OpenJS Foundation CVE Numbering Authority

OpenJS Foundation CVE Numbering Authority - Security Advisories The OpenJS Foundation's CVE Numbering Authority (CNA) https://cna.openjsf.org/security-advisories.html en Sun, 21 Jun 2026 16:59:24 +0000 CVE-2026-11525: undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m CVE-2026-11525::undici Wed, 17 Jun 2026 17:31:03 +0000 undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching in undici. CVE: CVE-2026-11525. CVE-2026-6733: undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52 CVE-2026-6733::undici Wed, 17 Jun 2026 17:14:50 +0000 undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse in undici. CVE: CVE-2026-6733. CVE-2026-9678: undici vulnerable to cross-user information disclosure via shared cache whitespace bypass https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6 CVE-2026-9678::undici Wed, 17 Jun 2026 17:04:09 +0000 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass in undici. CVE: CVE-2026-9678. CVE-2026-9679: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv CVE-2026-9679::undici Wed, 17 Jun 2026 16:56:18 +0000 undici vulnerable to HTTP header injection via Set-Cookie percent-decoding in undici. CVE: CVE-2026-9679. CVE-2026-9697: undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g CVE-2026-9697::undici Wed, 17 Jun 2026 16:46:42 +0000 undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent in undici. CVE: CVE-2026-9697. CVE-2026-6734: undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj CVE-2026-6734::undici Wed, 17 Jun 2026 16:36:55 +0000 undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse in undici. CVE: CVE-2026-6734. CVE-2026-9675: undici WebSocket client vulnerable to denial of service via cumulative fragment bypass https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq CVE-2026-9675::undici Wed, 17 Jun 2026 16:20:32 +0000 undici WebSocket client vulnerable to denial of service via cumulative fragment bypass in undici. CVE: CVE-2026-9675. CVE-2026-12151: undici WebSocket client vulnerable to denial of service via fragment count bypass https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q CVE-2026-12151::undici Wed, 17 Jun 2026 16:05:38 +0000 undici WebSocket client vulnerable to denial of service via fragment count bypass in undici. CVE: CVE-2026-12151. CVE-2026-9595: webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79 CVE-2026-9595::webpack-dev-server Mon, 15 Jun 2026 15:00:21 +0000 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies in webpack-dev-server. CVE: CVE-2026-9595. CVE-2026-5038: multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm CVE-2026-5038::multer Mon, 15 Jun 2026 14:23:24 +0000 multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads in multer. CVE: CVE-2026-5038. CVE-2026-5079: multer vulnerable to Denial of Service via deeply nested field names https://github.com/expressjs/multer/security/advisories/GHSA-72gw-mp4g-v24j CVE-2026-5079::multer Mon, 15 Jun 2026 13:56:45 +0000 multer vulnerable to Denial of Service via deeply nested field names in multer. CVE: CVE-2026-5079. CVE-2026-10796: nvm executes commands from a malicious Node.js mirror's version strings https://github.com/nvm-sh/nvm/security/advisories/GHSA-3c52-35h2-gfmm CVE-2026-10796::nvm Thu, 04 Jun 2026 17:02:23 +0000 nvm executes commands from a malicious Node.js mirror's version strings in nvm. CVE: CVE-2026-10796. CVE-2026-5078: morgan vulnerable to Log Forging via unneutralized control characters in :remote-user https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m CVE-2026-5078::morgan Wed, 03 Jun 2026 05:56:49 +0000 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user in morgan. CVE: CVE-2026-5078. CVE-2026-8162: multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv CVE-2026-8162::multiparty Tue, 12 May 2026 09:05:12 +0000 multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing in multiparty. CVE: CVE-2026-8162. CVE-2026-8161: multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956 CVE-2026-8161::multiparty Tue, 12 May 2026 08:50:37 +0000 multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception in multiparty. CVE: CVE-2026-8161. CVE-2026-8159: multiparty vulnerable to ReDoS via filename parsing https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94 CVE-2026-8159::multiparty Tue, 12 May 2026 08:35:39 +0000 multiparty vulnerable to ReDoS via filename parsing in multiparty. CVE: CVE-2026-8159. CVE-2026-6402: webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w CVE-2026-6402::webpack-dev-server Tue, 12 May 2026 07:45:21 +0000 webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins in webpack-dev-server. CVE: CVE-2026-6402. CVE-2026-6322: fast-uri vulnerable to host confusion via percent-encoded authority delimiters https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc CVE-2026-6322::fast-uri Tue, 05 May 2026 10:29:16 +0000 fast-uri vulnerable to host confusion via percent-encoded authority delimiters in fast-uri. CVE: CVE-2026-6322. CVE-2026-6321: fast-uri vulnerable to path traversal via percent-encoded dot segments https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 CVE-2026-6321::fast-uri Mon, 04 May 2026 19:31:57 +0000 fast-uri vulnerable to path traversal via percent-encoded dot segments in fast-uri. CVE: CVE-2026-6321. CVE-2026-7768: @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg CVE-2026-7768::@fastify/accepts-serializer Mon, 04 May 2026 19:14:36 +0000 @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth in @fastify/accepts-serializer. CVE: CVE-2026-7768. CVE-2026-33804: @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6 CVE-2026-33804::@fastify/middie Thu, 16 Apr 2026 13:56:56 +0000 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option in @fastify/middie. CVE: CVE-2026-33804. CVE-2026-6270: @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c CVE-2026-6270::@fastify/middie Thu, 16 Apr 2026 13:44:46 +0000 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes in @fastify/middie. CVE: CVE-2026-6270. CVE-2026-6410: @fastify/static vulnerable to path traversal in directory listing https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h CVE-2026-6410::@fastify/static Thu, 16 Apr 2026 13:29:08 +0000 @fastify/static vulnerable to path traversal in directory listing in @fastify/static. CVE: CVE-2026-6410. CVE-2026-6414: @fastify/static vulnerable to route guard bypass via encoded path separators https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p CVE-2026-6414::@fastify/static Thu, 16 Apr 2026 13:09:03 +0000 @fastify/static vulnerable to route guard bypass via encoded path separators in @fastify/static. CVE: CVE-2026-6414. CVE-2026-33805: @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 CVE-2026-33805::@fastify/reply-from Wed, 15 Apr 2026 10:13:25 +0000 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers in @fastify/reply-from. CVE: CVE-2026-33805. CVE-2026-33807: @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c CVE-2026-33807::@fastify/express Wed, 15 Apr 2026 09:52:26 +0000 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes in @fastify/express. CVE: CVE-2026-33807. CVE-2026-33808: @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88 CVE-2026-33808::@fastify/express Wed, 15 Apr 2026 09:29:46 +0000 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) in @fastify/express. CVE: CVE-2026-33808. CVE-2026-33806: fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc CVE-2026-33806::fastify Wed, 15 Apr 2026 00:14:02 +0000 fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header in fastify. CVE: CVE-2026-33806. CVE-2026-4800: lodash vulnerable to Code Injection via `_.template` imports key names https://github.com/advisories/GHSA-35jh-r3h4-6jhm CVE-2026-4800::lodash Tue, 31 Mar 2026 19:25:55 +0000 lodash vulnerable to Code Injection via `_.template` imports key names in lodash. CVE: CVE-2026-4800. CVE-2026-2950: lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg CVE-2026-2950::lodash Tue, 31 Mar 2026 19:18:35 +0000 lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` in lodash. CVE: CVE-2026-2950. CVE-2026-4923: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards https://cna.openjsf.org/security-advisories.html CVE-2026-4923::path-to-regexp Thu, 26 Mar 2026 19:02:00 +0000 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards in path-to-regexp. CVE: CVE-2026-4923. CVE-2026-4926: path-to-regexp vulnerable to Denial of Service via sequential optional groups https://cna.openjsf.org/security-advisories.html CVE-2026-4926::path-to-regexp Thu, 26 Mar 2026 18:59:38 +0000 path-to-regexp vulnerable to Denial of Service via sequential optional groups in path-to-regexp. CVE: CVE-2026-4926. CVE-2026-4867: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters https://github.com/advisories/GHSA-9wv6-86v2-598j CVE-2026-4867::path-to-regexp Thu, 26 Mar 2026 16:16:25 +0000 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters in path-to-regexp. CVE: CVE-2026-4867. CVE-2026-3635: Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf CVE-2026-3635::fastify Mon, 23 Mar 2026 13:53:00 +0000 Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function