331 matches found

RedhatCVE
added 2025/10/07 3:22 p.m. | 1 views

CVE-2025-61668

Volto is a ReactJS-based frontend for the Plone Content Management System. In versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a...

8.7 CVSS | 6.6 AI score | 0.00105 EPSS
Exploits: 0 | References: 1

Microsoft CVE
added 2025/10/02 6:10 a.m. | 3 views

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify.

...

9.8 CVSS | 7 AI score | 0.02011 EPSS
Exploits: 0

IBM Security Bulletins
added 2025/09/26 6:33 p.m. | 8 views

Security Bulletin: Vulnerabilities in Bouncy Castle, Eclipse JGit and Node.js diff might affect IBM Storage Defender Copy Data Management

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Bouncy Castle, Eclipse JGit and Node.js diff. Vulnerabilities include vulnerable to padding oracle attack, allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistic...

7.5 CVSS | 8.2 AI score | 0.03325 EPSS
Exploits: 0 | Affected Software: 1

OSSF Malicious Packages
added 2025/09/26 9:37 a.m. | 2 views

Malicious code in nodejs-example-google-cloud-trace (npm)

7 AI score
Exploits: 0

OSV
added 2025/09/24 6:30 p.m. | 3 views

GHSA-6XV4-9CQP-92RH messageformat prototype pollution vulnerability

The Runtime components of messageformat package for Node.js version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing...

5.3 CVSS | 7.1 AI score | 0.00131 EPSS
Exploits: 0 | References: 7

IBM Security Bulletins
added 2025/09/24 2:59 p.m. | 4 views

Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Java, Node.js and IBM WebSphere Application Server Liberty

Summary: There are multiple vulnerabilities in Java, Node.js and IBM WebSphere Application Server Liberty used by IBM Transformation Advisor. Vulnerability Details: CVEID: CVE-2025-36047. DESCRIPTION: IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable to a denial of...

8.1 CVSS | 6.6 AI score | 0.02123 EPSS
Exploits: 1 | Affected Software: 1

Cvelist
added 2025/09/24 12:0 a.m. | 6 views

CVE-2025-57354

A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying...

0.0085 EPSS
Exploits: 0 | References: 2

Vulnrichment
added 2025/09/24 12:0 a.m. | 1 views

CVE-2025-57347

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during property assignment operations. This flaw allows attackers to exploit prototype pollution...

7 AI score | 0.00204 EPSS
Exploits: 0 | References: 2

OSV
added 2025/09/22 6:1 p.m. | 1 views

GHSA-G38C-WXJF-XRH6 `git-comiters` Command Injection vulnerability

Background on the vulnerability: This vulnerability manifests with the library's primary exported API, `gitCommiters(options, callback)`, which allows specifying options such as `cwd` for the current working directory and `revisionRange` as a revision pointer, such as `HEAD`. However, the library does not saniti...

8.8 CVSS | 7.8 AI score | 0.00147 EPSS
Exploits: 1 | References: 4

IBM Security Bulletins
added 2025/09/17 5:39 p.m. | 3 views

Security Bulletin: IBM Watsonx BI is affected by use of on-headers in node.js middleware used for listening when a response writes headers

Summary: IBM Watsonx BI is affected by use of on-headers in node.js middleware used for listening when a response writes headers. A bug in on-headers versions 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead. Vulnerability Detail...

3.4 CVSS | 8.9 AI score | 0.00036 EPSS
Exploits: 0 | Affected Software: 1

Packet Storm
added 2025/09/16 12:0 a.m. | 145 views

Node.JS 4.1.1 Directory Listing

Node.JS versions 4.1.1 and below suffer from a Range header issue that results in a directory listing...

7 AI score
Exploits: 0

Github Security Blog
added 2025/09/15 7:59 p.m. | 14 views

Flowise has Remote Code Execution vulnerability

Description: Cause of the Vulnerability: The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it...

10 CVSS | 8 AI score | 0.86202 EPSS
Exploits: 20 | References: 10 | Affected Software: 1

OSV
added 2025/09/12 2:15 a.m. | 0 views

UBUNTU-CVE-2025-58754

Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory...

7.5 CVSS | 6.7 AI score | 0.00257 EPSS
Exploits: 1 | References: 7

IBM Security Bulletins
added 2025/09/11 11:41 a.m. | 12 views

Security Bulletin: Multiple vulnerabilities in NodeJS affect IBM Business Automation Workflow Configuration Editor

Summary: IBM Business Automation Workflow Configuration Editor packages a vulnerable version of the NodeJS runtime and a vulnerable module. Vulnerability Details: CVEID: CVE-2025-23165. DESCRIPTION: In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a...

7.5 CVSS | 6.5 AI score | 0.06002 EPSS
Exploits: 6 | Affected Software: 2

Vulnrichment
added 2025/09/09 8:26 p.m. | 1 views

CVE-2025-59037 DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

DuckDB is an analytical in-process SQL database management system. On 08 September 2025, the DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of DuckDB's packages that included malicious code to...

8.6 CVSS | 7.1 AI score | 0.00086 EPSS
Exploits: 0 | References: 3

OSV
added 2025/09/05 5:10 p.m. | 1 views

MAL-2025-46642 Malicious code in winston-loopback-nodejs-bulma (npm)

The package winston-loopback-nodejs-bulma was found to contain malicious code...

7 AI score
Exploits: 0

OSV
added 2025/09/05 4:38 p.m. | 1 views

MAL-2025-42185 Malicious code in @amiga-fwk-nodejs/log (npm)

The package @amiga-fwk-nodejs/log was found to contain malicious code...

7 AI score
Exploits: 0

OSV
added 2025/08/29 12:0 a.m. | 1 views

DSA-5991-1 nodejs - security update

Bulletin has no description...

8.2 CVSS | 7 AI score | 0.75933 EPSS
Exploits: 1

Tenable Nessus
added 2025/08/27 12:0 a.m. | 2 views

Linux Distros Unpatched Vulnerability : CVE-2021-33623

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end method...

7.5 CVSS | 7.1 AI score | 0.01642 EPSS
Exploits: 0 | References: 2

Redos
added 2025/08/27 12:0 a.m. | 2 views

ROS-20250827-06

A vulnerability in the pbkdf2 library of the Node.js software platform is related to a flaw in the input data validation mechanism. Exploitation of the vulnerability could allow an attacker acting remotely to forge a digital signature by sending specially crafted packets...

9.1 CVSS | 7 AI score | 0.00416 EPSS
Exploits: 0