Dapr September 2023 security audit report
the same Dapr building blocks. None of the issues were of critical or high severity. We found a vulnerability in a 3rd-party dependency which was assigned a CVE1 of high severity, however it did not impact is not enabled by default. The vulnerability had the potential to crash a Dapr sidecar with an out-of-memory denial of service attack vector. We found the vulnerability after performing the threat modelling example, if Dapr sends a request to a NodeJS application that triggers a remote code execution vulnerability in the NodeJS 10 Dapr security audit 2023 application3, this is entirely the responsibility
0 码力 | 47 pages | 1.05 MB | 1 year ago
Dapr February 2021 security audit report
over the WP1-3 scope items and spotted only one new finding classified as a security vulnerability. This problem, however, was given a High score in terms of risk because it enables an access severity rank is simply given in brackets following the title heading for each vulnerability. Each vulnerability is additionally given a unique identifier (e.g. DAP-02-001) for the purpose of facilitating Pollution through invocation (Low) Status: Open During a review of the previously reported vulnerability, it was noticed that the HTTP Parameter Pollution is still possible, as demonstrated via the Proof-of-Concept
0 码力 | 9 pages | 161.25 KB | 1 year ago
Dapr July 2020 security audit report
severity rank is simply given in brackets following the title heading for each vulnerability. Each vulnerability is additionally given a unique identifier (e.g. DAP-01-001) for the purpose of facilitating invocation (Low) It was found that the HTTP API of Dapr is vulnerable to a HTTP Parameter Pollution vulnerability when a service is locally or remotely invoked. The method parameter is received from the path vulnerable code snippets that did not provide an easy way to be called. Conclusively, while a vulnerability is present, an exploit might not always be possible. DAP-01-001 WP1: Sidecar allows MDNS probes
0 码力 | 19 pages | 267.84 KB | 1 year ago
3 results in total