{ "version": "1.0", "generated_at": "2026-06-21T16:59:24.161Z", "advisories": [ { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-11525", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-06-07T18:49:35.986Z", "datePublished": "2026-06-17T17:31:03.163Z", "dateUpdated": "2026-06-17T17:54:22.022Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-17T17:31:03.163Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\nWhen undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict).\n\nAffected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.\n\nThis was introduced in undici 5.15.0 when the cookies feature was added.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nAfter parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\nWhen undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example, SameSite=NoneOfYourBusiness is parsed as None (the most permissive setting), and SameSite=StrictLax is parsed as Lax (a downgrade from Strict).\n\nAffected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.\n\nThis was introduced in undici 5.15.0 when the cookies feature was added.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nAfter parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it." } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "6.26.0" }, { "versionType": "semver", "status": "unaffected", "version": "6.26.0" }, { "versionType": "semver", "status": "affected", "version": "7.0.0", "lessThan": "7.28.0" }, { "versionType": "semver", "status": "unaffected", "version": "7.28.0" }, { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.5.0" }, { "versionType": "semver", "status": "unaffected", "version": "8.5.0" } ], "packageURL": "pkg:npm/undici" } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" }, { "lang": "en", "type": "remediation reviewer", "value": "KhafraDev" }, { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "reporter", "value": "tndud042713" } ], "title": "undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-183", "lang": "en", "description": "CWE-183: Permissive List of Allowed Inputs", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-17T17:53:40.763762Z", "id": "CVE-2026-11525", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T17:54:22.022Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-6733", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-20T22:44:32.835Z", "datePublished": "2026-06-17T17:14:50.991Z", "dateUpdated": "2026-06-17T18:30:26.429Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-17T17:14:50.991Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\nUndici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.\n\nThis requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nDisable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\nUndici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.\n\nThis requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nDisable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool." } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "6.26.0" }, { "versionType": "semver", "status": "unaffected", "version": "6.26.0" }, { "versionType": "semver", "status": "affected", "version": "7.0.0", "lessThan": "7.28.0" }, { "versionType": "semver", "status": "unaffected", "version": "7.28.0" }, { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.5.0" }, { "versionType": "semver", "status": "unaffected", "version": "8.5.0" } ], "packageURL": "pkg:npm/undici" } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52" }, { "url": "https://hackerone.com/reports/3582376" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "remediation verifier", "value": "UlisesGascon" } ], "title": "undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-17T18:30:07.748616Z", "id": "CVE-2026-6733", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T18:30:26.429Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-9678", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-05-27T08:05:04.453Z", "datePublished": "2026-06-17T17:04:09.680Z", "dateUpdated": "2026-06-17T18:05:30.162Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-17T17:04:09.680Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\nUndici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\nUndici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=\" authorization\" or no-cache=\"\\tauthorization\". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.\n\nIn shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.\n\nAffected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream." } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "7.0.0", "lessThan": "7.28.0" }, { "versionType": "semver", "status": "unaffected", "version": "7.28.0" }, { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.5.0" }, { "versionType": "semver", "status": "unaffected", "version": "8.5.0" } ], "packageURL": "pkg:npm/undici" } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" }, { "lang": "en", "type": "reporter", "value": "AndrewMohawk" } ], "title": "undici vulnerable to cross-user information disclosure via shared cache whitespace bypass", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-524", "lang": "en", "description": "CWE-524: Use of Cache Containing Sensitive Information", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-17T18:05:24.378630Z", "id": "CVE-2026-9678", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T18:05:30.162Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-9679", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-05-27T08:59:17.316Z", "datePublished": "2026-06-17T16:56:18.579Z", "dateUpdated": "2026-06-17T18:32:23.172Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-17T16:56:18.579Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\nundici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.\n\nApplications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.\n\nAffected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.\n\nThis was introduced in undici 7.0.0 via PR #3789.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\nundici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.\n\nApplications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.\n\nAffected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.\n\nThis was introduced in undici 7.0.0 via PR #3789.\n\nPatches:\nUpgrade to undici v6.26.0, v7.28.0 or v8.5.0.\n\nWorkarounds:\nIf upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes." } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "6.26.0" }, { "versionType": "semver", "status": "unaffected", "version": "6.26.0" }, { "versionType": "semver", "status": "affected", "version": "7.0.0", "lessThan": "7.28.0" }, { "versionType": "semver", "status": "unaffected", "version": "7.28.0" }, { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.5.0" }, { "versionType": "semver", "status": "unaffected", "version": "8.5.0" } ], "packageURL": "pkg:npm/undici" } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "tndud042713" }, { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "remediation reviewer", "value": "KhafraDev" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" } ], "title": "undici vulnerable to HTTP header injection via Set-Cookie percent-decoding", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-17T18:31:46.100353Z", "id": "CVE-2026-9679", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T18:32:23.172Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-9697", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-05-27T12:02:46.825Z", "datePublished": "2026-06-17T16:46:42.706Z", "dateUpdated": "2026-06-17T18:34:54.144Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-17T16:46:42.706Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\nundici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.\n\nApplications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange.\n\nAffected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nNo workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\nundici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servername settings.\n\nApplications that pin to an internal or corporate CA via requestTls.ca will, when their proxy URI is SOCKS5, get the default Mozilla CA bundle as the trust anchor instead. Any cert signed by any publicly-trusted CA for the target hostname is accepted, breaking the intended pin and enabling MITM read and tamper of the HTTPS exchange.\n\nAffected applications are those that use undici's ProxyAgent (or Socks5ProxyAgent directly) with SOCKS5 AND rely on requestTls for TLS scope restriction. The bug was introduced in undici 7.23.0 when SOCKS5 support was added.\n\nPatches:\nUpgrade to undici v7.28.0 or v8.5.0.\n\nWorkarounds:\nNo workaround is available within the SOCKS5 path. If a SOCKS5 proxy with TLS scope restriction is required and an upgrade is not yet possible, route the traffic through an HTTP-proxy ProxyAgent instead, where requestTls is honored correctly." } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "7.23.0", "lessThan": "7.28.0" }, { "versionType": "semver", "status": "unaffected", "version": "7.28.0" }, { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.5.0" }, { "versionType": "semver", "status": "unaffected", "version": "8.5.0" } ], "packageURL": "pkg:npm/undici" } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "tonghuaroot" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" } ], "title": "undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-17T18:34:18.472294Z", "id": "CVE-2026-9697", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T18:34:54.144Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-6734", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-20T22:57:40.878Z", "datePublished": "2026-06-17T16:36:55.439Z", "dateUpdated": "2026-06-17T18:26:51.736Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-17T16:36:55.439Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\nWhen using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination.\n\nThis causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP.\n\nImpacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin.\n\nThis was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0.\n\nPatches:\nUpgrade to undici v7.26.0 or v8.2.0.\n\nWorkarounds:\nUse a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\nWhen using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination.\n\nThis causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP.\n\nImpacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin.\n\nThis was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0.\n\nPatches:\nUpgrade to undici v7.26.0 or v8.2.0.\n\nWorkarounds:\nUse a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins." } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "7.23.0", "lessThan": "7.26.0" }, { "versionType": "semver", "status": "unaffected", "version": "7.26.0" }, { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.2.0" }, { "versionType": "semver", "status": "unaffected", "version": "8.2.0" } ], "packageURL": "pkg:npm/undici" } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "ChALkeR" }, { "lang": "en", "type": "remediation reviewer", "value": "mcollina" }, { "lang": "en", "type": "remediation verifier", "value": "UlisesGascon" }, { "lang": "en", "type": "finder", "value": "deepview-autofix" } ], "title": "undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-17T18:26:41.848641Z", "id": "CVE-2026-6734", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T18:26:51.736Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-9675", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-05-27T07:10:38.904Z", "datePublished": "2026-06-17T16:20:32.548Z", "dateUpdated": "2026-06-17T17:29:42.926Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-17T16:20:32.548Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\nThe undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nThis is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected.\n\nPatches:\nUpgrade to undici >= 8.5.0.\n\nWorkarounds:\nNo workaround is available. The fix must be applied through an upgrade.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\nThe undici WebSocket client enforces maxPayloadSize per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nThis is a regression specific to undici 8.1.0. The 6.25.0 line shipped the equivalent cumulative check from the start and is unaffected. The 7.x line never had the maxPayloadSize feature and is also unaffected.\n\nPatches:\nUpgrade to undici >= 8.5.0.\n\nWorkarounds:\nNo workaround is available. The fix must be applied through an upgrade." } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.5.0" }, { "versionType": "semver", "status": "unaffected", "version": "8.5.0" } ], "packageURL": "pkg:npm/undici" } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "mauriceng98" }, { "lang": "en", "type": "finder", "value": "Str1ckl4nd" }, { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" }, { "lang": "en", "type": "finder", "value": "lzhou1110" }, { "lang": "en", "type": "finder", "value": "Zyy0530" } ], "title": "undici WebSocket client vulnerable to denial of service via cumulative fragment bypass", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-17T17:29:24.751635Z", "id": "CVE-2026-9675", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T17:29:42.926Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-12151", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-06-12T18:14:04.454Z", "datePublished": "2026-06-17T16:05:38.785Z", "dateUpdated": "2026-06-17T17:30:13.782Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-17T16:05:38.785Z" }, "title": "undici WebSocket client vulnerable to denial of service via fragment count bypass", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE" } ] }, { "descriptions": [ { "lang": "en", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE" } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "versions": [ { "status": "affected", "version": "0", "lessThan": "6.26.0", "versionType": "semver" }, { "status": "unaffected", "version": "6.26.0", "versionType": "semver" }, { "status": "affected", "version": "7.0.0", "lessThan": "7.28.0", "versionType": "semver" }, { "status": "unaffected", "version": "7.28.0", "versionType": "semver" }, { "status": "affected", "version": "8.0.0", "lessThan": "8.5.0", "versionType": "semver" }, { "status": "unaffected", "version": "8.5.0", "versionType": "semver" } ], "defaultStatus": "unaffected", "packageURL": "pkg:npm/undici" } ], "descriptions": [ { "lang": "en", "value": "Impact:\nThe undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\nPatches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds:\nNo workaround is available. The fix must be applied through an upgrade.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\nThe undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\nPatches: Upgrade to undici >= 6.26.0, >= 7.28.0, or >= 8.5.0. Workarounds:\nNo workaround is available. The fix must be applied through an upgrade." } ] } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } } ], "credits": [ { "lang": "en", "value": "lpinca", "type": "reporter" }, { "lang": "en", "value": "Nadav0077", "type": "finder" }, { "lang": "en", "value": "UlisesGascon", "type": "remediation reviewer" } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-17T17:29:57.305732Z", "id": "CVE-2026-12151", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T17:30:13.782Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-9595", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-05-26T14:38:47.772Z", "datePublished": "2026-06-15T15:00:21.488Z", "dateUpdated": "2026-06-15T16:08:35.549Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-15T15:00:21.488Z" }, "descriptions": [ { "lang": "en", "value": "Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).\n\nPatches: Fixed in webpack-dev-server@5.2.5.\n\nWorkarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket (both HMR and the proxy end up writing to the same socket).\n\nPatches: Fixed in webpack-dev-server@5.2.5.\n\nWorkarounds: Scope user-defined proxy context to specific paths instead of /, or omit ws: true from the proxy entry when WebSocket forwarding is not required." } ] } ], "affected": [ { "vendor": "webpack-dev-server", "product": "webpack-dev-server", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "5.2.5" }, { "versionType": "semver", "status": "unaffected", "version": "5.2.5" } ], "packageURL": "pkg:npm/webpack-dev-server" } ], "references": [ { "url": "https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79" }, { "url": "https://cna.openjsf.org/security-advisories.html" }, { "url": "https://github.com/webpack/webpack-dev-server/pull/4316" }, { "url": "https://github.com/vuejs/vue-cli/commit/72ba7505aff2a8314e82aa5082379a77504a1fcb" }, { "url": "https://github.com/facebook/create-react-app/pull/7444" } ], "credits": [ { "lang": "en", "type": "coordinator", "value": "bjohansebas" }, { "lang": "en", "type": "analyst", "value": "UlisesGascon" }, { "lang": "en", "type": "remediation developer", "value": "ajhyndman" } ], "title": "webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-441", "lang": "en", "description": "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-15T16:08:24.761216Z", "id": "CVE-2026-9595", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T16:08:35.549Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-5038", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-27T16:26:09.638Z", "datePublished": "2026-06-15T14:23:24.230Z", "dateUpdated": "2026-06-15T16:07:45.114Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-15T14:23:24.230Z" }, "descriptions": [ { "lang": "en", "value": "Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to \nthe underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.\n\nWorkarounds: None.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to \nthe underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.\n\nWorkarounds: None." } ] } ], "affected": [ { "vendor": "multer", "product": "multer", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "2.0.0-alpha.1", "lessThan": "2.2.0" }, { "versionType": "semver", "status": "unaffected", "version": "2.2.0" }, { "versionType": "semver", "status": "affected", "version": "3.0.0-alpha.1", "lessThan": "3.0.0-alpha.2" }, { "versionType": "semver", "status": "unaffected", "version": "3.0.0-alpha.2" } ], "packageURL": "pkg:npm/multer" } ], "references": [ { "url": "https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "remediation reviewer", "value": "yuki-matsuhashi" }, { "lang": "en", "type": "finder", "value": "HamdaanAliQuatil" }, { "lang": "en", "type": "finder", "value": "fasrm" }, { "lang": "en", "type": "remediation developer", "value": "UlisesGascon" }, { "lang": "en", "type": "remediation reviewer", "value": "bjohansebas" }, { "lang": "en", "type": "finder", "value": "0xStraw-Hat" }, { "lang": "en", "type": "finder", "value": "bhaswanthc" }, { "lang": "en", "type": "finder", "value": "ByamB4" }, { "lang": "en", "type": "finder", "value": "sbouabid-sec" }, { "lang": "en", "type": "finder", "value": "DavidCarliez" }, { "lang": "en", "type": "finder", "value": "JebeenLee" } ], "title": "multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-459", "lang": "en", "description": "CWE-459: Incomplete Cleanup", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-15T16:07:25.876003Z", "id": "CVE-2026-5038", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T16:07:45.114Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-5079", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-28T19:04:56.443Z", "datePublished": "2026-06-15T13:56:45.520Z", "dateUpdated": "2026-06-15T16:00:43.955Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-15T13:56:45.520Z" }, "descriptions": [ { "lang": "en", "value": "Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.\n\nWorkarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.\n\nWorkarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact." } ] } ], "affected": [ { "vendor": "multer", "product": "multer", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "1.0.0", "lessThan": "2.2.0" }, { "versionType": "semver", "status": "unaffected", "version": "2.2.0" }, { "versionType": "semver", "status": "affected", "version": "3.0.0-alpha.1", "lessThan": "3.0.0-alpha.2" }, { "versionType": "semver", "status": "unaffected", "version": "3.0.0-alpha.2" } ], "packageURL": "pkg:npm/multer" } ], "references": [ { "url": "https://github.com/expressjs/multer/security/advisories/GHSA-72gw-mp4g-v24j" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "tndud042713" }, { "lang": "en", "type": "remediation developer", "value": "UlisesGascon" } ], "title": "multer vulnerable to Denial of Service via deeply nested field names", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-15T16:00:29.855724Z", "id": "CVE-2026-5079", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-15T16:00:43.955Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-10796", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-06-03T21:17:14.118Z", "datePublished": "2026-06-04T17:02:23.805Z", "dateUpdated": "2026-06-04T18:11:18.108Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-04T17:02:23.805Z" }, "title": "nvm executes commands from a malicious Node.js mirror's version strings", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE" } ] } ], "affected": [ { "vendor": "nvm-sh", "product": "nvm", "collectionURL": "https://github.com/nvm-sh/nvm", "repo": "https://github.com/nvm-sh/nvm", "programFiles": [ "nvm.sh" ], "versions": [ { "status": "affected", "version": "0", "lessThanOrEqual": "0.40.4", "versionType": "semver" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can ∴ run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can ∴ run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used.

