
5 matches found

vulnersOsv
added 2026/05/19 12:0 a.m., 3 views

limit-size (>=0.1.3 <=0.1.4), limit-size-webpack-plugin (>=1.0.0 <=1.0.5) potentially affected by unknown CVE via byte-parser (=1.0.0)

byte-parser NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on byte-parser and may be impacted: - limit-size =0.1.3, =1.0.0, =1.0.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3846...

AI score: 5.8
Exploits: 0

OSSF Malicious Packages
added 2026/05/19 12:0 a.m., 6 views

Malicious code in byte-parser (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5

RedHat Linux
added 2026/04/13 3:0 a.m., 0 views

undici: undici: Denial of Service via crafted WebSocket frame with large length

A flaw was found in undici. A remote attacker could exploit this vulnerability by sending a specially crafted WebSocket frame with an extremely large 64-bit length. This causes undici's ByteParser to overflow its internal calculations, leading to an invalid state and a fatal TypeError. The primar...

CVSS: 7.5, AI score: 7.1, EPSS: 0.0012
Exploits: 0, References: 7

RedHat Linux
added 2026/04/08 1:58 p.m., 1 views

undici: undici: Denial of Service via crafted WebSocket frame with large length

A flaw was found in undici. A remote attacker could exploit this vulnerability by sending a specially crafted WebSocket frame with an extremely large 64-bit length. This causes undici's ByteParser to overflow its internal calculations, leading to an invalid state and a fatal TypeError. The primar...

CVSS: 7.5, AI score: 6, EPSS: 0.0012
Exploits: 0, References: 7

Snyk
added 2026/03/12 8:21 p.m., 1 views

Uncaught Exception

Overview: undici is an HTTP/1.1 client, written from scratch for Node.js. Affected versions of this package are vulnerable to Uncaught Exception in the ByteParser when handling a specially crafted WebSocket frame with an extremely large 64-bit length. An attacker can cause the process to termina...

CVSS: 8.7, AI score: 5.8, EPSS: 0.0012
Exploits: 0, References: 2