
26 matches found

GithubExploit
added 2026/04/19 11:25 p.m. · 63 views

node-security-poc

No d...

AI score 5.7
Exploits 0
Node JS Blog
added 2026/03/24 12:00 a.m. · 3 views

Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8

Developing a minimally HashDoS resistant, yet quickly reversible integer hash for V8 What happens when a hashing scheme needs to be both HashDoS resistant and quickly reversible? That's the puzzle we tried to solve for addressing CVE-2026-21717 in the March 2026 Node.js security release. This led...

AI score 5.8
Exploits 0
OSV
added 2026/02/04 10:16 p.m. · 3 views

DEBIAN-CVE-2026-25547

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service DoS issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, t...

CVSS 9.2 · AI score 7.3 · EPSS 0.0002
Exploits 0 · References 1
Snyk
added 2026/01/13 4:33 p.m. · 1 view

UNIX Symbolic Link (Symlink) Following

Overview: Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the fs.symlink function. An attacker can escape the allowed path and read/write sensitive files by chaining directories and symlinks, bypassing --allow-fs-read and --allow-fs-write restrictions...

CVSS 9.1 · AI score 6.7 · EPSS 0.00016
Exploits 2 · References 2
EUVD
added 2025/12/03 3:59 p.m. · 1 view

EUVD-2025-200922

Malicious code in elf-stats-festive-snowglobe-440 npm...

AI score 6.6
Exploits 0
OSV
added 2025/11/12 6:00 p.m. · 1 view

MAL-2025-171423 Malicious code in joshuahoward (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a7cce4b043163f50039cd2ef6b1fea715d095a229d5b72e3c54f2a1ce9b774f6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits 0
OSV
added 2025/11/12 4:29 a.m. · 1 view

MAL-2025-147983 Malicious code in slides-callisto-pegasus-dagda (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8f8c6de5893d173108562b870f2f25e12c0603035a3c2a34d595c1f62804b2df This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits 0
OSSF Malicious Packages
added 2025/11/11 4:25 a.m. · 2 views

Malicious code in fitri-rendang24-kyuki (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 86aa5b8809d980f9708c015eaa2c4f03d00c4c2045c8aef0c1974154be2560aa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0
Cvelist
added 2025/11/07 10:59 p.m. · 5 views

CVE-2025-64436 KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes

KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This vulnerability could...

CVSS 6.9 · EPSS 0.00104
Exploits 1 · References 1
EUVD
added 2025/10/07 12:30 a.m. · 1 view

EUVD-2011-2853

Malware in sbrugna...

CVSS 6.8 · AI score 6.1 · EPSS 0.00485
Exploits 0 · References 4
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2022-0513

Malicious code in bioql PyPI...

CVSS 5.5 · AI score 5.8 · EPSS 0.00143
Exploits 0 · References 7
OSV
added 2025/09/16 5:05 p.m. · 1 view

MAL-2025-47257 Malicious code in @operato/i18n (npm)

The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fc67f45593512ec564f71036ae8e4d33dabfb3b45021a37f253ca8fb76d2027f Any computer that has this package installed or running should be considered fully compromised. All...

AI score 7.1
Exploits 0 · References 6
OSSF Malicious Packages
added 2025/08/14 6:52 p.m. · 2 views

Malicious code in @zalastax/nolb-ha3 (npm)

The package @zalastax/nolb-ha3 was found to contain malicious code...

AI score 7
Exploits 0
Github Security Blog
added 2025/05/07 3:25 p.m. · 19 views

Mithril snapshots for Cardano database could be compromised by an adversary

Impact: Mithril certification of Cardano database. The Mithril network provides certification for snapshots of the Cardano database, enabling users to quickly bootstrap a Cardano node without relying on the slower peer-to-peer synchronization process. To generate a multi-signature, a minimum...

AI score 6.9
Exploits 0 · References 2 · Affected Software 1
RedhatCVE
added 2025/02/05 7:41 p.m. · 5 views

CVE-2022-39274

LoRaMac-node is a reference implementation and documentation of a LoRa network node. Versions of LoRaMac-node prior to 4.7.0 are vulnerable to a buffer overflow. Improper size validation of the incoming radio frames can lead to a 65280-byte out-of-bounds write. The function ProcessRadioRxDone...

CVSS 9.8 · AI score 7.2 · EPSS 0.02408
Exploits 1 · References 1
Positive Technologies
added 2024/11/18 12:00 a.m. · 1 view

PT-2024-35490 · Unknown · Bitcoin Core

Name of the Vulnerable Software and Affected Versions: Bitcoin Core versions prior to 25.1 Description: The issue allows an attacker to cause a node to not download the latest block. This can happen due to minutes of delay when an announcing peer stalls instead of complying with the peer-to-peer...

CVSS 6.5 · AI score 6.3 · EPSS 0.00229
Exploits 0 · References 7
Positive Technologies
added 2023/11/14 12:00 a.m. · 1 view

PT-2023-30525 · Vantage6 · Vantage6

Name of the Vulnerable Software and Affected Versions: vantage6 versions prior to 4.1.2 Description: The issue arises when a node does not check if an image is allowed to run if a parent id is set. A malicious party that breaches the server may modify it to set a fake parent id and send a task of...

CVSS 8.8 · AI score 8.5 · EPSS 0.00325
Exploits 0 · References 13
RedHat Linux
added 2023/09/26 3:05 p.m. · 1 view

nodejs: Permissions policies can be bypassed via process.binding

A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsync' to run arbitrary code outside of the limits defined in a...

CVSS 7.5 · AI score 7.3 · EPSS 0.00061
Exploits 1 · References 5
Veracode
added 2021/11/01 11:51 p.m. · 15 views

Incorrect Signature Verification

coreos-installer is using incorrect signature verification. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original installation image can write arbitrary...

CVSS 7.8 · AI score 4.1 · EPSS 0.00099
Exploits 0 · References 5 · Affected Software 1
vulnersOsv
added 2021/01/08 5:08 p.m. · 1 view

@11ty/eleventy (=0.3.3), @36node/swagen (=0.1.2) +2022 more potentially affected by CVE-2021-23369 via handlebars (>=4.0.0 <=4.7.6)

handlebars NPM version =4.0.0, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =1.0.1, =0.4.0, =3.0.0, =1.0.0, =0.1.0, =0.0.1, =0.0.1, =1.0.2-alpha.0, =1.0.0, =1.2.1 and more Source cves: CVE-2021-23369 Source advisory: SNYK:JS-HANDLEBARS-1056767...

CVSS 9.8 · AI score 6.8 · EPSS 0.03582
Exploits 2