13 matches found
Apache Thrift Node.js bindings vulnerable to Uncontrolled Recursion
Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue...
CVE-2026-41636
Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue...
PT-2026-35704
Name of the Vulnerable Software and Affected Versions: Apache Thrift versions prior to 0.23.0. Description: Uncontrolled Recursion occurs in the Node.js bindings of Apache Thrift. Uncontrolled recursion is a condition where a function calls itself without a proper termination condition, potentially...
EUVD-2019-0255
Malware in sbrugna...
Embedded Malicious Code
Overview: @duckdb/node-bindings is a set of Node bindings to the DuckDB C API. Affected versions of this package are vulnerable to Embedded Malicious Code. This package version contains malicious code that monitors network traffic when run in a browser and targets crypto transactions. The injected...
DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
The DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: -...
@argilzar/cli-plugin-export-parquet (>=1.0.4 <=1.3.4), @chainbound/payflow-mcp (>=0.0.1 <=0.0.2) +38 more potentially affected by unknown CVE via @duckdb/node-bindings (>=1.1.2-alpha.1 <=1.3.2-alpha.26)
@duckdb/node-bindings NPM version =1.1.2-alpha.1, =1.0.4, =0.0.1, =1.0.2, =1.0.1, =1.1.2-alpha.1, =1.6.0, =1.0.2, =0.0.1, =0.1.0, =1.2.1, =1.0.0, =0.2.0, =0.4.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2025-46993...
Malicious code in @duckdb/node-bindings (npm)
The DuckDB Node.js package @duckdb/node-bindings version 1.3.3 was compromised with malware through a sophisticated phishing attack targeting the DuckDB maintainers. An attacker created a pixel-perfect copy of the npmjs.com website at npmjs.help domain and tricked a maintainer into logging in and...
MAL-2025-46993 Malicious code in @duckdb/node-bindings (npm)
The DuckDB Node.js package @duckdb/node-bindings version 1.3.3 was compromised with malware through a sophisticated phishing attack targeting the DuckDB maintainers. An attacker created a pixel-perfect copy of the npmjs.com website at npmjs.help domain and tricked a maintainer into logging in and...
DuckDB Security Vulnerability
DuckDB is an in-process SQL OLAP database management system from DuckDB open source. A security vulnerability exists in DuckDB that stems from malicious code being planted in npm packages that could interfere with cryptocurrency transactions. The following products and versions are affected: duck...
Embedded Malicious Code
Overview: @duckdb/node-bindings is a set of Node bindings to the DuckDB C API. Affected versions of this package are vulnerable to Embedded Malicious Code. This package version contains malicious code that monitors network traffic when run in a browser and targets crypto transactions. The injected...
CVE-2016-10585
libxl provides Node bindings for the libxl library for reading and writing Excel XLS and XLSX spreadsheets. libxl downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an...
Remote code execution
libxl provides Node bindings for the libxl library for reading and writing Excel XLS and XLSX spreadsheets. libxl downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an...