87 matches found
⚡ Weekly Recap: Hot CVEs, npm Worm Returns, Firefox RCE, M365 Email Raid & More
Hackers aren't kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and "trusted" partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest...
Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft
Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that's reminiscent of the Shai-Hulud attack. The new supply chain campaign, dubbed Sha1-Hulud , has compromised hundreds of npm packages, according to reports from Aikido,...
CVE-2025-55152
CVE-2025-55152 affects the oak middleware (Deno/native HTTP stack) with vulnerable versions 17.1.5 and earlier. Public records describe a Regular Expression Denial of Service / DoS: using specially crafted values in the headers x-forwarded-proto or x-forwarded-for can cause substantial slowdown o...
Exploit for Code Injection in Xwiki
CVE-2025-24893 Install bun: bash curl -fsSL https://bun.c...
GHSA-356W-63V5-8WF4 Vite has an `server.fs.deny` bypass with an invalid `request-target`
Summary The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. Impact Only apps with the following conditions are affected. - explicitly exposing the Vite dev server to the network using --host or server.host config option - running the Vite de...
CVE-2025-32395 Vite has an `server.fs.deny` bypass with an invalid `request-target`
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec RFC 9112 does not allow in request-target. Although an attacker can sen...
GHSA-V9MX-4PQQ-H232 Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo
Versions of the package bun before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects...