and audit existing OpenClaw deployments to identify and patch vulnerable instances quickly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-openclaw-token-spoofing/","summary":"A vulnerability in OpenClaw versions 2026.4.21 and earlier allows a non-owner loopback client to spoof the owner context by manipulating request headers, potentially gaining unauthorized access to owner-gated operations.","title":"OpenClaw MCP Loopback Token Spoofing Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-token-spoofing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@xmldom/xmldom","xmldom"],"_cs_severities":["high"],"_cs_tags":["xml-injection","xxe","dom","xmldom"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e and \u003ccode\u003exmldom\u003c/code\u003e packages are vulnerable to XML injection due to the lack of validation when serializing \u003ccode\u003eDocumentType\u003c/code\u003e node fields. Specifically, the \u003ccode\u003einternalSubset\u003c/code\u003e, \u003ccode\u003epublicId\u003c/code\u003e, and \u003ccode\u003esystemId\u003c/code\u003e fields are serialized verbatim without any escaping or validation. This vulnerability affects \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e versions prior to 0.8.13 and versions 0.9.0 to 0.9.9, as well as \u003ccode\u003exmldom\u003c/code\u003e versions up to 0.6.0. The vulnerability is triggered when these fields are programmatically set to attacker-controlled strings, leading to potential arbitrary markup injection outside the DOCTYPE declaration during serialization using \u003ccode\u003eXMLSerializer.serializeToString\u003c/code\u003e. This can lead to downstream XML parsers being susceptible to XXE attacks. Defenders should audit serializeToString() call sites and add \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e to mitigate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application using a vulnerable version of \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e or \u003ccode\u003exmldom\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker finds a code path where they can control the \u003ccode\u003epublicId\u003c/code\u003e, \u003ccode\u003esystemId\u003c/code\u003e, or \u003ccode\u003einternalSubset\u003c/code\u003e properties of a \u003ccode\u003eDocumentType\u003c/code\u003e node.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious string containing XML injection payloads (e.g., closing DOCTYPE tags or injecting SYSTEM entities).\u003c/li\u003e\n\u003cli\u003eThe attacker uses programmatic calls to \u003ccode\u003ecreateDocumentType\u003c/code\u003e or direct property writes to set the malicious string as the value of the \u003ccode\u003epublicId\u003c/code\u003e, \u003ccode\u003esystemId\u003c/code\u003e, or \u003ccode\u003einternalSubset\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eXMLSerializer.serializeToString\u003c/code\u003e on the document, without the \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe vulnerable serializer emits a DOCTYPE declaration where the injected malicious string is included verbatim, causing the DOCTYPE declaration to be terminated early or to include injected entities.\u003c/li\u003e\n\u003cli\u003eThe serialized XML is passed to a downstream XML parser that performs entity expansion.\u003c/li\u003e\n\u003cli\u003eThe downstream XML parser expands the injected entities, leading to potential XXE attacks, information disclosure, or other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the injection of arbitrary XML markup, potentially enabling XXE attacks against downstream XML parsers. The impact includes potential information disclosure, arbitrary code execution, or denial-of-service if the downstream parser expands external entities. This vulnerability impacts applications using vulnerable versions of \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e and \u003ccode\u003exmldom\u003c/code\u003e that construct \u003ccode\u003eDocumentType\u003c/code\u003e nodes from user-controlled data and serialize the document without proper validation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e version 0.8.13 or later, or version 0.9.10 or later, to receive the fix.\u003c/li\u003e\n\u003cli\u003eUpgrade to a version of \u003ccode\u003exmldom\u003c/code\u003e greater than 0.6.0.\u003c/li\u003e\n\u003cli\u003eAudit all calls to \u003ccode\u003eXMLSerializer.serializeToString()\u003c/code\u003e and add the option \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e to enforce validation of \u003ccode\u003eDocumentType\u003c/code\u003e node fields, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eApplications that pass untrusted data to \u003ccode\u003ecreateDocumentType()\u003c/code\u003e or write untrusted values directly to a \u003ccode\u003eDocumentType\u003c/code\u003e node\u0026rsquo;s \u003ccode\u003epublicId\u003c/code\u003e, \u003ccode\u003esystemId\u003c/code\u003e, or \u003ccode\u003einternalSubset\u003c/code\u003e properties should audit all \u003ccode\u003eserializeToString()\u003c/code\u003e call sites and add the option.