Vulnerabilities from the last week
Allocation of Resources Without Limits or Throttling
liquidjs is a simple, expressive, safe and Shopify compatible template engine in pure JavaScript.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the date filter in filters/date.ts and the strftime formatter in strftime.ts. An attacker can exhaust memory or hang rendering by supplying a crafted date format string that includes extremely large numeric width directives or non-string format values that expand into large padding allocations.
The vulnerable code builds padding one character at a time and does not account for the allocation cost of strftime width handling in its memory accounting path, so a user-controlled template or data value can drive unbounded allocation work during date formatting. This can crash the process or make the application unresponsive while rendering attacker-controlled templates.
Session Fixation
gradio is a Python library for easily interacting with trained machine learning models.
Affected versions of this package are vulnerable to Session Fixation via /proxy reverse proxy requests. A malicious HF Space can hijack user sessions and gain unauthorized access to other users' authenticated contexts by injecting malicious cookies through a shared HTTP client used in the reverse proxy endpoint. This allows the attacker's cookies to be replayed in subsequent proxy requests to other legitimate targets, impacting all users of the same deployment.
Use of a One-Way Hash with a Predictable Salt
Affected versions of this package are vulnerable to Use of a One-Way Hash with a Predictable Salt in the getSecretKeySaltGenerator function of the Password Hash Handler component. An attacker can compromise the confidentiality of hashed secrets by exploiting the use of a predictable salt in password hashing, allowing easier brute force or precomputed attacks.
Recent vulnerabilities disclosed by Snyk
- CSV Injection in json-2-csv (npm), severity: H
- Denial of Service (DoS) in pacote (npm), severity: H
- Access Control Bypass in @koa/router (npm), severity: M
- Improper Handling of Highly Compressed Data (Data Amplification) in exifreader (npm), severity: M
- Improper Validation of Specified Quantity in Input in exifreader (npm), severity: H
Snyk security researchers have disclosed 3493 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.