23 matches found

Tenable Nessus
added 2026/05/22 12:0 a.m. | 6 views

Unity Linux 20.1060e / 20.1070e Security Update: nodejs-hosted-git-info (UTSA-2026-016626)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016626 advisory. The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in...

5.3 CVSS | 6.8 AI score | 0.00554 EPSS
Exploits: 1 | References: 4

AstraLinux
added 2026/05/03 11:59 p.m. | 5 views

Astra Linux – Vulnerability in node-hosted-git-info

Packages that use hosted-git-info before version 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) attacks due to the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expressions have a polynomial worst-case time complexity...

5.3 CVSS | 6.9 AI score | 0.00554 EPSS
Exploits: 1 | References: 1

Cvelist
added 2026/03/26 8:1 p.m. | 19 views

CVE-2026-33537 Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via Photo::fromUrl) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...

5.3 CVSS | 0.00042 EPSS
Exploits: 1 | References: 2

ATTACKERKB
added 2026/03/17 5:27 p.m. | 2 views

CVE-2026-25534

Impact: Spinnaker updated URL validation logic on user input to provide sanitization on user-supplied URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully...

9.1 CVSS | 5.7 AI score | 0.00062 EPSS
Exploits: 0 | References: 4 | Affected Software: 2

Cvelist
added 2026/03/17 5:27 p.m. | 27 views

CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames

Impact: Spinnaker updated URL validation logic on user input to provide sanitization on user-supplied URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully...

9.1 CVSS | 0.00062 EPSS
Exploits: 0 | References: 3

OSV
added 2026/03/17 5:27 p.m. | 2 views

CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames

Impact: Spinnaker updated URL validation logic on user input to provide sanitization on user-supplied URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully...

9.1 CVSS | 5.8 AI score | 0.00062 EPSS
Exploits: 0 | References: 5

Positive Technologies
added 2026/03/16 12:0 a.m. | 5 views

PT-2026-25777

Impact: Spinnaker updated URL validation logic on user input to provide sanitization on user-supplied URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE (CVE-2025-61916) through the use of carefully...

9.1 CVSS | 5.7 AI score | 0.00062 EPSS
Exploits: 0 | References: 12

SUSE CVE
added 2023/02/15 3:45 a.m. | 2 views

SUSE CVE-2021-23362

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...

5.3 CVSS | 9.3 AI score | 0.00554 EPSS
Exploits: 1 | References: 19

BDU FSTEC
added 2022/01/20 12:0 a.m. | 1 view

The vulnerability of the fromUrl function in the hosted-git-info software, related to an incorrect regular expression, allows a hacker to trigger a service failure.

The vulnerability of the fromUrl function in the hosted-git-info software is related to incorrect interpretation of the regular expression. Exploiting this vulnerability could allow a malicious actor to cause service failures...

5.3 CVSS | 6.7 AI score | 0.00554 EPSS
Exploits: 1 | References: 11 | Affected Software: 4

Tenable Nessus
added 2021/08/11 12:0 a.m. | 32 views

CentOS 8 : nodejs:12 (CESA-2021:3073)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:3073 advisory. - libuv: out-of-bounds read in uvidnatoascii can lead to information disclosures or crashes (CVE-2021-22918) - nodejs-hosted-git-info: Regular Expression...

7.5 CVSS | 6.9 AI score | 0.02458 EPSS
Exploits: 3 | References: 4

RedHat Linux
added 2021/08/10 4:37 p.m. | 3 views

nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl()

A regular expression denial of service vulnerability was found in hosted-git-info. If an application allows user input into the affected regular expression (regexp) function, shortcutMatch or fromUrl, then an attacker could craft a regexp which takes an ever increasing amount of time to process,...

5.3 CVSS | 7.3 AI score | 0.00554 EPSS
Exploits: 1 | References: 4

OSV
added 2021/05/28 3:54 p.m. | 16 views

GHSA-6H7W-FC84-X7P6 StaticFile.fromUrl can leak presence of a directory

Impact: StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns FNone, indicating no resource, if url.getFile is a directory, without first checking the...

5.8 CVSS | 5.7 AI score | 0.00316 EPSS
Exploits: 0 | References: 4

OSV
added 2021/05/06 4:10 p.m. | 0 views

GHSA-43F8-2H32-F4CJ Regular Expression Denial of Service in hosted-git-info

The npm package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...

5.3 CVSS | 6.8 AI score | 0.00554 EPSS
Exploits: 1 | References: 10

OSV
added 2021/05/06 11:2 a.m. | 2 views

OESA-2021-1168 nodejs-hosted-git-info security update

Provides metadata and conversions from repository URLs for Github, Bitbucket and Gitlab. Security Fixes: The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected...

5.3 CVSS | 7 AI score | 0.00554 EPSS
Exploits: 1 | References: 2

Veracode
added 2021/03/24 4:3 a.m. | 36 views

Regular Expression Denial Of Service (ReDoS)

hosted-git-info is vulnerable to regular expression denial of service (ReDoS). An attacker can provide a malicious string via shortcutMatch in the function fromUrl in index.js to crash the application...

5.3 CVSS | 3 AI score | 0.00554 EPSS
Exploits: 1 | References: 6 | Affected Software: 3

OSV
added 2021/03/23 5:15 p.m. | 4 views

AZL-44058 CVE-2021-23362 affecting package js-jquery 3.5.0-4

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...

5.3 CVSS | 6.7 AI score | 0.00554 EPSS
Exploits: 1 | References: 1

OSV
added 2021/03/23 5:15 p.m. | 1 view

DEBIAN-CVE-2021-23362

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...

5.3 CVSS | 6.8 AI score | 0.00554 EPSS
Exploits: 1 | References: 1

UbuntuCve
added 2021/03/23 5:15 p.m. | 35 views

CVE-2021-23362

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...

5.3 CVSS | 6.8 AI score | 0.00554 EPSS
Exploits: 1 | References: 5

OSV
added 2021/03/23 5:15 p.m. | 2 views

UBUNTU-CVE-2021-23362

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...

5.3 CVSS | 6.7 AI score | 0.00554 EPSS
Exploits: 1 | References: 6

Debian CVE
added 2021/03/23 4:20 p.m. | 29 views

CVE-2021-23362

The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...

5.3 CVSS | 7.2 AI score | 0.00554 EPSS
Exploits: 1