7866 matches found

Source: IBM Security Bulletins (added 2025/06/24 10:50 a.m., 5 views)

Security Bulletin: IBM App Connect Enterprise is vulnerable to a Denial of Service due to Node.js module Multer (CVE-2025-47935 & CVE-2025-47944)

Summary: IBM App Connect Enterprise Connector Discovery and OpenAPI Editor is vulnerable to a Denial of Service due to Node.js module Multer. Vulnerability Details: CVEID: CVE-2025-47935. DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. Versions prior to 2.0.0 are...

CVSS 7.5 | AI score 7.2 | EPSS 0.00177 | Exploits 0 | Affected software 1
Source: RedhatCVE (added 2025/06/23 11:19 p.m., 1 view)

CVE-2025-6547

A flaw was found in the npm pbkdf2 library, allowing signature spoofing. Under specific use cases, pbkdf2 may return static keys. This issue only occurs when running the library on Node.js...

CVSS 9.1 | AI score 6.2 | EPSS 0.00091 | Exploits 0 | References 5
Source: Github Security Blog (added 2025/06/23 10:42 p.m., 5 views)

pbkdf2 silently disregards Uint8Array input, returning static keys

Summary: On historic but declared as supported Node.js versions 0.12-2.x, pbkdf2 silently disregards Uint8Array input. This only affects Node.js = 0.12 and there seems to be ongoing effort in this repo to maintain that. Support Uint8Array input: input is typechecked against Uint8Array, and the error...

CVSS 9.1 | AI score 6.9 | EPSS 0.00091 | Exploits 0 | References 4 | Affected software 1
Source: Vulnrichment (added 2025/06/23 7:00 p.m., 4 views)

CVE-2025-6547: On Node.js < 3, pbkdf2 silently disregards Uint8Array input, returning static keys

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <= 3.1.2...

CVSS 9.1 | AI score 7.2 | EPSS 0.00091 | Exploits 0 | References 2
Source: CVE (added 2025/06/23 7:00 p.m., 90 views)

CVE-2025-6547

CVE-2025-6547 is an Improper Input Validation flaw in pbkdf2 (affecting pbkdf2

CVSS 9.1 | AI score 6.6 | EPSS 0.00091 | Exploits 0 | References 2
Source: Cvelist (added 2025/06/23 7:00 p.m., 13 views)

CVE-2025-6547: On Node.js < 3, pbkdf2 silently disregards Uint8Array input, returning static keys

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects pbkdf2: <= 3.1.2...

CVSS 9.1 | EPSS 0.00091 | Exploits 0 | References 2
Source: Vulnrichment (added 2025/06/23 6:41 p.m., 3 views)

CVE-2025-6545: pbkdf2 silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos supported by Node.js

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program file lib/to-buffer.js. This issue affects pbkdf2: from 3.0.10 through 3.1.2...

CVSS 9.1 | AI score 7.2 | EPSS 0.00416 | Exploits 0 | References 3
Source: Cvelist (added 2025/06/23 6:41 p.m., 17 views)

CVE-2025-6545: pbkdf2 silently returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos supported by Node.js

Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program file lib/to-buffer.js. This issue affects pbkdf2: from 3.0.10 through 3.1.2...

CVSS 9.1 | EPSS 0.00416 | Exploits 0 | References 3
Source: IBM Security Bulletins (added 2025/06/23 11:53 a.m., 4 views)

Security Bulletin: IBM Application Modernization Accelerator is affected by multiple vulnerabilities found in Java and Node.js

Summary: There are multiple vulnerabilities in Java and Node.js used by IBM Application Modernization Accelerator: CVE-2025-21587, CVE-2025-30698, CVE-2025-4447, CVE-2025-47935, CVE-2025-47944, CVE-2025-27789, CVE-2025-46653, CVE-2025-48997, CVE-2025-48050. Vulnerability Details: CVEID: CVE-2025-2158...

CVSS 8.7 | AI score 7.7 | EPSS 0.00392 | Exploits 1 | Affected software 1
Source: Tenable Nessus (added 2025/06/23 12:00 a.m., 5 views)

Alibaba Cloud Linux 3 : 0090: nodejs:20 (ALINUX3-SA-2025:0090)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2025:0090 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-23165: In Node.js, the ReadFileUt...