" } ] } ], "references": [ { "url": "https://github.com/nvm-sh/nvm/security/advisories/GHSA-3c52-35h2-gfmm", "name": "GHSA-3c52-35h2-gfmm", "tags": [ "vendor-advisory" ] }, { "url": "https://github.com/nvm-sh/nvm/commit/6d870d182cd5333647ffa16c0d7dbcd817ec27a8", "tags": [ "patch" ] }, { "url": "https://github.com/nvm-sh/nvm/commit/90bb88748ba6c29c2cec73b18ed7057413aef308", "tags": [ "patch" ] }, { "url": "https://github.com/nvm-sh/nvm/commit/70fb4ede6b9731d75d86451d48caa5faffbec21c", "tags": [ "patch" ] } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV4_0": { "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } }, { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } } ], "credits": [ { "lang": "en", "value": "DavidCarliez reported the `nvm_download` eval sink", "type": "finder" }, { "lang": "en", "value": "`nvm_get_checksum` `awk` sink was identified during remediation via an internal audit, fixed by ljharb", "type": "analyst" } ] }, "adp": [ { "references": [ { "url": "https://github.com/nvm-sh/nvm/security/advisories/GHSA-3c52-35h2-gfmm", "tags": [ "exploit" ] } ], "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-04T18:10:57.305155Z", "id": "CVE-2026-10796", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-04T18:11:18.108Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-5078", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-28T17:42:51.328Z", "datePublished": "2026-06-03T05:56:49.512Z", "dateUpdated": "2026-06-03T13:19:32.922Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-06-03T05:56:49.512Z" }, "title": "morgan vulnerable to Log Forging via unneutralized control characters in :remote-user", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-117", "description": "CWE-117: Improper Output Neutralization for Logs", "type": "CWE" } ] } ], "affected": [ { "vendor": "morgan", "product": "morgan", "versions": [ { "status": "affected", "version": "1.2.0", "lessThanOrEqual": "1.10.1", "versionType": "semver" }, { "status": "unaffected", "version": "1.11.0", "versionType": "semver" } ], "defaultStatus": "unaffected", "packageURL": "pkg:npm/morgan" } ], "descriptions": [ { "lang": "en", "value": "Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short formats are affected, as well as any custom format that references :remote-user. Affected versions: morgan 1.2.0 through 1.10.1. Patches: upgrade to morgan 1.11.0, which neutralizes control characters in the :remote-user token output. Workarounds: use a custom format string that does not include :remote-user.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short formats are affected, as well as any custom format that references :remote-user. Affected versions: morgan 1.2.0 through 1.10.1. Patches: upgrade to morgan 1.11.0, which neutralizes control characters in the :remote-user token output. Workarounds: use a custom format string that does not include :remote-user." } ] } ], "references": [ { "url": "https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } } ], "credits": [ { "lang": "en", "value": "Yuki Matsuhashi", "type": "reporter" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation developer" }, { "lang": "en", "value": "Jon Church", "type": "remediation developer" } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-06-03T13:16:59.663217Z", "id": "CVE-2026-5078", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-03T13:19:32.922Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-8162", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-05-08T11:05:42.781Z", "datePublished": "2026-05-12T09:05:12.591Z", "dateUpdated": "2026-05-12T12:33:12.647Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-05-12T09:05:12.591Z" }, "title": "multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-755", "description": "CWE-755: Improper Handling of Exceptional Conditions", "type": "CWE" } ] } ], "affected": [ { "vendor": "multiparty", "product": "multiparty", "versions": [ { "status": "affected", "version": "0", "lessThanOrEqual": "4.2.3", "versionType": "semver" }, { "status": "unaffected", "version": "4.3.0", "versionType": "semver" } ], "defaultStatus": "unaffected", "packageURL": "pkg:npm/multiparty" } ], "descriptions": [ { "lang": "en", "value": "multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher." } ] } ], "references": [ { "url": "https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } } ], "credits": [ { "lang": "en", "value": "Byambadalai Sumiya", "type": "reporter" }, { "lang": "en", "value": "Blake Embrey", "type": "remediation developer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation reviewer" } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-12T12:32:56.127597Z", "id": "CVE-2026-8162", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-12T12:33:12.647Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-8161", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-05-08T10:38:20.438Z", "datePublished": "2026-05-12T08:50:37.685Z", "dateUpdated": "2026-05-12T12:32:10.127Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-05-12T08:50:37.685Z" }, "title": "multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-248", "description": "CWE-248: Uncaught Exception", "type": "CWE" } ] }, { "descriptions": [ { "lang": "en", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE" } ] } ], "affected": [ { "vendor": "multiparty", "product": "multiparty", "versions": [ { "status": "affected", "version": "0", "lessThanOrEqual": "4.2.3", "versionType": "semver" }, { "status": "unaffected", "version": "4.3.0", "versionType": "semver" } ], "defaultStatus": "unaffected", "packageURL": "pkg:npm/multiparty" } ], "descriptions": [ { "lang": "en", "value": "multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher." } ] } ], "references": [ { "url": "https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } } ], "credits": [ { "lang": "en", "value": "Ser0n-ath", "type": "reporter" }, { "lang": "en", "value": "Sebastian Beltran", "type": "remediation developer" }, { "lang": "en", "value": "kq5y", "type": "finder" }, { "lang": "en", "value": "Byambadalai Sumiya", "type": "finder" }, { "lang": "en", "value": "Blake Embrey", "type": "remediation reviewer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation reviewer" } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-12T12:31:39.867190Z", "id": "CVE-2026-8161", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-12T12:32:10.127Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-8159", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-05-08T09:45:28.532Z", "datePublished": "2026-05-12T08:35:39.564Z", "dateUpdated": "2026-05-12T12:33:59.418Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-05-12T08:35:39.564Z" }, "title": "multiparty vulnerable to ReDoS via filename parsing", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE" } ] } ], "affected": [ { "vendor": "multiparty", "product": "multiparty", "versions": [ { "status": "affected", "version": "0", "lessThanOrEqual": "4.2.3", "versionType": "semver" }, { "status": "unaffected", "version": "4.3.0", "versionType": "semver" } ], "defaultStatus": "unaffected", "packageURL": "pkg:npm/multiparty" } ], "descriptions": [ { "lang": "en", "value": "multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher." } ] } ], "references": [ { "url": "https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94" }, { "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } } ], "credits": [ { "lang": "en", "value": "aszx87410", "type": "finder" }, { "lang": "en", "value": "Blake Embrey", "type": "remediation developer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation reviewer" } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-12T12:33:48.310208Z", "id": "CVE-2026-8159", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-12T12:33:59.418Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-6402", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-15T20:35:29.271Z", "datePublished": "2026-05-12T07:45:21.253Z", "dateUpdated": "2026-05-12T13:00:06.847Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-05-12T07:45:21.253Z" }, "descriptions": [ { "lang": "en", "value": "webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustworthy origins, allowing a malicious site to load the bundled source as a script and read it across origins. Impact: an attacker controlling a website visited by a developer running webpack-dev-server can recover the application source code when the dev server runs over HTTP at a guessable host and port. Chromium based browsers from Chrome 142 onward are not affected due to local network access restrictions. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses." } ] } ], "affected": [ { "vendor": "webpack-dev-server", "product": "webpack-dev-server", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "5.2.4" }, { "versionType": "semver", "status": "unaffected", "version": "5.2.4" } ], "packageURL": "pkg:npm/webpack-dev-server" } ], "references": [ { "url": "https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "sapphi-red" }, { "lang": "en", "type": "remediation developer", "value": "Ulises Gascón" }, { "lang": "en", "type": "remediation developer", "value": "Sebastian Beltran" }, { "lang": "en", "type": "remediation reviewer", "value": "Alexander Akait" } ], "title": "webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-749", "lang": "en", "description": "CWE-749: Exposed Dangerous Method or Function", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-12T12:57:17.986993Z", "id": "CVE-2026-6402", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-12T13:00:06.847Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-6322", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-14T20:28:09.160Z", "datePublished": "2026-05-05T10:29:16.378Z", "dateUpdated": "2026-05-05T12:55:43.750Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-05-05T10:29:16.378Z" }, "descriptions": [ { "lang": "en", "value": "fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later." } ] } ], "affected": [ { "vendor": "fast-uri", "product": "fast-uri", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "3.1.2" }, { "versionType": "semver", "status": "unaffected", "version": "3.1.2" } ], "packageURL": "pkg:npm/fast-uri" } ], "references": [ { "url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Jvr" }, { "lang": "en", "type": "remediation developer", "value": "Matteo Collina" }, { "lang": "en", "type": "remediation developer", "value": "Ulises Gascón" }, { "lang": "en", "type": "remediation reviewer", "value": "KaKa" } ], "title": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-05T12:55:25.956279Z", "id": "CVE-2026-6322", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-05T12:55:43.750Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-6321", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-14T20:23:01.545Z", "datePublished": "2026-05-04T19:31:57.253Z", "dateUpdated": "2026-05-05T12:44:34.743Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-05-04T19:31:57.253Z" }, "descriptions": [ { "lang": "en", "value": "fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later." } ] } ], "affected": [ { "vendor": "fast-uri", "product": "fast-uri", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "3.1.1" }, { "versionType": "semver", "status": "unaffected", "version": "3.1.1" } ], "packageURL": "pkg:npm/fast-uri" } ], "references": [ { "url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Jvr" }, { "lang": "en", "type": "remediation developer", "value": "Matteo Collina" }, { "lang": "en", "type": "remediation reviewer", "value": "Ulises Gascón" }, { "lang": "en", "type": "remediation reviewer", "value": "KaKa" } ], "title": "fast-uri vulnerable to path traversal via percent-encoded dot segments", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-05T12:44:27.336265Z", "id": "CVE-2026-6321", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-05T12:44:34.743Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-7768", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-05-04T11:50:02.918Z", "datePublished": "2026-05-04T19:14:36.828Z", "dateUpdated": "2026-05-04T19:50:16.465Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-05-04T19:14:36.828Z" }, "descriptions": [ { "lang": "en", "value": "@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option." } ] } ], "affected": [ { "vendor": "@fastify/accepts-serializer", "product": "@fastify/accepts-serializer", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "6.0.4" }, { "versionType": "semver", "status": "unaffected", "version": "6.0.4" } ], "packageURL": "pkg:npm/@fastify/accepts-serializer" } ], "references": [ { "url": "https://cna.openjsf.org/security-advisories.html" }, { "url": "https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg" } ], "credits": [ { "lang": "en", "type": "finder", "value": "Yuki Matsuhashi" }, { "lang": "en", "type": "remediation reviewer", "value": "Ulises Gascón" }, { "lang": "en", "type": "remediation developer", "value": "Manuel Spigolon" } ], "title": "@fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-04T19:50:08.458813Z", "id": "CVE-2026-7768", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T19:50:16.465Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-33804", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.714Z", "datePublished": "2026-04-16T13:56:56.176Z", "dateUpdated": "2026-04-16T14:41:48.659Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:56:56.176Z" }, "descriptions": [ { "lang": "en", "value": "@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option." } ] } ], "affected": [ { "vendor": "@fastify/middie", "product": "@fastify/middie", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "9.3.2" }, { "versionType": "semver", "status": "unaffected", "version": "9.3.2" } ], "packageURL": "pkg:npm/@fastify/middie" } ], "references": [ { "url": "https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "FredKSchott" }, { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "remediation reviewer", "value": "climba03003" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" } ], "title": "@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-16T14:41:11.302146Z", "id": "CVE-2026-33804", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:41:48.659Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-6270", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-14T11:08:51.828Z", "datePublished": "2026-04-16T13:44:46.322Z", "dateUpdated": "2026-04-16T14:24:26.764Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:44:46.322Z" }, "descriptions": [ { "lang": "en", "value": "@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the parent middleware. This allows unauthenticated requests to reach routes defined in child plugin scopes, bypassing authentication and authorization checks. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds." } ] } ], "affected": [ { "vendor": "@fastify/middie", "product": "@fastify/middie", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "9.3.2" }, { "versionType": "semver", "status": "unaffected", "version": "9.3.2" } ], "packageURL": "pkg:npm/@fastify/middie" } ], "references": [ { "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c" }, { "url": "https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "FredKSchott" }, { "lang": "en", "type": "remediation developer", "value": "climba03003" }, { "lang": "en", "type": "remediation developer", "value": "UlisesGascon" } ], "title": "@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-436", "lang": "en", "description": "CWE-436: Interpretation Conflict", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-16T14:23:16.690976Z", "id": "CVE-2026-6270", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:24:26.764Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-6410", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-15T22:59:38.193Z", "datePublished": "2026-04-16T13:29:08.120Z", "dateUpdated": "2026-04-16T14:19:36.780Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:29:08.120Z" }, "descriptions": [ { "lang": "en", "value": "@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static root using path.join() without a containment check. A remote unauthenticated attacker can obtain directory listings for arbitrary directories accessible to the Node.js process, disclosing directory and file names. File contents are not disclosed. Upgrade to @fastify/static 9.1.1 to fix this issue. As a workaround, disable directory listing by removing the list option from the plugin configuration." } ] } ], "affected": [ { "vendor": "@fastify/static", "product": "@fastify/static", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "9.1.1" }, { "versionType": "semver", "status": "unaffected", "version": "9.1.1" } ], "packageURL": "pkg:npm/@fastify/static" } ], "references": [ { "url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "finder", "value": "yuki-matsuhashi" }, { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" }, { "lang": "en", "type": "remediation reviewer", "value": "climba03003" } ], "title": "@fastify/static vulnerable to path traversal in directory listing", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-16T14:19:22.028552Z", "id": "CVE-2026-6410", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T14:19:36.780Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-6414", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-04-15T23:37:33.949Z", "datePublished": "2026-04-16T13:09:03.526Z", "dateUpdated": "2026-04-16T13:48:52.393Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-16T13:09:03.526Z" }, "descriptions": [ { "lang": "en", "value": "@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators (%2F) before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. For example, a route guard on a protected path can be circumvented by encoding the path separator in the URL. Upgrade to @fastify/static 9.1.1 to fix this issue. There are no workarounds." } ] } ], "affected": [ { "vendor": "@fastify/static", "product": "@fastify/static", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "9.1.1" }, { "versionType": "semver", "status": "unaffected", "version": "9.1.1" } ], "packageURL": "pkg:npm/@fastify/static" } ], "references": [ { "url": "https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p" }, { "url": "https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr" }, { "url": "https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "blakeembrey" }, { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" }, { "lang": "en", "type": "remediation reviewer", "value": "climba03003" } ], "title": "@fastify/static vulnerable to route guard bypass via encoded path separators", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-177", "lang": "en", "description": "CWE-177: Improper Handling of URL Encoding (Hex Encoding)", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-16T13:48:04.954479Z", "id": "CVE-2026-6414", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:48:52.393Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-33805", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.714Z", "datePublished": "2026-04-15T10:13:25.147Z", "dateUpdated": "2026-04-15T13:08:12.612Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T10:13:25.147Z" }, "descriptions": [ { "lang": "en", "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "@fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers from upstream requests by listing them in the Connection header value. Any header added by the proxy for routing, access control, or security purposes can be selectively removed by a client. @fastify/http-proxy is also affected as it delegates to @fastify/reply-from. \n\nUpgrade to @fastify/reply-from v12.6.2 or @fastify/http-proxy v11.4.4 or later." } ] } ], "affected": [ { "vendor": "@fastify/reply-from", "product": "@fastify/reply-from", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "12.6.2" }, { "versionType": "semver", "status": "unaffected", "version": "12.6.2" } ], "packageURL": "pkg:npm/@fastify/reply-from" }, { "vendor": "@fastify/reply-from", "product": "@fastify/http-proxy", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "11.4.4" }, { "versionType": "semver", "status": "unaffected", "version": "11.4.4" } ], "packageURL": "pkg:npm/@fastify/http-proxy" } ], "references": [ { "url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "FredKSchott" }, { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" }, { "lang": "en", "type": "remediation reviewer", "value": "climba03003" } ], "title": "@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers", "metrics": [ { "format": "CVSS", "cvssV4_0": { "version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N", "baseScore": 9, "baseSeverity": "CRITICAL" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-644", "lang": "en", "description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "references": [ { "url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37", "tags": [ "exploit" ] } ], "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-15T13:08:08.503908Z", "id": "CVE-2026-33805", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:08:12.612Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-33807", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.715Z", "datePublished": "2026-04-15T09:52:26.838Z", "dateUpdated": "2026-04-15T13:09:45.259Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T09:55:50.627Z" }, "title": "@fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "type": "CWE" } ] } ], "affected": [ { "vendor": "fastify", "product": "@fastify/express", "versions": [ { "status": "affected", "version": "0", "lessThan": "4.0.5", "versionType": "semver" }, { "status": "unaffected", "version": "4.0.5", "versionType": "semver" } ], "defaultStatus": "unaffected", "packageURL": "pkg:npm/@fastify/express" } ], "descriptions": [ { "lang": "en", "value": "@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.\n\nUpgrade to @fastify/express v4.0.5 or later.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time, causing it to never match incoming requests. This results in complete bypass of Express middleware security controls, including authentication, authorization, and rate limiting, for all routes defined within affected child plugin scopes. No special configuration or request crafting is required.

