ROS-20260410-73-0004

A vulnerability in the Node.js software platform involves an incorrect restriction of the path name of a restricted directory. Exploitation of the vulnerability could allow an attacker to compromise the system...

ROS-20260410-73-0002

A vulnerability in the Node.js software platform involves cross-boundary critical data deletion errors. Exploitation of the vulnerability could allow an attacker acting remotely to impact the confidentiality and integrity of protected information...

ROS-20260410-73-0003

A vulnerability in the Node.js software platform involves cross-boundary critical data deletion errors. Exploitation of the vulnerability could allow an attacker acting remotely to impact the confidentiality and integrity of protected information...

ROS-20260410-73-0005

A vulnerability in the Node.js software platform involves an incorrect restriction of the path name of a restricted directory. Exploitation of the vulnerability could allow an attacker to compromise the system...

Important Photon OS Security Update - PHSA-2026-5.0-0814

Updates of 'nodejs' packages of Photon OS have been released...

undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression

A flaw was found in undici. A remote attacker can exploit this vulnerability by sending a specially crafted compressed frame, known as a "decompression bomb," during permessage-deflate decompression. The undici WebSocket client does not properly limit the size of decompressed data, leading to...

nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.

A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied...

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named proto. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

CVE-2026-39911

Hashgraph Guardian up to version 3.5.0 exposes an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker. Authenticated Standard Registry users can pass user-supplied JavaScript expressions to the Node.js Function() constructor, enabling arbitrary code execution wi...

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named proto. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression

A flaw was found in undici. A remote attacker can exploit this vulnerability by sending a specially crafted compressed frame, known as a "decompression bomb," during permessage-deflate decompression. The undici WebSocket client does not properly limit the size of decompressed data, leading to...

Basic FTP 安全漏洞

Basic FTP is a Node.js FTP client library developed by Patrick Juchli. Versions of Basic FTP prior to 5.2.1 contained a security vulnerability; this vulnerability stemmed from the possibility of CRLF sequences being present in file path parameters, which could lead to FTP command injection attack...

RHEL 10 : nodejs22 (RHSA-2026:7310)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7310 advisory. Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an...

RHEL 9 : nodejs:24 (RHSA-2026:7350)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7350 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

EUVD-2026-20501

Axios HTTP/2 Session Cleanup State Corruption Vulnerability...

New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto

Netskope Threat Labs report a new ClickFix attack using fake CAPTCHAs to deploy Tor-backed NodeJS malware and drain crypto wallets on Windows...

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to path traversal (CVE-2026-29087) and timing oracle attacks (GHSA-gq3j-xvxp-8hrf)

Summary Node.js module hono is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to path traversal CVE-2026-29087 and timing oracle attacks GHSA-gq3j-xvxp-8hrf. This bulletin provides patch information to address the...

Exploit for Improper Input Validation in Nodejs Node.Js

Node.js-specific security flaws Constant Hashtable Seeds...

Security Bulletin: IBM OpenAPI SDK Generator (Node.js) is affected by the Axios supply chain attack

Summary Due to an Axios supply chain attack, a fix for IBM Node.js SDK Core https://github.com/IBM/node-sdk-core was made available on April 2, 2026 21:03 UTC to mitigate the attack. If you used a previous version there is a possibility the affected Axios package could have been available on your...

CVE-2026-34211 SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions...