
73 matches found

AstraLinux
added 2026/05/03 11:59 p.m. | 2 views

Astra Linux - vulnerability in http-parser

Node.js versions before 10.23.1, 12.20.1, 14.15.4, and 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling...

CVSS 6.5 | AI score 6.9 | EPSS 0.11865
Exploits: 2 | References: 2
OSV
added 2026/04/22 8:25 p.m. | 7 views

GHSA-C3H8-G69V-PJRG i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...

CVSS 8.6 | AI score 5.9 | EPSS 0.00018
Exploits: 0 | References: 4
RedHat Linux
added 2026/04/13 2:27 a.m. | 1 view

nodejs: Nodejs denial of service

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate...

CVSS 7.5 | AI score 7 | EPSS 0.00056
Exploits: 0 | References: 5
Positive Technologies
added 2026/04/10 12:0 a.m. | 1 view

PT-2026-32033

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc url parameter during document upload...

CVSS 5.3 | AI score 5.9 | EPSS 0.00043
Exploits: 0 | References: 4
OSV
added 2026/04/06 7:58 a.m. | 1 view

BIT-NODE-MIN-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

CVSS 5.9 | AI score 6.5 | EPSS 0.00012
Exploits: 0 | References: 2
AlpineLinux
added 2026/03/30 7:7 p.m. | 1 view

CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

CVSS 5.9 | AI score 6.5 | EPSS 0.00012
Exploits: 0
Vulnrichment
added 2026/03/30 7:7 p.m. | 1 view

CVE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...

CVSS 5.3 | AI score 6.4 | EPSS 0.00019
Exploits: 0 | References: 1
CNNVD
added 2026/03/30 12:0 a.m. | 2 views

Node.js security vulnerability

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Versions 20.x, 22.x, 24.x, and 25.x of Node.js have security vulnerabilities. These vulnerabilities stem from HMAC verification using a comparison that does not maintain constant time, whi...

CVSS 5.9 | AI score 6.8 | EPSS 0.00012
Exploits: 0 | References: 1
vulnersOsv
added 2026/02/25 10:33 p.m. | 4 views

@chocolatey-software/astro (>=2.0.0 <=2.5.0), choco-astro (>=0.3.1 <=0.4.0) potentially affected by CVE-2026-27729 via @astrojs/node (>=9.2.2 <=9.5.2)

@astrojs/node NPM version =9.2.2, =2.0.0, =0.3.1, =0.4.0 Source cves: CVE-2026-27729 Source advisory: OSV:GHSA-JM64-8M5Q-4QH8...

CVSS 7.5 | AI score 5.8 | EPSS 0.00164
Exploits: 1
Cvelist
added 2026/01/20 8:41 p.m. | 12 views

CVE-2025-55132

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes even when the process has only read permissions. Unlike utimes, futimes does not apply the expected write-permission checks, which means file metadata can be modified in read-only...

CVSS 2.8 | EPSS 0.00012
Exploits: 0 | References: 1
CVE
added 2026/01/20 8:41 p.m. | 24 views

CVE-2025-55130

The CVE-2025-55130 entry describes a path traversal bypass in Node.js permission model: crafted relative symlink paths can cause reads/writes outside the allowed directory when --allow-fs-read/--allow-fs-write checks pass, enabling read/write of sensitive files and potential system compromise. Af...

CVSS 9.1 | AI score 5.8 | EPSS 0.00016
Exploits: 2 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/01/20 8:41 p.m. | 5 views

CVE-2025-55130

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files...

CVSS 7.1 | AI score 5.8 | EPSS 0.00016
Exploits: 2 | References: 1
CNNVD
added 2026/01/20 12:0 a.m. | 2 views

Node.js security vulnerabilities

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Versions 20, 22, 24, and 25 of Node.js contain security vulnerabilities. These vulnerabilities stem from flaws in the permission model, which could allow attackers to bypass file system...

CVSS 9.1 | AI score 7.1 | EPSS 0.00016
Exploits: 2 | References: 2
IBM Security Bulletins
added 2025/11/11 4:2 p.m. | 2 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in node

Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in node Vulnerability Details CVEID:CVE-2021-43803 DESCRIPTION: Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In...

