Monthly
Wasmtime's Cranelift compiler generates inefficient code for the f64x2.splat WebAssembly instruction on x86-64 platforms with SSE3 disabled, causing it to load 8 excess bytes beyond the intended operand. On systems with signals-based traps disabled, this overflow access can trigger segmentation faults from unmapped guard pages; with guard pages also disabled, out-of-sandbox memory is accessible to the runtime (though not to WebAssembly guests themselves). The vulnerability affects Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, and is fixed in those releases. No public exploit code or active exploitation (KEV) is documented.
Wasmtime runtime before versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 panics when lifting component model flags-typed values with out-of-specification bit patterns, enabling guest-controlled denial-of-service in the host environment. The vulnerability requires high privilege and user interaction but affects a critical WebAssembly runtime used in production systems. No public exploit code is confirmed at time of analysis.
Remote denial of service in NVIDIA Triton Inference Server versions prior to r26.02 allows unauthenticated attackers to crash the server by sending malformed HTTP request headers over the network. The vulnerability scores 7.5 (High) with maximum availability impact, requires no authentication or user interaction, and has low attack complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Denial of service via panic in go-jose library (versions prior to v4.1.4 and v3.0.5) occurs when decrypting malformed JSON Web Encryption (JWE) objects that specify a key wrapping algorithm (e.g., RSA-OAEP-KW, ECDH-ES+A128KW) but contain an empty encrypted_key field. The panic is triggered during slice allocation in cipher.KeyUnwrap() when processing ciphertext under 16 bytes, causing immediate application termination. No public exploit identified at time of analysis, though EPSS score of 0.00045 (0.045%) indicates low predicted exploitation probability. Applications limiting accepted key algorithms to non-KW types or using GCM-based key wrapping (A128GCMKW, A192GCMKW, A256GCMKW) are unaffected.
Haraka email server crashes when processing emails with `__proto__` as a header name, enabling remote unauthenticated denial of service. Attackers can send a specially crafted email via SMTP to crash worker processes, disrupting email delivery. In single-process deployments, the entire server becomes unavailable; in cluster mode, all active sessions are terminated. No public exploit identified at time of analysis beyond the published proof-of-concept code, though exploitation requires only basic SMTP access.
The SiYuan kernel, a Go-based note-taking application, contains an authentication bypass vulnerability in its WebSocket server that allows unauthenticated attackers to crash the kernel process through malformed JSON messages. SiYuan kernel versions exposed via Docker or network-accessible deployments are affected, with the issue stemming from unsafe type assertions on attacker-controlled input after bypassing authentication via a specific query parameter pattern. A proof-of-concept demonstrating the attack exists in the GitHub advisory, and while CVSS rates this as 7.5 High severity for availability impact, real-world exploitation risk depends heavily on network exposure beyond localhost.
Parse Server contains a denial-of-service vulnerability in its LiveQuery feature where remote attackers can crash the server by subscribing with an invalid regular expression pattern. The vulnerability affects npm package parse-server across versions and allows unauthenticated network-based attacks with high attack complexity, resulting in complete service disruption for all connected clients. A patch is available from the vendor, and the attack does not require user interaction or special privileges.
Rust Yamux prior to version 0.13.10 is vulnerable to denial of service when processing specially crafted inbound stream frames that combine the SYN flag with oversized body lengths, causing the connection handler to panic due to improper state cleanup. An unauthenticated remote attacker can trigger this panic over any normal Yamux session without special privileges, crashing affected applications. No patch is currently available for this high-severity vulnerability.
LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.
Node.js undici WebSocket client denial-of-service vulnerability allows remote attackers to crash the process by sending a malformed permessage-deflate compression parameter that bypasses validation and triggers an uncaught exception. The vulnerability exists because the client fails to properly validate the server_max_window_bits parameter before passing it to zlib, enabling any WebSocket server to terminate connected clients. No patch is currently available.