Upgrade to @fastify/express v4.0.5 or later.

" } ] } ], "references": [ { "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } } ], "credits": [ { "lang": "en", "value": "FredKSchott", "type": "reporter" }, { "lang": "en", "value": "mcollina", "type": "remediation developer" }, { "lang": "en", "value": "UlisesGascon", "type": "remediation reviewer" }, { "lang": "en", "value": "climba03003", "type": "remediation reviewer" } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "references": [ { "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c", "tags": [ "exploit" ] } ], "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-15T13:09:41.621709Z", "id": "CVE-2026-33807", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:09:45.259Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-33808", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.715Z", "datePublished": "2026-04-15T09:29:46.091Z", "dateUpdated": "2026-04-15T13:10:24.054Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T09:29:46.091Z" }, "title": "@fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-436", "description": "CWE-436: Interpretation Conflict", "type": "CWE" } ] } ], "affected": [ { "vendor": "fastify", "product": "@fastify/express", "versions": [ { "status": "affected", "version": "0", "lessThan": "4.0.5", "versionType": "semver" }, { "status": "unaffected", "version": "4.0.5", "versionType": "semver" } ], "defaultStatus": "unaffected", "packageURL": "pkg:npm/@fastify/express" } ], "descriptions": [ { "lang": "en", "value": "Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.\n\nPatchesUpgrade to @fastify/express v4.0.5 or later.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

Impact

@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or via semicolon delimiters when useSemicolonDelimiter is enabled. In both cases, Fastify router normalizes the URL and matches the route, but @fastify/express passes the original un-normalized URL to Express middleware, which fails to match and is skipped. An unauthenticated attacker can access protected routes by manipulating the URL path.

