Security vulnerabilities and automated fixes for nodejs issues
18 posts found
CVE-2026-40073 is a high-severity vulnerability in `@sveltejs/adapter-node` that allows attackers to bypass the `BODY_SIZE_LIMIT` configuration, potentially enabling denial-of-service attacks and resource exhaustion against SvelteKit applications. The vulnerability was silently present in versions prior to `@sveltejs/kit` 2.57.1, and has now been patched by upgrading the dependency across all affected project examples. If your application relies on body size limits to protect against oversized p
A critical security vulnerability was discovered and patched in the nullclaw-init script, where API keys were hardcoded directly into the source code at multiple locations. This type of exposure means anyone with read access to the repository or installed files can silently extract and abuse the credentials without exploiting anything. The fix eliminates this risk by removing hardcoded secrets in favor of secure credential management practices.
A high-severity vulnerability was discovered and patched in a web radar application that exposed real-time game state data — including player positions and map data — to any unauthenticated user on the local network. Without an authentication mechanism, sensitive memory-derived data was freely accessible to anyone who could reach the server's URL. This fix closes that open door and serves as a critical reminder that internal tools need security just as much as public-facing applications.
A high-severity vulnerability was discovered in a web application's file download pipeline where the `nodejs-file-downloader` dependency was used without any cryptographic verification of downloaded content. Without checksum or signature validation, attackers positioned between the server and client could silently swap legitimate files for malicious ones. This fix closes that window by enforcing integrity verification before any downloaded content is trusted or executed.
A critical Remote Code Execution vulnerability (CVE-2026-33937) was discovered in Handlebars.js that allows attackers to execute arbitrary code by crafting malicious Abstract Syntax Tree objects passed to the `compile()` function. This post breaks down how the vulnerability works, why it's dangerous, and how upgrading to Handlebars 4.7.9 closes the attack vector.
A medium-to-high severity vulnerability was discovered and patched in Slidev's resolver module, where dynamically loaded theme and plugin packages specified in slide frontmatter lacked proper validation, allowing a malicious package name to execute arbitrary code with the developer's full OS privileges. This fix addresses a supply-chain-adjacent attack vector that could allow attackers to exfiltrate credentials or compromise developer machines simply by sharing a crafted markdown presentation fi
A critical vulnerability (CVE-2025-9287) was discovered in the `cipher-base` npm package that allows attackers to manipulate cryptographic hash operations, potentially compromising data integrity and security guarantees in affected applications. The fix, delivered in `cipher-base` version 1.0.5, patches this hash manipulation flaw and should be applied immediately by any project using the affected package. Understanding this vulnerability highlights why cryptographic dependencies deserve the sam
A critical vulnerability (CVE-2025-7783) was discovered in the widely-used `form-data` npm package, where an unsafe random function was used to generate multipart boundary strings, making them predictable and potentially exploitable by attackers. The fix upgrades `form-data` to patched versions (2.5.4, 3.0.4, and 4.0.4) across all supported major releases. Developers using any version of `form-data` prior to these patches should upgrade immediately to protect their applications from boundary pre
A medium-severity vulnerability (CVE-2026-31808) was discovered in the file-type library's ASF parser that could cause infinite loops when processing malformed media files with zero-size sub-headers. This denial-of-service vulnerability could crash applications that rely on file-type for media file validation, affecting availability and user experience.
A medium-severity vulnerability in file import functionality left applications vulnerable to Denial of Service (DoS) attacks through maliciously crafted files. By exploiting missing resource limits and validation checks, attackers could exhaust server memory with deeply nested JSON or oversized files, potentially bringing down entire services.
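The missing limits described in this post (and the body-size limit that the `adapter-node` entry above relies on) can be enforced before `JSON.parse` ever runs. The block below is an added example, not code from either post: it caps the byte size of an import and scans the raw text once for nesting depth, tracking string and escape state so brackets inside string values are not counted. The 1 MiB and depth-32 limits are assumptions chosen for the example; the inputs are constructed inline.

```javascript
// Added example (not from the original post): bound both the size and the nesting depth of an
// untrusted JSON document before handing it to JSON.parse.
const MAX_BYTES = 1 * 1024 * 1024; // assumed limit for this example
const MAX_DEPTH = 32;              // assumed limit; pick what your schema actually needs

class ImportLimitError extends Error {}

// One O(n) pass with O(1) memory: count open brackets outside strings and abort the moment the
// nesting exceeds maxDepth, without building any object graph. Returns the deepest level seen.
function checkJsonDepth(text, maxDepth) {
  let depth = 0, maxSeen = 0, inString = false, escaped = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (escaped) escaped = false;
      else if (c === '\\') escaped = true;
      else if (c === '"') inString = false;
      continue;
    }
    if (c === '"') inString = true;
    else if (c === '{' || c === '[') {
      depth++;
      if (depth > maxDepth) throw new ImportLimitError(`nesting exceeds ${maxDepth}`);
      if (depth > maxSeen) maxSeen = depth;
    } else if (c === '}' || c === ']') depth--;
  }
  return maxSeen;
}

// Parse an uploaded JSON body (Buffer or string) only after both limits pass.
function safeParseImport(input, { maxBytes = MAX_BYTES, maxDepth = MAX_DEPTH } = {}) {
  const buf = Buffer.isBuffer(input) ? input : Buffer.from(String(input), 'utf8');
  if (buf.length > maxBytes) {
    throw new ImportLimitError(`payload of ${buf.length} bytes exceeds ${maxBytes}`);
  }
  const text = buf.toString('utf8');
  checkJsonDepth(text, maxDepth);
  return JSON.parse(text);
}

// Constructed inputs: a normal import, a nesting bomb, and an oversized blob.
function demo() {
  const normal = JSON.stringify({ items: [{ id: 1, tags: ['a', 'b'] }], note: '{[not nesting]}' });
  const bomb = '['.repeat(100000) + ']'.repeat(100000);   // 200 KB, but 100000 levels deep
  const huge = Buffer.alloc(2 * 1024 * 1024, 0x20);        // 2 MiB of spaces

  const results = {};
  results.normalDepth = checkJsonDepth(normal, MAX_DEPTH);  // 4: object > array > object > array
  results.parsed = safeParseImport(normal).items[0].id;     // 1
  try { safeParseImport(bomb); results.bomb = 'parsed'; }
  catch (e) { results.bomb = e instanceof ImportLimitError ? 'rejected' : 'error'; }
  try { safeParseImport(huge); results.huge = 'parsed'; }
  catch (e) { results.huge = e instanceof ImportLimitError ? 'rejected' : 'error'; }
  return results;
}
```

The byte cap should also be enforced at the transport layer (the framework's body-size limit, or a counting stream that aborts the upload) so the whole payload is never buffered; the depth scan is the extra check that a size limit alone does not give you, since a few hundred kilobytes of `[` is enough to exhaust a recursive parser.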
A critical rate limiting vulnerability in an Express.js application allowed attackers to bypass API throttling through IP rotation and header manipulation. This post shows how improperly configured rate limiters can be circumvented through proxy networks, VPNs, and forged X-Forwarded-For headers, potentially enabling brute force attacks, credential stuffing, and resource exhaustion, and how the fix closes those paths.
A medium-severity vulnerability (CVE-2026-24842) in node-tar allowed attackers to bypass hardlink security checks and create arbitrary files through path traversal attacks. This vulnerability, combined with improper configuration management storing JWT secrets in plaintext .env files, created a dangerous attack vector for token forgery and unauthorized access.