Fedora 41 : nodejs18 (2025-e330d34ecc)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-e330d34ecc advisory. Update to version 18.20.6 (rhbz2341760, rhbz2340936, rhbz2300997). Resolves CVE-2025-23084. Tenable has extracted the preceding description block directly from the...
BIT-NODE-2025-23084
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory...
BIT-NODE-MIN-2025-23084
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation Fixes for June 2024.
Summary In addition to OS level package updates, multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF034 and 23.0.2-IF006. Vulnerability Details CVEID:CVE-2024-28849 DESCRIPTION: Node.js follow-redirects module could allow a remote authenticated...
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open-Source Software (OSS) components
Summary There are vulnerabilities in multiple Open-Source Software (OSS) components consumed by IBM Planning Analytics Workspace. These issues have been addressed in IBM Planning Analytics Workspace by upgrading or removing the vulnerable libraries. Please refer to the table in the Related...
Lazarus Group Uses React-Based Admin Panel to Control Global Cyber Attacks
The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns. "Each C2 server hosted a...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service [CVE-2024-52798]
Summary node.js module path-to-regexp is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in node.js module...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to use of insufficient random values [CVE-2025-22150]
Summary Node.js module undici is used by IBM App Connect Enterprise Certified Container for http calls. IBM App Connect Enterprise Certified Container DesignerAuthoring, IntegrationServer and IntegrationRuntime operands are vulnerable to use of insufficient random values. This bulletin provides...
Security Bulletin: IBM App Connect Enterprise Certified Container Dashboards that use COS S3 storage are vulnerable to denial of service and security restrictions bypass [CVE-2024-48948] [CVE-2024-48949]
Summary Node.js module elliptic is used by IBM App Connect Enterprise Certified Container for signature validation. IBM App Connect Enterprise Certified Container Dashboard operands that use COS S3 storage are vulnerable to denial of service and security restrictions bypass. This bulletin provide...
Security Bulletin: IBM Maximo Application Suite uses grpc-js-1.8.21.tgz which is vulnerable to CVE-2024-37168
Summary IBM Maximo Application Suite uses grpc-js-1.8.21.tgz which is vulnerable to CVE-2024-37168. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-37168 DESCRIPTION: gRPC on Node.js is vulnerable to a denial of service, caused ...
Security Bulletin: Due to use of Node.js IBM DataPower Gateway vulnerable to denial of service (CVE-2024-45590)
Summary Node.js is used by IBM DataPower Gateway as part of the user interface. Vulnerability Details CVEID:CVE-2024-45590 DESCRIPTION: expressjs body-parser is vulnerable to a denial of service, caused by a flaw when url encoding is enabled. By sending a specially crafted payload, a remote...
Security Bulletin: IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands are vulnerable to denial of service [CVE-2024-21536]
Summary Node.js module http-proxy-middleware is used by IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring components, which are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js module...
Security Bulletin: Multiple vulnerabilities may affect IBM Decision Optimization for Cloud Pak for Data (CVE-2024-42459, CVE-2024-42460 and CVE-2024-42461)
Summary There are multiple vulnerabilities in Node.js Elliptic used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-42461 DESCRIPTION: Node.js Elliptic module coul...
Security Bulletin: IBM Data Product Hub uses Node.js axios & elliptic modules which are vulnerable (CVE-2024-39338, CVE-2024-42459, CVE-2024-42460, CVE-2024-42461)
Summary IBM Data Product Hub has dependencies on Node.js axios & elliptic modules which are vulnerable (CVE-2024-39338, CVE-2024-42459, CVE-2024-42460, CVE-2024-42461). This bulletin contains information regarding the vulnerabilities and their fixture. Vulnerability Details CVEID:CVE-2024-42461...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to micromatch-4.0.5.tgz CVE-2024-4067
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to micromatch-4.0.5.tgz CVE-2024-4067. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-4067 DESCRIPTION: Node.js micromatch module is vulnerable to a denial of...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to braces-3.0.2.tgz CVE-2024-4068
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to braces-3.0.2.tgz CVE-2024-4068. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-4068 DESCRIPTION: Node.js braces module is vulnerable to a denial of service,...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to denial of service vulnerability in gRPC on Node.js [CVE-2024-37168]
Summary A potential denial of service vulnerability in gRPC on Node.js (CVE-2024-37168) has been identified that could affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-3716...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to denial of service vulnerability in Node.js ws module [CVE-2024-37890]
Summary A potential denial of service vulnerability in Node.js ws module (CVE-2024-37890) has been identified that could affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js braces module denial of service vulnerability [CVE-2024-4068]
Summary A potential Node.js braces module denial of service vulnerability (CVE-2024-4068) has been identified that could affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-40...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and server-side request forgery [CVE-2024-45590] [CVE-2024-39338]
Summary Node.js modules expressjs and axios are used by IBM App Connect Enterprise Certified Container for making and responding to HTTP communications. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and server-side request forgery. This bulletin...