We've disclosed 3416 vulnerabilities by Snyk Security Researchers
Upgrade postgresql to version 13.19, 14.16, 15.11, 16.7, 17.3 or higher.
pm2 is a production process manager for Node.js applications with a built-in load balancer.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the function _valid in the Config.js file, which is exposed to user input via validateJSON. An attacker can cause degradation of performance by sending specially crafted inputs that exploit inefficient regular expression complexity.
Note: This vulnerability is being verified and the advisory may be updated to reflect new information.
Affected versions of this package are vulnerable to SQL Injection through multiple vector store integrations. An attacker can read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the library in a web application.
org.apache.kafka:kafka-clients is a streaming platform that can publish and subscribe to streams of records, store streams of records in a fault-tolerant durable way, and process streams of records as they occur.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper handling of the sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url configurations. An attacker can read arbitrary contents of the disk and environment variables or make requests to an unintended location by manipulating these configurations.
Note: This is only exploitable if configurations can be specified by an untrusted party.
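Because the advisory notes that the issue only matters when an untrusted party can supply these two configuration values, a defender-side pre-check on the client properties before they reach the Kafka client is a cheap mitigation while an upgrade is scheduled. The following is an added example written for this page, not code from Snyk or from Apache Kafka; it assumes a hypothetical allowlist of identity-provider hosts (`TRUSTED_OAUTH_HOSTS`, a constructed value) and applies only to the two property names the advisory names. It rejects any value whose scheme is not `https` (which covers local file references and unexpanded environment-style strings) and any host outside the allowlist:

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example. A real deployment would take its
# identity-provider hosts from operator-controlled configuration, never from
# the same untrusted source that supplies the client properties.
TRUSTED_OAUTH_HOSTS = {"login.example-idp.internal"}

# The two kafka-clients properties named in the advisory.
OAUTHBEARER_URL_KEYS = (
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.jwks.endpoint.url",
)


def check_oauthbearer_endpoints(config, allowed_hosts=TRUSTED_OAUTH_HOSTS):
    """Return a list of problems found in the OAUTHBEARER endpoint URLs.

    An empty list means both properties are either absent or point at an
    https URL on an allowlisted host. Keys that are not present are ignored,
    so the check can run over a full client property map.
    """
    problems = []
    for key in OAUTHBEARER_URL_KEYS:
        value = config.get(key)
        if value is None:
            continue
        parts = urlsplit(str(value).strip())
        # Anything that is not https (file:, http:, a bare path, an
        # unexpanded "$VAR" string) is refused outright.
        if parts.scheme.lower() != "https":
            problems.append(f"{key}: scheme {parts.scheme!r} is not https")
            continue
        # hostname is lower-cased and has any port stripped by urlsplit.
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            problems.append(f"{key}: host {host!r} is not on the allowlist")
    return problems


def load_client_config(untrusted_properties, allowed_hosts=TRUSTED_OAUTH_HOSTS):
    """Accept a property map from an untrusted source only if the check passes.

    Raises ValueError listing every problem so the caller can log it and
    refuse to build a producer or consumer with these settings.
    """
    problems = check_oauthbearer_endpoints(untrusted_properties, allowed_hosts)
    if problems:
        raise ValueError("unsafe OAUTHBEARER configuration: " + "; ".join(problems))
    return dict(untrusted_properties)


if __name__ == "__main__":
    # Constructed sample property maps; none of these values come from the advisory.
    good = {
        "bootstrap.servers": "broker.example.internal:9093",
        "sasl.oauthbearer.token.endpoint.url": "https://login.example-idp.internal/token",
        "sasl.oauthbearer.jwks.endpoint.url": "https://login.example-idp.internal:443/keys",
    }
    bad = {
        "sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd",
        "sasl.oauthbearer.jwks.endpoint.url": "https://169.254.169.254/keys",
    }
    print("good config problems:", check_oauthbearer_endpoints(good))
    print("bad config problems:", check_oauthbearer_endpoints(bad))
```

The check is a guard in front of the library, not a replacement for upgrading kafka-clients: it only narrows what an untrusted caller can point the client at, and it has nothing to say about configurations that the operator sets from trusted sources.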