Azure Linux 3.0 Security Update: nodejs / nodejs18 / reaper (CVE-2024-28863)

The version of nodejs / nodejs18 / reaper installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-28863 advisory. - node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the numbe...

Azure Linux 3.0 Security Update: cloud-hypervisor-cvm / edk2 / hvloader / nodejs / nodejs18 / openssl (CVE-2024-4603)

The version of cloud-hypervisor-cvm / edk2 / hvloader / nodejs / nodejs18 / openssl installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-4603 advisory. - Issue summary: Checking excessively long DSA ke...

Mageia: Security Advisory (MGASA-2025-0041)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Updated nodejs packages fix security vulnerabilities

Worker permission bypass via InternalWorker leak in diagnostics. CVE-2025-23083 GOAWAY HTTP/2 frames cause memory leak outside heap. CVE-2025-23085...

DEBIAN-CVE-2025-23085

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory...

AZL-56519 CVE-2025-23085 affecting package nodejs for versions less than 20.14.0-5

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory...

AZL-56476 CVE-2025-23085 affecting package nodejs18 for versions less than 18.20.3-3

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory...

Node.js 安全漏洞

Node.js is an open source, cross-platform JavaScript runtime environment from the Node.js open source. A security vulnerability exists in Node.js versions v18.x, v20.x, v22.x, and v23.x. The vulnerability stems from a memory leak that may occur when a remote peer suddenly closes a socket without...

ajax-request 安全漏洞

ajax-request is a nodejs HTTP request by nothing personal developer. A security vulnerability exists in ajax-request v1.2.3, which stems from the lib.post function containing a prototype contamination vulnerability...

Important: nodejs20

Issue Overview: Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values...

Important: nodejs20

Issue Overview: Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values...

Malicious code in sample-nodejs-vsk-with-adm (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 268548cd4032a80297c2f7fd9c2e1171027f9ecf4fabcb35debfb7c1fbc0cc13 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-1173 Malicious code in sample-nodejs-vsk-with-adm (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 268548cd4032a80297c2f7fd9c2e1171027f9ecf4fabcb35debfb7c1fbc0cc13 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Improper Access Control

snowflake-connector-nodejs is vulnerable to Improper Access Control. The vulnerability is due to insufficient file permission checks due to an attacker with write access to the local cache directory being able to bypass temporary credential cache restrictions...

CVE-2025-23083 affecting package nodejs for versions less than 20.14.0-4

CVE-2025-23083 affecting package nodejs for versions less than 20.14.0-4. A patched version of the package is available...

Malicious code in nodejs-paypal-checkout-demo (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 909c8505097e7b62c38bde6c75bb0ba8516f566136ec093b913944bcbdd1130e Any computer that has this package installed or running should be considered...

snowflake-sdk may incorrectly validate temporary credential cache file permissions

Issue Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This vulnerability affects versions 1.12.0 through 2.0.1 on Linux...

GHSA-XFHV-WQJ6-RX99 snowflake-sdk may incorrectly validate temporary credential cache file permissions

Issue Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This vulnerability affects versions 1.12.0 through 2.0.1 on Linux...

CVE-2025-24791

CVE-2025-24791 affects snowflake-connector-nodejs (Snowflake NodeJS Driver) on Linux. The vulnerability allows bypassing file permissions checks for the temporary credential cache, exploitable by an attacker with write access to the local cache directory. Affected versions are 1.12.0 through 2.0....

CVE-2025-24791 snowflake-connector-nodejs has incorrect validation of temporary credential cache file permissions

snowflake-connector-nodejs is a NodeJS driver for Snowflake. Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This...