Security Advisories
2026-06-15
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
2026-06-15
multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
2026-06-15
multer vulnerable to Denial of Service via deeply nested field names
2026-06-04
nvm vulnerable to OS command injection via crafted version strings from a malicious Node.js mirror
2026-06-03
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
2026-05-12
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
2026-05-12
multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception
2026-05-12
multiparty vulnerable to ReDoS via filename parsing
2026-05-12
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
2026-05-05
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
2026-05-04
fast-uri vulnerable to path traversal via percent-encoded dot segments
2026-05-04
@fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth
2026-04-16
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
2026-04-16
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
2026-04-16
@fastify/static vulnerable to path traversal in directory listing
2026-04-16
@fastify/static vulnerable to route guard bypass via encoded path separators
2026-04-15
@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers
2026-04-15
@fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers
2026-04-15
@fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes
2026-04-15
@fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
2026-04-14
fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header
2026-03-31
Incomplete fix for CVE-2021-23337 allows code injection via _.template imports key names
2026-03-31
lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit
2026-03-26
path-to-regexp vulnerable to Denial of Service via sequential optional groups
2026-03-26
ReDoS possible with multiple wildcards
2026-03-26
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
2026-03-23
Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
2026-03-12
Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS
2026-03-12
CRLF Injection in undici via upgrade option
2026-03-12
Malicious WebSocket 64-bit length overflows undici parser and crashes the client
2026-03-12
Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation
2026-03-12
Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression
2026-03-12
Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) in undici
2026-03-05
Fastify vulnerable to missing end anchor in subtypeNameReg Allows Malformed Content-Types to Pass Validation
2026-03-04
Multer vulnerable to Denial of Service via uncontrolled recursion
2026-02-27
@fastify/middie has an improper path normalization vulnerability
2026-02-27
Multer vulnerable to Denial of Service via incomplete cleanup
2026-02-27
multer vulnerable to Denial of Service via resource exhaustion
2026-01-21
Prototype Pollution Vulnerability in Lodash `_.unset` and `_.omit` functions
2025-11-24
body-parser vulnerable to denial of service when url encoding is used
2025-07-17
on-headers vulnerable to http response header manipulation
2025-07-17
Multer vulnerable to Denial of Service via unhandled exception from malformed request