Lucene search
K

7 matches found

Cvelist
Cvelist
•added 2026/06/23 5:18 p.m.•36 views

CVE-2026-49411 Deno Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could therefore pass a numeric alias of an IP address fo...

6.5CVSS0.00111EPSS
Exploits1References1
OSV
OSV
•added 2026/06/16 7:9 p.m.•5 views

GHSA-V8FW-85R8-5M23 Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks

Summary Deno's network permission model is designed so that --deny-net rules apply to the resolved IP address of a destination, not just the literal string supplied by the caller. That means --deny-net=127.0.0.1 or --deny-net=127.0.0.0/8 is expected to block any attempt to reach loopback,...

6.5CVSS5.6AI score0.00111EPSS
Exploits1References2
Positive Technologies
Positive Technologies
•added 2026/06/16 12:0 a.m.•18 views

PT-2026-50148

Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.8.0 Description The Node.js compatibility TCP path fails to re-verify network permissions after hostname resolution. While the network permission model is intended to apply rules to the resolved IP address, affected...

6.5CVSS5.9AI score0.00111EPSS
Exploits1References6
Github Security Blog
Github Security Blog
•added 2026/05/05 12:40 a.m.•12 views

Axios: no_proxy bypass via IP alias allows SSRF

The fix for noproxy hostname normalization bypass 10661 is incomplete.When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy function does pure string matching — it does not resolve IP aliases or loopback...

7.5CVSS5.8AI score0.00301EPSS
Exploits1References3Affected Software1
OSV
OSV
•added 2026/05/05 12:40 a.m.•7 views

GHSA-M7PR-HJQH-92CM Axios: no_proxy bypass via IP alias allows SSRF

The fix for noproxy hostname normalization bypass 10661 is incomplete.When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy function does pure string matching — it does not resolve IP aliases or loopback...

6.8CVSS5.8AI score0.00301EPSS
Exploits1References3
Vulnrichment
Vulnrichment
•added 2026/04/24 5:57 p.m.•7 views

CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for noproxy hostname normalization bypass is incomplete. When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy...

6.8CVSS5.3AI score0.00301EPSS
Exploits1References1
CVE
CVE
•added 2026/04/24 5:57 p.m.•77 views

CVE-2026-42038

Axios no_proxy bypass via IP alias allows SSRF in older releases. Affected: Axios (browser/Node.js). Fault: shouldBypassProxy() uses pure string matching and does not resolve IP aliases or loopback equivalents, so requests to 127.0.0.1 or [::1] can be proxied when no_proxy=localhost. Impact: pote...

7.5CVSS5.3AI score0.00301EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder