[SECURITY] Fedora 42 Update: nodejs20-20.20.2-4.fc42

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

CVE-2026-43997

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbolnodejs.util.inspect.custom. This vulnerability...

vm2 安全漏洞

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 have security vulnerabilities; these vulnerabilities stem from sandbox escape exploits, allowing...

Basic FTP 资源管理错误漏洞

Basic FTP is a Node.js FTP client library developed by Patrick Juchli. Versions of Basic FTP prior to 5.3.1 had a resource management vulnerability. This vulnerability stemmed from the lack of restrictions on the size of control responses when parsing multiple lines of the FTP control channel...

Unity Linux 20.1060e / 20.1070e Security Update: nodejs (UTSA-2026-017544)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017544 advisory. Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change...

[SECURITY] Fedora 43 Update: nodejs22-22.22.2-2.fc43

Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed...

UBUNTU-CVE-2026-42264

Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser in the HTTP adapter are read via direct property access without hasOwnProperty guards, making th...

NPM: vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak

NPM: vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

Security Bulletin: Vulnerabilities in Spring WebFlux, Jenkins, Spring Securiy, Spring Framework, and Node.js lodash might affect IBM Storage Defender Copy Data Management.

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Spring WebFlux, Jenkins, Spring Securiy, Spring Framework, and Node.js lodash. Vulnerabilities include an attacker, local attacker, remote attacker and authenticated attacker could exploit these vulnerabilitie...

EUVD-2026-26995

VM2 Has a WASM Sandbox Escape Node 25 only...

CVE-2026-42039

A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the toFormData function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js...

[SECURITY] Fedora 43 Update: nodejs20-20.20.2-3.fc43

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

[SECURITY] Fedora 44 Update: nodejs20-20.20.2-3.fc44

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

Summary The FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF \r\n sequences. An attacker who controls the .type property of a Blob/File-like object e.g., via a user-uploaded fil...

CVE-2026-26332

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVE-2026-26332

vm2 (Node.js sandbox) contains a sandbox-escape vulnerability: prior to 3.11.0, SuppressedError can allow code execution outside the sandbox. The issue is fixed in version 3.11.0. Affected software: vm2; impact described as arbitrary code execution with sandbox escape. No exploitation details are...

CVE-2026-24120

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in versio...

RHCOS 2 : node.js (RHSA-2015:1545)

The remote Red Hat Enterprise Linux CoreOS 2 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2015:1545 advisory. - SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack CVE-2014-3566 Note that Nessus has not tested for this issue but has instead...

RHCOS 2 : node.js (RHSA-2015:1546)

The remote Red Hat Enterprise Linux CoreOS 2 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2015:1546 advisory. - SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack CVE-2014-3566 Note that Nessus has not tested for this issue but has instead...

Astra Linux - уязвимость в nodejs

If the Node.js HTTPS API was used incorrectly, and “undefined” was passed as the “rejectUnauthorized” parameter, no error would be returned, and connections to servers with expired certificates would be accepted...