Node.js
Monthly
Node.js undici WebSocket client denial-of-service vulnerability allows remote attackers to crash the process by sending a malformed permessage-deflate compression parameter that bypasses validation and triggers an uncaught exception. The vulnerability exists because the client fails to properly validate the server_max_window_bits parameter before passing it to zlib, enabling any WebSocket server to terminate connected clients. No patch is currently available.
Node.js undici WebSocket client denial-of-service via decompression bomb in permessage-deflate processing allows remote attackers to crash or hang affected processes through unbounded memory consumption. An attacker controlling a malicious WebSocket server can send specially crafted compressed frames that expand to extremely large sizes in memory without triggering any decompression limits. No patch is currently available for this vulnerability.
High severity vulnerability in OpenClaw. In affected versions of `openclaw`, browser-originated WebSocket connections could bypass origin validation when `gateway.auth.mode` was set to `trusted-proxy` and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session.
Parse Server's OAuth2 authentication adapter fails to properly validate app IDs when appidField and appIds are configured, allowing attackers to bypass authentication restrictions or cause login failures depending on the introspection endpoint's response handling. Deployments using this specific OAuth2 configuration are vulnerable to authentication bypass if the endpoint accepts malformed requests. A patch is available in versions 9.6.0-alpha.13 and 8.6.39.
Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.
Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected. The fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider's configuration is isolated. There is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37
flatted is a circular JSON parser. versions up to 3.4.0 is affected by uncontrolled recursion (CVSS 7.5).
Denial of service in yauzl 3.2.0 (Node.js zip parsing library) allows remote attackers to crash applications by submitting malformed zip files with specially crafted NTFS timestamp fields that trigger an out-of-bounds buffer read. The vulnerability affects any Node.js application that processes untrusted zip uploads and extracts file modification dates. No patch is currently available.
An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36
An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35
Parse Server versions before 8.6.34 and 9.6.0-alpha.8 leak user registration status through differential error responses on the email verification endpoint, enabling attackers to enumerate valid email addresses in the system when email verification is enabled. Deployments with verifyUserEmails set to true are vulnerable to this user enumeration attack, which allows an attacker to systematically identify registered accounts by analyzing response codes from the /verificationEmailRequest endpoint. No patch is currently available for affected installations.
Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.
Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.
SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.
Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.
SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.
SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.
Parse Server's LDAP authentication adapter fails to properly sanitize user input in Distinguished Names and group filters, allowing authenticated attackers to inject LDAP commands and bypass group-based access controls. This vulnerability enables privilege escalation for any valid LDAP user to gain membership in restricted groups, affecting deployments that rely on LDAP group policies for authorization. Patches are available in versions 9.5.2-alpha.13 and 8.6.26.
Denial of service in file-type library versions prior to 21.3.1 allows remote attackers to hang Node.js event loops by submitting malformed ASF (WMV/WMA) files that trigger infinite loops during file type detection. Applications using file-type to analyze untrusted input are vulnerable, with a minimal 55-byte payload sufficient to stall processing. No patch is currently available for affected Node.js and File Type products.
Parse Server has a third vulnerability with missing authorization enabling unauthorized operations.
Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23 allow remote attackers to bypass rate limiting protections by submitting multiple requests within a single batch request, since batch processing routes requests internally and circumvents Express middleware controls. Deployments relying on built-in rate limiting are vulnerable to abuse and denial of service attacks. A patch is available in the specified versions.
Parse Server versions prior to 9.5.2-alpha.9 and 8.6.22 fail to properly validate OAuth2 token ownership when the useridField option is not configured, allowing attackers with any valid token from the same provider to impersonate arbitrary users. This authentication bypass affects all Parse Server deployments using the generic OAuth2 adapter without the useridField setting. The vulnerability is resolved in patched versions 9.5.2-alpha.9 and 8.6.22.
Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.
Parse Server has an incorrect authorization vulnerability enabling unauthorized data access across applications.
