Node.js cached-path-relative module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the cachedPathRelative function. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
Node.js convert-svg-core, convert-svg-to-png, and convert-svg-to-jpeg modules could allow a remote attacker to traverse directories on the system, caused by improper input validation by the SVG file. An attacker could send a specially-crafted SVG file containing “dot dot” sequences (/../) to view arbitrary files on the system.
Node.js @isomorphic-git/cors-proxy module is vulnerable to server-side request forgery, caused by missing sanitization and validation of the redirection action in middleware.js. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
Upgrade to the latest version of cached-path-relative, available from the NPM Web site.