
7865 matches found

Tenable Nessus
added 2025/08/19 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-23166

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the...

CVSS 7.5, AI score 7.3, EPSS 0.00304
Exploits: 0, References: 2

Hacker One
added 2025/08/18 6:42 a.m., 17 views

Node.js: CWE-195 in ExternalMemoryAccounter::Increase()

Summary: V8's ExternalMemoryAccounter::Increase expects an unsigned size_t argument, but a signed ssize_t which in some cases results in garbage collection to happen during garbage collection. Here's a simplified version of what happens full backtrace has been attached in the issue:...

AI score 6.7
Exploits: 0

Tenable Nessus
added 2025/08/18 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2017-15010

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A ReDoS regular expression denial of service flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP reques...

CVSS 7.5, AI score 6.4, EPSS 0.03942
Exploits: 0, References: 2

Tenable Nessus
added 2025/08/18 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2018-12115

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and...

CVSS 7.5, AI score 8.1, EPSS 0.00797
Exploits: 0, References: 2

Tenable Nessus
added 2025/08/18 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2021-31597

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but ...

CVSS 9.4, AI score 8.1, EPSS 0.00183
Exploits: 1, References: 2

Tenable Nessus
added 2025/08/18 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2019-15606

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons CVE-2019-15606 No...

CVSS 9.8, AI score 7.6, EPSS 0.01338
Exploits: 1, References: 2

Tenable Nessus
added 2025/08/18 12:0 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2019-15605

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed CVE-2019-15605 Note that Nessus relies on...

CVSS 9.8, AI score 7.9, EPSS 0.32252
Exploits: 0, References: 2

Tenable Nessus
added 2025/08/18 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2021-22883

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' ar...

CVSS 7.8, AI score 7.2, EPSS 0.89427
Exploits: 0, References: 2

Tenable Nessus
added 2025/08/18 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2020-8287

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request for example, two Transfer-Encoding header fields...

CVSS 6.5, AI score 7.4, EPSS 0.11865
Exploits: 2, References: 2

RedhatCVE
added 2025/08/16 5:25 p.m., 7 views

CVE-2025-55195

@std/toml is the Deno Standard Library. Prior to version 1.0.9, an attacker can pollute the prototype chain in Node.js runtime and Browser when parsing untrusted TOML data, thus achieving Prototype Pollution PP vulnerability. This is because the library is merging an untrusted object with an empt...

CVSS 7.3, AI score 7.1, EPSS 0.00181
Exploits: 0, References: 1

OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 2 views

Malicious code in node.js (npm)

The package node.js was found to contain malicious code...

AI score 7
Exploits: 0

OSV
added 2025/08/14 6:52 p.m., 1 views

MAL-2025-28333 Malicious code in openset (npm)

The package openset was found to contain malicious code...

AI score 7.2
Exploits: 0

Cvelist
added 2025/08/14 4:39 p.m., 7 views

CVE-2025-55195 @std/toml Prototype Pollution in Node.js and Browser

@std/toml is the Deno Standard Library. Prior to version 1.0.9, an attacker can pollute the prototype chain in Node.js runtime and Browser when parsing untrusted TOML data, thus achieving Prototype Pollution PP vulnerability. This is because the library is merging an untrusted object with an empt...

CVSS 7.3, EPSS 0.00181
Exploits: 0, References: 3

OSV
added 2025/08/14 4:39 p.m., 2 views

CVE-2025-55195 @std/toml Prototype Pollution in Node.js and Browser

@std/toml is the Deno Standard Library. Prior to version 1.0.9, an attacker can pollute the prototype chain in Node.js runtime and Browser when parsing untrusted TOML data, thus achieving Prototype Pollution PP vulnerability. This is because the library is merging an untrusted object with an empt...

CVSS 7.3, AI score 6.9, EPSS 0.00181
Exploits: 0, References: 5

Tenable Nessus
added 2025/08/10 12:0 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2024-22018

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises fro...

CVSS 2.9, AI score 6.2, EPSS 0.00212
Exploits: 0, References: 3

Tenable Nessus
added 2025/08/08 12:0 a.m., 5 views

Node.js Multiple Packages Embedded Malicious Code (CVE-2025-54313)

Multiple nodejs packages were embedded with malicious code. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. The following nodejs packages and versions are affected: - @pkgr/core 0.2.8 - eslint-config-prettier 8.10.1, 9.1.1, 10.1.6,...

CVSS 7.5, AI score 6.8, EPSS 0.12502
Exploits: 2, References: 3

IBM Security Bulletins
added 2025/08/07 1:42 p.m., 6 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js (CVE-2025-23165 & CVE-2025-23166)

Summary IBM App Connect Enterprise is vulnerable to Missing Release of Memory after Effective Lifetime and Uncaught Exception due to Node.js. Vulnerability Details CVEID:CVE-2025-23165 DESCRIPTION: In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file...

CVSS 7.5, AI score 6.2, EPSS 0.0056
Exploits: 0, Affected Software: 1

NVD
added 2025/08/07 1:15 a.m., 6 views

CVE-2025-54798

tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4...

CVSS 5.3, EPSS 0.00469
Exploits: 1, References: 4

RedhatCVE
added 2025/08/07 12:31 a.m., 6 views

CVE-2025-54871

Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. This environment variable allows arbitrary Node.js code to be...

CVSS 5.5, AI score 6.2, EPSS 0.00061
Exploits: 1, References: 1

CVE
added 2025/08/07 12:4 a.m., 76 views

CVE-2025-54798

CVE-2025-54798 concerns the tmp package for Node.js. In versions 0.2.3 and earlier, it is vulnerable to arbitrary temporary file and directory writes via the symbolic link dir parameter. The issue is fixed in version 0.2.4; users should upgrade to 0.2.4 or later to mitigate. The connected IBM bul...

CVSS 5.3, AI score 6.5, EPSS 0.00469
Exploits: 1, References: 4, Affected Software: 1