Security vulnerabilities and automated fixes for dependency security issues
10 posts found
CVE-2026-39827 is a high-severity resource exhaustion vulnerability in `golang.org/x/crypto` where an authenticated SSH client can repeatedly open channels to consume server resources without bound. The vulnerability was present in the `cloud/gcp/functions/acmedns` module at version `v0.49.0` and was resolved by upgrading to `v0.52.0`. Left unpatched, this flaw could allow an attacker with valid SSH credentials to degrade or deny service to other users of the affected GCP Cloud Function.
A Regular Expression Denial of Service (ReDoS) vulnerability in picomatch versions prior to 2.3.2, 3.0.2, and 4.0.4 allowed attackers to craft malicious extglob patterns that triggered catastrophic backtracking in the regex engine, potentially freezing Node.js applications. The fix, tracked as CVE-2026-33671, involved upgrading picomatch to patched versions and pinning the dependency explicitly in `package.json` to ensure the safe version is resolved across the dependency tree.
A high-severity Denial of Service vulnerability (CVE-2026-22774) was discovered in the `devalue` package used by the exo-dashboard SvelteKit application. Attackers could craft malicious input to trigger excessive resource consumption in the devalue deserialization library, potentially taking down the web service. The fix upgrades `devalue` from version 5.5.0 to 5.6.2 in both `package.json` and `package-lock.json`.
CVE-2026-54283 is a high-severity denial-of-service vulnerability in Starlette where size limits set on `request.form()` were silently ignored for `application/x-www-form-urlencoded` content, allowing attackers to submit unbounded form data and exhaust server resources. The fix upgrades Starlette from version 1.2.1 to 1.3.1, which correctly enforces form size limits for all content types. Any Python web application using Starlette (including FastAPI-based services) that accepts form submissions
A high-severity Denial of Service vulnerability (CVE-2026-42570) was discovered in the `devalue` library used by the Orbis AppSec blog site, where maliciously crafted sparse arrays during deserialization could exhaust server resources. The fix upgrades `devalue` from version 5.6.4 to 5.8.1 in `blog-site/package-lock.json` and adds an explicit override in `package.json` to ensure the patched version is consistently enforced across the dependency tree. Left unpatched, this vulnerability could have
A critical authorization bypass vulnerability (CVE-2026-33186) in `google.golang.org/grpc` v1.79.1 allowed attackers to circumvent gRPC authorization policies through malformed HTTP/2 path values. The fix upgrades the dependency in `src/go/go.mod` from v1.79.1 to v1.79.3, closing a path validation gap in the `grpc-go/authz` middleware that could have exposed protected RPC endpoints to unauthorized callers.
CVE-2026-41676 is a high-severity vulnerability in the rust-openssl crate, which provides OpenSSL bindings for Rust applications. The fix involves upgrading the dependency from version 0.10.75 to 0.10.78 in the project's Cargo.lock file, closing a security gap that could expose applications to adversarial exploitation. Keeping cryptographic dependencies current is one of the most impactful and straightforward security practices any Rust team can adopt.
A high-severity Denial of Service vulnerability (CVE-2026-34986) was discovered in the `github.com/go-jose/go-jose/v4` library, which Rclone depends on for JSON Web Encryption operations. An attacker could craft a malicious JWE object to exhaust server resources and bring down services. The fix is a targeted dependency upgrade from v4.1.3 to v4.1.4 — a minimal change with significant security impact.
CVE-2026-41676 is a high-severity vulnerability discovered in the rust-openssl crate, which provides OpenSSL bindings for Rust applications. Left unpatched, this flaw could expose backend services to cryptographic or memory-safety attacks through the underlying OpenSSL layer. The fix involved upgrading the rust-openssl dependency from version 0.10.75 to 0.10.78 in the project's Cargo.toml and Cargo.lock files.
A high-severity vulnerability was discovered in a web application's file download pipeline where the `nodejs-file-downloader` dependency was used without any cryptographic verification of downloaded content. Without checksum or signature validation, attackers positioned between the server and client could silently swap legitimate files for malicious ones. This fix closes that window by enforcing integrity verification before any downloaded content is trusted or executed.