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-xmldom-xml-injection/","summary":"The xmldom package is vulnerable to XML injection. The package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. To address this applications that pass untrusted data to createDocumentType() or write untrusted values directly to a DocumentType node's publicId, systemId, or internalSubset properties should audit all serializeToString() call sites and add the option.","title":"xmldom XML Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-xmldom-xml-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["vm2 (\u003c= 3.10.4)"],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","rce","vm2"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe vm2 library, a popular Node.js sandbox environment, is susceptible to a critical sandbox breakout vulnerability. This flaw allows malicious code executed within the vm2 sandbox to escape its confines and execute arbitrary commands on the host operating system. The vulnerability leverages the \u003ccode\u003e__lookupGetter__\u003c/code\u003e method to bypass context isolation and gain access to host-level functions and objects. Previous attempts to mitigate similar issues were circumvented using \u003ccode\u003eObject.getOwnPropertyDescriptor\u003c/code\u003e to access the constructor property. The vulnerability affects vm2 versions 3.10.4 and earlier. Exploitation allows an attacker to achieve remote code execution with the privileges of the Node.js process running the vm2 sandbox, which could lead to significant system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker injects malicious JavaScript code into the vm2 sandbox.\u003c/li\u003e\n\u003cli\u003eThe injected code retrieves the \u003ccode\u003e__lookupGetter__\u003c/code\u003e method, which is used to access the getter of an object.\u003c/li\u003e\n\u003cli\u003eThe malicious code obtains the \u003ccode\u003eapply\u003c/code\u003e method from the \u003ccode\u003eBuffer\u003c/code\u003e object within the sandbox.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eapply\u003c/code\u003e method is used to invoke the host version of \u003ccode\u003e__lookupGetter__\u003c/code\u003e with \u003ccode\u003eBuffer\u003c/code\u003e and \u003ccode\u003e__proto__\u003c/code\u003e as arguments, gaining access to the host\u0026rsquo;s prototype lookup method.\u003c/li\u003e\n\u003cli\u003eThe host\u0026rsquo;s \u003ccode\u003eFunction.prototype\u003c/code\u003e object is retrieved using the prototype lookup method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econstructor\u003c/code\u003e property of the \u003ccode\u003eFunction.prototype\u003c/code\u003e object is accessed using \u003ccode\u003eObject.getOwnPropertyDescriptor\u003c/code\u003e to bypass previous mitigation attempts.\u003c/li\u003e\n\u003cli\u003eThe host \u003ccode\u003eFunction\u003c/code\u003e constructor is used to create a new function that returns the \u003ccode\u003eprocess\u003c/code\u003e object, granting access to Node.js runtime functions on the host.\u003c/li\u003e\n\u003cli\u003eThe code then uses \u003ccode\u003echild_process.execSync\u003c/code\u003e to execute arbitrary commands on the host system (e.g., \u003ccode\u003etouch pwned\u003c/code\u003e).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on the host system. Given the critical nature of many applications that employ sandboxing, this can lead to complete system compromise, data exfiltration, and denial of service. The vulnerability affects vm2 versions up to and including 3.10.4. The impact includes remote code execution, potentially leading to sensitive data exposure, system takeover, or further lateral movement within a network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of vm2 greater than 3.10.4 to remediate CVE-2026-24118.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization to minimize the risk of malicious code injection into the vm2 sandbox.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on the host system for suspicious activity originating from Node.js processes, which may indicate a sandbox escape (see the process_creation Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of commands such as \u003ccode\u003echild_process.execSync\u003c/code\u003e called from within vm2 sandboxes to detect potential exploitation attempts (see the \u003ccode\u003enodejs_child_process_exec\u003c/code\u003e Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vm2-sandbox-breakout/","summary":"VM2 is vulnerable to a sandbox breakout via the `__lookupGetter__` method, enabling attackers to execute arbitrary commands on the host system by exploiting context switching and property descriptor manipulation, leading to remote code execution.","title":"VM2 Sandbox Escape via __lookupGetter__ Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-vm2-sandbox-breakout/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-http-middleware"],"_cs_severities":["medium"],"_cs_tags":["crlf-injection","http-response-splitting","denial-of-service","i18next"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003ei18next-http-middleware\u003c/code\u003e library, in versions prior to 3.9.3, exhibits a vulnerability stemming from insufficient sanitization of user-controlled language values. These values are written into the \u003ccode\u003eContent-Language\u003c/code\u003e HTTP response header. The \u003ccode\u003eutils.escape()\u003c/code\u003e function, employed for sanitization, performs HTML-entity encoding but fails to strip critical characters like carriage return and line feed. When the application uses an older \u003ccode\u003ei18next\u003c/code\u003e (\u0026lt; 19.5.0) or produces raw detected values, CRLF sequences within the \u003ccode\u003elng\u003c/code\u003e parameter reach \u003ccode\u003eres.setHeader('Content-Language', ...)