4420 matches found
AZL-55950 CVE-2025-22150 affecting package nodejs for versions less than 20.14.0-5
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If...
The vulnerability of the WebSocket module in Node.js operating systems on FortiOS and proxy servers, which allows attackers to elevate privileges to the “super-admin” level.
The vulnerability of the WebSocket module in Node.js operating systems on FortiOS and FortiProxy proxy servers relates to bypassing the authentication process by using an alternative path or channel. Exploiting this vulnerability allows a malicious actor to elevate their privileges to “super-admi...
CVE-2022-4904 affecting package nodejs 14.21.3-1
CVE-2022-4904 affecting package nodejs 14.21.3-1. No patch is available currently...
CVE-2024-27980 vulnerabilities
Vulnerabilities for packages: nodejs...
CVE-2024-27980
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled...
Medium: nodejs
Issue Overview: Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string. CVE-2024-21538 Affected...
CVE-2024-55950
Tabby (formerly Terminus) prior to version 1.0.216 is affected by a vulnerability caused by overly permissive entitlements that enable dangerous capabilities (camera, microphone, and access to personal folders) through Apple Events, plus entitlements that can permit code injection. The root cause...
The vulnerability of the cross-spawn programming platform package in Node.js, which allows a hacker to trigger a service failure
The vulnerability of the Node.js software platform’s cross-spawn package, related to the use of a regular expression with inefficient computational complexity. Exploiting this vulnerability can allow a remote attacker to cause service interruptions...
22 bug fix and enhancement update
An update is available for module.nodejs-nodemon, nodejs-packaging, module.nodejs-packaging, nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list...
Security update for nodejs18
This update for nodejs18 fixes the following issues: CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856) Other fixes: - Update to 18.20.5 esm: mark import attributes and JSON module as stable deps: + upgrade npm to 10.8.2 + update simdutf to 5.6.0 +...
SUSE-SU-2024:4301-1 Security update for nodejs18
This update for nodejs18 fixes the following issues: - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856) Other fixes: - Update to 18.20.5 esm: mark import attributes and JSON module as stable deps: + upgrade npm to 10.8.2 + update simdutf to 5.6.0 +...
Security update for nodejs20
This update for nodejs20 fixes the following issues: CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856) Other fixes: - Updated to 20.18.1: Experimental Network Inspection Support in Node.js Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext New...
SUSE-SU-2024:4300-1 Security update for nodejs20
This update for nodejs20 fixes the following issues: - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856) Other fixes: - Updated to 20.18.1: Experimental Network Inspection Support in Node.js Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext New...
Security update for nodejs18
This update for nodejs18 fixes the following issues: CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856) Update to 18.20.5 esm: mark import attributes and JSON module as stable deps: upgrade npm to 10.8.2 update simdutf to 5.6.0 update brotli to 1.1.0...
Malicious code in binance-toolbox-nodejs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7a585655865db20c2d6f9419d9c516d93d59ac420d066bda570716d917933605 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
AZL-54017 CVE-2024-52798 affecting package nodejs-nodemon 2.0.3-4
path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgra...
Malicious code in cdp-agentkit-nodejs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6d53da33893272680319756bf6d56dbd2de8b7d06bc19bd46c65f06c11336031 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...