5 matches found
CVE-2025-48068 Information exposure in Next.js dev server due to lack of origin verification
Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects...
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Summary The contents of arbitrary files can be returned to the browser. Details @fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists. PoC sh $ npm create vite@latest $ cd vite-project/ $ npm...
MuteBond is susceptible to DOS
Lines of code Vulnerability details Proof of Concept Observe that if timeToTokens is called with locktime = 1 week, amount 52, it will return 0. function timeToTokensuint256 amount, uint256 locktime internal pure returns uint256 uint256 weektime = 1 weeks; uint256 maxlock = 52 weeks;...
Malicious code in npm-run-lal (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4a01d99608ddf590892902356233f88556d85bedfaf6508f312e9b7d54a69c23 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-4939 Malicious code in npm-run-lal (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4a01d99608ddf590892902356233f88556d85bedfaf6508f312e9b7d54a69c23 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...