\u003c/code\u003e without proper escaping. This flaw can result in HTTP response splitting (Node.js \u0026lt; 14.6.0) or a denial-of-service condition (Node.js \u0026gt;= 14.6.0), impacting all concurrent users of the affected process.  The same vulnerability is triggered multiple times per request. This issue is resolved in version 3.9.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an application using a vulnerable version of \u003ccode\u003ei18next-http-middleware\u003c/code\u003e. The request includes a \u003ccode\u003elng\u003c/code\u003e parameter with a payload containing CRLF sequences (e.g., \u003ccode\u003e%0d%0a\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ei18next-http-middleware\u003c/code\u003e receives the request and extracts the language value from the \u003ccode\u003elng\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe extracted language value is passed through \u003ccode\u003eutils.escape()\u003c/code\u003e, which performs HTML-entity encoding but does not remove CRLF sequences.\u003c/li\u003e\n\u003cli\u003eThe middleware attempts to set the \u003ccode\u003eContent-Language\u003c/code\u003e header using \u003ccode\u003eres.setHeader()\u003c/code\u003e, incorporating the unsanitized language value.\u003c/li\u003e\n\u003cli\u003eIf the Node.js version is less than 14.6.0, the \u003ccode\u003eres.setHeader()\u003c/code\u003e function processes the CRLF sequences, resulting in HTTP response splitting. This allows the attacker to inject arbitrary headers and control parts of the response body.\u003c/li\u003e\n\u003cli\u003eIf the Node.js version is 14.6.0 or greater, \u003ccode\u003eres.setHeader()\u003c/code\u003e throws an \u003ccode\u003eERR_INVALID_CHAR\u003c/code\u003e error because the value contains CRLF sequences.\u003c/li\u003e\n\u003cli\u003eThe middleware fails to catch this error, and the exception propagates, leading to an unhandled exception.\u003c/li\u003e\n\u003cli\u003eThe unhandled exception causes the Node.js process to terminate or become unresponsive, resulting in a denial-of-service condition for all concurrent users sharing that process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to inject arbitrary HTTP headers, leading to session fixation, cache poisoning, or reflected XSS attacks. In Node.js versions 14.6.0 and later, exploitation leads to a denial-of-service condition, potentially impacting all users of an application instance. This can result in significant disruption of service availability and potential data compromise. The number of affected applications is unknown, but any application using a vulnerable version of \u003ccode\u003ei18next-http-middleware\u003c/code\u003e is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ei18next-http-middleware\u003c/code\u003e to version 3.9.3 or later to address the vulnerability by patching the \u003ccode\u003eutils.sanitizeHeaderValue()\u003c/code\u003e function, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect i18next-http-middleware CRLF Injection Attempt\u003c/code\u003e to monitor for exploitation attempts by detecting suspicious URL-encoded characters in HTTP requests.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to reject requests containing \u003ccode\u003e\\r\u003c/code\u003e or \u003ccode\u003e\\n\u003c/code\u003e characters in query parameters, cookies, and path segments as a partial mitigation, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to ensure events related to potential exploits are captured for analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-i18next-http-middleware-crlf/","summary":"i18next-http-middleware versions before 3.9.3 are vulnerable to HTTP response splitting and denial-of-service attacks due to unsanitized Content-Language headers, potentially leading to session fixation, cache poisoning, reflected XSS, or complete service disruption depending on the Node.js version.","title":"i18next-http-middleware HTTP Response Splitting and DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-crlf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["marked"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","javascript","marked","vulnerability"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical Denial of Service (DoS) vulnerability has been identified in \u003ccode\u003emarked@18.0.0\u003c/code\u003e. This vulnerability arises from the processing of a specific 3-byte input sequence: a tab character, a vertical tab character, and a newline character (\u003ccode\u003e\\x09\\x0b\\n\u003c/code\u003e). An unauthenticated attacker can exploit this by sending this sequence to a Node.js application utilizing the vulnerable version of the \u003ccode\u003emarked\u003c/code\u003e library. This input triggers an infinite recursion loop within the \u003ccode\u003emarked\u003c/code\u003e tokenizer during parsing, leading to unbounded memory allocation and ultimately causing the host Node.js application to crash due to Memory Exhaustion (OOM). This vulnerability allows for a total loss of availability for any application using the vulnerable library to process potentially untrusted input.