The OpenJS Foundation's CVE Numbering Authority (CNA)
Published CVEs for security vulnerabilities in OpenJS-hosted projects. Subscribe via RSS to get notified of new advisories.
| Date | CVE ID | Issuer | Advisory | Project | Title |
|---|---|---|---|---|---|
| 2026-06-17 | CVE-2026-11525 | openjs | Advisory | undici | undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching |
| 2026-06-17 | CVE-2026-6733 | openjs | Advisory | undici | undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse |
| 2026-06-17 | CVE-2026-9678 | openjs | Advisory | undici | undici vulnerable to cross-user information disclosure via shared cache whitespace bypass |
| 2026-06-17 | CVE-2026-9679 | openjs | Advisory | undici | undici vulnerable to HTTP header injection via Set-Cookie percent-decoding |
| 2026-06-17 | CVE-2026-9697 | openjs | Advisory | undici | undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent |
| 2026-06-17 | CVE-2026-6734 | openjs | Advisory | undici | undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse |
| 2026-06-17 | CVE-2026-9675 | openjs | Advisory | undici | undici WebSocket client vulnerable to denial of service via cumulative fragment bypass |
| 2026-06-17 | CVE-2026-12151 | openjs | Advisory | undici | undici WebSocket client vulnerable to denial of service via fragment count bypass |
| 2026-06-15 | CVE-2026-9595 | openjs | Advisory | webpack-dev-server | webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies |
| 2026-06-15 | CVE-2026-5038 | openjs | Advisory | multer | multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads |
| 2026-06-15 | CVE-2026-5079 | openjs | Advisory | multer | multer vulnerable to Denial of Service via deeply nested field names |
| 2026-06-04 | CVE-2026-10796 | openjs | Advisory | nvm | nvm executes commands from a malicious Node.js mirror's version strings |
| 2026-06-03 | CVE-2026-5078 | openjs | Advisory | morgan | morgan vulnerable to Log Forging via unneutralized control characters in :remote-user |
| 2026-05-12 | CVE-2026-8162 | openjs | Advisory | multiparty | multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing |
| 2026-05-12 | CVE-2026-8161 | openjs | Advisory | multiparty | multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception |
| 2026-05-12 | CVE-2026-8159 | openjs | Advisory | multiparty | multiparty vulnerable to ReDoS via filename parsing |
| 2026-05-12 | CVE-2026-6402 | openjs | Advisory | webpack-dev-server | webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins |
| 2026-05-05 | CVE-2026-6322 | openjs | Advisory | fast-uri | fast-uri vulnerable to host confusion via percent-encoded authority delimiters |
| 2026-05-04 | CVE-2026-6321 | openjs | Advisory | fast-uri | fast-uri vulnerable to path traversal via percent-encoded dot segments |
| 2026-05-04 | CVE-2026-7768 | openjs | Advisory | @fastify/accepts-serializer | @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth |
| 2026-04-16 | CVE-2026-33804 | openjs | Advisory | @fastify/middie | @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option |
| 2026-04-16 | CVE-2026-6270 | openjs | Advisory | @fastify/middie | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes |
| 2026-04-16 | CVE-2026-6410 | openjs | Advisory | @fastify/static | @fastify/static vulnerable to path traversal in directory listing |
| 2026-04-16 | CVE-2026-6414 | openjs | Advisory | @fastify/static | @fastify/static vulnerable to route guard bypass via encoded path separators |
| 2026-04-15 | CVE-2026-33805 | openjs | Advisory | @fastify/reply-from | @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers |
| 2026-04-15 | CVE-2026-33807 | openjs | Advisory | @fastify/express | @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes |
| 2026-04-15 | CVE-2026-33808 | openjs | Advisory | @fastify/express | @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) |
| 2026-04-15 | CVE-2026-33806 | openjs | Advisory | fastify | fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header |
| 2026-03-31 | CVE-2026-4800 | openjs | Advisory | lodash | lodash vulnerable to Code Injection via `_.template` imports key names |
| 2026-03-31 | CVE-2026-2950 | openjs | Advisory | lodash | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` |
| 2026-03-26 | CVE-2026-4923 | openjs | Advisory | path-to-regexp | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards |
| 2026-03-26 | CVE-2026-4926 | openjs | Advisory | path-to-regexp | path-to-regexp vulnerable to Denial of Service via sequential optional groups |
| 2026-03-26 | CVE-2026-4867 | openjs | Advisory | path-to-regexp | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters |
| 2026-03-23 | CVE-2026-3635 | openjs | Advisory | fastify | Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function |
| 2026-03-12 | CVE-2026-2229 | openjs | Advisory | undici | undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation |
| 2026-03-12 | CVE-2026-1528 | openjs | Advisory | undici | undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client |
| 2026-03-12 | CVE-2026-1527 | openjs | Advisory | undici | undici is vulnerable to CRLF Injection via upgrade option |
| 2026-03-12 | CVE-2026-2581 | openjs | Advisory | undici | undici is vulnerable to Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS |
| 2026-03-12 | CVE-2026-1526 | openjs | Advisory | undici | undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression |
| 2026-03-12 | CVE-2026-1525 | openjs | Advisory | undici | undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |
| 2026-03-06 | CVE-2026-3419 | openjs | Advisory | fastify | Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation |
| 2026-03-04 | CVE-2026-3520 | openjs | Advisory | multer | Multer vulnerable to Denial of Service via uncontrolled recursion |
| 2026-02-27 | CVE-2026-2880 | openjs | Advisory | @fastify/middie | @fastify/middie has an improper path normalization vulnerability |
| 2026-02-27 | CVE-2026-3304 | openjs | Advisory | multer | Multer vulnerable to Denial of Service via incomplete cleanup |
| 2026-02-27 | CVE-2026-2359 | openjs | Advisory | multer | Multer vulnerable to Denial of Service via resource exhaustion |
| 2026-01-29 | CVE-2026-1665 | openjs | Advisory | nvm | Command Injection in nvm via NVM_AUTH_HEADER in wget code path |
| 2026-01-21 | CVE-2025-13465 | openjs | Advisory | Lodash | Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions |
| 2025-11-24 | CVE-2025-13466 | openjs | Advisory | body-parser | body-parser vulnerable to denial of service when url encoding is used |
| 2025-09-24 | CVE-2025-57353 | mitre | Advisory | n/a | |
| 2025-07-17 | CVE-2025-7339 | openjs | Advisory | on-headers | on-headers vulnerable to http response header manipulation |
| 2025-07-17 | CVE-2025-7338 | openjs | Advisory | multer | Multer vulnerable to Denial of Service via unhandled exception from malformed request |