CVE-2025-30218 Next.js may leak x-middleware-subrequest-id to external hosts
Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host ...
Information Exposure
Overview org.apache.maven.scm:maven-scm-providers-git is an SCM Provider implementation for Git. Affected versions of this package are vulnerable to Information Exposure due to improper handling of passwords in different components. When a git password contains special characters, a discrepancy in...
Amazon tough security vulnerability
Amazon tough is a Rust client library for The Update Framework (TUF) repository from Amazon.com, USA. A security vulnerability exists in Amazon tough versions prior to 0.20.0 that stems from the client failing to detect a rollback of a delegated target during a target rollback, which could cause th...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.1
Summary In addition to updates of open source dependencies, the following security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.1. Vulnerability Details CVEID: CVE-2022-21724 DESCRIPTION: PostgreSQL JDBC Driver (PgJDBC) could allow a remote authenticated attack...
Malicious code in cdn-icon-fetch (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8c5df12b33f292879e5c1199fb8a0130cbbb1a1cd4cf1d3e72cb723143ccaa1d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-GM45-Q3V2-6CF8 Fast-JWT Improperly Validates iss Claims
Summary The fast-jwt library does not properly validate the iss claim based on the RFC https://datatracker.ietf.org/doc/html/rfc7519page-9. Details The iss issuer claim validation within the fast-jwt library permits an array of strings as a valid iss value. This design flaw enables a potential...
Embedded Malicious Code
Overview cdn-icon-fetch is a Malicious package. Affected versions of this package are vulnerable to Embedded Malicious Code. Once this package is installed and executed, it downloads a Javascript file from a cdn-static-server.vercel.app URL, which appears to be an image hosting site. However, by...
Linux Distros Unpatched Vulnerability : CVE-2024-22025
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch function to retriev...
Linux Distros Unpatched Vulnerability : CVE-2019-8515
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A cross-origin issue existed with the fetch API. This was addressed with improved input validation. This issue is fixed in iOS 12.2, tvOS 12.2, Safari 12.1,...
Server-side Request Forgery (SSRF)
Overview rembg is a tool to remove image backgrounds. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /api/remove endpoint, which takes a URL query parameter to fetch, process, and return images. An attacker can access pictures hosted on the internal network of...
Linux Distros Unpatched Vulnerability : CVE-2010-1637
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to sc...
MAL-2025-1589 Malicious code in fetch-tickers (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7f0187567d205aa7da957efef8fc0b7abd060a5e4496f0028b5be6748eba2b74 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-1588 Malicious code in fetch-futures (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 36303469b4b722a511ff26abb00c2f9d98e2bbc9e5a983883772746c507de77b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in typescript-fetch-test (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e8cbef6fc47f35e73ce5047126081811e0bfd94bf56f17ed66e7a534c89568d6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
UBUNTU-CVE-2022-49218
In the Linux kernel, the following vulnerability has been resolved: drm/dp: Fix OOB read when handling Post Cursor2 register The linkstatus array was not large enough to read the Adjust Request Post Cursor2 register, so remove the common helper function to avoid an OOB read, found with a...
CVE-2022-49218 drm/dp: Fix OOB read when handling Post Cursor2 register
In the Linux kernel, the following vulnerability has been resolved: drm/dp: Fix OOB read when handling Post Cursor2 register The linkstatus array was not large enough to read the Adjust Request Post Cursor2 register, so remove the common helper function to avoid an OOB read, found with a...
Metasploit Weekly Wrap-Up 02/21/2025
BeyondTrust exploit + fetch payload updates This Metasploit release includes an exploit module that chains two vulnerabilities, one exploited in the wild by APT groups and another one, a 0-day discovered by Rapid7 during the vulnerability analysis. This week's release also includes a significant...