89 matches found
MAL-2025-32577 Malicious code in rvi-http-node-server (npm)
The package rvi-http-node-server was found to contain malicious code...
CVE-2024-23340
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
CVE-2025-32395 Vite has an `server.fs.deny` bypass with an invalid `request-target`
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec RFC 9112 does not allow in request-target. Although an attacker can sen...
PT-2025-15989 · Vite
Name of the Vulnerable Software and Affected Versions: Vite versions prior to 6.2.6 Vite versions prior to 6.1.5 Vite versions prior to 6.0.15 Vite versions prior to 5.4.18 Vite versions prior to 4.5.13 Description: Vite is a frontend tooling framework for javascript. The contents of arbitrary...
Linux Distros Unpatched Vulnerability : CVE-2024-27982
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request...
CVE-2025-27500 Cross Site Scripting potential in Ziti Console
OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint/api/upload on the admin panel can be accessed without any form of authentication. This endpoint accepts an HTTP POST to upload a file which is then stored on the node and is available via URL...
MAL-2025-362 Malicious code in node-server-sdk (npm)
Source: ghsa-malware 99319a0fd3901abbb085faaaf7efaf653934eae74c3d6d4e442005aa875e822d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
nodejs: HTTP Request Smuggling via Content Length Obfuscation
An HTTP Request Smuggling vulnerability was found in Node.js due to Content-Length Obfuscation in the HTTP server. Malformed headers, particularly if a space is inserted before a content-length header, can result in HTTP request smuggling. This flaw allows attackers to inject a second request...
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
...
DEBIAN-CVE-2024-27982
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in ...
GHSA-HGXW-5XG3-69JX @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
Impact The application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty string, slashes /, and other strings. For example, if you have a simple application: ts import...
CVE-2024-32652 @hono/node-server contains Denial of Service risk when receiving Host header that cannot be parsed
The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname such as an empty...
CVE-2024-32652
Summary: CVE-2024-32652 affects the Node.js adapter @hono/node-server. Before version 1.10.1, handling of invalid Host header values (e.g., empty strings or values not parseable as a hostname) could cause the application to hang via an Invalid URL error. The advisory states that 1.10.1 fixes the ...
PT-2024-24746
Name of the Vulnerable Software and Affected Versions @hono/node-server versions prior to 1.10.1 Description The application hangs when receiving a Host header with a value that @hono/node-server can't handle well. Invalid values are those that cannot be parsed by the URL as a hostname, such as a...
node-server security vulnerability
node-server is an adapter that allows users to run Hono applications on Node.js. A security vulnerability exists in node-server versions prior to 1.10.1 that stems from a denial-of-service risk when receiving an unresolvable Host header...
The vulnerability of the HTTP-server in the Node.js software platform allows attackers to circumvent security restrictions and cause service failures.
The vulnerability of the HTTP server in the Node.js software platform is related to an uncontrolled resource consumption caused by reading an unlimited number of bytes from a single connection when processing HTTP requests with fragmented encoding. Exploiting this vulnerability allows a remote...
SUSE CVE-2024-27983
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...