Lucene search
+L

68 matches found

OSV
OSV
added 2026/03/30 8:16 p.m.6 views

UBUNTU-CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

7.5CVSS7.3AI score0.26356EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/30 7:7 p.m.3 views

CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

7.5CVSS7AI score0.26356EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/30 7:7 p.m.2 views

CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

7.5CVSS7.1AI score0.26356EPSS
Exploits0References2Affected Software1
Debian CVE
Debian CVE
added 2026/03/30 7:7 p.m.4 views

CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

7.5CVSS7.8AI score0.26356EPSS
Exploits0
Cvelist
Cvelist
added 2026/03/30 7:7 p.m.170 views

CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

7.5CVSS0.26356EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/03/30 7:7 p.m.2 views

CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

7.5CVSS7AI score0.26356EPSS
Exploits0
CNNVD
CNNVD
added 2026/03/30 12:0 a.m.9 views

Node.js 安全漏洞

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Security vulnerabilities exist in Node.js versions 20.x, 22.x, 24.x, and 25.x. These vulnerabilities stem from improper handling of HTTP requests. When the request header contains the name...

7.5CVSS7.1AI score0.26356EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/03/28 12:25 a.m.5 views

SUSE CVE-2026-33495

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the...

6.5CVSS5.9AI score0.00233EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/27 10:51 p.m.12 views

CVE-2026-33495

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the...

6.5CVSS5.9AI score0.00233EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/26 5:26 p.m.2 views

CVE-2026-33495 Ory Oathkeeper has an authentication bypass by usage of untrusted header

ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the...

6.5CVSS5.8AI score0.00233EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/25 7:32 p.m.6 views

fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections

Summary When trustProxy is configured with a restrictive trust function e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function, the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including...

6.1CVSS5.8AI score0.0012EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2026/03/25 3:18 p.m.5 views

Uncaught Exception

Overview Affected versions of this package are vulnerable to Uncaught Exception in Node.js HTTP request handling. The flaw triggers when an incoming request includes a header named proto and the server application accesses req.headersDistinct. This causes dest"proto" to incorrectly resolve to...

8.7CVSS7.1AI score0.26356EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/03/25 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2026-21710

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses...

7.5CVSS7.1AI score0.26356EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/03/24 12:0 a.m.5 views

Node.js 20.x < 20.20.2 Multiple Vulnerabilities (Tuesday, March 24, 2026 Security Releases).

The version of Node.js installed on the remote host is prior to 20.20.2. It is, therefore, affected by multiple vulnerabilities as referenced in the Tuesday, March 24, 2026 Security Releases advisory. - A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of ...

7.5CVSS6.9AI score0.26356EPSS
Exploits0References10
Snyk
Snyk
added 2026/03/23 1:53 p.m.3 views

Use of Less Trusted Source

Overview fastify is an overhead web framework, for Node.js. Affected versions of this package are vulnerable to Use of Less Trusted Source in the request.protocol and request.host getters. An attacker can manipulate the perceived protocol and host by sending crafted X-Forwarded-Proto and...

6.1CVSS5.8AI score0.0012EPSS
Exploits0References2
OSV
OSV
added 2026/03/20 8:50 p.m.14 views

GHSA-VHR5-GGP3-QQ85 Ory Oathkeeper has an authentication bypass by usage of untrusted header

Description Ory Oathkeeper is often deployed behind other components like CDNs, WAFs, or reverse proxies. Depending on the setup, another component might forward the request to the Oathkeeper proxy with a different protocol http vs. https than the original request. In order to properly match the...

6.5CVSS5.8AI score0.00233EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.6 views

PT-2026-26779

Name of the Vulnerable Software and Affected Versions Ory Oathkeeper affected versions not specified Description Ory Oathkeeper, when deployed behind components like CDNs or reverse proxies, may incorrectly evaluate rules due to improper handling of the X-Forwarded-Proto header. The configuration...

6.5CVSS5.7AI score0.00233EPSS
Exploits0References6
EUVD
EUVD
added 2025/11/13 10:46 p.m.12 views

EUVD-2025-175298

Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass...

6.5CVSS6.3AI score0.01189EPSS
Exploits2References5
Github Security Blog
Github Security Blog
added 2025/11/13 10:46 p.m.14 views

Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass

Summary In impacted versions of Astro using on-demand rendering, request headers x-forwarded-proto and x-forwarded-port are insecurely used, without sanitization, to build the URL. This has several consequences the most important of which are: - Middleware-based protected route bypass only via...

6.5CVSS6.3AI score0.01189EPSS
Exploits2References6Affected Software1
EUVD
EUVD
added 2025/10/07 12:30 a.m.21 views

EUVD-2018-11829

Malware in sbrugna...

5.3CVSS5.5AI score0.01112EPSS
Exploits0References2
Rows per page
Query Builder