7863 matches found

Github Security Blog
added 2026/01/02 3:20 p.m., 7 views

Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding

Summary: A Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Details: The...

CVSS 7.5, AI score 7.1, EPSS 0.00085
Exploits: 1, References: 5, Affected Software: 1
Hacker One
added 2025/12/28 7:39 p.m., 4 views

Node.js: Permission Model Bypass in realpathSync.native Allows File Existence Disclosure

Vulnerability description not provided...

CVSS 3.3, AI score 6.2, EPSS 0.00006
Exploits: 0
Rapid7 Blog
added 2025/12/19 9:2 p.m., 10 views

Metasploit Wrap-Up 12/19/2025

React2Shell Payload Improvements: Last week Metasploit released an exploit for the React2Shell vulnerability, and this week we have made a couple of improvements to the payloads that it uses. The first improvement affects all Metasploit modules. When an exploit is used, an initial payload is...

CVSS 8.4, AI score 8.2, EPSS 0.52948
Exploits: 2
IBM Security Bulletins
added 2025/12/09 10:59 a.m., 5 views

Security Bulletin: IBM Documentation Offline is vulnerable to `Node.js ReadFileUtf8 and HTTP Parser flaws` due to Node.js (CVE-2025-23165, CVE-2025-23167)

Summary: IBM Documentation Offline utilizes Node.js as a third-party component, which contains two vulnerabilities that could potentially affect your product's stability and security. CVE-2025-23165 (CVSS: 3.7) is a Denial of Service (DoS) vulnerability in the ReadFileUtf8 internal binding. Repeated u...

CVSS 7.5, AI score 6.8, EPSS 0.0056
Exploits: 1, Affected Software: 1
Hacker One
added 2025/12/08 1:21 a.m., 6 views

Node.js: Unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

A vulnerability was discovered in the Fetch API of Node.js that allowed an unbounded number of links in the decompression chain for HTTP responses. This could lead to resource exhaustion, as the default maxHeaderSize allowed a malicious server to insert thousands of compression steps, resulting i...

AI score 5.6
Exploits: 0
GithubExploit
added 2025/12/06 5:57 a.m., 128 views

exploit-poc

Node.js Web Server Exploit PoC: Security vulnerabilities that can occur in a Node.js web server...

AI score 7.4
Exploits: 0
GithubExploit
added 2025/12/05 3:2 a.m., 135 views

Exploit for CVE-2025-55182

CVE-2025-55182 This repository contains a PoC reproduction of...

CVSS 10, AI score 8.2, EPSS 0.84489
Exploits: 362
GithubExploit
added 2025/12/04 2:46 a.m., 121 views

Exploit for CVE-2025-55182

CVE-2025-55182 Scanner & Exploit Lab This repository contains...

CVSS 10, AI score 7.7, EPSS 0.84489
Exploits: 362
Hacker One
added 2025/12/03 12:21 a.m., 9 views

Node.js: CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown

Vulnerability description not provided...

CVSS 3.3, AI score 6.6, EPSS 0.00095
Exploits: 0
CNNVD
added 2025/12/01 12:0 a.m., 4 views

Identifier Withdrawn

Express.js is a fast, unconstrained, minimalist open-source web framework for Node.js from expressjs. This CVE number has been withdrawn...

AI score 6.5, EPSS 0.00014
Exploits: 0, References: 4
The Hacker News
added 2025/11/20 4:57 p.m., 6 views

Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows

Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that's targeting Windows users. Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an...

AI score 7.3
Exploits: 0
Tenable Nessus
added 2025/11/20 12:0 a.m., 3 views

TencentOS Server 3: nodejs:20 (TSSA-2025:0462)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0462 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

CVSS 7.5, AI score 7.1, EPSS 0.0056
Exploits: 1, References: 4
IBM Security Bulletins
added 2025/11/18 4:53 p.m., 7 views

Security Bulletin: URI Handling Vulnerability Causes Unbounded Memory Allocation (DoS)

Summary: Axios is a promise-based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and return...

CVSS 7.5, AI score 6.7, EPSS 0.00257
Exploits: 1, Affected Software: 1
IBM Security Bulletins
added 2025/11/14 8:49 p.m., 7 views

Security Bulletin: Multiple vulnerabilities in IBM Planning Analytics Advanced Certified Containers

Summary: Multiple vulnerabilities were addressed in IBM Planning Analytics Advanced Certified Containers 3.1.2. Vulnerability Details: CVEID: CVE-2025-23166. DESCRIPTION: The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a...

CVSS 8, AI score 6.5, EPSS 0.00304
Exploits: 3, Affected Software: 5
OSV
added 2025/11/13 10:22 p.m., 2 views

GHSA-8WJ8-CFXR-9374 AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to the rds_superuser role. A low-privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS)...

CVSS 8, AI score 6.8, EPSS 0.00229
Exploits: 0, References: 4
EUVD
added 2025/11/12 4:29 a.m., 3 views

EUVD-2025-112795

Malicious code in hermes-gacrux-meissa-cordelia npm...

AI score 6.6
Exploits: 0
EUVD
added 2025/11/12 4:29 a.m., 2 views

EUVD-2025-113242

Malicious code in geckodriver-kastra-public-deneb npm...

AI score 6.6
Exploits: 0
EUVD
added 2025/11/11 7:16 a.m., 1 views

EUVD-2025-71008

Malicious code in colouredcrayfishz3n npm...

AI score 6.6
Exploits: 0
EUVD
added 2025/11/11 7:16 a.m., 1 views

EUVD-2025-69814

Malicious code in influentiallocustz3n npm...

AI score 6.6
Exploits: 0
AstraLinux
added 2025/11/01 10:54 a.m., 3 views

Astra Linux - vulnerability in nodejs

A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports...

CVSS 6.5, AI score 6, EPSS 0.00133
Exploits: 0, References: 3