124 matches found
Budibase 安全漏洞
Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.39.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of the raw...
MAL-2026-4808 Malicious code in wm-idp-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd package.json declares "node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch" — a direct HTTPS tarball URL hosted on a domain...
Malicious code in wm-idp-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd package.json declares "node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch" — a direct HTTPS tarball URL hosted on a domain...
MAL-2026-4556 Malicious code in express-enrouten-async (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e Package name mimics the legitimate express-enrouten route-discovery library, but the shipped index.js only hardcodes two demo routes rather than...
Malicious code in express-enrouten-async (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e Package name mimics the legitimate express-enrouten route-discovery library, but the shipped index.js only hardcodes two demo routes rather than...
CVE-2026-43995 Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axios instead of using the secured wrapper. These tools include 1 OpenAPIToolkit/OpenAPIToolkit.ts, 2...
CVE-2026-43995
Flowise is affected by an SSRF-related vulnerability in which multiple tools (OpenAPIToolkit.ts, WebScraperTool.ts, MCP/core.ts, Arxiv/core.ts) directly import raw HTTP clients (node-fetch, axios) instead of the centralized httpSecurity.ts wrapper. This bypass allows outbound requests to evade th...
Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
Summary A Server-Side Request Forgery SSRF protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTPDENYLIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandb...
Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
Summary Flowise introduced SSRF protections through a centralized HTTP security wrapper httpSecurity.ts that implements deny-list validation and IP pinning logic. However, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axiosInstead of using the secured...
GHSA-QQVM-66Q4-VF5C Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
Summary Flowise introduced SSRF protections through a centralized HTTP security wrapper httpSecurity.ts that implements deny-list validation and IP pinning logic. However, multiple tool implementations directly import and invoke raw HTTP clients node-fetch, axiosInstead of using the secured...
ROOT-APP-NPM-CVE-2022-0235 CVE-2022-0235 in @rootio/node-fetch - Patched by Root
Root has patched CVE-2022-0235 in the @rootio/node-fetch package for Root:npm. Multiple fixed versions available...
MiracleLinux 8 : nodejs:14 nodejs-nodemon-2.0.20-2.module+el8+1579+35966ec0, nodejs-packaging-23-3.module+el8+1579+35966ec0, nodejs-14.21.1-2.module+el8+1579+35966ec0 (AXSA:2023-4653:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-4653:01 advisory. minimist: prototype pollution CVE-2021-44906 node-fetch: exposure of sensitive information to an unauthorized actor CVE-2022-0235 nodejs-minimatch:...
MiracleLinux 7 : rh-nodejs14-nodejs-nodemon-2.0.20-2.el7, rh-nodejs14-nodejs-14.21.1-3.el7 (AXSA:2023-4997:01)
The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-4997:01 advisory. glob-parent: Regular Expression Denial of Service CVE-2021-35065 minimist: prototype pollution CVE-2021-44906 node-fetch: exposure of sensitive...
CVE-2026-22036 Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. This...
EUVD-2020-1335
Malware in sbrugna...
Unity Linux 20.1060a / 20.1070a Security Update: nodejs-nodemon (UTSA-2025-003048)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-003048 advisory. node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor Tenable has extracted the preceding description block directly from the Unity...
EUVD-2022-0683
Malicious code in bioql PyPI...
EUVD-2022-6634
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2020-15168
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the...
MAL-2025-42035 Malicious code in node-fetch-v3 (npm)
The package node-fetch-v3 was found to contain malicious code...