28 matches found
CVE-2026-46102
net: strparser: fix skbhead leak in strpabortstrp...
Query String Parser 安全漏洞
Query String Parser is a JavaScript tool for parsing query strings developed by Victor Teo. Version 1.0.0 of Query String Parser has a security vulnerability. This vulnerability arises from improper cleaning of query parameters provided by users and their merging into newly created objects, which...
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario...
AZL-73359 CVE-2025-15284 affecting package nodejs-nodemon 2.0.3-4
Improper Input Validation vulnerability in qs parse modules allows HTTP DoS.This issue affects qs: 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across a...
ljharb qs 安全漏洞
ljharb qs is a query string parser with nesting support by Jordan Harband, an individual developer in the United States. A security vulnerability exists in ljharb qs versions prior to 6.14.1 that stems from improper input validation and could lead to an HTTP denial of service attack...
[SECURITY] Fedora 43 Update: python-cron-converter-1.2.2-1.fc43
Cron-converter provides a Cron string parser from string/lists to string/lists and iteration for the datetime object with a cron like format...
CVE-2022-50265
CVE-2022-50265 pertains to the Linux kernel and concerns data races in the kernel crypto/messaging flow involving kcm->rx_wait and kcm->rx_psock. The description states that kcm->rx_psock can be read locklessly in kcm_rfree(), and the issue was mitigated by annotating the corresponding r...
MAL-2025-5958 Malicious code in string-parser-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 748b70284192ad043f664c6c220fd7416d86a39d02bee5c30e6181172b814688 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in string-parser-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 748b70284192ad043f664c6c220fd7416d86a39d02bee5c30e6181172b814688 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2025-37756
In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago...
OESA-2024-1403 nodejs-qs security update
This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior and twice as fast. Used by express, connect and others. Security Fixes: qs before 6.10.3, as used in Express before 4.17.3 a...
SUSE CVE-2009-0490
Stack-based buffer overflow in the Stringparse::getnonspacequoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service crash and possibly execute arbitrary code via a .gro file containing a long string...
CVE-2023-25166
formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability...
PT-2022-17038
Name of the Vulnerable Software and Affected Versions qs versions prior to 6.10.3 Express versions prior to 4.17.3 Description The issue allows attackers to cause a Node process hang for an Express application because an proto key can be used. In many typical Express use cases, an unauthenticated...
querymen 安全漏洞
querymen is an individual developer's query string parser middleware for MongoDB, Express, and Nodejs. A security vulnerability exists in querymen that stems from the middleware's susceptibility to prototype contamination...
Popular NPM Package Hijacked to Publish Crypto-mining Malware
The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining and password-stealing malware embedded in "UAParser.js," a popular JavaScript NPM library with over 6 million weekly downloads, days after the NPM repository moved to get rid of three rogue packages that...
Regular Expression Denial Of Service (ReDoS)
ua-parser-js is vulnerable to regular expression denial of service ReDoS. The vulnerability exists because the string parser does not use proper regular expressions to filter out malicious strings passing to it...
ljharb's qs module input validation vulnerability
A web framework is a framework used to support the development of dynamic websites, web applications, and web services. qs module is a string query parsing module used by developers when building web frameworks. A denial of service vulnerability exists in ljharb's qs module. An attacker could...
openSUSE Security Update : Mozilla Thunderbird (openSUSE-2016-848)
This update contains Mozilla Thunderbird 45.2. boo983549 It fixes security issues mostly affecting the e-mail program when used in a browser context, such as viewing a web page or HTMl formatted e-mail. The following vulnerabilities were fixed : - CVE-2016-2818, CVE-2016-2815: Memory safety bugs...
openSUSE Security Update : MozillaThunderbird (openSUSE-2016-402)
MozillaThunderbird was updated to 38.7.0 to fix the following issues : - Update to Thunderbird 38.7.0 boo969894 - MFSA 2015-81/CVE-2015-4477 bmo1179484 Use-after-free in MediaStream playback - MFSA 2015-136/CVE-2015-7207 bmo1185256 Same-origin policy violation using performance.getEntries and...