320 matches found

CVE
added 2025/07/09 6:45 p.m. · 18 views

CVE-2025-53620

The CVE-2025-53620 issue affects @builder.io/qwik-city (Qwik meta-framework) where executing a Qwik Server Action QRL may load the file containing the symbol; if an invalid qfunc is sent, the server does not handle the thrown error, causing a Node.js process exit. This is documented as a vulnerab...

CVSS 9.2 · AI score 6.3 · EPSS 0.0015
Exploits: 0 · References: 1
Vulnrichment
added 2025/07/09 6:45 p.m. · 5 views

CVE-2025-53620 Crashing any Qwik Server

@builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed, it dynamically loads the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node.js to exit. This vulnerability is fixed in...

CVSS 9.2 · AI score 6.9 · EPSS 0.0015
Exploits: 0 · References: 1
Github Security Blog
added 2025/07/09 6:10 p.m. · 5 views

Qwik's unhandled exception vulnerability can cause server crashes from malicious requests

Summary: Possibility to craft a request that will crash the Qwik Server in the default configuration. Details: When a Qwik Server Action QRL is executed, it dynamically loads the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then...

CVSS 9.2 · AI score 7.2 · EPSS 0.0015
Exploits: 0 · References: 5 · Affected Software: 1
OSV
added 2025/07/09 6:10 p.m. · 3 views

GHSA-QR9H-J6XG-2J72 Qwik's unhandled exception vulnerability can cause server crashes from malicious requests

Summary: Possibility to craft a request that will crash the Qwik Server in the default configuration. Details: When a Qwik Server Action QRL is executed, it dynamically loads the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then...

CVSS 9.2 · AI score 6.3 · EPSS 0.0015
Exploits: 0 · References: 5
OSV
added 2025/06/26 2:19 p.m. · 1 views

USN-7599-2 python-pip vulnerability

USN-7599-1 fixed vulnerabilities in python-urllib3. This update provides the corresponding update for python-pip for CVE-2025-50181. Original advisory details: Jacob Sandum discovered that urllib3 handled redirects even when they were explicitly disabled while using the PoolManager. An attacker...

CVSS 6.1 · AI score 6.7 · EPSS 0.00079
Exploits: 1 · References: 2
OSV
added 2025/06/25 6:48 p.m. · 1 views

USN-7599-1 python-urllib3 vulnerabilities

Jacob Sandum discovered that urllib3 handled redirects even when they were explicitly disabled while using the PoolManager. An attacker could possibly use this issue to obtain sensitive information. CVE-2025-50181 Illia Volochii discovered that urllib3 incorrectly handled retry and redirect...

CVSS 6.1 · AI score 6.7 · EPSS 0.00079
Exploits: 1 · References: 3
RedHat Linux
added 2025/06/04 7:44 a.m. · 3 views

nodejs: Remote Crash via SignTraits::DeriveBits() in Node.js

A flaw was found in Node.js, specifically in the C++ method SignTraits::DeriveBits. This vulnerability can allow a remote attacker to crash the Node.js runtime via untrusted input, triggering an exception in a background thread...

CVSS 7.5 · AI score 7.2 · EPSS 0.00304
Exploits: 0 · References: 5
RedHat Linux
added 2025/06/03 8:28 p.m. · 3 views

nodejs: Memory Leak in Node.js ReadFileUtf8 Binding Leading to DoS

A flaw was found in the ReadFileUtf8 internal binding of Node.js. This vulnerability can allow an attacker to cause an application denial of service via repeated file read operations that trigger an unrecoverable memory leak due to a corrupted pointer in the underlying file system binding...

CVSS 3.7 · AI score 6.8 · EPSS 0.0056
Exploits: 0 · References: 5
RedHat Linux
added 2025/06/03 7:53 p.m. · 4 views

nodejs: Improper HTTP Header Termination in Node.js 20 Enables Request Smuggling

A flaw was found in the HTTP parser of Node.js. This vulnerability allows attackers to perform request smuggling and bypass proxy-based access controls via improperly terminated HTTP/1 headers using \r\n\rX instead of the standard \r\n\r\n...

CVSS 6.5 · AI score 7.3 · EPSS 0.00096
Exploits: 1 · References: 5
Vulnrichment
added 2025/05/19 4:1 p.m. · 8 views

CVE-2025-26621 OpenCTI vulnerable to Denial of Service through web hook

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the "manage customizations" capability can edit a webhook that will execute JavaScript code. This can be abused to cause a denial of service attack by prototype...

CVSS 7.6 · AI score 7.4 · EPSS 0.00727
Exploits: 0 · References: 2
CNNVD
added 2025/05/19 12:0 a.m. · 2 views

Multer security vulnerability

Multer is an expressjs open source middleware for Node.js. A security vulnerability exists in Multer versions prior to 2.0.0, which stems from improper handling of streams and could lead to resource exhaustion and memory leaks...

CVSS 7.5 · AI score 6.1 · EPSS 0.00177
Exploits: 0 · References: 3
SUSE CVE
added 2025/05/16 2:53 a.m. · 1 views

SUSE CVE-2025-23165

In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory...

CVSS 5.3 · AI score 6.9 · EPSS 0.0056
Exploits: 0 · References: 7
OSV
added 2025/05/01 7:15 a.m. · 1 views

DEBIAN-CVE-2025-47153

Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs20.19.0+dfsg-2i386.deb for Debian GNU/Linux, have an inconsistent off_t size, e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the...

CVSS 6.5 · AI score 7.1 · EPSS 0.00186
Exploits: 0 · References: 1
OSV
added 2025/03/14 3:44 p.m. · 3 views

OESA-2025-1274 nodejs security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

CVSS 5.3 · AI score 6.7 · EPSS 0.00164
Exploits: 0 · References: 2
RedHat Linux
added 2025/02/17 7:21 p.m. · 4 views

undici: Undici Uses Insufficiently Random Values

A flaw was found in the undici package for Node.js. Undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If an app has a mechanism that sends multipart requests t...

CVSS 6.8 · AI score 7.3 · EPSS 0.00605
Exploits: 0 · References: 11
RedHat Linux
added 2025/02/12 3:32 p.m. · 3 views

nodejs: Node.js Worker Thread Exposure via Diagnostics Channel

A flaw was found in the Node.js diagnostics_channel. This vulnerability allows an attacker to reinstate and misuse worker constructors, potentially bypassing the Permission Model via hooking into events when a worker thread is created...

CVSS 7.7 · AI score 7.3 · EPSS 0.00105
Exploits: 0 · References: 5
Positive Technologies
added 2025/02/12 12:0 a.m. · 3 views

PT-2025-7066 · Node.Js +1 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: parse-duration versions prior to 2.1.3. Description: The issue is related to an event loop delay due to the CPU-bound operation of resolving the provided string, which can range from 0.5ms to 50ms per operation, depending on the size of the inp...

CVSS 7.5 · AI score 6.6 · EPSS 0.00117
Exploits: 0 · References: 9
SUSE CVE
added 2025/01/23 3:48 a.m. · 3 views

SUSE CVE-2025-23083

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage...

CVSS 7.8 · AI score 6.9 · EPSS 0.00105
Exploits: 0 · References: 11
NVD
added 2025/01/22 2:15 a.m. · 13 views

CVE-2025-23083

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage...

CVSS 7.7 · EPSS 0.00105
Exploits: 0 · References: 4
OSV
added 2025/01/22 2:15 a.m. · 1 views

ALPINE-CVE-2025-23083

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage...

CVSS 7.7 · AI score 6.8 · EPSS 0.00105
Exploits: 0 · References: 1