Skip to content

[Aikido] Fix 71 critical issues in lodash-es, protobufjs, seroval and 20 more#33

Open
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-51941171-cum3
Open

[Aikido] Fix 71 critical issues in lodash-es, protobufjs, seroval and 20 more#33
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-51941171-cum3

Conversation

@aikido-autofix

Copy link
Copy Markdown

Upgrade dependencies to fix critical RCE vulnerabilities in H3 (SSE injection), Lodash (code injection via template imports), Protobufjs (arbitrary code injection), Seroval (prototype pollution), and Undici (HTTP request smuggling).

⚠️ Incomplete breaking changes analysis (16/23 analyzed)

⚠️ Breaking changes analysis not available for: protobufjs, seroval, solid-js, launchdarkly-js-client-sdk, react-use, @grpc/grpc-js, @rtk-query/graphql-request-base-query

All breaking changes by upgrading lodash-es from version 4.17.21 to 4.18.1 (CHANGELOG)

Version Description
4.18.0
_.unset / _.omit: constructor and prototype are now blocked unconditionally as non-terminal path keys. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0
_.template: imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template" error, where previously they were accepted.

All breaking changes by upgrading next from version 14.2.35 to 15.5.16 (CHANGELOG)

Version Description
15.0.0
Remove deprecated analyticsId from config, and the corresponding performance-relayer files and tests
15.0.0
Remove squoosh in favor of sharp as optional dependency for next/image
15.0.0
Change default Content-Disposition to attachment for next/image
15.0.0
Error when src has leading or trailing space in next/image
15.0.0
Set upstream timeout to 7 seconds for next/image
15.0.0
Add sharp timeout of 10 seconds
15.0.0
Pages router: Enable strict next/head children reconciler by default
15.0.0
Disable automatic static generation for route handlers
15.0.0
Disable client router cache for page segments
15.0.0
Disable automatic fetch caching
15.0.0
Remove geo and ip from NextRequest
15.0.0
Update Dynamic APIs to be async (cookies, headers, params, searchParams)
15.0.0
Support ESLint v9 in plugin, config and next lint
15.0.0
Bump minimum Node.js version to 18.18 (up from 18.17)
15.1.0
Error on navigation API usage in pages router and middleware: navigation API usage is now forbidden in pages router and middleware, which will cause errors for code that previously used these APIs in those contexts.
15.1.0
Disallow multiple server directives at the same level (file or function): code with multiple server directives (like "use server" and "use cache") at the same level will no longer be allowed.
15.1.0
Forbid this and arguments in server functions: server functions can no longer use this or arguments, which will break existing server functions that rely on these features.
15.1.0
Forbid super in static class methods with server function directives: static class methods with server function directives cannot use super, breaking code that previously did so.
15.1.0
Emit build error when "use cache" is used without dynamicIO enabled: builds will now fail if "use cache" is used without enabling the dynamicIO flag.
15.1.0
Emit build error for unknown cache kinds: builds will fail when encountering unknown cache kinds, which may break builds that previously succeeded with warnings or were silently ignored.
15.1.0
Increase max cache tags to 128: while this is an increase, it establishes a new hard limit that could break code attempting to use more than 128 cache tags.
15.2.0
Removed internal_disableSyncDynamicAPIWarnings flag
15.2.0
Disabled colormin feature from cssnano
15.2.0
Turbopack now uses new backend by default
15.2.0
Removed experimental.reactOwnerStack flag
15.2.0
rootParams() is now a plain Promise (not exotic)
15.2.0
Removed --no-mangling CLI option for next build
15.2.0
Deprecated devIndicators options appIsrStatus and buildActivity
...

All breaking changes by upgrading @modelcontextprotocol/sdk from version 1.18.1 to 1.26.0 (CHANGELOG)

Version Description
1.21.0
Non-existent tool, disabled tool and inputSchema validation now return MCP protocol level errors instead of CallToolResult with isError: true
1.22.0
Implementation of SEP-986 specifies format for tool names, which may restrict previously valid tool name formats
1.23.0
Scope management adjusted to line up with SEP-835, which may change authorization behavior
1.25.0
Remove loose/passthrough types not allowed/defined by MCP spec + Task types - strict spec compliance enforcement removes previously accepted types

All breaking changes by upgrading @clerk/tanstack-react-start from version 0.26.10 to 0.29.11 (CHANGELOG)

Version Description
0.29.0
Bumped minimum required TanStack Start dependencies to 1.157.0+ and removed usage of deprecated json() in favor of standard Web APIs.

