Vulnerabilities from the last week
Allocation of Resources Without Limits or Throttling
astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in parseRequestBody() when parsing Server Action requests. An attacker can crash the server by sending an excessively large POST request to an action endpoint on a site that uses on-demand rendering. The Node adapter (mode: 'standalone') serves requests with an HTTP server that has no body-size protection; when the crashed process is restarted automatically, repeated requests cause a persistent crash-restart loop.
Note: Action names are discoverable from HTML form attributes on any public page.
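The mitigation a practitioner would want for this class of bug is a byte budget enforced while the body streams in, not after it has been buffered. The following is an added example and not Astro's code: it contrasts an unbounded body reader with one that aborts at a cap, adds a Content-Length pre-check, and shows the same budget applied to a Node `http.IncomingMessage`. The `MAX_ACTION_BODY_BYTES` constant, the function names and the sample chunks are assumptions made for illustration.

```javascript
// Hypothetical cap for a Server Action request body. Size it to the largest
// legitimate form submission the site accepts.
const MAX_ACTION_BODY_BYTES = 1024 * 1024;

// First line of defence: refuse a declared oversize body before reading any of
// it. Returns true when the request may proceed to body reading. A missing
// Content-Length (chunked encoding) is allowed through and bounded while streaming.
function contentLengthAllowed(headers, maxBytes = MAX_ACTION_BODY_BYTES) {
  const declared = headers['content-length'];
  if (declared === undefined) return true;
  const n = Number(declared);
  return Number.isFinite(n) && n >= 0 && n <= maxBytes;
}

// Vulnerable pattern: every chunk is buffered until the stream ends, so the peak
// allocation is whatever the client chooses to send.
function readBodyUnbounded(chunks) {
  const parts = chunks.map((c) => Buffer.from(c));
  return JSON.parse(Buffer.concat(parts).toString('utf8'));
}

// Hardened pattern: count bytes as they arrive and abort as soon as the budget is
// exceeded, before anything large is concatenated or handed to JSON.parse.
function readBodyBounded(chunks, maxBytes = MAX_ACTION_BODY_BYTES) {
  const parts = [];
  let received = 0;
  for (const c of chunks) {
    const buf = Buffer.from(c);
    received += buf.length;
    if (received > maxBytes) {
      const err = new Error('payload too large');
      err.status = 413; // HTTP 413 Content Too Large
      throw err;
    }
    parts.push(buf);
  }
  return JSON.parse(Buffer.concat(parts).toString('utf8'));
}

// The same budget applied to a real Node request object: 'data' events are
// counted as they fire and the socket is destroyed on overflow, so the client
// cannot keep pushing bytes. Resolves with the raw body as a Buffer.
function readRequestBody(req, maxBytes = MAX_ACTION_BODY_BYTES) {
  return new Promise((resolve, reject) => {
    const tooLarge = () => Object.assign(new Error('payload too large'), { status: 413 });
    if (!contentLengthAllowed(req.headers, maxBytes)) {
      reject(tooLarge());
      return;
    }
    const parts = [];
    let received = 0;
    req.on('data', (buf) => {
      received += buf.length;
      if (received > maxBytes) {
        req.destroy();
        reject(tooLarge());
        return;
      }
      parts.push(buf);
    });
    req.on('end', () => resolve(Buffer.concat(parts)));
    req.on('error', reject);
  });
}

// Constructed sample input: a small legitimate action body split across two
// chunks, and an oversized body that should be rejected at a 100-byte cap.
const sampleChunks = ['{"action":"', 'subscribe","email":"a@b.c"}'];
const oversizedChunks = Array.from({ length: 4 }, () => 'x'.repeat(32));

try {
  readBodyBounded(sampleChunks, 64);
  readBodyBounded(oversizedChunks, 100);
} catch (err) {
  console.log(`rejected with status ${err.status}: ${err.message}`);
}
```

The Content-Length check alone is not sufficient: a client can omit the header by using chunked transfer encoding, or lie, so the streaming budget is the check that actually bounds memory. Destroying the socket on overflow matters too; merely responding with 413 while continuing to read would let the attacker keep the connection busy.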
Cross-site Scripting (XSS)
google-cloud-aiplatform is a Vertex AI API client library
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the _genai/_evals_visualization component. An attacker can execute arbitrary JavaScript code in a victim's Jupyter or Colab environment by injecting script escape sequences into model evaluation results or dataset JSON data.
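The failure mode here is attacker-controlled strings (model outputs, dataset fields) being interpolated into HTML that the notebook renders. The following is an added example, not code from google-cloud-aiplatform: it shows the breakout that a raw `JSON.stringify` into a `<script>` block allows, and the two context-specific escapes that close it, one for JSON inside a script element and one for values placed in markup. Function names and the sample evaluation record are assumptions for illustration.

```javascript
// Vulnerable pattern: raw JSON dropped into a script block. A string value that
// contains "</script>" terminates the block early and everything after it is
// parsed as HTML, so a following <script> runs in the notebook.
function unsafeEmbed(results) {
  return `<script>const RESULTS = ${JSON.stringify(results)};</script>`;
}

// Script context: keep the output valid JSON but replace every character that
// can end or alter the surrounding <script> element with a \uXXXX escape.
// JSON.parse on the client decodes these back to the original characters.
// U+2028/U+2029 are included because they are line terminators in JavaScript.
function escapeJsonForHtml(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function safeEmbed(results) {
  return `<script>const RESULTS = ${escapeJsonForHtml(results)};</script>`;
}

// Markup context: when a result string is written into element content or an
// attribute (a table cell in the visualization), HTML-escape it instead.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one evaluation row as a table row with every field escaped for markup.
function renderRow(row) {
  const cells = ['prompt', 'response', 'score']
    .map((k) => `<td>${escapeHtml(row[k])}</td>`)
    .join('');
  return `<tr>${cells}</tr>`;
}

// Constructed sample: an evaluation record whose model response carries a
// script breakout, as an attacker who can influence model output would craft.
const hostileResult = {
  prompt: 'Summarise the document',
  response: '</script><script>alert(document.cookie)</script>',
  score: 0.1,
};

console.log(unsafeEmbed(hostileResult).includes('</script><script>alert')
  ? 'unsafeEmbed: script block is broken out of'
  : 'unsafeEmbed: no breakout');
console.log(safeEmbed(hostileResult));
console.log(renderRow(hostileResult));
```

The two escapes are not interchangeable: HTML-escaping a JSON blob inside `<script>` corrupts the data, and JSON-escaping a value placed into a `<td>` leaves `<` intact. Pick the escape by the context the value lands in.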
XML Entity Expansion
org.webjars.npm:fast-xml-parser is a package to validate, parse and build XML without C/C++-based libraries.
Affected versions of this package are vulnerable to XML Entity Expansion in replaceEntitiesValue() when handling oversized DOCTYPE input. An attacker can cause excessive resource consumption and make the application unresponsive by submitting malicious XML whose document body references a large text entity many times. This bypasses the Billion Laughs protection in DocTypeReader.js, which limits how many references an entity may contain within its own value but does not bound repeated expansion of a large entity from the document body.
Recent vulnerabilities disclosed by Snyk
Severity: C = critical, H = high, M = medium.
- C: Arbitrary Code Injection in unisharp/laravel-filemanager (composer)
- M: Infinite loop in bn.js (npm)
- H: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in directorytree/imapengine (composer)
- M: Regular Expression Denial of Service (ReDoS) in markdown-it (npm)
- C: Arbitrary Code Injection in jsonpath (npm)
Snyk security researchers have disclosed 3467 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.