in fastify. CVE: CVE-2026-3635. CVE-2026-2229: undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8 CVE-2026-2229::undici Thu, 12 Mar 2026 20:27:05 +0000 undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation in undici. CVE: CVE-2026-2229. CVE-2026-1528: undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj CVE-2026-1528::undici Thu, 12 Mar 2026 20:21:57 +0000 undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client in undici. CVE: CVE-2026-1528. CVE-2026-1527: undici is vulnerable to CRLF Injection via upgrade option https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq CVE-2026-1527::undici Thu, 12 Mar 2026 20:17:18 +0000 undici is vulnerable to CRLF Injection via upgrade option in undici. CVE: CVE-2026-1527. CVE-2026-2581: undici is vulnerable to Unbounded Memory Consumption in in Undici's DeduplicationHandler via Response Buffering leads to DoS https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h CVE-2026-2581::undici Thu, 12 Mar 2026 20:13:19 +0000 undici is vulnerable to Unbounded Memory Consumption in in Undici's DeduplicationHandler via Response Buffering leads to DoS in undici. CVE: CVE-2026-2581. CVE-2026-1526: undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q CVE-2026-1526::undici Thu, 12 Mar 2026 20:08:05 +0000 undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression in undici. CVE: CVE-2026-1526. CVE-2026-1525: undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm CVE-2026-1525::undici Thu, 12 Mar 2026 19:56:55 +0000 undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in undici. CVE: CVE-2026-1525. CVE-2026-3419: Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9 CVE-2026-3419::fastify Fri, 06 Mar 2026 17:50:58 +0000 Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation in fastify. CVE: CVE-2026-3419. CVE-2026-3520: Multer vulnerable to Denial of Service via uncontrolled recursion https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2 CVE-2026-3520::multer Wed, 04 Mar 2026 16:17:18 +0000 Multer vulnerable to Denial of Service via uncontrolled recursion in multer. CVE: CVE-2026-3520. CVE-2026-2880: @fastify/middie has an improper path normalization vulnerability https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw CVE-2026-2880::@fastify/middie Fri, 27 Feb 2026 18:25:37 +0000 @fastify/middie has an improper path normalization vulnerability in @fastify/middie. CVE: CVE-2026-2880. CVE-2026-3304: Multer vulnerable to Denial of Service via incomplete cleanup https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p CVE-2026-3304::multer Fri, 27 Feb 2026 15:44:37 +0000 Multer vulnerable to Denial of Service via incomplete cleanup in multer. CVE: CVE-2026-3304. CVE-2026-2359: Multer vulnerable to Denial of Service via resource exhaustion https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc CVE-2026-2359::multer Fri, 27 Feb 2026 15:42:08 +0000 Multer vulnerable to Denial of Service via resource exhaustion in multer. CVE: CVE-2026-2359. CVE-2026-1665: Command Injection in nvm via NVM_AUTH_HEADER in wget code path https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506 CVE-2026-1665::nvm Thu, 29 Jan 2026 23:04:05 +0000 Command Injection in nvm via NVM_AUTH_HEADER in wget code path in nvm. CVE: CVE-2026-1665. CVE-2025-13465: Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg CVE-2025-13465::Lodash Wed, 21 Jan 2026 19:05:28 +0000 Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions in Lodash. CVE: CVE-2025-13465. CVE-2025-13466: body-parser vulnerable to denial of service when url encoding is used https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 CVE-2025-13466::body-parser Mon, 24 Nov 2025 18:29:36 +0000 body-parser vulnerable to denial of service when url encoding is used in body-parser. CVE: CVE-2025-13466. CVE-2025-57353: https://github.com/messageformat/messageformat/issues/453 CVE-2025-57353::n/a Wed, 24 Sep 2025 00:00:00 +0000 in n/a. CVE: CVE-2025-57353. CVE-2025-7339: on-headers vulnerable to http response header manipulation https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q CVE-2025-7339::on-headers Thu, 17 Jul 2025 15:47:39 +0000 on-headers vulnerable to http response header manipulation in on-headers. CVE: CVE-2025-7339. CVE-2025-7338: Multer vulnerable to Denial of Service via unhandled exception from malformed request https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p CVE-2025-7338::multer Thu, 17 Jul 2025 15:26:45 +0000 Multer vulnerable to Denial of Service via unhandled exception from malformed request in multer. CVE: CVE-2025-7338.