All breaking changes by upgrading defu from version 6.1.4 to 6.1.5 (CHANGELOG)

Version Description
v6.1.5
Inherited enumerable properties are now ignored, which may affect code that previously relied on merging inherited properties from prototype chains

All breaking changes by upgrading @opentelemetry/auto-instrumentations-node from version 0.67.2 to 0.75.0 (CHANGELOG)

Version Description
0.72.0
Removal of instrumentation-fastify from auto-instrumentations-node package

All breaking changes by upgrading js-cookie from version 3.0.5 to 3.0.7 (CHANGELOG)

Version Description
3.0.7
Prevent cookie attribute injection: CVE-2026-46625 - this security fix may restrict previously working behavior that involved cookie attribute injection

All breaking changes by upgrading lodash from version 4.17.21 to 4.18.1 (CHANGELOG)

Version Description
4.18.0
_.unset / _.omit now block constructor and prototype as non-terminal path keys unconditionally. Calls that previously returned true and deleted the property now return false and leave the target untouched.
4.18.0
_.template now throws "Invalid imports option passed into _.template" when imports keys contain forbidden identifier characters, which were previously allowed.

All breaking changes by upgrading esbuild from version 0.27.2 to 0.28.1 (CHANGELOG)

Version Description
0.28.0
Integrity check hashes for all platform-specific binary packages are now embedded in the top-level esbuild package, which could affect the fallback download path during installation

All breaking changes by upgrading ws from version 8.18.0 to 8.21.0 (CHANGELOG)

Version Description
8.21.0
Fixed a remote memory exhaustion DoS vulnerability by introducing maxBufferedChunks and maxFragments options that restrict the volume of tiny fragments and data chunks that can be sent by a peer
✅ 63 CVEs resolved by this upgrade, including 6 critical 🚨 CVEs