CVSS 7.5 | AI score 7.2 | EPSS 0.0056 | Exploits 1 | References 4
Source: Positive Technologies (added 2025/06/23 12:00 a.m., 1 view)

PT-2025-26634 · Node.Js +2

Name of the Vulnerable Software and Affected Versions: pbkdf2 versions 3.0.10 through 3.1.2. Description: The issue is related to an Improper Input Validation vulnerability in pbkdf2, allowing Signature Spoofing by Improper Validation. This vulnerability is associated with program files...

CVSS 9.1 | AI score 6.8 | EPSS 0.00416 | Exploits 0 | References 21
Source: IBM Security Bulletins (added 2025/06/19 5:12 p.m., 52 views)

Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities

Summary: IBM Security Guardium Insights has addressed the following vulnerabilities. Vulnerability Details: CVEID: CVE-2020-13949. DESCRIPTION: Apache Thrift is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted messages, a remote attacker could exploi...

CVSS 9.8 | AI score 9.7 | EPSS 0.11865 | Exploits 7 | Affected software 1
Source: CVE (added 2025/06/19 1:42 a.m., 156 views)

CVE-2025-50182

CVE-2025-50182: Affects urllib3 (Python HTTP client). The issue is that prior to 2.5.0, when urllib3 is used in environments like Pyodide (Python in a browser/Node via Fetch/XMLHttpRequest), redirects are not controlled; Pyodide determines redirect behavior, and retries/redirect params are ignor...

CVSS 6.1 | AI score 5.1 | EPSS 0.00066 | Exploits 0 | References 3 | Affected software 1
Source: OSV (added 2025/06/19 1:42 a.m., 3 views)

CVE-2025-50182: urllib3 does not control redirects in browsers and Node.js

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means...

CVSS 5.3 | AI score 6.2 | EPSS 0.00066 | Exploits 0 | References 5
Source: Cvelist (added 2025/06/19 1:42 a.m., 9 views)

CVE-2025-50182: urllib3 does not control redirects in browsers and Node.js

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means...

CVSS 5.3 | EPSS 0.00066 | Exploits 0 | References 3
Source: IBM Security Bulletins (added 2025/06/16 6:51 p.m., 14 views)

Security Bulletin: IBM App Connect Enterprise is vulnerable to a Time-of-check Time-of-use (TOCTOU) Race Condition due to Node.js module snowflake (CVE-2025-46328)

Summary: IBM App Connect Enterprise Discovery Connectors is vulnerable to a Time-of-check Time-of-use (TOCTOU) Race Condition due to Node.js module snowflake. Vulnerability Details: CVEID: CVE-2025-46328. DESCRIPTION: snowflake-connector-nodejs is a NodeJS driver for Snowflake. Versions starting from 1.10...

CVSS 7 | AI score 6.7 | EPSS 0.00027 | Exploits 0 | Affected software 1
Source: AstraLinux (added 2025/06/16 11:28 a.m., 1 view)

Astra Linux - vulnerability in nodejs

The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...

CVSS 7.5 | AI score 7.6 | EPSS 0.00304 | Exploits 0 | References 3
Source: Tenable Nessus (added 2025/06/16 12:00 a.m., 8 views)

TencentOS Server 3: nodejs:18 (TSSA-2025:0194)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0194 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

CVSS 6.8 | AI score 6.5 | EPSS 0.00605 | Exploits 0 | References 3
Source: Tenable Nessus (added 2025/06/16 12:00 a.m., 5 views)

TencentOS Server 3: nodejs:20 (TSSA-2024:0109)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0109 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

CVSS 9.8 | AI score 7 | EPSS 0.01642 | Exploits 0 | References 8
Source: Tenable Nessus (added 2025/06/16 12:00 a.m., 2 views)

TencentOS Server 3: nodejs:18 (TSSA-2023:0204)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2023:0204 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

CVSS 7.5 | AI score 6.9 | EPSS 0.01916 | Exploits 1 | References 5