Wasmtime's Cranelift compiler generates inefficient code for the f64x2.splat WebAssembly instruction on x86-64 platforms with SSE3 disabled, causing it to load 8 excess bytes beyond the intended operand. On systems with signals-based traps disabled, this overflow access can trigger segmentation faults from unmapped guard pages; with guard pages also disabled, out-of-sandbox memory is accessible to the runtime (though not to WebAssembly guests themselves). The vulnerability affects Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, and is fixed in those releases. No public exploit code or active exploitation (KEV) is documented.
Wasmtime runtime before versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 panics when lifting component model flags-typed values with out-of-specification bit patterns, enabling guest-controlled denial-of-service in the host environment. The vulnerability requires high privilege and user interaction but affects a critical WebAssembly runtime used in production systems. No public exploit code is confirmed at time of analysis.
Remote denial of service in NVIDIA Triton Inference Server versions prior to r26.02 allows unauthenticated attackers to crash the server by sending malformed HTTP request headers over the network. The vulnerability scores 7.5 (High) with maximum availability impact, requires no authentication or user interaction, and has low attack complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis.
Denial of service via panic in go-jose library (versions prior to v4.1.4 and v3.0.5) occurs when decrypting malformed JSON Web Encryption (JWE) objects that specify a key wrapping algorithm (e.g., RSA-OAEP-KW, ECDH-ES+A128KW) but contain an empty encrypted_key field. The panic is triggered during slice allocation in cipher.KeyUnwrap() when processing ciphertext under 16 bytes, causing immediate application termination. No public exploit identified at time of analysis, though EPSS score of 0.00045 (0.045%) indicates low predicted exploitation probability. Applications limiting accepted key algorithms to non-KW types or using GCM-based key wrapping (A128GCMKW, A192GCMKW, A256GCMKW) are unaffected.
Haraka email server crashes when processing emails with `__proto__` as a header name, enabling remote unauthenticated denial of service. Attackers can send a specially crafted email via SMTP to crash worker processes, disrupting email delivery. In single-process deployments, the entire server becomes unavailable; in cluster mode, all active sessions are terminated. No public exploit identified at time of analysis beyond the published proof-of-concept code, though exploitation requires only basic SMTP access.
The SiYuan kernel, a Go-based note-taking application, contains an authentication bypass vulnerability in its WebSocket server that allows unauthenticated attackers to crash the kernel process through malformed JSON messages. SiYuan kernel versions exposed via Docker or network-accessible deployments are affected, with the issue stemming from unsafe type assertions on attacker-controlled input after bypassing authentication via a specific query parameter pattern. A proof-of-concept demonstrating the attack exists in the GitHub advisory, and while CVSS rates this as 7.5 High severity for availability impact, real-world exploitation risk depends heavily on network exposure beyond localhost.
Parse Server contains a denial-of-service vulnerability in its LiveQuery feature where remote attackers can crash the server by subscribing with an invalid regular expression pattern. The vulnerability affects npm package parse-server across versions and allows unauthenticated network-based attacks with high attack complexity, resulting in complete service disruption for all connected clients. A patch is available from the vendor, and the attack does not require user interaction or special privileges.
Rust Yamux prior to version 0.13.10 is vulnerable to denial of service when processing specially crafted inbound stream frames that combine the SYN flag with oversized body lengths, causing the connection handler to panic due to improper state cleanup. An unauthenticated remote attacker can trigger this panic over any normal Yamux session without special privileges, crashing affected applications. No patch is currently available for this high-severity vulnerability.
LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.
Node.js undici WebSocket client denial-of-service vulnerability allows remote attackers to crash the process by sending a malformed permessage-deflate compression parameter that bypasses validation and triggers an uncaught exception. The vulnerability exists because the client fails to properly validate the server_max_window_bits parameter before passing it to zlib, enabling any WebSocket server to terminate connected clients. No patch is currently available.