Security Vulnerabilities in Zabbix Version 6.2.0

  • GJ-InfoSec
    Junior Member
    • Oct 2024
    • 1

    #1

    Hello Zabbix Community,

    We are currently using Zabbix version 6.2.0 in our environment, and after running a security scan through Snyk, we discovered several vulnerabilities that we believe require attention and discussion. Here’s a summary of the findings:

    Critical Issues:
    • None identified

    High Severity:
    1. Server-side Request Forgery (SSRF)
      • CVE: CVE-2023-42282, CVE-2024-29415
      • CWE: CWE-918
      • Affected: package.json
      • Fixability: Fixable
      • POC Available
    2. Uncontrolled Resource Consumption
      • CVE: CVE-2024-4068
      • CWE: CWE-400
      • Affected: package.json
      • Fixability: Fixable
      • POC Available
    3. Prototype Pollution
      • CWE: CWE-1321
      • Affected: package.json
      • No known exploit currently available
    4. Inefficient Regular Expression Complexity
      • CVE: CVE-2024-4067
      • CWE: CWE-1333
      • Affected: package.json
      • No known exploit currently available

    Medium Severity:
    1. Uncontrolled Resource Consumption ('Resource Exhaustion')
      • CVE: CVE-2024-28863
      • CWE: CWE-400
      • Affected: package.json
      • Fixability: Partially fixable
      • POC Available
    2. Missing Release of Resource after Effective Lifetime
      • CWE: CWE-772
      • Affected: package.json
      • Fixability: Fixable
      • POC Available

    We are currently staging an upgrade to a newer version of Zabbix and are curious whether these vulnerabilities will be resolved post-upgrade. Any insight or experiences regarding fixes in future releases would be helpful.

    I would appreciate the community’s input on the following:
    1. Are there any planned patches or updates in future Zabbix releases to address these vulnerabilities?
    2. Has anyone encountered or mitigated similar issues, particularly for SSRF and resource consumption vulnerabilities?
    3. Are there any temporary mitigation strategies for these vulnerabilities that we could implement while awaiting a fix?

    Looking forward to any advice or information the community can provide.

    Best regards,
  • cyber
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Dec 2006
    • 4807

    #2
    None of it looks like a Zabbix bug, as far as I can see... node.js and npm are not used... if you found them on your Zabbix servers, you put them there by your own will; they are not used by Zabbix (the server is written in C and the frontend in PHP...)

    If you do not see that Zabbix IS affected, then you should not worry about theoretical issues... You can see all related stuff here: https://www.zabbix.com/security_advisories and if you think you found something you can report it at https://www.zabbix.com/zabbix_security_policy
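The scoping check the reply describes, whether a flagged dependency manifest is actually installed and reachable on the host, as an added example that is not code from either poster or from Zabbix. The findings are the ones listed in post #1; the file listings and the three verdict rules are constructed assumptions.

```python
# Added example: triage Snyk-style findings against what a host actually deploys.
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    cves: tuple          # CVE ids as given in the post; empty where Snyk listed none
    affected_file: str   # the dependency manifest Snyk flagged

# The six findings from post #1, with the identifiers the poster gave.
FINDINGS = [
    Finding("Server-side Request Forgery (SSRF)", "high", ("CVE-2023-42282", "CVE-2024-29415"), "package.json"),
    Finding("Uncontrolled Resource Consumption", "high", ("CVE-2024-4068",), "package.json"),
    Finding("Prototype Pollution", "high", (), "package.json"),
    Finding("Inefficient Regular Expression Complexity", "high", ("CVE-2024-4067",), "package.json"),
    Finding("Resource Exhaustion", "medium", ("CVE-2024-28863",), "package.json"),
    Finding("Missing Release of Resource after Effective Lifetime", "medium", (), "package.json"),
]

def live_manifests(deployed_files):
    """package.json files with an installed node_modules tree beside them,
    i.e. manifests whose dependencies can actually be loaded at runtime."""
    paths = [PurePosixPath(p) for p in deployed_files]
    live = set()
    for manifest in (p for p in paths if p.name == "package.json"):
        node_modules = manifest.parent / "node_modules"
        if any(node_modules in p.parents for p in paths):
            live.add(str(manifest))
    return live

def triage(findings, deployed_files):
    """Map each finding title to a scope verdict for this deployment."""
    present_names = {PurePosixPath(p).name for p in deployed_files}
    live_names = {PurePosixPath(m).name for m in live_manifests(deployed_files)}
    verdicts = {}
    for f in findings:
        if f.affected_file in live_names:
            verdicts[f.title] = "in scope"      # dependencies installed, runtime-reachable
        elif f.affected_file in present_names:
            verdicts[f.title] = "verify"        # manifest shipped, nothing installed from it
        else:
            verdicts[f.title] = "out of scope"  # manifest is not part of this deployment
    return verdicts

# Constructed listings: a stock Zabbix host (C server, PHP frontend)...
ZABBIX_ONLY = ["/usr/sbin/zabbix_server", "/usr/share/zabbix/index.php",
               "/usr/share/zabbix/include/config.inc.php"]
# ...and the same host with a hand-added Node project installed next to it.
WITH_NODE_APP = ZABBIX_ONLY + ["/opt/tool/package.json", "/opt/tool/node_modules/somelib/index.js"]
```

Feed `triage()` a real file listing (for example the output of `find` over the install prefix) and anything still marked "in scope" is what belongs in a Zabbix security report; the rest is a scanner workspace artifact to clean up.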