Patches

Upgrade to @fastify/express v4.0.5 or later." } ] } ], "references": [ { "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV4_0": { "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" } } ], "credits": [ { "lang": "en", "value": "FredKSchott", "type": "reporter" }, { "lang": "en", "value": "mcollina", "type": "remediation developer" }, { "lang": "en", "value": "UlisesGascon", "type": "remediation reviewer" }, { "lang": "en", "value": "climba03003", "type": "remediation reviewer" } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "references": [ { "url": "https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88", "tags": [ "exploit" ] } ], "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-15T13:10:17.328470Z", "id": "CVE-2026-33808", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:10:24.054Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-33806", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-23T19:48:48.715Z", "datePublished": "2026-04-15T00:14:02.376Z", "dateUpdated": "2026-04-15T16:13:42.961Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-04-15T00:14:02.376Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\n\nFastify applications using schema.body.content for per-content-type body validation can have validation bypassed entirely by prepending a space to the Content-Type header. The body is still parsed correctly but schema validation is skipped.\n\nThis is a regression introduced in fastify >= 5.3.2 by the fix for CVE-2025-32442\n\nPatches:\n\nUpgrade to fastify v5.8.5 or later.\n\nWorkarounds:\n\nNone. Upgrade to the patched version." } ] } ], "affected": [ { "vendor": "fastify", "product": "fastify", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "5.3.2", "lessThan": "5.8.5" }, { "versionType": "semver", "status": "unaffected", "version": "5.8.5" } ], "packageURL": "pkg:npm/fastify" } ], "references": [ { "url": "https://github.com/fastify/fastify/security/advisories/GHSA-mg2h-6x62-wpwc" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "remediation developer", "value": "mcollina" }, { "lang": "en", "type": "remediation reviewer", "value": "climba03003" }, { "lang": "en", "type": "remediation reviewer", "value": "jsumners" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" }, { "lang": "en", "type": "reporter", "value": "Vyntral" } ], "title": "fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1287", "lang": "en", "description": "CWE-1287: Improper Validation of Specified Type of Input", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-15T14:02:12.644507Z", "id": "CVE-2026-33806", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:13:42.961Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-4800", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-25T09:12:38.355Z", "datePublished": "2026-03-31T19:25:55.987Z", "dateUpdated": "2026-03-31T20:37:03.964Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-31T19:25:55.987Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\n\nThe fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.\n\nWhen an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().\n\nPatches:\n\nUsers should upgrade to version 4.18.0.\n\nWorkarounds:\n\nDo not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\n\nThe fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.\n\nWhen an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().\n\nPatches:\n\nUsers should upgrade to version 4.18.0.\n\nWorkarounds:\n\nDo not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names." } ] } ], "affected": [ { "vendor": "lodash", "product": "lodash", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "4.0.0", "lessThan": "4.18.0" }, { "versionType": "semver", "status": "unaffected", "version": "4.18.0" } ], "packageURL": "pkg:npm/lodash" }, { "vendor": "lodash", "product": "lodash-es", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "4.0.0", "lessThan": "4.18.0" }, { "versionType": "semver", "status": "unaffected", "version": "4.18.0" } ], "packageURL": "pkg:npm/lodash-es" }, { "vendor": "lodash", "product": "lodash-amd", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "4.0.0", "lessThan": "4.18.0" }, { "versionType": "semver", "status": "unaffected", "version": "4.18.0" } ], "packageURL": "pkg:npm/lodash-amd" }, { "vendor": "lodash", "product": "lodash.template", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "4.0.0", "lessThan": "4.18.0" }, { "versionType": "semver", "status": "unaffected", "version": "4.18.0" } ], "packageURL": "pkg:npm/lodash.template" } ], "references": [ { "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" }, { "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "dolevmiz1" }, { "lang": "en", "type": "reporter", "value": "bugbunny-research" }, { "lang": "en", "type": "reporter", "value": "M0nd0R" }, { "lang": "en", "type": "remediation developer", "value": "UlisesGascon" }, { "lang": "en", "type": "remediation reviewer", "value": "falsyvalues" }, { "lang": "en", "type": "remediation reviewer", "value": "jonchurch" }, { "lang": "en", "type": "reporter", "value": "threalwinky" }, { "lang": "en", "type": "remediation reviewer", "value": "jdalton" } ], "title": "lodash vulnerable to Code Injection via `_.template` imports key names", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-31T20:36:55.080392Z", "id": "CVE-2026-4800", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T20:37:03.964Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-2950", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-02-21T20:04:35.087Z", "datePublished": "2026-03-31T19:18:35.796Z", "dateUpdated": "2026-04-01T13:43:21.491Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-31T19:18:35.796Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version." } ] } ], "affected": [ { "vendor": "lodash", "product": "lodash", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "4.17.23", "lessThan": "4.18.0" }, { "versionType": "semver", "status": "unaffected", "version": "4.18.0" } ], "packageURL": "pkg:npm/lodash" }, { "vendor": "lodash", "product": "lodash-es", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "4.17.23", "lessThan": "4.18.0" }, { "versionType": "semver", "status": "unaffected", "version": "4.18.0" } ], "packageURL": "pkg:npm/lodash-es" }, { "vendor": "lodash", "product": "lodash-amd", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "4.17.23", "lessThan": "4.18.0" }, { "versionType": "semver", "status": "unaffected", "version": "4.18.0" } ], "packageURL": "pkg:npm/lodash-amd" }, { "vendor": "lodash", "product": "lodash.unset", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "4.0.0", "lessThan": "4.18.0" }, { "versionType": "semver", "status": "unaffected", "version": "4.18.0" } ], "packageURL": "pkg:npm/lodash.unset" } ], "references": [ { "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Haruna38" }, { "lang": "en", "type": "finder", "value": "shpik-kr" }, { "lang": "en", "type": "finder", "value": "maru1009" }, { "lang": "en", "type": "finder", "value": "ott3r07" }, { "lang": "en", "type": "finder", "value": "zolbooo" }, { "lang": "en", "type": "finder", "value": "backuardo" }, { "lang": "en", "type": "remediation developer", "value": "falsyvalues" }, { "lang": "en", "type": "remediation developer", "value": "jonchurch" }, { "lang": "en", "type": "analyst", "value": "jdalton" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" } ], "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-01T13:43:14.280375Z", "id": "CVE-2026-2950", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:43:21.491Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-4923", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-26T18:05:44.717Z", "datePublished": "2026-03-26T19:02:00.729Z", "dateUpdated": "2026-03-27T13:58:03.925Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-26T19:02:00.729Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\nUnsafe examples:\n\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n\nSafe examples:\n\n/*foo-:bar\n/*foo-:bar-*baz\n\nPatches:\n\nUpgrade to version 8.4.0.\n\nWorkarounds:\n\nIf you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable." } ] } ], "affected": [ { "vendor": "path-to-regexp", "product": "path-to-regexp", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.4.0" }, { "versionType": "semver", "status": "unaffected", "version": "8.4.0" } ], "packageURL": "pkg:npm/path-to-regexp" } ], "references": [ { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "remediation developer", "value": "blakeembrey" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" } ], "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-27T13:46:47.360477Z", "id": "CVE-2026-4923", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:58:03.925Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-4926", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-26T18:36:49.229Z", "datePublished": "2026-03-26T18:59:38.000Z", "dateUpdated": "2026-03-27T19:44:53.294Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-26T18:59:38.000Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\nPatches:\n\nFixed in version 8.4.0.\n\nWorkarounds:\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns." } ] } ], "affected": [ { "vendor": "path-to-regexp", "product": "path-to-regexp", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "8.0.0", "lessThan": "8.4.0" }, { "versionType": "semver", "status": "unaffected", "version": "8.4.0" } ], "packageURL": "pkg:npm/path-to-regexp" } ], "references": [ { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "uug4na" }, { "lang": "en", "type": "remediation developer", "value": "blakeembrey" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" } ], "title": "path-to-regexp vulnerable to Denial of Service via sequential optional groups", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-27T19:44:44.790485Z", "id": "CVE-2026-4926", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:44:53.294Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-4867", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-25T20:11:53.714Z", "datePublished": "2026-03-26T16:16:25.501Z", "dateUpdated": "2026-03-26T16:52:14.893Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-26T16:16:25.501Z" }, "descriptions": [ { "lang": "en", "value": "Impact:\n\nA bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.\n\nPatches:\n\nUpgrade to path-to-regexp@0.1.13\n\nCustom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.\n\nWorkarounds:\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Impact:\n\nA bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.\n\nPatches:\n\nUpgrade to path-to-regexp@0.1.13\n\nCustom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.\n\nWorkarounds:\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length." } ] } ], "affected": [ { "vendor": "path-to-regexp", "product": "path-to-regexp", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "0.1.13" } ], "packageURL": "pkg:npm/path-to-regexp" } ], "references": [ { "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j" }, { "url": "https://blakeembrey.com/posts/2024-09-web-redos" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "EthanKim88" }, { "lang": "en", "type": "remediation developer", "value": "blakeembrey" }, { "lang": "en", "type": "remediation reviewer", "value": "UlisesGascon" } ], "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-26T16:52:08.810671Z", "id": "CVE-2026-4867", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:52:14.893Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-3635", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-06T09:16:35.081Z", "datePublished": "2026-03-23T13:53:00.386Z", "dateUpdated": "2026-03-23T15:30:10.526Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-23T13:53:00.386Z" }, "title": "Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-348", "description": "CWE-348 Use of less trusted source", "type": "CWE" } ] } ], "affected": [ { "vendor": "fastify", "product": "fastify", "versions": [ { "status": "affected", "version": "0", "lessThanOrEqual": "5.8.2", "versionType": "semver" }, { "status": "unaffected", "version": "5.8.3", "versionType": "semver" } ], "defaultStatus": "unaffected", "packageURL": "pkg:npm/fastify" } ], "descriptions": [ { "lang": "en", "value": "Summary\nWhen trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.\n\nAffected Versions\nfastify <= 5.8.2\n\nImpact\nApplications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.\n\nWhen trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

Summary
When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.

