The Network · 2026-03-05 10:27:03 · ai
A critical severity vulnerability (CVE-2022-29078) has been identified in the ejs (Embedded JavaScript templates) package version 3.1.6 for Node.js. The vulnerability allows for server-side template injection via the `settings[view options][outputFunctionName]` parameter. This input is incorrectly parsed as an internal...
The Lab · 2026-03-26 09:27:15 · GitHub Issues
The widely used JavaScript wildcard-matching library `picomatch` has been found to contain high-severity security vulnerabilities affecting versions 4.0.0 through 4.0.3. The vulnerability is rated high severity with a CVSS score of 7.5; an attacker can exploit it to mount a Regular Expression Denial of Service (ReDoS) attack, causing a sharp drop in application performance or even a service outage. Because `picomatch` is a transitive dependency of many popular tools (such as Webpack and Gulp), its potential impact is enormous, and any project that has not updated promptly may face the risk of service paralysis.
The vulnerability details point to two core problems. The first is the ReDoS vulnerability tracked as GHSA-c2c7-rcm5-vvqj, which stems from improper handling of `extglob` quantifiers; by crafting a malicious wildcard pattern, an attacker can trigger catastrophic backtracking in the regular expression engine and thereby exhaust the server's...
The Lab · 2026-03-26 23:27:32 · GitHub Issues
A critical security update for the widely-used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function, which is inherited from the bundled `jsbn` library. When this function is called with a ...
The Lab · 2026-03-27 02:27:03 · GitHub Issues
A newly disclosed medium-severity vulnerability, CVE-2026-33750, has been detected in the widely used `brace-expansion-1.1.11.tgz` NPM library. This flaw, which affects a core component for shell-style brace expansion in JavaScript, introduces a tangible security risk into the software supply chain. The vulnerability i...
The Lab · 2026-03-27 02:27:10 · GitHub Issues
A high-severity vulnerability, CVE-2026-31802, has been detected in a widely used Node.js library, exposing a critical supply chain risk. The flaw resides in `tar-4.4.8.tgz`, a core library for handling tar archives in Node.js applications. This is not an isolated issue; the vulnerable component is deeply embedded with...
The Lab · 2026-03-27 06:27:06 · GitHub Issues
A routine dependency update for the Spotify API documentation repository has exposed a critical security patch. The update addresses a HIGH-severity Denial of Service (DoS) vulnerability discovered in the `node-forge` library, a widely used cryptographic toolkit. The flaw, tracked as CVE-2026-XXXX, resides in the `BigI...
The Lab · 2026-03-27 06:27:09 · GitHub Issues
A serious security vulnerability has been confirmed in version 1.13.2 of the popular HTTP client library Axios. The vulnerability is tracked as CVE-2026-25639 and carries a Common Vulnerability Scoring System (CVSS) score of 7.5, placing it in the high-severity tier. The key point is that the vulnerability has been assessed as "exploitable", meaning an attacker could, under specific conditions, take advantage of this defect. For Node.js and browser projects that depend on this version of Axios, this constitutes a direct security risk.
The specific details of the vulnerability have not yet been fully disclosed, but it is known to affect Axios version 1.13.2. The vulnerability report explicitly states that the affected path is located in the `/ui-plugins/muse-runner-ui/package.json` file, indicating that the vulnerability is "reachable" under a specific project configuration. This means that if the application...
The Lab · 2026-03-27 07:27:04 · GitHub Issues
A critical security vulnerability in the widely-used `node-forge` library has been patched, exposing a path for attackers to potentially bypass downstream cryptographic verifications and security decisions. The flaw, rated HIGH severity, is an Interpretation Conflict (CWE-436) that allows remote, unauthenticated attack...
The Lab · 2026-03-27 07:27:05 · GitHub Issues
A newly disclosed, high-severity vulnerability (CVE-2026-33894) has been detected in multiple versions of the critical `node-forge` JavaScript library, a foundational component for cryptography, PKI, and network security in countless Node.js applications. The flaw's presence in versions 0.7.5, 0.7.6, and 0.10.0 exposes...