Parse Server versions prior to 9.5.2-alpha.6 and 8.6.19 allow authenticated users to bypass field protection checks by nesting query constraints within logical operators, enabling unauthorized extraction of protected field values. This vulnerability affects all Parse Server deployments with default protected fields, as the validation mechanism only inspects top-level query keys. A patch is available in the specified versions.
SQL injection in Sequelize prior to version 6.37.8 allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive data by manipulating JSON object keys in WHERE clause operations. The vulnerability stems from improper sanitization of cast type parameters in the _traverseJSON() function, which directly interpolates user-controlled input into CAST SQL statements. Node.js applications using affected Sequelize versions are at risk of complete database compromise.
Parse Server's Keycloak authentication adapter fails to validate the authorized party claim in access tokens, allowing tokens issued for one client application to authenticate users on another client within the same Keycloak realm. An authenticated attacker with valid credentials to any client application can exploit this to perform cross-application account takeover against Parse Server instances using Keycloak authentication in multi-client environments. A patch is available in versions 9.5.2-alpha.5 and 8.6.18.
Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.
Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16 fail to enforce class-level permissions on LiveQuery subscriptions, allowing unauthenticated attackers to subscribe to restricted data classes and receive real-time updates on all objects. This authorization bypass affects all deployments using LiveQuery with permission controls, exposing sensitive data to unauthorized subscribers. A patch is available in the mentioned versions.
Parse-Server versions up to 9.5.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).
simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.
OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.
NoSQL injection in Parse Server's password reset and email verification endpoints allows unauthenticated attackers to extract authentication tokens by injecting MongoDB query operators through the unvalidated token parameter. Affected deployments running MongoDB with these features enabled are vulnerable to email verification bypass and password reset token theft. The vulnerability is fixed in versions 8.6.14 and 9.5.2-alpha.1.
Unauthenticated attackers can crash Parse Server instances by invoking Cloud Function endpoints with prototype property names, triggering infinite recursion and process termination. Additionally, attackers can bypass validation checks using prototype pollution techniques to elicit HTTP 200 responses for non-existent functions. All Parse Server versions prior to 8.6.13 and 9.5.1-alpha.2 are affected when the Cloud Function endpoint is exposed.
Parse Server versions prior to 8.6.12 and 9.5.1-alpha.1 allow attackers to bypass the requestKeywordDenylist security control by nesting prohibited keywords within objects or arrays in request payloads, enabling injection of restricted data into applications. This logic flaw affects all Parse Server deployments since the denylist is enabled by default, and custom keyword restrictions configured by developers are equally vulnerable to the same bypassing technique. Attackers can exploit this to inject malicious content or bypass access controls on any Parse Server instance.
Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 versions up to 14.14.0 is affected by path traversal.
Parse Server's LiveQuery feature is vulnerable to denial of service through malicious regex patterns that trigger catastrophic backtracking, freezing the Node.js event loop and rendering the entire server unresponsive to all clients. Attackers only require the publicly available application ID and JavaScript key to exploit this vulnerability on any Parse Server with LiveQuery enabled. Updates to versions 9.5.0-alpha.14 or 8.6.11 and later address this issue.
OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring configuration.
node-tar is a full-featured Tar for Node.js.
Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.
Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.
Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. [CVSS 3.7 LOW]
Path traversal in node-tar versions prior to 7.5.10 allows local attackers to write files outside the intended extraction directory by exploiting drive-relative link targets during archive extraction. An attacker with the ability to create or modify tar archives can overwrite arbitrary files on the system with elevated privileges. Public exploit code exists for this vulnerability affecting Node.js, D-Link, and Tar products.
Cross-site request forgery (CSRF) in Ghost CMS versions 5.101.6 through 6.19.2 permits attackers to reuse one-time codes across different login sessions via the /session/verify endpoint, potentially enabling account takeover through phishing attacks. The vulnerability affects Ghost deployments on Node.js and related platforms, requiring no user authentication but relying on user interaction. A patch is available in Ghost version 6.19.3 and later.
express-rate-limit versions 8.0.0 through 8.3.0 (excluding patched versions) collapse all IPv4 client traffic into a single rate-limit bucket due to incorrect IPv6 subnet masking of IPv4-mapped addresses, allowing any client to trigger denial of service for all other IPv4 users by exhausting the shared limit. Public exploit code exists for this vulnerability, affecting Node.js applications using the vulnerable middleware versions. Organizations should upgrade to versions 8.0.2, 8.1.1, 8.2.2, or 8.3.0 immediately.
Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 expose sensitive database information through unfiltered error responses when processing malformed regex queries. An unauthenticated attacker can craft specially crafted query parameters to leak database internals including error messages, cluster details, and topology information. Patches are available for affected versions.
Improper authorization in Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 allows read-only master key holders to bypass access controls via the /loginAs endpoint and obtain valid session tokens for arbitrary users. An attacker with readOnlyMasterKey credentials can impersonate any user and gain full read and write access to their data. All Parse Server deployments utilizing readOnlyMasterKey functionality are affected, and no patch is currently available.
Parse Server versions before 8.6.5 and 9.5.0-alpha.3 allow the readOnlyMasterKey to perform write and delete operations on files, violating the intended read-only access restriction. An authenticated attacker with the readOnlyMasterKey can upload arbitrary files or delete existing files via the Files API on affected deployments. No patch is currently available for this medium-severity vulnerability that impacts organizations using Parse Server with exposed file endpoints.
Parse Server's readOnlyMasterKey incorrectly permits write operations on Cloud Hooks and Cloud Jobs despite being documented to deny mutations, allowing authenticated attackers with knowledge of the key to create, modify, and delete hooks or trigger jobs for potential data exfiltration. This vulnerability affects all Parse Server deployments using the readOnlyMasterKey option and has been patched in versions 8.6.4 and 9.4.1-alpha.3.
@hono/node-server versions prior to 1.19.10 contain an authorization bypass in static file serving due to inconsistent URL decoding between routing middleware and file resolution logic. An unauthenticated remote attacker can bypass route-based access controls by crafting requests with encoded slashes (%2F) to access protected static resources that should be restricted by middleware. Organizations running affected versions should upgrade immediately as no workaround is available.
Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users of SVGO, Node.js, and Golang implementations should restrict input sources until updates are released.
Prototype pollution in oRPC before 1.13.6. PoC and patch available.
Improper path validation in OpenClaw Gateway versions before 2026.2.14 enables authenticated administrators to achieve arbitrary code execution by manipulating hook module paths passed to dynamic imports. An attacker with configuration modification privileges can load and execute malicious local modules within the Node.js process, gaining full system compromise capabilities.
Arbitrary code execution in Ghost CMS versions 0.7.2 through 6.19.0 allows authenticated attackers with theme upload privileges to execute malicious code on the server by crafting specially designed theme files. The vulnerability affects Ghost installations running on Node.js and requires high privileges to exploit, though successful attacks compromise complete server integrity with confidentiality, integrity, and availability impact. No patch is currently available for affected versions.
Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. [CVSS 3.4 LOW]
Multer versions before 2.1.1 are susceptible to denial of service attacks when processing malformed multipart/form-data requests, which can trigger stack overflow conditions and crash Node.js applications. An unauthenticated remote attacker can exploit this vulnerability without user interaction to render affected services unavailable. The vulnerability affects Node.js applications using Multer for file upload handling, and patches are available in version 2.1.1 and later.
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.
A vulnerability in Multer versions up to 2.1.0 is affected by missing release of resource after effective lifetime.
Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols, affecting applications that use this API for security-sensitive operations like URL generation, password reset links, and email verification. Public exploit code exists for this vulnerability. Applications relying on ctx.hostname for routing decisions or generating user-facing URLs are at risk of credential theft, account compromise, and phishing attacks.
Minimatch versions before 3.1.3 through 10.2.3 suffer from catastrophic backtracking in glob pattern matching when processing multiple GLOBSTAR segments, allowing attackers who control glob patterns to trigger exponential time complexity and cause denial of service. Public exploit code exists for this vulnerability, and affected Node.js applications using vulnerable Minimatch versions are at immediate risk. No patch is currently available, requiring users to upgrade to patched versions or implement input validation as a mitigation.
Improper input validation in TerriaJS-Server versions before 4.0.3 allows unauthenticated remote attackers to bypass domain allowlist restrictions and proxy requests to arbitrary domains. This vulnerability affects Node.js deployments of TerriaJS and could enable attackers to access restricted resources or perform server-side request forgery attacks. A patch is available in version 4.0.3 and later.
Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.
Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.
Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
Email content leakage in Lettermint Node.js SDK versions 1.5.0 and below allows local authenticated users to intercept sensitive email data when a single client instance sends multiple messages, as email properties are not properly cleared between sends. Applications using transactional email flows with reused client instances risk exposing recipient addresses and message content to unintended parties. The vulnerability has been patched in version 1.5.1.
SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 allows unauthenticated attackers to read arbitrary database data. Patch available.
Path traversal in node-tar versions 7.5.7 and earlier allows local attackers to read and write arbitrary files outside the extraction directory by crafting malicious tar archives containing hardlinks that bypass extraction path validation. Public exploit code exists for this vulnerability, which affects default extraction configurations in Node.js and related Tar implementations. The vulnerability has been patched in node-tar 7.5.8.
Code inclusion from untrusted source in Slyde presentation tool 0.0.4 and below. Automatically imports plugin files. Patch available.
Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.
Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. Upgrade to version 5.31.0 or later to remediate.
Arbitrary command execution in systeminformation versions before 5.30.8 allows local attackers to execute OS commands through an unsanitized network interface parameter in the wifiNetworks() function's retry logic. Applications passing user-controlled input to this function are vulnerable to privilege escalation attacks running with Node.js process permissions. Public exploit code exists for this vulnerability; a patch is available.
farmfe/core versions up to 1.7.6 contains a vulnerability that allows attackers to surveil developers running Farm who visit their webpage and steal source code th (CVSS 6.5).
The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. [CVSS 3.7 LOW]
Prototype pollution in set-in npm package allows modification of Object prototype. PoC and patch available.
Arbitrary code execution in vscode-spell-checker prior to v4.5.4 allows attackers to execute malicious Node.js code by placing a crafted .cspell.config.js file in an untrusted workspace, since the extension fails to validate VS Code's workspace-trust state before loading configuration files. An attacker can exploit this by tricking users into opening a malicious workspace, resulting in code execution with the privileges of the extension host process.
Axios versions up to 0.30.3 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).
jsonpath library before 1.2.0 has an arbitrary code injection vulnerability via unsafe use of eval-like constructs in JSONPath expressions.
Client-certificate-auth middleware for Node.js versions 0.2.1 and 0.3.0 fails to validate the Host header when redirecting HTTP requests to HTTPS, enabling attackers to craft malicious redirects that direct users to arbitrary domains. Public exploit code exists for this open redirect vulnerability, and no patch is currently available for affected versions.
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the...
n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.
n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.
n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. [CVSS 7.7 HIGH]
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in...
Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. A patch is available in version 5.7.2 and later.
jsPDF versions prior to 4.1.0 contain a race condition in the addJS method where a shared module-scoped variable is overwritten during concurrent PDF generation, causing JavaScript payloads and embedded data intended for one user to be included in another user's generated PDF. This cross-user data leakage primarily affects server-side Node.js deployments handling simultaneous requests, allowing attackers to access sensitive information leaked across user sessions. Public exploit code exists for this vulnerability.
Arbitrary code execution in Backstage @backstage/plugin-techdocs-node versions before 1.13.11 and 1.14.1 allows authenticated users with repository access to execute malicious Python code on TechDocs build servers by injecting MkDocs hook configurations into mkdocs.yml files. The vulnerability affects deployments using the `runIn: local` configuration option, where an attacker can leverage the hooks feature to achieve remote code execution during documentation builds. Fixed versions implement an allowlist of permitted MkDocs configuration keys and strip unsupported keys including hooks before processing.
Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.
Node.js undici WebSocket client denial-of-service vulnerability allows remote attackers to crash the process by sending a malformed permessage-deflate compression parameter that bypasses validation and triggers an uncaught exception. The vulnerability exists because the client fails to properly validate the server_max_window_bits parameter before passing it to zlib, enabling any WebSocket server to terminate connected clients. No patch is currently available.
Node.js undici WebSocket client denial-of-service via decompression bomb in permessage-deflate processing allows remote attackers to crash or hang affected processes through unbounded memory consumption. An attacker controlling a malicious WebSocket server can send specially crafted compressed frames that expand to extremely large sizes in memory without triggering any decompression limits. No patch is currently available for this vulnerability.
High severity vulnerability in OpenClaw. In affected versions of `openclaw`, browser-originated WebSocket connections could bypass origin validation when `gateway.auth.mode` was set to `trusted-proxy` and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session.
Parse Server's OAuth2 authentication adapter fails to properly validate app IDs when appidField and appIds are configured, allowing attackers to bypass authentication restrictions or cause login failures depending on the introspection endpoint's response handling. Deployments using this specific OAuth2 configuration are vulnerable to authentication bypass if the endpoint accepts malformed requests. A patch is available in versions 9.6.0-alpha.13 and 8.6.39.
Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.
Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected. The fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider's configuration is isolated. There is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37
flatted is a circular JSON parser. versions up to 3.4.0 is affected by uncontrolled recursion (CVSS 7.5).
Denial of service in yauzl 3.2.0 (Node.js zip parsing library) allows remote attackers to crash applications by submitting malformed zip files with specially crafted NTFS timestamp fields that trigger an out-of-bounds buffer read. The vulnerability affects any Node.js application that processes untrusted zip uploads and extracts file modification dates. No patch is currently available.
An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36
An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35
Parse Server versions before 8.6.34 and 9.6.0-alpha.8 leak user registration status through differential error responses on the email verification endpoint, enabling attackers to enumerate valid email addresses in the system when email verification is enabled. Deployments with verifyUserEmails set to true are vulnerable to this user enumeration attack, which allows an attacker to systematically identify registered accounts by analyzing response codes from the /verificationEmailRequest endpoint. No patch is currently available for affected installations.
Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.
Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.
SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.
Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.
SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.
SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.
Parse Server's LDAP authentication adapter fails to properly sanitize user input in Distinguished Names and group filters, allowing authenticated attackers to inject LDAP commands and bypass group-based access controls. This vulnerability enables privilege escalation for any valid LDAP user to gain membership in restricted groups, affecting deployments that rely on LDAP group policies for authorization. Patches are available in versions 9.5.2-alpha.13 and 8.6.26.
Denial of service in file-type library versions prior to 21.3.1 allows remote attackers to hang Node.js event loops by submitting malformed ASF (WMV/WMA) files that trigger infinite loops during file type detection. Applications using file-type to analyze untrusted input are vulnerable, with a minimal 55-byte payload sufficient to stall processing. No patch is currently available for affected Node.js and File Type products.
Parse Server has a third vulnerability with missing authorization enabling unauthorized operations.
Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23 allow remote attackers to bypass rate limiting protections by submitting multiple requests within a single batch request, since batch processing routes requests internally and circumvents Express middleware controls. Deployments relying on built-in rate limiting are vulnerable to abuse and denial of service attacks. A patch is available in the specified versions.
Parse Server versions prior to 9.5.2-alpha.9 and 8.6.22 fail to properly validate OAuth2 token ownership when the useridField option is not configured, allowing attackers with any valid token from the same provider to impersonate arbitrary users. This authentication bypass affects all Parse Server deployments using the generic OAuth2 adapter without the useridField setting. The vulnerability is resolved in patched versions 9.5.2-alpha.9 and 8.6.22.
Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.
Parse Server has an incorrect authorization vulnerability enabling unauthorized data access across applications.