Affected Versions
fastify <= 5.8.2

Impact
Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.

When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.

" } ] } ], "references": [ { "url": "https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf" }, { "url": "https://www.cve.org/CVERecord?id=CVE-2026-3635" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" } } ], "credits": [ { "lang": "en", "value": "LetaoZhao (TinkAnet)", "type": "reporter" }, { "lang": "en", "value": "KaKa (climba03003)", "type": "remediation reviewer" }, { "lang": "en", "value": "Matteo Collina", "type": "remediation reviewer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation reviewer" } ], "source": { "discovery": "UNKNOWN" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-23T15:29:15.532885Z", "id": "CVE-2026-3635", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:30:10.526Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-2229", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-02-08T17:51:16.985Z", "datePublished": "2026-03-12T20:27:05.600Z", "dateUpdated": "2026-03-13T13:06:46.814Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-12T20:27:05.600Z" }, "title": "undici is vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-248", "description": "CWE-248 Uncaught exception", "type": "CWE" } ] }, { "descriptions": [ { "lang": "en", "cweId": "CWE-1284", "description": "CWE-1284 Improper validation of specified quantity in input", "type": "CWE" } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "collectionURL": "https://github.com/nodejs/undici/", "packageName": "undici", "repo": "https://github.com/nodejs/undici/", "versions": [ { "status": "affected", "version": "< 6.24.0; 7.0.0 < 7.24.0" }, { "status": "unaffected", "version": "6.24.0: 7.24.0" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n * The createInflateRaw() call is not wrapped in a try-catch block\n * The resulting exception propagates up through the call stack and crashes the Node.js process", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

  1. The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
  2. The createInflateRaw() call is not wrapped in a try-catch block
  3. The resulting exception propagates up through the call stack and crashes the Node.js process

" } ] } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8" }, { "url": "https://hackerone.com/reports/3487486" }, { "url": "https://cna.openjsf.org/security-advisories.html" }, { "url": "https://datatracker.ietf.org/doc/html/rfc7692" }, { "url": "https://nodejs.org/api/zlib.html#class-zlibinflateraw" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } } ], "credits": [ { "lang": "en", "value": "Matteo Collina", "type": "remediation developer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation reviewer" }, { "lang": "en", "value": "Rafael Gonzaga", "type": "remediation reviewer" }, { "lang": "en", "value": "Ethan Arrowood", "type": "remediation reviewer" }, { "lang": "en", "value": "Aisle Research", "type": "reporter" } ], "source": { "advisory": "GHSA-v9p9-hfj2-hcw8", "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-13T13:06:30.575811Z", "id": "CVE-2026-2229", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T13:06:46.814Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-1528", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-01-28T12:05:10.024Z", "datePublished": "2026-03-12T20:21:57.775Z", "dateUpdated": "2026-03-13T13:04:57.048Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-12T20:21:57.775Z" }, "title": "undici is vulnerable to Malicious WebSocket 64-bit length overflows undici parser and crashes the client", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-248", "description": "CWE-248 Uncaught exception", "type": "CWE" } ] }, { "descriptions": [ { "lang": "en", "cweId": "CWE-1284", "description": "CWE-1284 Improper validation of specified quantity in input", "type": "CWE" } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "collectionURL": "https://github.com/nodejs/undici/", "packageName": "undici", "repo": "https://github.com/nodejs/undici/", "versions": [ { "status": "affected", "version": ">= 6.0.0 < 6.24.0; 7.0.0 < 7.24.0" }, { "status": "unaffected", "version": "6.24.0: 7.24.0" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.\n\nPatches\n\nPatched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

Impact

A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.


" } ] } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj" }, { "url": "https://hackerone.com/reports/3537648" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } } ], "credits": [ { "lang": "en", "value": "Matteo Collina", "type": "remediation reviewer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation developer" } ], "source": { "advisory": "GHSA-f269-vfmq-vjvj", "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-13T13:03:59.738320Z", "id": "CVE-2026-1528", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T13:04:57.048Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-1527", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-01-28T12:05:08.491Z", "datePublished": "2026-03-12T20:17:18.984Z", "dateUpdated": "2026-03-13T18:06:03.794Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-12T20:17:18.984Z" }, "title": "undici is vulnerable to CRLF Injection via upgrade option", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-93", "description": "CWE-93 Improper neutralization of CRLF sequences ('CRLF injection')", "type": "CWE" } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "collectionURL": "https://github.com/nodejs/undici/", "packageName": "undici", "repo": "https://github.com/nodejs/undici/", "versions": [ { "status": "affected", "version": "< 6.24.0; 7.0.0 < 7.24.0" }, { "status": "unaffected", "version": "6.24.0: 7.24.0" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\\r\\n) to:\n\n * Inject arbitrary HTTP headers\n * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)\nThe vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:\n\n// lib/dispatcher/client-h1.js:1121\nif (upgrade) {\n header += `connection: upgrade\\r\\nupgrade: ${upgrade}\\r\\n`\n}", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\\r\\n) to:

  1. Inject arbitrary HTTP headers
  2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121\nif (upgrade) {\n  header += `connection: upgrade\\r\\nupgrade: ${upgrade}\\r\\n`\n}
" } ] } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq" }, { "url": "https://hackerone.com/reports/3487198" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" } } ], "credits": [ { "lang": "en", "value": "Matteo Collina", "type": "remediation developer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation developer" }, { "lang": "en", "value": "Raul Vega del Valle", "type": "analyst" } ], "source": { "advisory": "GHSA-4992-7rv2-5pvq", "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-13T18:05:24.550959Z", "id": "CVE-2026-1527", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:06:03.794Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-2581", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-02-16T12:07:35.310Z", "datePublished": "2026-03-12T20:13:19.571Z", "dateUpdated": "2026-03-13T18:04:58.799Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-12T20:13:19.571Z" }, "title": "undici is vulnerable to Unbounded Memory Consumption in in Undici's DeduplicationHandler via Response Buffering leads to DoS", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-770", "description": "CWE-770 Allocation of resources without limits or throttling", "type": "CWE" } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "collectionURL": "https://github.com/nodejs/undici/", "packageName": "undici", "repo": "https://github.com/nodejs/undici/", "versions": [ { "status": "affected", "version": "< 6.24.0; 7.0.0 < 7.24.0" }, { "status": "unaffected", "version": "6.24.0: 7.24.0" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).\n\nIn vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.\n\nImpacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies.\n\nPatchesThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.\n\nUsers should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).

In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.

Impacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies.

Patches

The issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.

Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.


" } ] } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h" }, { "url": "https://hackerone.com/reports/3513473" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } } ], "credits": [ { "lang": "en", "value": "Matteo Collina", "type": "remediation developer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation reviewer" }, { "lang": "en", "value": "Adnan Jakati", "type": "finder" } ], "source": { "advisory": "GHSA-phc3-fgpg-7m6h", "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-13T18:04:49.981133Z", "id": "CVE-2026-2581", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:04:58.799Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-1526", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-01-28T12:05:07.017Z", "datePublished": "2026-03-12T20:08:05.950Z", "dateUpdated": "2026-03-13T18:04:20.683Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-12T20:08:05.950Z" }, "title": "undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-409", "description": "CWE-409 Improper handling of highly compressed data (data amplification)", "type": "CWE" } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "collectionURL": "https://github.com/nodejs/undici/", "packageName": "undici", "repo": "https://github.com/nodejs/undici/", "versions": [ { "status": "affected", "version": "< 6.24.0; 7.0.0 < 7.24.0" }, { "status": "unaffected", "version": "6.24.0: 7.24.0" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

" } ] } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q" }, { "url": "https://hackerone.com/reports/3481206" }, { "url": "https://cna.openjsf.org/security-advisories.html" }, { "url": "https://datatracker.ietf.org/doc/html/rfc7692" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } } ], "credits": [ { "lang": "en", "value": "Matteo Collina", "type": "remediation developer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation developer" }, { "lang": "en", "value": "HO9", "type": "finder" } ], "source": { "advisory": "GHSA-vrm6-8vpv-qv8q", "discovery": "EXTERNAL" }, "x_generator": { "engine": "Vulnogram 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-13T18:04:06.608247Z", "id": "CVE-2026-1526", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:04:20.683Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-1525", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-01-28T12:04:51.369Z", "datePublished": "2026-03-12T19:56:55.092Z", "dateUpdated": "2026-03-12T20:46:13.379Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-12T19:56:55.092Z" }, "title": "undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-444", "description": "CWE-444 Inconsistent interpretation of HTTP requests ('HTTP Request/Response smuggling')", "type": "CWE" } ] } ], "impacts": [ { "capecId": "CAPEC-33", "descriptions": [ { "lang": "en", "value": "CAPEC-33 HTTP Request Smuggling" } ] }, { "capecId": "CAPEC-273", "descriptions": [ { "lang": "en", "value": "CAPEC-273 HTTP Response Smuggling" } ] } ], "affected": [ { "vendor": "undici", "product": "undici", "collectionURL": "https://github.com/nodejs/undici/", "packageName": "undici", "repo": "https://github.com/nodejs/undici/", "versions": [ { "status": "affected", "version": "< 6.24.0; 7.0.0 < 7.24.0" }, { "status": "unaffected", "version": "6.24.0: 7.24.0" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.\n\nWho is impacted:\n\n * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays\n * Applications that accept user-controlled header names without case-normalization\n\n\nPotential consequences:\n\n * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)\n * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

Potential consequences:

" } ] } ], "references": [ { "url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm" }, { "url": "https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6" }, { "url": "https://cwe.mitre.org/data/definitions/444.html" }, { "url": "https://hackerone.com/reports/3556037" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" } } ], "workarounds": [ { "lang": "en", "value": "If upgrading is not immediately possible:\n\n * Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici\n * Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key\n * Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "

If upgrading is not immediately possible:

  1. Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
  2. Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
  3. Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates
" } ] } ], "credits": [ { "lang": "en", "value": "Matteo Collina", "type": "remediation developer" }, { "lang": "en", "value": "Ulises Gascón", "type": "remediation developer" } ], "source": { "advisory": "GHSA-2mjp-6q6p-2qxm", "discovery": "INTERNAL" }, "x_generator": { "engine": "Vulnogram 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-12T20:44:24.555703Z", "id": "CVE-2026-1525", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:46:13.379Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-3419", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-01T18:56:49.613Z", "datePublished": "2026-03-06T17:50:58.714Z", "dateUpdated": "2026-03-09T14:55:21.011Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-06T17:54:33.542Z" }, "descriptions": [ { "lang": "en", "value": "Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF rule to protect against this\n\nFix:\n\nThe fix is available starting with v5.8.1.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\nImpact:\nAn attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\nWorkarounds:\nDeploy a WAF rule to protect against this\n\nFix:\n\nThe fix is available starting with v5.8.1." } ] } ], "affected": [ { "vendor": "fastify", "product": "fastify", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "5.7.2", "lessThan": "5.8.1" }, { "versionType": "semver", "status": "unaffected", "version": "5.8.1" } ], "packageURL": "pkg:npm/fastify" } ], "references": [ { "url": "https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9" }, { "url": "https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7" }, { "url": "https://httpwg.org/specs/rfc9110.html#field.content-type" }, { "url": "https://github.com/advisories/GHSA-573f-x89g-hqp9" }, { "url": "https://cna.openjsf.org/security-advisories.html" }, { "url": "https://www.cve.org/CVERecord?id=CVE-2026-3419" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Saad FELLAHI" }, { "lang": "en", "type": "remediation developer", "value": "James Sumners" }, { "lang": "en", "type": "coordinator", "value": "Matteo Collina" }, { "lang": "en", "type": "remediation reviewer", "value": "Ulises Gascón" } ], "title": "Fastify's Missing End Anchor in \"subtypeNameReg\" Allows Malformed Content-Types to Pass Validation", "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-185", "lang": "en", "description": "CWE-185: Incorrect Regular Expression", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-09T14:55:13.971640Z", "id": "CVE-2026-3419", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:55:21.011Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-3520", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-04T15:27:42.237Z", "datePublished": "2026-03-04T16:17:18.962Z", "dateUpdated": "2026-03-04T17:12:25.815Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-04T16:17:18.962Z" }, "descriptions": [ { "lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available." } ] } ], "affected": [ { "vendor": "expressjs", "product": "multer", "defaultStatus": "unaffected", "versions": [ { "versionType": "semver", "status": "affected", "version": "0", "lessThan": "2.1.1" } ], "packageURL": "pkg:npm/multer" } ], "references": [ { "url": "https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2" }, { "url": "https://www.cve.org/CVERecord?id=CVE-2026-3520" }, { "url": "https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Yuki Matsuhashi" }, { "lang": "en", "type": "remediation developer", "value": "Chris de Almeida" }, { "lang": "en", "type": "remediation reviewer", "value": "Ulises Gascón" } ], "title": "Multer vulnerable to Denial of Service via uncontrolled recursion", "metrics": [ { "format": "CVSS", "cvssV4_0": { "version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "baseScore": 8.7, "baseSeverity": "HIGH" }, "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE" } ] } ], "x_generator": { "engine": "cve-kit 1.0.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-03-04T17:12:05.396070Z", "id": "CVE-2026-3520", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T17:12:25.815Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-2880", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-02-20T16:50:56.850Z", "datePublished": "2026-02-27T18:25:37.428Z", "dateUpdated": "2026-02-27T18:56:02.979Z" }, "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "packageURL": "pkg:npm/@fastify/middie", "product": "@fastify/middie", "vendor": "@fastify/middie", "versions": [ { "lessThan": "9.2.0", "status": "affected", "version": "0.0.0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).\n\nWhen Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers." } ], "value": "A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).\n\nWhen Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers." } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-02-27T18:25:37.428Z" }, "references": [ { "url": "https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw" } ], "title": "@fastify/middie has an improper path normalization vulnerability", "x_generator": { "engine": "cve-kit 0.1.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-02-27T18:55:36.300396Z", "id": "CVE-2026-2880", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T18:56:02.979Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-3304", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-02-26T20:42:41.095Z", "datePublished": "2026-02-27T15:44:37.187Z", "dateUpdated": "2026-02-27T17:12:45.375Z" }, "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "packageURL": "pkg:npm/multer", "product": "multer", "vendor": "expressjs", "versions": [ { "lessThan": "2.1.0", "status": "affected", "version": "0.0.0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available." } ], "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-459", "description": "CWE-459", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-02-27T15:44:37.187Z" }, "references": [ { "url": "https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p" }, { "url": "https://www.cve.org/CVERecord?id=CVE-2026-3304" }, { "url": "https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "title": "Multer vulnerable to Denial of Service via incomplete cleanup", "x_generator": { "engine": "cve-kit 0.1.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-02-27T17:12:20.998590Z", "id": "CVE-2026-3304", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:12:45.375Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-2359", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-02-11T17:10:23.973Z", "datePublished": "2026-02-27T15:42:08.088Z", "dateUpdated": "2026-02-27T17:13:17.930Z" }, "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "packageURL": "pkg:npm/multer", "product": "multer", "vendor": "expressjs", "versions": [ { "lessThan": "2.1.0", "status": "affected", "version": "0.0.0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available." } ], "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-772", "description": "CWE-772", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-02-27T15:42:08.088Z" }, "references": [ { "url": "https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc" }, { "url": "https://www.cve.org/CVERecord?id=CVE-2026-2359" }, { "url": "https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "title": "Multer vulnerable to Denial of Service via resource exhaustion", "x_generator": { "engine": "cve-kit 0.1.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-02-27T17:13:07.689391Z", "id": "CVE-2026-2359", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:13:17.930Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-1665", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-01-29T21:25:18.405Z", "datePublished": "2026-01-29T23:04:05.741Z", "dateUpdated": "2026-01-30T18:27:52.134Z" }, "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "nvm", "vendor": "nvm-sh", "versions": [ { "lessThanOrEqual": "0.40.3", "status": "affected", "version": "0.40.0", "versionType": "semver" }, { "status": "unaffected", "version": "0.40.4", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Jiyong Yang (sy2n0@naver.com)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'.

" } ], "value": "A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim's shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as 'nvm install' or 'nvm ls-remote'." } ], "impacts": [ { "capecId": "CAPEC-88", "descriptions": [ { "lang": "en", "value": "CAPEC-88 OS Command Injection" } ] }, { "capecId": "CAPEC-6", "descriptions": [ { "lang": "en", "value": "CAPEC-6 Argument Injection" } ] } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.4, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-95", "description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-01-29T23:06:47.873Z" }, "references": [ { "name": "Fix commit", "tags": [ "patch" ], "url": "https://github.com/nvm-sh/nvm/commit/44e2590cdf257faf7d885e4470be8dc66cec9506" }, { "name": "Release v0.40.4", "tags": [ "release-notes" ], "url": "https://github.com/nvm-sh/nvm/releases/tag/v0.40.4" }, { "name": "nvm GitHub repository", "tags": [ "product" ], "url": "https://github.com/nvm-sh/nvm" }, { "tags": [ "x_introduced" ], "url": "https://github.com/nvm-sh/nvm/pull/3380" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

Upgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header().

" } ], "value": "Upgrade to nvm version 0.40.4 or later, which sanitizes NVM_AUTH_HEADER in the wget code path using nvm_sanitize_auth_header()." } ], "source": { "discovery": "EXTERNAL" }, "timeline": [ { "lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Fix committed" }, { "lang": "en", "time": "2026-01-29T00:00:00.000Z", "value": "v0.40.4 released" } ], "title": "Command Injection in nvm via NVM_AUTH_HEADER in wget code path" }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-01-30T18:27:21.196460Z", "id": "CVE-2026-1665", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T18:27:52.134Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2025-13465", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2025-11-20T02:16:12.128Z", "datePublished": "2026-01-21T19:05:28.846Z", "dateUpdated": "2026-06-02T12:59:53.016Z" }, "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "https://github.com/lodash/lodash" ], "packageName": "lodash", "product": "Lodash", "repo": "https://github.com/lodash/lodash", "vendor": "Lodash", "versions": [ { "lessThanOrEqual": "4.17.22", "status": "affected", "version": "4.0.0", "versionType": "semver" } ] }, { "defaultStatus": "unaffected", "modules": [ "https://github.com/lodash/lodash" ], "product": "Lodash-amd", "repo": "https://github.com/lodash/lodash", "vendor": "Lodash-amd", "versions": [ { "lessThanOrEqual": "4.17.22", "status": "affected", "version": "4.0.0", "versionType": "semver" } ] }, { "defaultStatus": "unaffected", "modules": [ "https://github.com/lodash/lodash" ], "product": "lodash-es", "repo": "https://github.com/lodash/lodash", "vendor": "lodash-es", "versions": [ { "lessThanOrEqual": "4.17.22", "status": "affected", "version": "4.0.0", "versionType": "semver" } ] }, { "defaultStatus": "unaffected", "modules": [ "https://github.com/lodash/lodash" ], "product": "lodash.unset", "repo": "https://github.com/lodash/lodash", "vendor": "lodash.unset", "versions": [ { "status": "affected", "version": "4.0.0" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Lukas Euler" }, { "lang": "en", "type": "analyst", "value": "Jordan Harband" }, { "lang": "en", "type": "remediation reviewer", "value": "Michał Lipiński" }, { "lang": "en", "type": "remediation developer", "value": "Ulises Gascón" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

This issue is patched on 4.17.23


" } ], "value": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23" } ], "impacts": [ { "capecId": "CAPEC-77", "descriptions": [ { "lang": "en", "value": "CAPEC-77 Manipulating User-Controlled Variables" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1321", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-01-21T19:05:28.846Z" }, "references": [ { "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" } ], "source": { "advisory": "GHSA-xxjr-mmjv-4gpg", "discovery": "EXTERNAL" }, "title": "Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions", "x_generator": { "engine": "Vulnogram 0.5.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-01-21T19:43:10.513400Z", "id": "CVE-2025-13465", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T19:43:38.268Z" } }, { "x_adpType": "supplier", "providerMetadata": { "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e", "shortName": "siemens-SADP", "dateUpdated": "2026-06-02T12:59:53.016Z" }, "affected": [ { "vendor": "Siemens", "product": "RUGGEDCOM RST2428P", "versions": [ { "status": "affected", "version": "0", "lessThan": "V4.0", "versionType": "custom" } ], "defaultStatus": "unknown" } ], "references": [ { "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html" } ] } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2025-13466", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2025-11-20T02:16:16.283Z", "datePublished": "2025-11-24T18:29:36.725Z", "dateUpdated": "2025-11-24T18:57:00.939Z" }, "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "packageName": "body-parser", "product": "body-parser", "repo": "https://github.com/expressjs/body-parser", "vendor": "body-parser", "versions": [ { "status": "affected", "version": "2.2.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Phillip Barta" }, { "lang": "en", "type": "remediation reviewer", "value": "Sebastian Beltran" }, { "lang": "en", "type": "remediation reviewer", "value": "Ulises Gascón" }, { "lang": "en", "type": "remediation reviewer", "value": "Chris de Almeida" }, { "lang": "en", "type": "remediation reviewer", "value": "Jean Burellier" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.

This issue is addressed in version 2.2.1.

" } ], "value": "body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.\nThis issue is addressed in version 2.2.1." } ], "impacts": [ { "capecId": "CAPEC-469", "descriptions": [ { "lang": "en", "value": "CAPEC-469 HTTP DoS" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.5, "baseSeverity": "MEDIUM", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P/AU:Y", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2025-11-24T18:29:36.725Z" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4" } ], "source": { "advisory": "GHSA-wqch-xfxh-vrr4", "discovery": "INTERNAL" }, "title": "body-parser vulnerable to denial of service when url encoding is used", "x_generator": { "engine": "Vulnogram 0.5.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2025-11-24T18:56:18.998047Z", "id": "CVE-2025-13466", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T18:57:00.939Z" } } ] } }, { "dataType": "CVE_RECORD", "cveMetadata": { "state": "PUBLISHED", "cveId": "CVE-2025-57353", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-11-05T18:32:07.743Z", "dateReserved": "2025-08-17T00:00:00.000Z", "datePublished": "2025-09-24T00:00:00.000Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-11-05T18:32:07.743Z" }, "descriptions": [ { "lang": "en", "value": "The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Due to insufficient validation of nested message keys during the processing of message data, an attacker can manipulate the prototype chain of JavaScript objects by providing specially crafted input. This can result in the injection of arbitrary properties into the Object.prototype, potentially leading to denial of service conditions or unexpected application behavior. The vulnerability allows attackers to alter the prototype of base objects, impacting all subsequent object instances throughout the application's lifecycle." } ], "affected": [ { "vendor": "n/a", "product": "n/a", "versions": [ { "version": "n/a", "status": "affected" } ] } ], "references": [ { "url": "https://github.com/messageformat/messageformat/issues/453" }, { "url": "https://github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57353" }, { "url": "https://github.com/messageformat/messageformat/pull/464" }, { "url": "https://github.com/messageformat/messageformat/commit/82cd10b40e3f922f990bbcf88a6d14b70c0a3ce0" }, { "url": "https://github.com/messageformat/messageformat/issues/453#issuecomment-3466959449" } ], "problemTypes": [ { "descriptions": [ { "type": "text", "lang": "en", "description": "n/a" } ] } ] }, "adp": [ { "problemTypes": [ { "descriptions": [ { "type": "CWE", "cweId": "CWE-1321", "lang": "en", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" } ] } ], "metrics": [ { "cvssV3_1": { "scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW" } }, { "other": { "type": "ssvc", "content": { "timestamp": "2025-09-25T18:25:47.554162Z", "id": "CVE-2025-57353", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-25T18:26:17.258Z" } } ] }, "dataVersion": "5.2" }, { "dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": { "cveId": "CVE-2025-7339", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2025-07-07T20:01:14.812Z", "datePublished": "2025-07-17T15:47:39.680Z", "dateUpdated": "2025-07-17T20:24:47.447Z" }, "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "on-headers", "vendor": "jshttp", "versions": [ { "lessThan": "1.1.0", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to `1.1.0`, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array.
" } ], "value": "on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to `1.1.0`, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-241", "description": "CWE-241", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2025-07-17T15:47:39.680Z" }, "references": [ { "url": "https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q" }, { "url": "https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867" }, { "url": "https://cna.openjsf.org/security-advisories.html" }, { "url": "https://github.com/expressjs/morgan/issues/315" }, { "url": "https://github.com/jshttp/on-headers/issues/15" } ], "source": { "discovery": "UNKNOWN" }, "title": "on-headers vulnerable to http response header manipulation", "x_generator": { "engine": "Vulnogram 0.2.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2025-07-17T20:24:38.580125Z", "id": "CVE-2025-7339", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-17T20:24:47.447Z" } } ] } }, { "dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": { "cveId": "CVE-2025-7338", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2025-07-07T20:01:12.534Z", "datePublished": "2025-07-17T15:26:45.427Z", "dateUpdated": "2025-07-17T16:48:43.154Z" }, "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "multer", "vendor": "expressjs", "versions": [ { "lessThan": "2.0.2", "status": "affected", "version": "1.4.4-lts.1", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available." } ], "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-248", "description": "CWE-248", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2025-07-17T15:26:45.427Z" }, "references": [ { "url": "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p" }, { "url": "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b" }, { "url": "https://cna.openjsf.org/security-advisories.html" } ], "source": { "discovery": "UNKNOWN" }, "title": "Multer vulnerable to Denial of Service via unhandled exception from malformed request", "x_generator": { "engine": "Vulnogram 0.2.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2025-07-17T16:48:34.245218Z", "id": "CVE-2025-7338", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-17T16:48:43.154Z" } } ] } } ] }