4175 matches found
HTTP Fetch, Linux Add User
Fetch and execute an ARMLE payload from an HTTP server. Create a new user with UID 0 Module Options msf use payload/cmd/linux/http/armle/adduser msf payloadadduser show actions ...actions... msf payloadadduser set ACTION msf payloadadduser show options ...show and set options... msf payloadadduse...
HTTPS Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an MIPSBE payload from an HTTPS server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/https/mipsbe/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp...
TFTP Fetch, Linux Command Shell, Reverse TCP Inline
Fetch and execute an MIPSBE payload from a TFTP server. Connect back to attacker and spawn a command shell Module Options msf use payload/cmd/linux/tftp/mipsbe/shellreversetcp msf payloadshellreversetcp show actions ...actions... msf payloadshellreversetcp set ACTION msf payloadshellreversetcp sh...
TFTP Fetch
Fetch and execute an MIPSLE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/mipsle/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show...
TFTP Fetch
Fetch and execute an ARMLE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/armle/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...
Astra Linux - vulnerability in node-undici
Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch, allowing fetch to accept requests as valid even if they have been tampered with. This vulnerability was patched in versions 5.28.4 and 6.11.1...
GHSA-67MH-4WV8-2F99 esbuild enables any website to send any requests to the development server and read the response
Summary esbuild allows any websites to send any request to the development server and read the response due to default CORS settings. Details esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the...
CVE-2025-21620
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch redirect handling creates a follow-up redirect request that keeps the original...
GHSA-2452-6XJ8-JH47 Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Summary Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. Details While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by...
Use of Insufficiently Random Values in undici
Impact Undici fetch uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled websit...
GHSA-C76H-2CCP-4975 Use of Insufficiently Random Values in undici
Impact Undici fetch uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled websit...
Linux kernel security vulnerability
Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from the hclgefetchpfreg function not properly distinguishing between TQP space information when reading TQP spac...
CLSA-2025-1737155612 git: Fix of CVE-2024-32004
CVE-2024-32004: fetch/clone: detect dubious ownership of local repositories...
Bible Module for ROBLOX input validation error vulnerability
Bible Module for ROBLOX is a module about the Bible by UnknownLua Personal Developer. It allows developers to easily access information from the Bible API software. An input validation error vulnerability exists in Bible Module for ROBLOX that stems from the FetchVerse and FetchPassage functions...
CVE-2025-21620
Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch redirect handling creates a follow-up redirect request that keeps the original...
fetch: Authorization headers not dropped when redirecting cross-origin
Summary When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. Details...
GHSA-F27P-CMV8-XHM6 fetch: Authorization headers not dropped when redirecting cross-origin
Summary When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain. Details...
Deno information disclosure vulnerability
Deno is a simple, modern and secure JavaScript and TypeScript runtime environment from Deno Open Source. An information disclosure vulnerability exists in Deno versions prior to 2.1.2, which stems from the fact that fetch redirect processing creates a subsequent redirect request that retains the...
PT-2025-4305 · Deno · Deno
Name of the Vulnerable Software and Affected Versions: Deno versions prior to 2.1.2 Description: Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. When a request with the Authorization header is sent to one domain and the response asks to redirect to a different...
CVE-2024-11616
Netskope was made aware of a security vulnerability in Netskope Endpoint DLP’s Content Control Driver where a double-fetch issue leads to heap overflow. The vulnerability arises from the fact that the NumberOfBytes argument to ExAllocatePoolWithTag, and the Length argument for RtlCopyMemory, both...