CVE-2025-27210
An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of path.join API...
CVE-2025-27209
The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even witho...
CVE-2025-27209
CVE-2025-27209 affects Node.js v24.x where the V8 string-hashing implementation (rapidhash) re-introduces a HashDoS risk: an attacker who controls input strings can induce hash collisions, potentially enabling a DoS-style attack without knowledge of the hash seed. The vulnerability is tied to the...
Exploit for CVE-2025-27210
🔓 CVE-2025-27210 – High-Severity Path Traversal in Node.js o...
K000152630: Node.js vulnerability CVE-2025-27210
Security Advisory Description: The CVE record for the CVE ID does not exist. CVE-2025-27210. Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: F5 Product Development has evaluated the currently supported releases for potential vulnerability, and...
CVE-2025-7339
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead. Users should upgrade to version 1.1.0 to receive a patch. Uses are...
CVE-2025-7339
CVE-2025-7339 describes a vulnerability in the on-headers Node.js middleware where a bug in versions < 1.1.0 may cause response headers to be modified when an array is passed to response.writeHead(). The issue is patched in 1.1.0; users are urged to upgrade. A workaround is to pass an object t...
CVE-2025-7338 Multer vulnerable to Denial of Service via unhandled exception from malformed request
Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled...
Node.js 24.x < 24.4.1 HashDoS Vulnerability - Windows
Node.js is prone to a HashDoS vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:nodejs:node.js"; ifdescription...
PT-2025-29924 · Unknown +1 · On-Headers +1
Name of the Vulnerable Software and Affected Versions: on-headers versions prior to 1.1.0 Description: on-headers is a Node.js middleware used for listening to response headers. A flaw in versions prior to 1.1.0 may allow unintended modification of response headers when an array is passed to...
Node.js 24.x < 24.4.1 HashDoS Vulnerability - Mac OS X
Node.js is prone to a HashDoS vulnerability.
Node.js 20.x < 20.19.4, 21.x < 22.17.1, 23.x < 24.4.1 Path Traversal Protection Bypass Vulnerability - Windows
Node.js is prone to a path traversal bypass vulnerability in path.normalize.
Node.js: Windows Device Names Still Allow Path Traversal in UNC Paths After CVE-2025-27210 Fix
Summary: I found that Windows device names CON, PRN, AUX, etc. can still be used for path traversal attacks when working with UNC network paths, even after the CVE-2025-27210 patch. So basically, the fix only covered regular paths but missed the UNC path scenario when using path.join. Description:...
Exploit for CVE-2025-27210
CVE-2025-27210NodeJSPathTraversalExploiter Proof of Conce...
Node.js Path Traversal Vulnerability
Node.js is an open source, cross-platform JavaScript runtime environment from the Node.js open source. A path traversal vulnerability exists in Node.js that stems from the possibility that the system may not properly handle device names in the event that an attacker sends a malicious URL, resulti...
Exploit for CVE-2025-23167
CVE-2025-23167 – Node.js HTTP Request Smuggling Exploit Worki...
GitHub Kanban MCP Server vulnerable to Command Injection
The MCP Server at https://github.com/Sunwood-ai-labs/github-kanban-mcp-server/ is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tool definition and implementation. Vulnerable tool: The MCP Server exposes the tool addcomment which...