CWE-180

Incorrect Behavior Order: Validate Before Canonicalize

8 CVEs, average CVSS 6.2 (MITRE). Severity breakdown: 1 Critical, 1 High, 5 Medium, 1 Low. Public PoC available: 2. In KEV: 0.

CVE-2026-39409 MEDIUM PATCH GHSA This Month

IPv4 access control bypass in Hono middleware: IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) bypass IPv4-based ipRestriction() rules because addresses are not canonicalized before matching. Denied IPv4 clients can circumvent access restrictions in Node.js dual-stack environments by presenting as IPv6-formatted addresses, and legitimate IPv4 clients may be incorrectly rejected when allowlists are used. No public exploit code was identified at the time of analysis, but the vulnerability enables a straightforward authentication bypass with minimal complexity.

Node.js Authentication Bypass
Sources: NVD, GitHub. CVSS 4.0: 6.3. EPSS: 0.0%.
CVE-2026-39364 HIGH POC PATCH GHSA This Week

The Vite development server allows unauthorized file disclosure by bypassing server.fs.deny restrictions when specific query parameters (?raw, ?import&raw, ?import&url&inline) are appended to file requests. The npm package 'vite' is affected when the dev server is explicitly exposed to the network and sensitive files exist within allowed directories but are supposedly blocked by deny patterns. Publicly available exploit code demonstrates retrieval of .env files and certificates. Fixed in versions 7.3.2 and 8.0.5 according to vendor release tags.

Information Disclosure
Sources: NVD, GitHub. CVSS 4.0: 8.2. EPSS: 0.0%.
CVE-2026-34786 MEDIUM PATCH GHSA This Month

Rack::Static fails to apply security-relevant response headers to URL-encoded variants of static file paths, allowing attackers to bypass header-based security controls by requesting percent-encoded forms of protected resources. This affects Rack versions prior to 2.2.23, 3.1.21, and 3.2.6, and is particularly dangerous in deployments that rely on Rack::Static to enforce Content-Security-Policy, X-Frame-Options, or similar protective headers on static content. No public exploit code or active exploitation had been confirmed at the time of analysis.

Authentication Bypass
Sources: NVD, GitHub. CVSS 3.1: 5.3. EPSS: 0.0%.
CVE-2026-34475 MEDIUM This Month

Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12 mishandle HTTP/1.1 URLs with a root path (/) in unchecked req.url scenarios, enabling cache poisoning and authentication bypass attacks. Unauthenticated remote attackers can exploit this with moderate complexity to poison cached content or bypass authentication controls affecting downstream clients. No active exploitation has been confirmed, though the vulnerability carries a 5.4 CVSS score reflecting network accessibility and partial impact to confidentiality and integrity.

Authentication Bypass
Sources: NVD, VulDB. CVSS 3.1: 5.4. EPSS: 0.0%.
CVE-2026-24895 CRITICAL POC PATCH Act Now

CGI path splitting vulnerability in FrankenPHP before 1.11.2: Unicode characters bypass path validation during CGI processing. A PoC and a patch are available.

PHP Golang Frankenphp Suse
Sources: NVD, GitHub. CVSS 3.1: 9.8. EPSS: 0.1%.
CVE-2025-33194 MEDIUM This Month

NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware where an attacker could cause improper processing of input data. Rated medium severity (CVSS 5.7), this vulnerability requires no authentication and has low attack complexity. No vendor patch is available.

Denial Of Service Information Disclosure Nvidia Dgx Os
Sources: NVD. CVSS 3.1: 5.7. EPSS: 0.0%.
CVE-2025-43716 MEDIUM This Month

A directory traversal vulnerability exists in Ivanti LANDesk Management Gateway through 4.2-1.9. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. No vendor patch is available.

Path Traversal PHP Authentication Bypass Ivanti
Sources: NVD. CVSS 3.1: 5.8. EPSS: 0.2%.
CVE-2024-28607 LOW Monitor

The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via a falsy isPrivate return value. [CVSS 2.9 LOW]

Node.js SSRF
Sources: NVD, GitHub. CVSS 3.1: 2.9. EPSS: 0.0%.