CVE-2025-53642 haxcms-nodejs and haxcms-php Improperly Terminate Sessions
haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6...
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.
Azure Linux 3.0 Security Update: nodejs / nodejs18 (CVE-2025-47279)
The version of nodejs / nodejs18 installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-47279 advisory. - Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applicatio...
HAXcms with nodejs backend Code Issue Vulnerability
HAXcms with nodejs backend is an open source backend management system from HAX The Web. A code issue vulnerability exists in HAXcms with nodejs backend that stems from improper session termination, which could lead to unauthorized access...
CBL Mariner 2.0 Security Update: nodejs / nodejs18 (CVE-2025-47279)
The version of nodejs / nodejs18 installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-47279 advisory. - Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applicatio...
CVE-2025-23165 affecting package nodejs for versions less than 20.14.0-9
CVE-2025-23165 affecting package nodejs for versions less than 20.14.0-9. A patched version of the package is available...
CVE-2025-23166 affecting package nodejs for versions less than 20.14.0-9
CVE-2025-23166 affecting package nodejs for versions less than 20.14.0-9. A patched version of the package is available...
CVE-2025-47279 affecting package nodejs for versions less than 20.14.0-8
CVE-2025-47279 affecting package nodejs for versions less than 20.14.0-8. A patched version of the package is available...
Node.js Sandbox MCP Server Security Vulnerability
Node.js Sandbox MCP Server is a Node.js-based Model Context Protocol server by the individual developer Alfonso Graziano. A security vulnerability exists in Node.js Sandbox MCP Server versions prior to 1.3.0 that stems from command injection and could lead to remote code execution...
Fedora 42 : nodejs-bash-language-server / nodejs-pnpm (2025-69a1acbbc0)
The remote Fedora 42 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2025-69a1acbbc0 advisory. Update pnpm to version 10.9.0 to fix CVE-2024-47829 and nodejs-bash-language-server to version 5.6.0. Tenable has extracted the preceding description block...
nodejs-electron-35.6.0-1.2 on GA media (moderate)
nodejs-electron-35.6.0-1.2 on GA media. Announcement ID: openSUSE-SU-2025:15249-1. Rating: moderate. Cross-References: CVE-2025-5419. Affected Products: openSUSE Tumbleweed. An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...
OPENSUSE-SU-2025:15249-1 nodejs-electron-35.6.0-1.2 on GA media
These are all security issues fixed in the nodejs-electron-35.6.0-1.2 package on the GA media of openSUSE Tumbleweed...
Malicious code in pyroscope-nodejs (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0f63660c0844969995da8de5a83535772031d00f3247e8cbb5a40addbc21a234 Any computer that has this package installed or running should be considered...
MAL-2025-5535 Malicious code in pyroscope-nodejs (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0f63660c0844969995da8de5a83535772031d00f3247e8cbb5a40addbc21a234 Any computer that has this package installed or running should be considered...
AZL-76320 CVE-2025-6554 affecting package nodejs24 24.13.0-3
Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. Chromium security severity: High...
Malicious code in es6modules-nodejs (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 218c17a75c3af9325e1d26ff2b2feec20f788118052f29452038579a57a4bb40 Any computer that has this package installed or running should be considered...
MGASA-2025-0194 Updated yarnpkg packages fix security vulnerabilities
CVE-2024-37890 yarnpkg: denial of service when handling a request with many HTTP headers. CVE-2024-48949 yarnpkg: Missing Validation in Elliptic's EDDSA Signature Verification. CVE-2024-12905 yarnpkg: link following and path traversal via maliciously crafted tar file. And other vulnerabilities in...
Photon OS 4.0: Nodejs PHSA-2025-4.0-0820
An update of the nodejs package has been released. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2025-4.0-0820. The text itself is copyright VMware, Inc...
Important Photon OS Security Update - PHSA-2025-4.0-0820
Updates of 'rubygem-webrick', 'nodejs' packages of Photon OS have been released...
GHSA-V62P-RQ8G-8H59 pbkdf2 silently disregards Uint8Array input, returning static keys
Summary: On historic but declared-as-supported Node.js versions 0.12-2.x, pbkdf2 silently disregards Uint8Array input. This only affects Node.js = 0.12 and there seems to be ongoing effort in this repo to maintain that. Support Uint8Array input: input is typechecked against Uint8Array, and the error...