8220 matches found
CVE-2025-66202 Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8,...
Interpretation Conflict
Overview: Affected versions of this package are vulnerable to Interpretation Conflict in path matching. An attacker can gain unauthorized access to restricted endpoints by sending requests with URL-encoded restricted characters in the path, which bypasses middleware and security controls...
GHSA-GM3X-23WP-HC2C Path Normalization Bypass in Traefik Router + Middleware Rules
Impact: There is a potential vulnerability in Traefik when managing requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route requests to a backend using a path-based matcher, if the request path contains an encoded restricted character from the followin...
traefik -- Bypassing security controls via special characters
The traefik project reports: There is a potential vulnerability in Traefik when managing requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route requests to a backend using a path-based matcher, if the request path contains an encoded restricted...
Security Bulletin: IBM Edge Data Collector uses http-proxy-middleware 2.0.7, which is vulnerable to CVE-2025-32996 and CVE-2025-32997.
Summary: IBM Edge Data Collector uses http-proxy-middleware 2.0.7, which is vulnerable to CVE-2025-32996 and CVE-2025-32997. This bulletin contains information addressing the vulnerability. Vulnerability Details: CVE-2025-32996. Description: In http-proxy-middleware before 2.0.8 and 3.x before...
CVE-2025-54305
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if the REMOTE_ADDR property in request.META is set to 127.0.0.1, to 127.0.1.1, or to ::1. Any user wit...
CVE-2025-61757: Imperva Customers Protected Against Critical Oracle Identity Manager Authentication Bypass Leading to Remote Code Execution
At the end of October 2025, Oracle released an emergency security alert addressing CVE-2025-61757, a high-severity authentication-bypass flaw that enables remote code execution in the Identity Manager product of Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0. Multiple threat actors a...
PT-2025-48291
Name of the Vulnerable Software and Affected Versions: Astro versions 5.15.7 and below. Description: Astro, a web framework, is affected by a double URL encoding bypass. This allows unauthenticated attackers to bypass path-based authentication checks in Astro middleware, potentially granting...
EUVD-2025-198798
Malicious code in @ensdomains/durin-middleware npm...
MAL-2025-190729 Malicious code in @ensdomains/durin-middleware (npm)
Source: amazon-inspector. The package @ensdomains/durin-middleware was found to contain malicious code. Source: ghsa-malware...
Oracle Fusion Middleware Identity Manager authentication bypass
Added: 11/24/2025. Background: Oracle Fusion Middleware is a platform for creating and running applications. Problem: An authentication bypass vulnerability in the Identity Manager component allows remote attackers to execute arbitrary commands by appending ;.wadl to a URL. Resolution: See Oracle Pat...
body-parser security vulnerability
body-parser is a Node.js parsing middleware open-sourced by expressjs. A security vulnerability exists in body-parser version 2.2.0, which stems from inefficient handling of URL-encoded bodies and could lead to a denial-of-service attack...
CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a...
Vulnerabilities fixed in Oracle Fusion Middleware
Oracle has fixed vulnerabilities in Oracle Fusion Middleware components. The vulnerabilities allow unauthenticated attackers to access critical data over HTTP, which can lead to partial denial-of-service. The severity of these vulnerabilities is underscored by CVSS scores of 7.5, indicating...
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-61757: Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability. This type of vulnerability is a frequent attack...
Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability
Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager...
CVE-2025-64765
Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI to determine which route to render, while the...