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-33128
🚨 CRITICAL
[h3] createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization, allowing attackers who control SSE message fields to inject arbitrary events to connected clients.
CVE-2026-4800
🚨 CRITICAL
[lodash] A vulnerability in _.template allows arbitrary code execution through untrusted key names in options.imports or prototype pollution, as validation was incomplete after a prior CVE fix. An attacker can inject malicious code that executes during template compilation.
CVE-2025-13465
MEDIUM
[lodash] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality.
CVE-2026-2950
MEDIUM
[lodash] Prototype pollution vulnerability in _.unset and _.omit functions allows attackers to bypass previous fixes using array-wrapped path segments, enabling deletion of properties from built-in prototypes. While this doesn't allow overwriting prototype behavior, it can cause denial of service or unexpected application behavior.
CVE-2026-41242
🚨 CRITICAL
[protobufjs] Arbitrary code injection vulnerability in protobuf type fields allows attackers to execute malicious code during object decoding. This enables remote code execution (RCE) when processing untrusted protobuf definitions.
CVE-2026-44293
HIGH
[protobufjs] A vulnerability in protobuf schema compilation allows attackers to inject arbitrary code into generated JavaScript functions through crafted bytes field default values. This enables remote code execution when processing malicious protobuf descriptors.
CVE-2026-44291
HIGH
[protobufjs] Prototype pollution vulnerability allows attackers to inject malicious strings into generated JavaScript code through polluted Object.prototype, enabling arbitrary code execution during protobuf encoding and decoding operations.
CVE-2026-44289
HIGH
[protobufjs] Unbounded recursion during protobuf decoding allows a crafted binary payload to exhaust the JavaScript call stack, causing a denial of service. The vulnerability affects both unknown group field skipping and nested message field decoding.
CVE-2026-44290
HIGH
[protobufjs] A prototype pollution vulnerability allows attackers to write to global JavaScript constructor properties through crafted protobuf schemas, corrupting built-in functionality and potentially enabling remote code execution. The flaw exists in schema option path handling that fails to properly restrict property traversal during option application.
CVE-2026-45740
HIGH
[protobufjs] Unbounded recursion in JSON descriptor parsing allows attackers to exhaust the JavaScript call stack by providing deeply nested namespace definitions, causing a denial of service during descriptor loading.
CVE-2026-48712
HIGH
[protobufjs] Unbounded recursion in protobuf message conversion to JSON/objects with nested Any values can exhaust the call stack, causing denial of service when processing attacker-controlled protobuf data.
AIKIDO-2026-10467
MEDIUM
[protobufjs] Prototype pollution vulnerability in message initialization allows attackers to inject malicious properties via the proto field, enabling prototype chain manipulation and unintended property injection across the application.
CVE-2026-44288
MEDIUM
[protobufjs] A UTF-8 decoder vulnerability allows attackers to bypass application-level checks by decoding overlong UTF-8 byte sequences into canonical characters, potentially enabling malicious strings to pass validation filters. This could lead to security bypasses in protobuf message processing.
CVE-2026-44292
MEDIUM
[protobufjs] Prototype pollution vulnerability in message constructors allows attackers to modify the prototype of message instances by providing a malicious proto property, potentially enabling arbitrary code execution or object manipulation.
CVE-2026-44294
MEDIUM
[protobufjs] Unescaped control characters in field names can be embedded into generated JavaScript functions, causing code injection that breaks encode, decode, verify, or conversion functions during compilation. An attacker can exploit this via a crafted schema or JSON descriptor to cause denial of service.
CVE-2026-23736
🚨 CRITICAL
[seroval] Improper input validation in JSON deserialization allows malicious object keys to cause prototype pollution, enabling attackers to modify object prototypes and potentially execute arbitrary code or manipulate application behavior.
CVE-2026-23737
HIGH
[seroval] Improper input handling in JSON deserialization allows arbitrary JavaScript code execution through constant value and error deserialization overrides. Attackers can exploit fromJSON and fromCrossJSON functions via multiple requests to achieve RCE in client-to-server scenarios.
CVE-2026-23957
HIGH
[seroval] A denial of service vulnerability exists where attackers can override encoded array lengths with excessively large values, causing the deserialization process to consume significant processing time and resources.
CVE-2026-24006
HIGH
[seroval] A stack overflow vulnerability occurs when serializing deeply nested objects, causing denial of service. The vulnerability is mitigated by introducing a configurable depth limit parameter that throws an error when exceeded.
CVE-2026-1525
🚨 CRITICAL
[undici] Duplicate HTTP Content-Length headers with case-variant names are allowed, creating malformed requests that can cause denial of service or enable HTTP request smuggling attacks in inconsistent header interpretation scenarios.
CVE-2026-1526
HIGH
[undici] A malicious WebSocket server can send compressed frames that expand to extremely large sizes in memory without limits, causing denial-of-service through memory exhaustion and process crash. The vulnerability stems from unbounded decompression in the permessage-deflate extension without size validation.
CVE-2026-1528
HIGH