Parse Server versions prior to 9.5.2-alpha.6 and 8.6.19 allow authenticated users to bypass field protection checks by nesting query constraints within logical operators, enabling unauthorized extraction of protected field values. This vulnerability affects all Parse Server deployments with default protected fields, as the validation mechanism only inspects top-level query keys. A patch is available in the specified versions.
SQL injection in Sequelize prior to version 6.37.8 allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive data by manipulating JSON object keys in WHERE clause operations. The vulnerability stems from improper sanitization of cast type parameters in the _traverseJSON() function, which directly interpolates user-controlled input into CAST SQL statements. Node.js applications using affected Sequelize versions are at risk of complete database compromise.
Parse Server's Keycloak authentication adapter fails to validate the authorized party claim in access tokens, allowing tokens issued for one client application to authenticate users on another client within the same Keycloak realm. An authenticated attacker with valid credentials to any client application can exploit this to perform cross-application account takeover against Parse Server instances using Keycloak authentication in multi-client environments. A patch is available in versions 9.5.2-alpha.5 and 8.6.18.
Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.
Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16 fail to enforce class-level permissions on LiveQuery subscriptions, allowing unauthenticated attackers to subscribe to restricted data classes and receive real-time updates on all objects. This authorization bypass affects all deployments using LiveQuery with permission controls, exposing sensitive data to unauthorized subscribers. A patch is available in the mentioned versions.
Parse-Server versions up to 9.5.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).
simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.
OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.
NoSQL injection in Parse Server's password reset and email verification endpoints allows unauthenticated attackers to extract authentication tokens by injecting MongoDB query operators through the unvalidated token parameter. Affected deployments running MongoDB with these features enabled are vulnerable to email verification bypass and password reset token theft. The vulnerability is fixed in versions 8.6.14 and 9.5.2-alpha.1.
Unauthenticated attackers can crash Parse Server instances by invoking Cloud Function endpoints with prototype property names, triggering infinite recursion and process termination. Additionally, attackers can bypass validation checks using prototype pollution techniques to elicit HTTP 200 responses for non-existent functions. All Parse Server versions prior to 8.6.13 and 9.5.1-alpha.2 are affected when the Cloud Function endpoint is exposed.
Parse Server versions prior to 8.6.12 and 9.5.1-alpha.1 allow attackers to bypass the requestKeywordDenylist security control by nesting prohibited keywords within objects or arrays in request payloads, enabling injection of restricted data into applications. This logic flaw affects all Parse Server deployments since the denylist is enabled by default, and custom keyword restrictions configured by developers are equally vulnerable to the same bypassing technique. Attackers can exploit this to inject malicious content or bypass access controls on any Parse Server instance.
Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 versions up to 14.14.0 is affected by path traversal.
Parse Server's LiveQuery feature is vulnerable to denial of service through malicious regex patterns that trigger catastrophic backtracking, freezing the Node.js event loop and rendering the entire server unresponsive to all clients. Attackers only require the publicly available application ID and JavaScript key to exploit this vulnerability on any Parse Server with LiveQuery enabled. Updates to versions 9.5.0-alpha.14 or 8.6.11 and later address this issue.
OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring configuration.
node-tar is a full-featured Tar for Node.js.
Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.
Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.
Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. [CVSS 3.7 LOW]
Path traversal in node-tar versions prior to 7.5.10 allows local attackers to write files outside the intended extraction directory by exploiting drive-relative link targets during archive extraction. An attacker with the ability to create or modify tar archives can overwrite arbitrary files on the system with elevated privileges. Public exploit code exists for this vulnerability affecting Node.js, D-Link, and Tar products.
Cross-site request forgery (CSRF) in Ghost CMS versions 5.101.6 through 6.19.2 permits attackers to reuse one-time codes across different login sessions via the /session/verify endpoint, potentially enabling account takeover through phishing attacks. The vulnerability affects Ghost deployments on Node.js and related platforms, requiring no user authentication but relying on user interaction. A patch is available in Ghost version 6.19.3 and later.
express-rate-limit versions 8.0.0 through 8.3.0 (excluding patched versions) collapse all IPv4 client traffic into a single rate-limit bucket due to incorrect IPv6 subnet masking of IPv4-mapped addresses, allowing any client to trigger denial of service for all other IPv4 users by exhausting the shared limit. Public exploit code exists for this vulnerability, affecting Node.js applications using the vulnerable middleware versions. Organizations should upgrade to versions 8.0.2, 8.1.1, 8.2.2, or 8.3.0 immediately.
Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 expose sensitive database information through unfiltered error responses when processing malformed regex queries. An unauthenticated attacker can craft specially crafted query parameters to leak database internals including error messages, cluster details, and topology information. Patches are available for affected versions.
Improper authorization in Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 allows read-only master key holders to bypass access controls via the /loginAs endpoint and obtain valid session tokens for arbitrary users. An attacker with readOnlyMasterKey credentials can impersonate any user and gain full read and write access to their data. All Parse Server deployments utilizing readOnlyMasterKey functionality are affected, and no patch is currently available.
Parse Server versions before 8.6.5 and 9.5.0-alpha.3 allow the readOnlyMasterKey to perform write and delete operations on files, violating the intended read-only access restriction. An authenticated attacker with the readOnlyMasterKey can upload arbitrary files or delete existing files via the Files API on affected deployments. No patch is currently available for this medium-severity vulnerability that impacts organizations using Parse Server with exposed file endpoints.
Parse Server's readOnlyMasterKey incorrectly permits write operations on Cloud Hooks and Cloud Jobs despite being documented to deny mutations, allowing authenticated attackers with knowledge of the key to create, modify, and delete hooks or trigger jobs for potential data exfiltration. This vulnerability affects all Parse Server deployments using the readOnlyMasterKey option and has been patched in versions 8.6.4 and 9.4.1-alpha.3.
@hono/node-server versions prior to 1.19.10 contain an authorization bypass in static file serving due to inconsistent URL decoding between routing middleware and file resolution logic. An unauthenticated remote attacker can bypass route-based access controls by crafting requests with encoded slashes (%2F) to access protected static resources that should be restricted by middleware. Organizations running affected versions should upgrade immediately as no workaround is available.
Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users of SVGO, Node.js, and Golang implementations should restrict input sources until updates are released.
Prototype pollution in oRPC before 1.13.6. PoC and patch available.
Improper path validation in OpenClaw Gateway versions before 2026.2.14 enables authenticated administrators to achieve arbitrary code execution by manipulating hook module paths passed to dynamic imports. An attacker with configuration modification privileges can load and execute malicious local modules within the Node.js process, gaining full system compromise capabilities.
Arbitrary code execution in Ghost CMS versions 0.7.2 through 6.19.0 allows authenticated attackers with theme upload privileges to execute malicious code on the server by crafting specially designed theme files. The vulnerability affects Ghost installations running on Node.js and requires high privileges to exploit, though successful attacks compromise complete server integrity with confidentiality, integrity, and availability impact. No patch is currently available for affected versions.
Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. [CVSS 3.4 LOW]
Multer versions before 2.1.1 are susceptible to denial of service attacks when processing malformed multipart/form-data requests, which can trigger stack overflow conditions and crash Node.js applications. An unauthenticated remote attacker can exploit this vulnerability without user interaction to render affected services unavailable. The vulnerability affects Node.js applications using Multer for file upload handling, and patches are available in version 2.1.1 and later.
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.
A vulnerability in Multer versions up to 2.1.0 is affected by missing release of resource after effective lifetime.
Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols, affecting applications that use this API for security-sensitive operations like URL generation, password reset links, and email verification. Public exploit code exists for this vulnerability. Applications relying on ctx.hostname for routing decisions or generating user-facing URLs are at risk of credential theft, account compromise, and phishing attacks.
Minimatch versions before 3.1.3 through 10.2.3 suffer from catastrophic backtracking in glob pattern matching when processing multiple GLOBSTAR segments, allowing attackers who control glob patterns to trigger exponential time complexity and cause denial of service. Public exploit code exists for this vulnerability, and affected Node.js applications using vulnerable Minimatch versions are at immediate risk. No patch is currently available, requiring users to upgrade to patched versions or implement input validation as a mitigation.
