Critical Node.js Vulnerability Can Cause Server Crashes via async_hooks Stack Overflow

Node.js has released updates to fix what it described as a critical security issue impacting "virtually every production Node.js app" that, if successfully exploited, could trigger a denial-of-service DoS condition. "Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion wi...

Node.js 20.x < 20.20.0 / 22.x < 22.22.0 / 24.x < 24.13.0 / 24.x < 24.13.0 / 25.x < 25.3.0 Multiple Vulnerabilities (Tuesday, January 13, 2026 Security Releases).

"The version of Node.js installed on the remote host is prior to 20.20.0, 22.22.0, 24.13.0, 24.13.0, 25.3.0. It is, therefore, affected by multiple vulnerabilities as referenced in the Tuesday, January 13, 2026 Security Releases advisory. - A flaw in Node.js's permission model allows a file's...

jsPDF has Local File Inclusion/Path Traversal vulnerability

Impact User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node proce...

EverShop 安全漏洞

EverShop is a NodeJS e-commerce platform open-sourced by EverShop. A security vulnerability exists in EverShop 2.1.0 and earlier versions, which stems from unlimited resource consumption when processing SVG files and could lead to a denial of service attack...

Security Bulletin: Vulnerability in node.js affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerability in node.js has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information. Vulnerabili...

CVE-2023-53940 Codigo Markdown Editor 1.0.1 Electron Arbitrary Code Execution via Markdown File

Codigo Markdown Editor 1.0.1 contains a code execution vulnerability that allows attackers to run arbitrary system commands by crafting a malicious markdown file. Attackers can embed a video source with an onerror event that executes shell commands through Node.js childprocess module when the fil...

CVE-2023-53940 Codigo Markdown Editor 1.0.1 Electron Arbitrary Code Execution via Markdown File

Codigo Markdown Editor 1.0.1 contains a code execution vulnerability that allows attackers to run arbitrary system commands by crafting a malicious markdown file. Attackers can embed a video source with an onerror event that executes shell commands through Node.js childprocess module when the fil...

Node.js React Server Components Denial of Service and Source Code Exposure (CVE-2025-55183, CVE-2025-55184)

Multiple Node.js React Server Components packages are affected by denial of service and source code exposure vulnerabilities. The following Node.js packages and versions are affected: - react-server-dom-webpack 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1 - react-server-dom-parcel 19.0....

Node.js: Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers

A vulnerability was identified in Node.js error handling where "Maximum call stack size exceeded" errors became uncatchable when asynchooks.createHook was enabled. Instead of reaching process.on'uncaughtException', the process terminated, making the crash unrecoverable...

EverShop 安全漏洞

EverShop is a NodeJS e-commerce platform open-sourced by EverShop. A security vulnerability exists in EverShop version 2.0.1 that originates from an unauthenticated user being able to upload files and create directories in the /api/images endpoint...

Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Java and Node.js

Summary There are multiple vulnerabilities in Java and Node.js used by IBM Application Modernization Accelerator. Vulnerability Details CVEID:CVE-2025-53066 DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP component could allow a remote attacker to cause high confidentiali...

Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Java and Node.js

Summary There are multiple vulnerabilities in Java and Node.js used by IBM Transformation Advisor. Vulnerability Details CVEID:CVE-2025-57353 DESCRIPTION: The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient...

TencentOS Server 3: nodejs:20 (TSSA-2024:0765)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0765 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

TencentOS Server 3: nodejs:16 (TSSA-2024:0107)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0107 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rdssuperuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service RDS...

EUVD-2025-175432

Malicious code in zenith-algol-nodejs-pegasus npm...

EUVD-2025-177557

Malicious code in nodejs-csrf-sagitta-materialize npm...

EUVD-2025-177555

Malicious code in nodejs-oberon-ignite-node-sass npm...

MAL-2025-188325 Malicious code in nodejs-csrf-sagitta-materialize (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55b4a0d0f7ff3dd984df6f9575fd59892f7044b99a492bdad2834ae0362abd51 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-122909

Malicious code in radiant-development-eslint-plugin-nodejs npm...