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted input string containing the sequence \u003ccode\u003e\\x09\\x0b\\n\u003c/code\u003e to a Node.js application using \u003ccode\u003emarked@18.0.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003espace()\u003c/code\u003e tokenizer in \u003ccode\u003emarked\u003c/code\u003e consumes the initial tab character (\u003ccode\u003e\\x09\u003c/code\u003e) using the regex \u003ccode\u003e/^(?:[ \\t]*(?:\\n|$))+/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe newline block rule fails to match the remaining \u003ccode\u003e\\x0b\\n\u003c/code\u003e sequence because the vertical tab is not accounted for in the rule \u003ccode\u003e[ \\t]\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe parser falls through to the \u003ccode\u003etext\u003c/code\u003e tokenizer (\u003ccode\u003e/^[^\\n]+/\u003c/code\u003e), which matches the \u003ccode\u003e\\x0b\\n\u003c/code\u003e sequence.\u003c/li\u003e\n\u003cli\u003eInside the \u003ccode\u003eblockTokens()\u003c/code\u003e function, the \u003ccode\u003etext\u003c/code\u003e tokenizer creates a text token.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eblockTokens()\u003c/code\u003e function then calls \u003ccode\u003einlineTokens()\u003c/code\u003e on the same input (\u003ccode\u003e\\x0b\\n\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003einlineTokens()\u003c/code\u003e function\u0026rsquo;s text rule matches \u003ccode\u003e\\x0b\\n\u003c/code\u003e and recursively calls \u003ccode\u003einlineTokens()\u003c/code\u003e again, leading to an infinite loop.\u003c/li\u003e\n\u003cli\u003eEach recursive call allocates new token objects and concatenates strings, causing memory usage to grow until the Node.js heap limit is reached, resulting in a crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in a High-Severity Denial of Service (DoS) via Memory Exhaustion. Any application, API, chatbot, or documentation system using \u003ccode\u003emarked@18.0.0\u003c/code\u003e to parse untrusted user input is vulnerable. The attack requires minimal resources from the attacker, only the ability to send a 3-byte payload, to cause a total loss of availability. The vulnerability affects \u003ccode\u003enpm/marked\u003c/code\u003e versions greater than or equal to 18.0.0 and less than or equal to 18.0.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the \u003ccode\u003emarked\u003c/code\u003e library that addresses the infinite recursion vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor Node.js application logs for error messages indicating memory exhaustion or crashes, which might indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation to sanitize or reject input containing the malicious \u003ccode\u003e\\x09\\x0b\\n\u003c/code\u003e sequence.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003emarked\u003c/code\u003e process crashes due to memory exhaustion to identify exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-marked-dos/","summary":"A denial of service vulnerability exists in marked version 18.0.0 due to infinite recursion when processing a specific 3-byte sequence (tab, vertical tab, and newline), leading to unbounded memory allocation and application crash.","title":"Denial of Service Vulnerability in marked via Infinite Recursion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-marked-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openclaw (\u003c= 2026.4.21)"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","symlink","race-condition","npm"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eOpenClaw, a tool available via npm, contains a vulnerability in versions 2026.4.21 and earlier that could allow for a sandbox escape. This vulnerability stems from a time-of-check/time-of-use (TOCTOU) race condition during filesystem writes within the OpenShell sandbox environment. An attacker could potentially exploit this vulnerability by manipulating symlinks to redirect write operations outside of the intended local mount root. This can occur because OpenClaw does not properly validate the target of write operations against the mount root, leaving it susceptible to symlink-based redirection attacks. Successful exploitation could allow an attacker to modify sensitive files outside the sandbox. The vulnerability is fixed in version 2026.4.22.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OpenClaw package or leverages an existing package.\u003c/li\u003e\n\u003cli\u003eThe package contains a symlink within the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application attempts to write to a file via the symlink.\u003c/li\u003e\n\u003cli\u003eBetween the time OpenClaw checks the symlink and the time it performs the write operation, the attacker replaces the symlink with a new symlink pointing outside the intended sandbox root.\u003c/li\u003e\n\u003cli\u003eOpenClaw, due to the TOCTOU race condition, writes to the file location pointed to by the new symlink, which resides outside the sandbox.