Monthly
IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that dies with an undefined-subroutine error on an Info-ZIP Unix Extra Field carrying an 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) whose UID Size or GID Size is 8, zipdetails decodes an 8-byte UID or GID value by dispatching through decodeLitteEndian(), which calls a misnamed helper, unpackValueQ. The function actually defined in the same file is unpackValue_Q (with an underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is confined to the bundled CLI tool.
A denial-of-service flaw in the multiparty Node.js parser, versions ≤4.2.3, crashes the process when it handles malformed percent-encoded filename* parameters in multipart/form-data uploads. Attackers can remotely crash any Node.js service using a vulnerable multiparty version by sending a single crafted HTTP request, with no authentication required (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit was identified at the time of analysis, but exploitation is trivial given the straightforward attack vector. Vendor-released patch: multiparty@4.3.0.
Remote unauthenticated attackers can crash Node.js applications running the OpenTelemetry Prometheus exporter by sending a single malformed HTTP request to the metrics endpoint (default port 9464). The vulnerability exists in @opentelemetry/exporter-prometheus versions prior to 0.217.0, where missing error handling around URL parsing causes an uncaught TypeError when processing invalid URIs, terminating the entire Node.js process. The metrics endpoint binds to 0.0.0.0 by default and requires no authentication, making exploitation trivial for any network-accessible attacker. Publicly available exploit code exists (one-line netcat command demonstrated in vendor advisory). No active exploitation confirmed at time of analysis, though the attack complexity is minimal (CVSS AC:L) and the impact severe for production observability infrastructure.
Denial of service in Microsoft .NET Framework 3.5 through 4.8.1 allows unauthenticated remote attackers to crash applications via race condition exploitation over a network. The vulnerability stems from improper synchronization when multiple threads access shared resources concurrently (CWE-755). Affected versions span .NET Framework 3.5, 4.6.2, 4.7.x, 4.8, and 4.8.1 across multiple component combinations. Microsoft has released patches addressing the flaw. No public exploit code or active explo
SvelteKit versions prior to 2.57.1 are vulnerable to denial of service when the redirect() function is called from the handle server hook with HTTP header-invalid characters in the location parameter. An unauthenticated remote attacker can trigger an unhandled TypeError by supplying unsanitized user input to the redirect location, potentially causing application crashes on certain platforms. The vulnerability is fixed in version 2.57.1.
Permission bypass vulnerability in the system service framework. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 7.3 HIGH]
Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are called and then abandoned by the host before completion, such as when the Future is dropped after a single poll during an async yield. This affects applications using Wasmtime's component model with async support, allowing an attacker to crash the runtime through specially crafted async function invocations. A patch is available to address this stability issue.
TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in ClientCAs handling are silenced, potentially accepting invalid client certificates. PoC available.
Cube.js versions 1.1.17 through 1.5.12 and 1.4.x before 1.4.2 are vulnerable to denial of service attacks where an authenticated attacker can craft a malicious request to completely disable the Cube API. This network-accessible vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated user with API access. No patch is currently available for affected versions.
VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys).