Security vulnerabilities and automated fixes for nodejs issues
32 posts found
A high-severity prototype pollution vulnerability (CVE-2026-35209) was discovered in the `defu` package version 6.1.4, which allowed attackers to inject properties into JavaScript's `Object.prototype` via the `__proto__` key in defaults arguments. The fix upgrades `defu` to version 6.1.5 in the frontend's dependency tree, protecting downstream consumers like `c12` and `dotenv` configuration loaders from malicious property injection.
A critical buffer overflow vulnerability was discovered in the GetBufferAsVector() function in examples_nodejs/src/zupt_napi.cpp, where memcpy() copied data from JavaScript Uint8Array buffers without proper bounds validation. This vulnerability could allow attackers to trigger memory corruption by providing maliciously crafted input arrays to the native Node.js module, potentially leading to crashes or arbitrary code execution.
A Regular Expression Denial of Service (ReDoS) vulnerability in picomatch versions prior to 2.3.2, 3.0.2, and 4.0.4 allowed attackers to craft malicious extglob patterns that triggered catastrophic backtracking in the regex engine, potentially freezing Node.js applications. The fix, tracked as CVE-2026-33671, involved upgrading picomatch to patched versions and pinning the dependency explicitly in `package.json` to ensure the safe version is resolved across the dependency tree.
A high-severity argument injection vulnerability was discovered in the Copilot tool bridge (`bridge.ts`) where user-controlled `request.args` were passed directly to `tool.execute()` without any validation or sanitization. The fix introduces Zod schema validation at line 108, ensuring that tool arguments are parsed against a declared `inputSchema` before execution. This prevents malformed or malicious payloads — including prototype pollution attempts — from reaching the underlying tool implement
A high-severity CORS misconfiguration in Hono's middleware (CVE-2026-54290) allowed any origin to be reflected with credentials when the `origin` option defaulted to wildcard. This vulnerability in the studio frontend could enable attackers to steal authenticated user data through cross-origin requests. The fix upgrades Hono from 4.12.21 to 4.12.25, which properly handles CORS origin validation.
A high-severity Denial of Service vulnerability (CVE-2026-22774) was discovered in the `devalue` package used by the exo-dashboard SvelteKit application. Attackers could craft malicious input to trigger excessive resource consumption in the devalue deserialization library, potentially taking down the web service. The fix upgrades `devalue` from version 5.5.0 to 5.6.2 in both `package.json` and `package-lock.json`.
A high-severity vulnerability (CVE-2026-42570) was discovered in the devalue library version 5.7.1, used by the Astro-powered website. This vulnerability allowed attackers to trigger denial-of-service conditions through maliciously crafted sparse arrays during deserialization. The fix involved upgrading devalue from 5.7.1 to 5.8.1, which implements proper safeguards against sparse array exploitation.
CVE-2026-35209 is a high-severity prototype pollution vulnerability in the `defu` JavaScript library (versions prior to 6.1.5) that allows attackers to inject arbitrary properties onto `Object.prototype` by passing a `__proto__` key in the defaults argument. The vulnerability was present in the `blog-site` project's dependency tree and was resolved by upgrading `defu` to 6.1.5 and adding an explicit `overrides` entry to prevent transitive re-introduction of the vulnerable version.
A high-severity Denial of Service vulnerability (CVE-2026-42570) was discovered in the `devalue` library used by the Orbis AppSec blog site, where maliciously crafted sparse arrays during deserialization could exhaust server resources. The fix upgrades `devalue` from version 5.6.4 to 5.8.1 in `blog-site/package-lock.json` and adds an explicit override in `package.json` to ensure the patched version is consistently enforced across the dependency tree. Left unpatched, this vulnerability could have
A medium-severity Denial of Service vulnerability (CVE-2026-42036) was discovered in axios 1.12.2, where using `responseType: 'stream'` could allow an attacker to exhaust server memory through unbounded stream consumption. The fix upgrades axios from version 1.12.2 to 1.15.1 in the project's `pnpm-lock.yaml`, closing the attack surface before it could be exploited in production.
A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer 6.10.1, where an attacker could craft a malicious email address header to crash or hang the mail-sending process. The fix involved a direct major version upgrade from 6.10.1 to 7.0.7 in the project's `package-lock.json`, closing the attack vector entirely. Applications relying on Nodemailer for transactional or user-triggered email are at risk until this upgrade is applied.
A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.0, where a specially crafted email address header could cause the application to hang or crash. The fix involved upgrading Nodemailer from version 6.10.1 to 7.0.7 in the `Dise-ador-experto-master` project's `package-lock.json`. This major version upgrade closes the attack surface and ensures email processing remains stable under adversarial input.