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to overwrite or modify arbitrary files on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this capability to gain elevated privileges or compromise sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow an attacker to bypass the intended security restrictions of the OpenClaw sandbox. An attacker could potentially overwrite system files, inject malicious code into existing applications, or steal sensitive data. While the exact number of affected installations is unknown, any system running a vulnerable version of OpenClaw is susceptible to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OpenClaw version 2026.4.22 or later to patch the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eMonitor file system events for unexpected modifications outside of the expected OpenClaw sandbox directory. Deploy the Sigma rule \u003ccode\u003eDetect OpenClaw Sandbox Escape via Symlink\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter file system access controls to limit the potential impact of successful exploitation (reference: Impact).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-openclaw-symlink/","summary":"A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.","title":"OpenClaw Symlink Race Condition Allows Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-symlink/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","n8n"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003en8n, a workflow automation platform, is susceptible to a denial-of-service (DoS) vulnerability due to insufficient resource controls on the MCP OAuth client registration endpoint. This vulnerability, identified as CVE-2026-42236, allows an unauthenticated remote attacker to send large registration payloads to the server, potentially exhausting server memory resources. Even if the MCP is disabled via the enable/disable toggle, client registrations are still possible. The attack results in the n8n instance becoming unavailable, disrupting normal operations. The vulnerability affects n8n versions before 1.123.32, versions 2.0.0 to 2.17.4, and versions 2.18.0 to 2.18.1. Patches are available in n8n versions 1.123.32, 2.17.4, and 2.18.1 to address this issue by implementing an upper bound on registered clients and disabling client creation when MCP is disabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an n8n instance running a vulnerable version (e.g., \u0026lt; 1.123.32, 2.0.0 \u0026lt; x \u0026lt; 2.17.4, or 2.18.0 \u0026lt; x \u0026lt; 2.18.1).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP POST request to the MCP OAuth client registration endpoint. The exact URI path for this endpoint is not specified in the advisory, but it is related to MCP OAuth client registration.\u003c/li\u003e\n\u003cli\u003eThe POST request contains a large payload designed to consume significant server memory during processing.\u003c/li\u003e\n\u003cli\u003eThe n8n instance processes the registration request without proper resource limitations or input validation on the payload size.\u003c/li\u003e\n\u003cli\u003eThe server allocates memory to handle the large payload, potentially leading to memory exhaustion.\u003c/li\u003e\n\u003cli\u003eThe attacker sends multiple such requests in rapid succession, exacerbating the memory exhaustion issue.\u003c/li\u003e\n\u003cli\u003eThe n8n instance becomes unresponsive due to memory starvation, resulting in a denial of service.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to access or use the n8n platform.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition, rendering the n8n instance unavailable to legitimate users. The advisory does not specify the number of victims or sectors targeted. However, any organization using a vulnerable version of n8n is at risk. If the attack succeeds, critical workflow automation processes managed by n8n will be interrupted, potentially leading to business disruptions and data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to version 1.123.32, 2.17.4, or 2.18.1, or later to remediate the vulnerability as mentioned in the \u003cstrong\u003ePatches\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, restrict network access to the n8n instance to prevent requests from untrusted sources, as outlined in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, reduce the maximum accepted payload size by lowering the \u003ccode\u003eN8N_PAYLOAD_SIZE_MAX\u003c/code\u003e environment variable as described in the \u003cstrong\u003eWorkarounds\u003c/strong\u003e section.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to the MCP OAuth client registration endpoint (path not specified in advisory) that may indicate exploitation attempts. Create detection rules for this activity on \u003cstrong\u003ewebserver\u003c/strong\u003e logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-n8n-dos/","summary":"n8n is vulnerable to an unauthenticated denial of service (DoS) attack due to missing resource controls in the MCP OAuth client registration endpoint, allowing an attacker to exhaust server memory by sending large registration payloads, leading to service unavailability; this is resolved in versions 1.123.32, 2.17.4, and 2.18.1 and tracked as CVE-2026-42236.","title":"n8n Unauthenticated Denial of Service via MCP Client Registration","url":"https://feed.craftedsignal.io/briefs/2024-01-n8n-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Npm","version":"https://jsonfeed.org/version/1.1"}