The Network · 2026-03-05 10:27:03 · ai
A critical severity vulnerability (CVE-2022-29078) has been identified in the ejs (Embedded JavaScript templates) package version 3.1.6 for Node.js. The vulnerability allows for server-side template injection via the `settings[view options][outputFunctionName]` parameter. This input is incorrectly parsed as an internal...
The Lab · 2026-03-25 09:27:14 · GitHub Issues
A critical security flaw has been identified in the `minimatch` library, a core dependency for millions of JavaScript projects. The vulnerability, rated HIGH severity, exposes systems to ReDoS (Regular Expression Denial of Service) attacks, where a maliciously crafted glob pattern can trigger catastrophic backtracking,...
The Lab · 2026-03-25 09:27:15 · GitHub Issues
A critical security report reveals two high-severity vulnerabilities in the widely used `flatted` npm package, versions 3.4.1 and below. The flaws expose countless development projects to potential Denial of Service (DoS) attacks and prototype pollution, posing a direct risk to application stability and security.
The ...
The Lab · 2026-03-25 15:27:33 · GitHub Issues
A high-severity Cross-Site Scripting (XSS) vulnerability has been identified within a single JavaScript file, posing a direct risk of client-side script injection. The flaw is classified under CWE-79 and OWASP A03:2021 - Injection, with an 80% confidence rating. The core issue is a direct, unescaped assignment of user ...
The Lab · 2026-03-25 16:27:14 · GitHub Issues
A critical security vulnerability has been identified in a key application file, exposing the system to potential arbitrary code execution by attackers. The flaw is a direct code injection vulnerability, classified as CWE-94 and OWASP A03:2021 - Injection, with a high confidence rating of 80%. The core of the issue lie...
The Lab · 2026-03-25 16:27:15 · GitHub Issues
A high-severity Cross-Site Scripting (XSS) vulnerability has been identified within a critical development configuration file. The flaw resides in a `document.write` call that directly incorporates user input without proper sanitization, creating a potential injection point for malicious scripts to execute in users' br...
The Lab · 2026-03-26 09:27:15 · GitHub Issues
A high-severity security vulnerability has been disclosed in the widely used JavaScript glob-matching library `picomatch`, affecting versions 4.0.0 through 4.0.3. The vulnerability is rated high severity with a CVSS score of 7.5; an attacker can exploit it to launch a Regular Expression Denial of Service (ReDoS) attack, causing a sharp drop in application performance or even a service outage. As a transitive dependency of many popular tools (such as Webpack and Gulp), `picomatch` has a very large potential impact surface, and any project that has not updated promptly may be at risk of service disruption.
The vulnerability details point to two core issues. The first is the ReDoS vulnerability identified as GHSA-c2c7-rcm5-vvqj, which stems from improper handling of `extglob` quantifiers; by constructing a malicious glob pattern, an attacker can trigger catastrophic backtracking in the regular expression engine, thereby exhausting the service...
The Lab · 2026-03-26 16:27:15 · GitHub Issues
A critical path traversal vulnerability in the widely used Rollup JavaScript module bundler exposes build systems to arbitrary file writes. The flaw, tracked as CVE-2026-27606, stems from insecure filename sanitization within Rollup's core engine, allowing an attacker to control output filenames and potentially overwri...
The Lab · 2026-03-26 16:27:20 · GitHub Issues
A critical security vulnerability has been disclosed in the widely-used Rollup module bundler, exposing countless JavaScript build pipelines to arbitrary file write attacks. The flaw, tracked as CVE-2026-27606, stems from insecure file name sanitization within Rollup's core engine, specifically in v4.x versions. This p...
The Lab · 2026-03-26 22:27:26 · GitHub Issues
A high-severity security vulnerability has been found in the widely used JavaScript cryptography library `node-forge` in versions 1.3.1 and earlier; an attacker can exploit it by constructing malicious ASN.1 data structures, causing downstream cryptographic verification and security decisions to fail. The vulnerability is rated "High" severity, assigned CVE-2025-12816, and was reported by researcher Hunter Wodzenski. At its core it is an interpretation conflict: a carefully crafted ASN.1 structure causes the schema validation process to "desynchronize", potentially bypassing critical cryptographic checks.
`node-forge` is a core library in the Node.js ecosystem for implementing TLS and various cryptographic tools, and its security directly affects the large number of applications and services that depend on it. The discovery of this vulnerability prompted maintainer Digital Bazaar ...