The Lab · 2026-03-27 09:27:01 · GitHub Issues
The JavaScript library `picomatch`, a central component for glob matching in Node.js projects, contains two critical security vulnerabilities in versions 4.0.0 through 4.0.3. One of them is a ReDoS vulnerability with a CVSS score of 7.5 that enables attackers to subject servers to specially crafted inputs...
The Lab · 2026-03-27 09:27:02 · GitHub Issues
A critical security scan has flagged multiple high-severity Regular Expression Denial of Service (ReDoS) vulnerabilities in the `minimatch` library, a core dependency for millions of JavaScript and TypeScript projects. The affected versions, `<=10.0.2`, are currently installed via the popular `@typescript-eslint/typesc...
The Lab · 2026-03-27 09:27:05 · GitHub Issues
The widely used Node.js package `minimatch` contains several highly critical security vulnerabilities that can lead to denial-of-service attacks. The ReDoS (Regular Expression Denial of Service) vulnerabilities, rated HIGH, in versions ≤3.1.3 and 9.0.0–9.0.6 allow attackers, by means of specially crafted...
The Lab · 2026-03-27 11:27:28 · GitHub Issues
A critical security flaw in the widely-used `yaml` JavaScript library exposes countless applications to denial-of-service attacks. The vulnerability, tracked as CVE-2026-33532, allows an attacker to crash a system by supplying a specially crafted YAML document that triggers a stack overflow during parsing. This is not ...
The Lab · 2026-03-27 12:27:32 · GitHub Issues
A critical security vulnerability in the widely-used Nodemailer library has been patched in its latest major version, prompting urgent dependency updates across countless Node.js applications. The flaw, tracked as GHSA-c7w3-x93f-qmm8, is an SMTP command injection vulnerability stemming from an unsanitized `envelope.siz...
The Lab · 2026-03-27 21:27:19 · GitHub Issues
A critical security vulnerability, CVE-2026-33891, has been disclosed in the widely-used `node-forge` cryptography library, triggering mandatory dependency updates across countless software projects. The flaw, detailed in a GitHub security advisory, has prompted the library's maintainers at Digital Bazaar to release a ...
The Lab · 2026-03-27 22:27:06 · GitHub Issues
A high-severity Regular Expression Denial of Service (ReDoS) vulnerability, tracked as CVE-2026-4867 (CVSS 7.5), has been resolved in the `path-to-regexp` library. The flaw was discovered within the dependency chain of `@itwin/express-server`, which pulls in the vulnerable version via the `express` package. This type o...
The Lab · 2026-03-27 23:27:18 · GitHub Issues
A critical security update from Aikido addresses eight vulnerabilities across widely-used dependencies, including a severe path traversal flaw that could allow a malicious FTP server to write files anywhere on a system. The patch resolves one critical and multiple high-severity CVEs, directly mitigating risks of remote...
The Lab · 2026-03-28 00:27:09 · GitHub Issues
A high-severity vulnerability, CVE-2026-4867, has been identified in the widely used Express.js framework version 4.22.1. The flaw, with a CVSS score of 7.5, resides in the `path-to-regexp` dependency, a core library for parsing URL paths. This security gap exposes any application built on this specific version of Expr...
The Lab · 2026-03-28 01:27:01 · GitHub Issues
A high-severity vulnerability, CVE-2026-4867, has been detected in the widely used `path-to-regexp` npm library, version 0.1.7. This flaw, which generates a bad regular expression under specific conditions, poses a direct risk to the security and stability of any application that depends on it, particularly those built...
The Lab · 2026-03-28 01:27:03 · GitHub Issues
The open-source package `filesniffer-1.0.3.tgz` has been found to contain a serious security vulnerability with a CVSS score of 6.5 (medium). The vulnerability does not reside in `filesniffer` itself but lurks deep in its dependency chain, specifically at the path `/node_modules/filehound/node_modules/brace-expansion/package.json`. This means that the security perimeter of any project that pulls in `filesniffer` could be quietly breached through this indirect dependency. The vulnerability has already been noted in the GitHub repository `GarySegal-Mend-DemoCorp/JuiceShop` at a specific commit (55db57ec3f9859e87962c0bf25387e43480847f...