We’ve disclosed 3445 vulnerabilities
by Snyk Security Researchers
Avoid using all malicious instances of the ngx-bootstrap package.
This issue was found to be a duplicate. The original vulnerability with details can be found [here](https://security.snyk.io/vuln/).

via the build cache process. An attacker can inject compromised artifacts into trusted production environments by submitting pull requests from untrusted environments, leading to the distribution of malicious builds. This attack is possible because artifacts from untrusted sources are accepted into the cache before security controls are applied, bypassing encryption, access controls, and checksum validation.
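The cache-poisoning scenario above comes down to ordering: provenance and checksum controls must run before an artifact is written to a cache that trusted builds read from. The following is an added illustration, not code from the affected project, of a cache gate that enforces that ordering. The class and field names (BuildCache, Artifact, TRUSTED_SOURCES) and the sample artifacts are hypothetical and constructed for the example.

```python
# Added example (not the advisory's project code): a minimal build-cache gate
# that applies the two controls the advisory says were bypassed, provenance
# (only artifacts built from trusted sources) and checksum validation, before
# anything is written to the shared cache.
# Names (BuildCache, Artifact, TRUSTED_SOURCES) are hypothetical.
import hashlib
from dataclasses import dataclass

# Hypothetical set of refs whose builds are allowed to populate the cache.
TRUSTED_SOURCES = {"main", "release"}


@dataclass(frozen=True)
class Artifact:
    key: str        # cache key, e.g. "build/app.tar.gz"
    content: bytes
    source: str     # branch or ref the artifact was built from
    fork: bool      # True when the build came from an external fork PR


class CacheRejected(Exception):
    pass


class BuildCache:
    def __init__(self):
        self._store: dict[str, bytes] = {}
        self._digests: dict[str, str] = {}

    def put(self, artifact: Artifact, expected_sha256: str) -> str:
        """Store an artifact only if it is trusted and its checksum matches.

        Returns the verified digest; raises CacheRejected otherwise, so an
        untrusted pull request can never seed the cache that production
        builds read from.
        """
        if artifact.fork or artifact.source not in TRUSTED_SOURCES:
            raise CacheRejected(
                f"untrusted source {artifact.source!r} (fork={artifact.fork})")
        digest = hashlib.sha256(artifact.content).hexdigest()
        if digest != expected_sha256.lower():
            raise CacheRejected(f"checksum mismatch for {artifact.key}")
        self._store[artifact.key] = artifact.content
        self._digests[artifact.key] = digest
        return digest

    def get(self, key: str) -> bytes:
        """Read an artifact back and re-verify it against the recorded digest."""
        content = self._store[key]
        if hashlib.sha256(content).hexdigest() != self._digests[key]:
            raise CacheRejected(f"cache entry {key} was tampered with")
        return content


def demo() -> dict:
    """Walk through the advisory's scenario with constructed artifacts."""
    cache = BuildCache()
    good = Artifact("build/app.tar.gz", b"legit build output", "main", fork=False)
    results = {"good": cache.put(good, hashlib.sha256(good.content).hexdigest())}

    # 1. A pull request from an untrusted fork tries to seed the same key.
    evil = Artifact("build/app.tar.gz", b"backdoored build output", "feature/x", fork=True)
    try:
        cache.put(evil, hashlib.sha256(evil.content).hexdigest())
        results["fork"] = "accepted"
    except CacheRejected:
        results["fork"] = "rejected"

    # 2. A trusted source, but the content does not match the declared checksum.
    bad_sum = Artifact("build/lib.so", b"something", "main", fork=False)
    try:
        cache.put(bad_sum, "00" * 32)
        results["checksum"] = "accepted"
    except CacheRejected:
        results["checksum"] = "rejected"

    # Production reads still get the artifact that passed both checks.
    results["served"] = cache.get("build/app.tar.gz")
    return results
```

The point of `demo()` is the order of operations: the fork check and the digest comparison both run in `put()`, so a rejected artifact never reaches `_store`, and `get()` re-checks the digest so a later tampered entry is also caught.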
reflex is a framework for building web apps in pure Python.
Affected versions of this package are vulnerable to Open Redirect via the redirect_to query parameter in the /auth-codespace route, which is assigned directly to client-side links without validation and triggers automatic navigation. An attacker can cause users to be redirected to arbitrary external domains by crafting a link with a malicious redirect_to value. This is only exploitable if the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable is set in the deployment environment.
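To make the vulnerable pattern concrete, here is an added example (not reflex's own code) showing a handler that uses redirect_to verbatim next to a hardened version that only accepts a same-site relative path. The route and parameter names follow the advisory; the helper names (vulnerable_target, is_safe_redirect, hardened_target) are hypothetical.

```python
# Added example, not code from reflex: the unvalidated redirect_to pattern
# described in the advisory, next to a check that rejects anything but a
# local path. Helper names are hypothetical.
from urllib.parse import parse_qs, urlsplit


def vulnerable_target(query: str) -> str:
    """Before: whatever redirect_to says becomes the navigation target."""
    return parse_qs(query).get("redirect_to", ["/"])[0]


def is_safe_redirect(target: str) -> bool:
    """Accept only an absolute path on this site.

    Rejects absolute URLs (https://evil.example), scheme-relative URLs
    (//evil.example), backslash variants (/\\evil.example, which browsers
    normalise to //evil.example) and scheme-only payloads such as
    javascript:alert(1).
    """
    if not target:
        return False
    # urlsplit does not treat backslashes as separators, but browsers do.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    return True


def hardened_target(query: str) -> str:
    """After: fall back to the app root unless redirect_to is a local path."""
    candidate = parse_qs(query).get("redirect_to", ["/"])[0]
    return candidate if is_safe_redirect(candidate) else "/"
```

Checking the parsed scheme and netloc rather than matching a prefix is what closes the `//` and `/\` cases; an allowlist of permitted hosts would be the alternative when cross-origin redirects are genuinely needed.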
Affected versions of this package are vulnerable to Expression Language Injection in route definitions. An attacker with permission to define routes can expose the server's file structure or sensitive environment variables by crafting a Spring Expression Language (SpEL) expression that accesses sensitive system beans such as @systemProperties and @systemEnvironment.
Note: Additional fixed versions might be available for commercial users of Spring Enterprise.
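Because the issue requires an attacker who can already define routes, a useful complementary control is to review route definitions for bean references before they are applied. The following is an added example, not Spring's code, of such an audit check: it scans a set of route definitions for SpEL `#{...}` expressions and flags any that reference beans (and the two sensitive beans named above in particular) or use `T(...)` type access. The JSON route layout is a constructed, hypothetical shape; the SpEL expression and `@beanName` syntax are real.

```python
# Added example, not Spring's code: an audit check over route definitions
# that flags SpEL expressions referencing beans, so a config review or a CI
# gate on route changes catches the pattern in the advisory. The route JSON
# shape below is hypothetical and the sample routes are constructed.
import json
import re

SPEL_EXPR = re.compile(r"#\{(.*?)\}", re.DOTALL)       # SpEL template expression
BEAN_REF = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)")    # @beanName reference
TYPE_REF = re.compile(r"\bT\(")                        # T(java.lang.Runtime) style access
SENSITIVE_BEANS = {"systemProperties", "systemEnvironment"}


def _walk_strings(node):
    """Yield every string value nested anywhere in a parsed definition."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_strings(value)


def audit_routes(definitions: list) -> list:
    """Return (route id, expression, reason) for every suspicious SpEL use."""
    findings = []
    for route in definitions:
        rid = route.get("id", "<unnamed>")
        for text in _walk_strings(route):
            for expr in SPEL_EXPR.findall(text):
                beans = set(BEAN_REF.findall(expr))
                sensitive = beans & SENSITIVE_BEANS
                if sensitive:
                    findings.append((rid, expr, "references sensitive bean "
                                     + ", ".join(sorted(sensitive))))
                elif beans:
                    findings.append((rid, expr, "references bean "
                                     + ", ".join(sorted(beans))))
                elif TYPE_REF.search(expr):
                    findings.append((rid, expr, "uses T() type reference"))
    return findings


# Constructed sample: one benign route and two that would leak server internals.
SAMPLE_ROUTES = json.loads("""
[
  {"id": "orders", "uri": "http://orders:8080",
   "predicates": [{"name": "Path", "args": {"pattern": "/orders/**"}}],
   "filters": [{"name": "AddRequestHeader", "args": {"name": "X-Req", "value": "static"}}]},
  {"id": "leak-env", "uri": "http://orders:8080",
   "filters": [{"name": "AddResponseHeader",
                "args": {"name": "X-Debug", "value": "#{@systemEnvironment['PATH']}"}}]},
  {"id": "leak-props", "uri": "http://orders:8080",
   "filters": [{"name": "AddResponseHeader",
                "args": {"name": "X-Home", "value": "#{@systemProperties['user.dir']}"}}]}
]
""")
```

This is a detection aid, not a replacement for upgrading: it flags any bean reference, not only the two sensitive ones, because an attacker who can evaluate arbitrary SpEL is rarely limited to those beans.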