The Lab · 2026-03-26 23:27:30 · GitHub Issues
A critical security update for the widely-used `node-forge` cryptography library patches a high-severity Denial of Service (DoS) vulnerability. The flaw, tracked as CVE-2026-33891, resides in the `BigInteger.modInverse()` function. When this function is called with a zero value as input, the internal Extended Euclidean...
The Lab · 2026-03-26 23:27:33 · GitHub Issues
A security vulnerability rated "High" is affecting the widely used JavaScript cryptography library node-forge. The vulnerability (CVE-2025-12816) allows a remote, unauthenticated attacker to craft ASN.1 data structures that cause the schema validation process to "desynchronize", potentially bypassing downstream cryptographic verification and security decisions. This interpretation conflict vulnerability (CWE-436) exists in versions 1.3.1 and earlier and opens a potential back door for attackers.
The vulnerability was reported by Hunter Wodzenski and has been fixed in node-forge version 1.3.2. However, the fix did not go smoothly. After 1.3.2 was released, developers found that the fix introduced a new problem that broke PKCS#12/PFX file handling. This forced the project to issue an emergency release a few days later...
The Lab · 2026-03-27 01:27:04 · GitHub Issues
A critical remote code execution (RCE) vulnerability has been patched in the popular `happy-dom` JavaScript testing library. The flaw, tracked as CVE-2026-33943, resides in the library's `ECMAScriptModuleCompiler`. It allows an attacker to inject arbitrary JavaScript expressions inside `export { }` declarations within ...
The Lab · 2026-03-27 02:27:04 · GitHub Issues
A critical code injection vulnerability has been discovered in the popular `serialize-javascript` npm package, whose previous fix for CVE-2020-7660 has proven incomplete. The vulnerability exists in versions 7.0.2 and earlier and allows an attacker to inject malicious code into the serialized output through carefully crafted regular expression flags (`RegExp.flags`), whereas the earlier security patch only sanitized `RegExp.source`. This means that the thousands of Node.js and front-end projects that rely on this library for data serialization still face a real risk of remote code execution (RCE) unless they upgrade to the latest version (7.0.3+).
The vulnerability is tracked as GitHub security advisory GHSA-5c6j-r48x-rmvq and is the CVE-2020-7660...
The Lab · 2026-03-27 05:27:04 · GitHub Issues
A critical security vulnerability in the widely-used `devalue` library, a core component of the Svelte and Nuxt.js ecosystems, has been patched. The flaw, tracked as CVE-2026-30226, resided in the `devalue.parse` and `devalue.unflatten` functions, making them susceptible to prototype pollution attacks. A maliciously cr...
The Lab · 2026-03-27 06:26:56 · GitHub Issues
A critical security flaw in the widely-used Handlebars.js templating engine exposes millions of web applications to prototype pollution attacks. The vulnerability, tracked as CVE-2026-33916, resides in the `resolvePartial()` function within the Handlebars runtime. This function performs a plain property lookup on `opti...
The Lab · 2026-03-27 06:27:01 · GitHub Issues
A critical security vulnerability has been identified in the widely used `brace-expansion` npm package, forcing immediate dependency upgrades across major software projects. The flaw, present in versions prior to 5.0.5, is a transitive dependency for popular tools like `[email protected]` and `[email protected]`, potentially expo...
The Lab · 2026-03-27 06:27:03 · GitHub Issues
A high-severity security vulnerability has been identified within the `getsentry/sentry-javascript` repository, stemming from the `fast-xml-parser` dependency. The flaw, classified as conditionally reachable, poses a significant risk of information disclosure. The exact technical details of the vulnerability are being ...
The Lab · 2026-03-27 06:27:09 · GitHub Issues
A serious security vulnerability has been confirmed in version 1.13.2 of the popular HTTP client library Axios. The vulnerability is tracked as CVE-2026-25639 and carries a Common Vulnerability Scoring System (CVSS) score of 7.5, placing it in the high-severity range. Crucially, the vulnerability has been assessed as "exploitable", meaning an attacker could leverage the flaw under specific conditions. For Node.js and browser projects that depend on this version of Axios, this constitutes a direct security risk.
The specific details of the vulnerability have not yet been fully disclosed, but it is known to affect Axios version 1.13.2. The vulnerability report explicitly states that its impact path is the `/ui-plugins/muse-runner-ui/package.json` file, indicating that the vulnerability is "reachable" under a specific project configuration. This means that if the application...
The Lab · 2026-03-27 07:26:56 · GitHub Issues
A high-severity vulnerability, CVE-2026-33894, has been flagged within a widely used JavaScript cryptography library, node-forge version 1.3.3. The flaw is not directly in a primary application but is buried deep within the software supply chain, introduced via a nested dependency. This creates a significant, often ove...