[undici] A server can send a WebSocket frame with an extremely large 64-bit length value, causing ByteParser integer overflow that results in a fatal TypeError and process termination (DoS).
CVE-2026-2229
HIGH
[undici] A malicious WebSocket server can crash the client process by sending an invalid server_max_window_bits parameter in the permessage-deflate extension, causing an uncaught RangeError when creating a zlib decompressor with an out-of-range value.
CVE-2026-22036
HIGH
[undici] An unbounded decompression chain vulnerability allows a malicious server to insert thousands of compression steps, causing excessive CPU usage and memory allocation. This results in denial of service through resource exhaustion.
CVE-2026-1527
MEDIUM
[undici] HTTP request smuggling vulnerability allowing CRLF injection through the upgrade option, enabling arbitrary header injection and premature request termination to smuggle data to non-HTTP services.
AIKIDO-2026-10369
LOW
[undici] Prototype pollution vulnerability allows attackers to modify object prototypes through specially crafted input with keys like __proto__ or constructor, potentially influencing application behavior or enabling further attacks.
AIKIDO-2026-10022
LOW
[undici] A malicious server can send HTTP responses with excessive layered Content-Encoding headers, forcing the client into recursive decompression that exhausts CPU and memory resources, causing denial-of-service. This was mitigated by limiting the encoding chain to a maximum of 5 layers.
CVE-2026-41248
🚨 CRITICAL
[@clerk/shared] A route matcher bypass vulnerability allows crafted requests to skip middleware gating and reach downstream handlers, potentially enabling unauthorized access to protected resources.
CVE-2026-42349
HIGH
[@clerk/shared] Authorization predicates can incorrectly return true for combined checks (reverification with role/permission/feature/plan, or billing with role/permission), allowing unauthorized access to gated actions when conditions should fail.
CVE-2026-44578
HIGH
[next] Self-hosted applications are vulnerable to server-side request forgery (SSRF) through crafted WebSocket upgrade requests, allowing attackers to proxy requests to arbitrary destinations and potentially expose internal services or cloud metadata. Vercel-hosted deployments are unaffected.
AIKIDO-2026-10758
HIGH
[next] A WebSocket upgrade proxying vulnerability allows attackers to craft requests that trigger outbound connections to arbitrary destinations, enabling server-side request forgery and potential exposure of internal services. This affects self-hosted deployments and can be exploited to reach internal or external targets.
GHSA-q4gf-8mx6-v5v3
HIGH
[next] A specially crafted HTTP request to App Router Server Function endpoints can trigger excessive CPU usage during deserialization, causing denial of service (DoS).
AIKIDO-2026-10762
HIGH
[next] A deserialization vulnerability in server function endpoints allows attackers to consume excessive CPU through crafted input, causing denial of service by exhausting request handling capacity and degrading application availability.
AIKIDO-2026-10757
HIGH
[next] A vulnerability in Pages Router with i18n allows attackers to bypass middleware authorization checks by accessing locale-less data routes, enabling unauthorized access to protected page data through alternate paths.
CVE-2026-44573
HIGH
[next] A vulnerability allows unauthorized access to protected page data in applications using Pages Router with i18n configuration, as middleware authorization checks are bypassed for locale-less data route requests. An attacker can retrieve sensitive SSR JSON data without passing authorization checks, resulting in information disclosure.
GHSA-8h8q-6873-q5fj
HIGH
[next] A specially crafted HTTP request to App Router Server Function endpoints can trigger excessive CPU usage during deserialization, causing denial of service (DoS).
CVE-2026-29057
MEDIUM
[next] HTTP request smuggling vulnerability in Next.js rewrites with chunked DELETE/OPTIONS requests allows attackers to bypass route restrictions and access unintended backend endpoints. An attacker could smuggle malicious requests to internal or admin routes through request boundary disagreement between proxy and backend.
AIKIDO-2026-10755
MEDIUM
[next] Inline beforeInteractive script serialization insufficiently escapes untrusted input, allowing attackers to break script boundaries and execute arbitrary JavaScript in the browser when untrusted data is passed to script props.
CVE-2026-44580
MEDIUM
[next] A cross-site scripting (XSS) vulnerability exists in applications using beforeInteractive scripts with untrusted content, where serialized script content is not properly escaped, allowing attackers to execute arbitrary JavaScript in visitors' browsers.
AIKIDO-2026-10754
MEDIUM
[next] The Image Optimization API fails to enforce consistent maximum-size limits when loading local images into memory, allowing attackers to exhaust process memory through large local assets and cause denial of service in self-hosted configurations.
CVE-2026-44577
MEDIUM
[next] A memory exhaustion vulnerability in the Image Optimization API allows attackers to trigger out-of-memory conditions by requesting large local assets through the /_next/image endpoint without size limits. This can cause denial of service by consuming excessive server memory.
CVE-2026-44572
MEDIUM
[next] A vulnerability allows attackers to send a crafted x-nextjs-data header on requests to middleware-handled paths, causing the redirect response to use an internal header instead of the standard Location header, which browsers cannot follow. If deployed behind a caching CDN or reverse proxy, this can poison the cache and cause denial of service for affected redirect paths.
AIKIDO-2026-10753
MEDIUM
