Category

Dependency Security

Security vulnerabilities and automated fixes for dependency security issues

10 posts found

high8 min

How SSH channel exhaustion happens in Go crypto and how to fix it

CVE-2026-39827 is a high-severity resource exhaustion vulnerability in `golang.org/x/crypto` where an authenticated SSH client can repeatedly open channels to consume server resources without bound. The vulnerability was present in the `cloud/gcp/functions/acmedns` module at version `v0.49.0` and was resolved by upgrading to `v0.52.0`. Left unpatched, this flaw could allow an attacker with valid SSH credentials to degrade or deny service to other users of the affected GCP Cloud Function.

#golang#ssh#cve-2026-39827+4 more
O
orbisai0security
Jul 11, 2026
high9 min

How Regular Expression Denial of Service happens in Node.js picomatch extglob patterns and how to fix it

A Regular Expression Denial of Service (ReDoS) vulnerability in picomatch versions prior to 2.3.2, 3.0.2, and 4.0.4 allowed attackers to craft malicious extglob patterns that triggered catastrophic backtracking in the regex engine, potentially freezing Node.js applications. The fix, tracked as CVE-2026-33671, involved upgrading picomatch to patched versions and pinning the dependency explicitly in `package.json` to ensure the safe version is resolved across the dependency tree.

#nodejs#regex#redos+4 more
O
orbisai0security
Jul 9, 2026
high8 min

How Denial of Service happens in Node.js devalue and how to fix it

A high-severity Denial of Service vulnerability (CVE-2026-22774) was discovered in the `devalue` package used by the exo-dashboard SvelteKit application. Attackers could craft malicious input to trigger excessive resource consumption in the devalue deserialization library, potentially taking down the web service. The fix upgrades `devalue` from version 5.5.0 to 5.6.2 in both `package.json` and `package-lock.json`.

#denial-of-service#nodejs#sveltekit+4 more
O
orbisai0security
Jun 25, 2026
high7 min

How form limit bypass DoS happens in Python Starlette and how to fix it

CVE-2026-54283 is a high-severity denial-of-service vulnerability in Starlette where size limits set on `request.form()` were silently ignored for `application/x-www-form-urlencoded` content, allowing attackers to submit unbounded form data and exhaust server resources. The fix upgrades Starlette from version 1.2.1 to 1.3.1, which correctly enforces form size limits for all content types. Any Python web application using Starlette (including FastAPI-based services) that accepts form submissions

#python#starlette#fastapi+4 more
O
orbisai0security
Jun 22, 2026
high7 min

DoS via Sparse Array Deserialization in devalue: CVE-2026-42570 Fixed

A high-severity Denial of Service vulnerability (CVE-2026-42570) was discovered in the `devalue` library used by the Orbis AppSec blog site, where maliciously crafted sparse arrays during deserialization could exhaust server resources. The fix upgrades `devalue` from version 5.6.4 to 5.8.1 in `blog-site/package-lock.json` and adds an explicit override in `package.json` to ensure the patched version is consistently enforced across the dependency tree. Left unpatched, this vulnerability could have

#cve-2026-42570#denial-of-service#devalue+4 more
O
orbisai0security
Jun 1, 2026
high6 min

Authorization Bypass in gRPC-Go HTTP/2 Path Validation (CVE-2026-33186)

A critical authorization bypass vulnerability (CVE-2026-33186) in `google.golang.org/grpc` v1.79.1 allowed attackers to circumvent gRPC authorization policies through malformed HTTP/2 path values. The fix upgrades the dependency in `src/go/go.mod` from v1.79.1 to v1.79.3, closing a path validation gap in the `grpc-go/authz` middleware that could have exposed protected RPC endpoints to unauthorized callers.

#grpc#golang#authorization-bypass+4 more
O
orbisai0security
May 30, 2026
high8 min

CVE-2026-41676: Fixing a High-Severity rust-openssl Vulnerability by Upgrading to 0.10.78

CVE-2026-41676 is a high-severity vulnerability in the rust-openssl crate, which provides OpenSSL bindings for Rust applications. The fix involves upgrading the dependency from version 0.10.75 to 0.10.78 in the project's Cargo.lock file, closing a security gap that could expose applications to adversarial exploitation. Keeping cryptographic dependencies current is one of the most impactful and straightforward security practices any Rust team can adopt.

#rust#openssl#cve+4 more
O
orbisai0security
May 28, 2026
critical7 min

Go JOSE DoS Vulnerability: Fixing JWE Object Exploitation in Rclone

A high-severity Denial of Service vulnerability (CVE-2026-34986) was discovered in the `github.com/go-jose/go-jose/v4` library, which Rclone depends on for JSON Web Encryption operations. An attacker could craft a malicious JWE object to exhaust server resources and bring down services. The fix is a targeted dependency upgrade from v4.1.3 to v4.1.4 — a minimal change with significant security impact.

#golang#cve#denial-of-service+4 more
O
orbisai0security
May 28, 2026
high7 min

CVE-2026-41676: Fixing a High-Severity OpenSSL Vulnerability in Rust Applications

CVE-2026-41676 is a high-severity vulnerability discovered in the rust-openssl crate, which provides OpenSSL bindings for Rust applications. Left unpatched, this flaw could expose backend services to cryptographic or memory-safety attacks through the underlying OpenSSL layer. The fix involved upgrading the rust-openssl dependency from version 0.10.75 to 0.10.78 in the project's Cargo.toml and Cargo.lock files.

#rust#openssl#cve+4 more
O
orbisai0security
May 26, 2026
high8 min

How Missing Checksum Validation Opens the Door to Supply Chain Attacks

A high-severity vulnerability was discovered in a web application's file download pipeline where the `nodejs-file-downloader` dependency was used without any cryptographic verification of downloaded content. Without checksum or signature validation, attackers positioned between the server and client could silently swap legitimate files for malicious ones. This fix closes that window by enforcing integrity verification before any downloaded content is trusted or executed.

#supply-chain-security#mitm#nodejs+4 more
O
orbisai0security
May 13, 2026