Node
Monthly
Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).
Node.js Permission Model bypass in FileHandle.chmod() and FileHandle.chown() promise-based methods allows local authenticated users with restricted --allow-fs-write to modify file permissions and ownership on already-open file descriptors, circumventing intended write restrictions. The vulnerability affects Node.js 20.x, 22.x, 24.x, and 25.x when running under the --permission flag; the callback-based equivalents (fs.fchmod, fs.fchown) were correctly patched in CVE-2024-36137, but the promises API was incompletely fixed. CVSS 3.3 with low real-world impact due to local-only attack vector and requirement for pre-existing file access.
A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).
Node.js Permission Model bypass in FileHandle.chmod() and FileHandle.chown() promise-based methods allows local authenticated users with restricted --allow-fs-write to modify file permissions and ownership on already-open file descriptors, circumventing intended write restrictions. The vulnerability affects Node.js 20.x, 22.x, 24.x, and 25.x when running under the --permission flag; the callback-based equivalents (fs.fchmod, fs.fchown) were correctly patched in CVE-2024-36137, but the promises API was incompletely fixed. CVSS 3.3 with low real-world impact due to local-only attack vector and requirement for pre-existing file access.
A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.