CVSS 7.5 | AI score 7.3 | EPSS 0.02149
Exploits: 0 | Affected Software: 1
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-0725

Malware in sbrugna...

CVSS 6.5 | AI score 6.7 | EPSS 0.00369
Exploits: 0 | References: 8
EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2020-29056

Malware in sbrugna...

CVSS 7.4 | AI score 7.3 | EPSS 0.01183
Exploits: 1 | References: 15
vulnersOsv
added 2025/08/27 11:12 p.m. | 3 views

@codingducksrl/nx-duck (>=0.4.1 <=0.4.6), @nativescript/plugin-tools (>=5.5.0 <=5.5.3) +11 more potentially affected by CVE-2025-10894 via @nx/node (>=20.0.0-beta.0 <=20.9.0-canary.20250415-bc685ce)

@nx/node NPM version =20.0.0-beta.0, =0.4.1, =5.5.0, =4.0.0, =2.12.0, =20.0.0-beta.0, =20.0.0-beta.0, =20.0.0-beta.0, =20.0.0, =20.0.0, =0.2.0, =20.0.0, =20.2.1-dev.3 - @terrxo/nx-cloudflare =4.0.1 - @ziacik/azure-func =4.0.0 Source cves: CVE-2025-10894 Source advisory: OSV:MAL-2025-41441...

CVSS 9.6 | AI score 5.8 | EPSS 0.0031
Exploits: 0
vulnersOsv
added 2025/08/27 4:42 p.m. | 2 views

@caliobase/caliobase-nx (>=0.3.53 <=0.3.54), @nestledjs/all (>=0.0.1 <=0.1.22) +4 more potentially affected by CVE-2025-10894 via @nx/node (>=21.0.0-beta.0 <=21.5.0-canary.20250904-2c678a1)

@nx/node NPM version =21.0.0-beta.0, =0.3.53, =0.0.1, =0.0.1, =0.0.1, =21.0.0, =21.0.0, =21.5.0-canary.20250904-ec1f1a4 Source cves: CVE-2025-10894 Source advisory: OSV:GHSA-CXM3-WV7P-598C...

CVSS 9.6 | AI score 5.8 | EPSS 0.0031
Exploits: 0
vulnersOsv
added 2025/08/27 4:42 p.m. | 2 views

@codingducksrl/nx-duck (>=0.4.1 <=0.4.6), @nativescript/plugin-tools (>=5.5.0 <=5.5.3) +11 more potentially affected by CVE-2025-10894 via @nx/node (>=20.0.0-beta.0 <=20.9.0-canary.20250415-bc685ce)

@nx/node NPM version =20.0.0-beta.0, =0.4.1, =5.5.0, =4.0.0, =2.12.0, =20.0.0-beta.0, =20.0.0-beta.0, =20.0.0-beta.0, =20.0.0, =20.0.0, =0.2.0, =20.0.0, =20.2.1-dev.3 - @terrxo/nx-cloudflare =4.0.1 - @ziacik/azure-func =4.0.0 Source cves: CVE-2025-10894 Source advisory: OSV:GHSA-CXM3-WV7P-598C...

CVSS 9.6 | AI score 5.8 | EPSS 0.0031
Exploits: 0
vulnersOsv
added 2025/08/27 1:12 a.m. | 3 views

@caliobase/caliobase-nx (>=0.3.53 <=0.3.54), @nestledjs/all (>=0.0.1 <=0.1.22) +4 more potentially affected by CVE-2025-10894 via @nx/node (>=21.0.0-beta.0 <=21.5.0-canary.20250904-2c678a1)

@nx/node NPM version =21.0.0-beta.0, =0.3.53, =0.0.1, =0.0.1, =0.0.1, =21.0.0, =21.0.0, =21.5.0-canary.20250904-ec1f1a4 Source cves: CVE-2025-10894 Source advisory: SNYK:JS-NXNODE-12205640...

CVSS 9.6 | AI score 5.8 | EPSS 0.0031
Exploits: 0