Improper input validation in TerriaJS-Server versions before 4.0.3 allows unauthenticated remote attackers to bypass domain allowlist restrictions and proxy requests to arbitrary domains. This vulnerability affects Node.js deployments of TerriaJS and could enable attackers to access restricted resources or perform server-side request forgery attacks. A patch is available in version 4.0.3 and later.
Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.
Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.
Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
Email content leakage in Lettermint Node.js SDK versions 1.5.0 and below allows local authenticated users to intercept sensitive email data when a single client instance sends multiple messages, as email properties are not properly cleared between sends. Applications using transactional email flows with reused client instances risk exposing recipient addresses and message content to unintended parties. The vulnerability has been patched in version 1.5.1.
SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 allows unauthenticated attackers to read arbitrary database data. Patch available.
Path traversal in node-tar versions 7.5.7 and earlier allows local attackers to read and write arbitrary files outside the extraction directory by crafting malicious tar archives containing hardlinks that bypass extraction path validation. Public exploit code exists for this vulnerability, which affects default extraction configurations in Node.js and related Tar implementations. The vulnerability has been patched in node-tar 7.5.8.
Code inclusion from untrusted source in Slyde presentation tool 0.0.4 and below. Automatically imports plugin files. Patch available.
Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.
Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. Upgrade to version 5.31.0 or later to remediate.
Arbitrary command execution in systeminformation versions before 5.30.8 allows local attackers to execute OS commands through an unsanitized network interface parameter in the wifiNetworks() function's retry logic. Applications passing user-controlled input to this function are vulnerable to privilege escalation attacks running with Node.js process permissions. Public exploit code exists for this vulnerability; a patch is available.
farmfe/core versions up to 1.7.6 contains a vulnerability that allows attackers to surveil developers running Farm who visit their webpage and steal source code th (CVSS 6.5).
The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. [CVSS 3.7 LOW]
Prototype pollution in set-in npm package allows modification of Object prototype. PoC and patch available.
Arbitrary code execution in vscode-spell-checker prior to v4.5.4 allows attackers to execute malicious Node.js code by placing a crafted .cspell.config.js file in an untrusted workspace, since the extension fails to validate VS Code's workspace-trust state before loading configuration files. An attacker can exploit this by tricking users into opening a malicious workspace, resulting in code execution with the privileges of the extension host process.
Axios versions up to 0.30.3 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).
jsonpath library before 1.2.0 has an arbitrary code injection vulnerability via unsafe use of eval-like constructs in JSONPath expressions.
Client-certificate-auth middleware for Node.js versions 0.2.1 and 0.3.0 fails to validate the Host header when redirecting HTTP requests to HTTPS, enabling attackers to craft malicious redirects that direct users to arbitrary domains. Public exploit code exists for this open redirect vulnerability, and no patch is currently available for affected versions.
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the...
n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.
n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.
n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. [CVSS 7.7 HIGH]
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in...
Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. A patch is available in version 5.7.2 and later.
jsPDF versions prior to 4.1.0 contain a race condition in the addJS method where a shared module-scoped variable is overwritten during concurrent PDF generation, causing JavaScript payloads and embedded data intended for one user to be included in another user's generated PDF. This cross-user data leakage primarily affects server-side Node.js deployments handling simultaneous requests, allowing attackers to access sensitive information leaked across user sessions. Public exploit code exists for this vulnerability.
Arbitrary code execution in Backstage @backstage/plugin-techdocs-node versions before 1.13.11 and 1.14.1 allows authenticated users with repository access to execute malicious Python code on TechDocs build servers by injecting MkDocs hook configurations into mkdocs.yml files. The vulnerability affects deployments using the `runIn: local` configuration option, where an attacker can leverage the hooks feature to achieve remote code execution during documentation builds. Fixed versions implement an allowlist of permitted MkDocs configuration keys and strip unsupported keys including hooks before processing.
Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.