4323 matches found
CVE-2025-61668
CVE-2025-61668 affects Volto (Plone ReactJS frontend). Versions 16.34.0 and earlier; 17.0.0–17.22.1; 18.0.0–18.27.1; and 19.0.0-alpha.1–19.0.0-alpha.5 allow an anonymous user to trigger a NodeJS server crash by visiting a specific URL. Root cause: improper handling of a crafted URL request leadin...
CVE-2025-61668 @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
Volto is a ReactJS-based frontend for the Plone Content Management System. Versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a...
GHSA-M8RJ-PPPH-MJ33 @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
Impact When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error. Patches The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your...
MAL-2025-47700 Malicious code in nodejs-example-google-cloud-trace (npm)
--- -= Per source details. Do not edit below this line.=-...
Malicious code in nodejs-example-google-cloud-monitoring (npm)
--- -= Per source details. Do not edit below this line.=-...
Node.js: Memory leak that enables remote Denial of Service against applications processing TLS client certificates
A memory leak was discovered in Node.js's OpenSSL integration when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. The vulnerability was triggered when applications called socket.getPeerCertificatetrue, causing steady memory growth through repeated TLS connectio...
messageformat prototype pollution vulnerability
The Runtime components of messageformat package for Node.js version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing...
CVE-2025-57353
The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing...
CVE-2025-57354
A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying...
CVE-2025-57354
A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. The affected versions prior to 0.18.6 allow attackers to manipulate the library's translation functionality by supplying...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for August 2025.
Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 24.0.0-IF006, 24.0.1-IF004 and 25.0.0-IF001. Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random...
ROS-20250923-02
Vulnerability in the setuid module of the Node.js software platform is related to context switching bugs privileges. Exploitation of the vulnerability could allow an attacker to escalate privileges...
CLSA-2025-1758294053 nodejs: Fix of CVE-2024-27982
CVE-2024-27982: prevent HTTP request smuggling by properly interpreting content-length header...
CLSA-2025-1758102713 nodejs: Fix of CVE-2025-22150
CVE-2025-22150: fix issue where undici used Math.random to choose boundary for multipart/form-data request, now uses secure random number generator...
-tompan-reacttemplate (>=1.0.1 <=1.1.0), 007-nodejs (>=2.5.0 <=2.5.3) +46459 more potentially affected by CVE-2024-29415 +1 more via ip (>=0.0.1 <=2.0.1)
ip NPM version =0.0.1, =1.0.1, =2.5.0, =2.5.3 - 0726react =0.1.1 - 0me.sh =0.1.15 - 0x0.icu.anima =0.1.0 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory =1.0.0 - 0xgank-tea-central-compound =1.0.0 -...
-tompan-reacttemplate (>=1.0.1 <=1.1.0), 007-nodejs (>=2.5.0 <=2.5.3) +46459 more potentially affected by CVE-2024-29415 +1 more via ip (>=0.0.1 <=2.0.1)
ip NPM version =0.0.1, =1.0.1, =2.5.0, =2.5.3 - 0726react =0.1.1 - 0me.sh =0.1.15 - 0x0.icu.anima =0.1.0 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory =1.0.0 - 0xgank-tea-central-compound =1.0.0 -...
docker-security-course
This is a vulnerable nodejs app for demos, as stated in the README.md file. The app is designed to demonstrate the use of Docker to clean up after a breach and prevent them from happening again in the future. The app is built using the Dockerfile, which creates an image with the name "node-hack"...
OESA-2025-2276 nodejs-form-data security update
A module to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications. Security Fixes: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution HPP. This vulnerability is associated with program file...
CVE-2025-58754 Axios is vulnerable to DoS attack through lack of data size check
Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory...
CLSA-2025-1757609292 nodejs: Fix of CVE-2024-22025
CVE-2024-22025: fix resource exhaustion DoS vulnerability in fetch function...