[next] A cache poisoning vulnerability allows attackers to cause incorrect React Server Component payloads to be cached and served to users under shared-cache conditions, potentially returning malformed responses and compromising application functionality.
CVE-2026-44576
MEDIUM
[next] Applications using React Server Components are vulnerable to cache poisoning due to improper response variant partitioning in shared caches, allowing attackers to serve component payloads instead of HTML and poison cache entries for subsequent visitors. This enables unauthorized content injection and potential remote code execution through malicious component payloads.
AIKIDO-2026-10756
MEDIUM
[next] A vulnerability in App Router allows malformed CSP nonce values from request headers to be reflected into HTML, potentially poisoning cached content and enabling script execution for other users in shared-cache deployments.
CVE-2026-44581
MEDIUM
[next] App Router applications using CSP nonces are vulnerable to stored cross-site scripting when deployed behind shared caches, as malformed nonce values from request headers can be unsafely reflected into HTML, allowing attackers to poison cached responses and execute scripts for subsequent visitors.
AIKIDO-2026-10752
LOW
[next] RSC cache-busting values can collide in shared cache deployments, allowing attackers to poison cache variants and serve incorrect component responses to users. This vulnerability stems from insufficient collision resistance in response variant separation.
AIKIDO-2026-10751
LOW
[next] A vulnerability in middleware redirect handling allows attackers to manipulate redirect responses and poison caches by spoofing internal-data headers, causing subsequent users to receive broken cached redirects until expiry.
CVE-2026-44582
LOW
[next] React Server Component responses are vulnerable to cache poisoning due to insufficient response partitioning, allowing attackers to manipulate cache entries and serve incorrect content to users. This can lead to information disclosure or content manipulation through collisions in cache-busting values.
CVE-2026-42047
HIGH
[inngest] Unauthenticated attackers can exfiltrate environment variables via PATCH, OPTIONS, or DELETE requests to the serve() HTTP handler, exposing secrets and credentials. This occurs because unhandled HTTP methods return diagnostic information containing process.env contents.
CVE-2025-66414
HIGH
[@modelcontextprotocol/sdk] DNS rebinding vulnerability in HTTP-based MCP servers allows malicious websites to bypass same-origin policy and invoke tools or access resources on unauthenticated localhost servers. The vulnerability requires DNS rebinding protection to be explicitly enabled, as it is disabled by default.
CVE-2026-25536
HIGH
[@modelcontextprotocol/sdk] A cross-client response data leak vulnerability occurs when a single McpServer instance and transport are reused across multiple client connections, allowing responses intended for one client to be leaked to others. This enables information disclosure and potential unauthorized access to sensitive data between clients.
AIKIDO-2026-445064
HIGH
[esbuild] A vulnerability allows attackers to redirect binary downloads to malicious sources by manipulating the NPM_CONFIG_REGISTRY environment variable, enabling remote code execution since downloaded binaries lack SHA-256 integrity verification before execution.
CVE-2026-35209
HIGH
[defu] Prototype pollution vulnerability in the defu function allows attackers to override default object properties through crafted __proto__ payloads in unsanitized user input, potentially leading to application logic bypass or information disclosure.
CVE-2026-41907
HIGH
[uuid] A buffer overflow vulnerability allows v3, v5, and v6 UUID functions to write beyond caller-provided buffer boundaries when given small buffers or large offsets, causing silent data corruption. This can lead to memory corruption and potential code execution or information disclosure.
AIKIDO-2026-10892
MEDIUM
[uuid] UUID functions v3(), v5(), and v6() can write past the end of a caller-provided buffer due to missing offset validation, enabling buffer overflow attacks. The fix adds bounds checks to prevent out-of-range writes.
CVE-2026-44902
HIGH
[@opentelemetry/auto-instrumentations-node] A malformed HTTP request to the Prometheus metrics endpoint causes an uncaught TypeError, crashing the Node.js process due to missing error handling in URL parsing. This results in a Denial of Service vulnerability.
CVE-2026-45736
HIGH
[ws] is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
CVE-2026-48779
HIGH
[ws] A remote peer can send high volumes of tiny fragmented WebSocket messages to force excessive memory allocation of structural wrappers, bypassing message-size limits and causing denial of service through out-of-memory process termination.
CVE-2026-46625
HIGH
[js-cookie] A prototype pollution vulnerability allows attackers to inject malicious cookie attributes (domain, secure, samesite, expires, path) by exploiting unsafe property copying from JSON-parsed objects. This enables attackers to bypass cookie security restrictions set by developers.
CVE-2026-48068
HIGH
[@grpc/grpc-js] Invalid HTTP/2 stream initiation can crash server processes, causing denial of service. All gRPC servers are affected by this vulnerability.
CVE-2026-48069
HIGH
[@grpc/grpc-js] An invalid incoming compressed message can cause a client or server process to crash, resulting in a denial of service affecting all users of the library.
CVE-2026-12143
HIGH
[form-data] A CRLF injection vulnerability in the field and filename arguments allows attackers to inject headers or multipart parts into requests, potentially enabling form field manipulation or bypass attacks when untrusted input is used as field names or filenames.

🔄 Upgrade impact analysis is in progress. Breaking changes will be added here once finalized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants