Nothing quite like watching your cluster burn because an engine forgot how subtraction works.
🧮 LiquidJS Math Nightmare
If your Node apps render untrusted LiquidJS templates, your memory limits are useless. Attackers can bypass `memoryLimit` constraints by passing reverse range expressions, driving the internal allocator counter negative. Chain this with a string flattening filter, and a 400-byte payload triggers an uncatchable V8 fatal error. It bypasses all error handling and hard-crashes the container. Bump to 10.25.0.
🕸️ 15-Byte Broker Takedown
Speaking of integer overflows, the NATS server has a pre-auth panic in its WebSocket handler. Attackers send a crafted 15-byte WebSocket frame whose payload length is converted into a huge negative integer. The resulting bounds check failure nukes the entire Go process. One unauthenticated packet takes down your entire event-driven layer. Lock down exposed WS ports and patch immediately.
👀 Observability Leaks
While fixing NATS, check your monitoring routes. If you use MQTT with NATS, the broker misclassifies MQTT passwords as JWTs and dumps them in plaintext directly on its observability endpoints. Anyone who can reach your metrics can scrape edge credentials for free network access. Firewall those monitoring ports and rotate your passwords.