CVE-2025-29774

CVE-2025-29774 concerns the xml-crypto Node.js library. The issue allows an attacker to modify a valid signed XML message such that signature verification still passes, enabling bypass of authentication/authorization in systems that rely on xml-crypto for verifying signed XML. Affected versions a...

CVE-2025-29774 xml-crypto Vulnerable to XML Signature Verification Bypass via Multiple SignedInfo References

xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. Th...

PT-2025-11287

Name of the Vulnerable Software and Affected Versions xml-crypto versions prior to 6.0.1 xml-crypto versions prior to 3.2.1 xml-crypto versions prior to 2.1.6 Description The xml-crypto library for Node.js contains a vulnerability that allows an attacker to modify a valid signed XML message in a...

Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities found in Java, Node.js and IBM WebSphere Application Server Liberty

Summary There are multiple vulnerabilities in Java, Node.js and IBM WebSphere Application Server Liberty used by IBM Cloud Transformation Advisor. Vulnerability Details CVEID:CVE-2024-43799 DESCRIPTION: pillarjs send is vulnerable to cross-site scripting, caused by improper validation of...

The vulnerability of the Node.js software platform, related to the lack of memory release after the effective lifespan, allows a hacker to trigger a service failure.

The vulnerability of the Node.js software platform lies in the lack of memory release after the effective lifespan of the application. Exploiting this vulnerability can allow a remote attacker to cause service interruptions...

Security Bulletin: Multiple vulnerabilities in nodejs affect IBM Business Automation Workflow Configuration Editor (nodejs January security release)

Summary IBM Business Automation Workflow Configuration Editor repackages a nodejs runtime and multiple application level models. Vulnerabilities have been reported for the runtime and some modules.. Vulnerability Details CVEID:CVE-2025-23083 DESCRIPTION: With the aid of the diagnosticschannel...

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to cross-site scripting [CVE-2025-26791]

Summary node.js module DOMPurify is used by IBM App Connect Enterprise Certified Container DesignerAuthoring operands. DesignerAuthoring operands are vulnerable to cross-site scripting. This bulletin provides patch information to address the reported vulnerability in node.js module DOMPurify...

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service [CVE-2024-55565]

Summary Node.js module nanoid is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js module nanoid...

Security Bulletin: Vulnerability in Node.js affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component.

Summary Potential vulnerability in Node.js has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information. Vulnerabili...

CVE-2024-28607

The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses such as 0x7f.1 are improperly categorized as globally routable via a falsy isPrivate return value...

CVE-2024-28607

The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses such as 0x7f.1 are improperly categorized as globally routable via a falsy isPrivate return value...

CVE-2024-28607

CVE-2024-28607 affects the ip-utils package for Node.js up to version 2.4.0. The root cause is a faulty isPrivate check that can misclassify certain IPs (e.g., 0x7f.1) as globally routable, enabling SSRF. Documented impacts are SSRF risk; no explicit remediation or patch/version guidance is prese...

CVE-2024-28607

The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses such as 0x7f.1 are improperly categorized as globally routable via a falsy isPrivate return value...

CVE-2024-28607

The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses such as 0x7f.1 are improperly categorized as globally routable via a falsy isPrivate return value...

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to remote security bypass due to Node.js package

Summary Node.js is used by the DataStage on Cloud Pak for Data ds-canvas service as part of Javascript processing. Vulnerability Details CVEID:CVE-2023-39331 DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass when verifying file...

CVE-2025-27597

Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the...

CVE-2025-27597 Vue I18n Prototype Pollution in `handleFlatJson`

Vue I18n is the internationalization plugin for Vue.js. @intlify/message-resolver and @intlify/vue-i18n-core are vulnerable to Prototype Pollution through the entry function: handleFlatJson. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the...

Updates on CVE for End-of-Life Versions

Updates on CVE for End-of-Life Versions Update on the issuance of CVEs to mark End-of-Life Node.js Versions TL;DR: CVE-2025-23087, CVE-2025-23088, and CVE-2025-23089 issued to tag EOL versions have been rejected by the CVE Program. The Node.js team has, therefore, decided to update previous...

Linux Distros Unpatched Vulnerability : CVE-2025-23085

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected b...

Linux Distros Unpatched Vulnerability : CVE-2025-23083

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - With the aid of the diagnosticschannel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also...