Category

Npm

Security vulnerabilities and automated fixes for npm issues

9 posts found

high6 min

How missing Dependabot cooldown happens in GitHub Actions CI/CD and how to fix it

A high-severity configuration gap was discovered in a Node.js library's `.github/dependabot.yml` file where no cooldown period was set for dependency updates. This meant Dependabot could immediately propose updates to newly published (and potentially malicious) package versions, exposing the project and all downstream consumers to supply chain attacks. The fix adds a `cooldown` block with `default-days: 7` to both the `npm` and `github-actions` package ecosystem entries.

#supply-chain-security#dependabot#github-actions+4 more
O
orbisai0security
Jul 8, 2026
high6 min

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Headers

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer 6.10.1, where an attacker could craft a malicious email address header to crash or hang the mail-sending process. The fix involved a direct major version upgrade from 6.10.1 to 7.0.7 in the project's `package-lock.json`, closing the attack vector entirely. Applications relying on Nodemailer for transactional or user-triggered email are at risk until this upgrade is applied.

#nodemailer#denial-of-service#CVE-2025-14874+4 more
O
orbisai0security
May 31, 2026
high7 min

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.0, where a specially crafted email address header could cause the application to hang or crash. The fix involved upgrading Nodemailer from version 6.10.1 to 7.0.7 in the `Dise-ador-experto-master` project's `package-lock.json`. This major version upgrade closes the attack surface and ensures email processing remains stable under adversarial input.

#nodemailer#denial-of-service#cve-2025-14874+4 more
O
orbisai0security
May 31, 2026
high7 min

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header Parsing

A high-severity Denial of Service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.11, where a specially crafted email address header could cause the application to hang or crash. The fix involved a major version bump from Nodemailer 6.10.1 to 7.0.11 in the `Dise-ador-experto-master/package-lock.json` dependency file. Left unpatched, this vulnerability could allow any unauthenticated attacker to disrupt email-sending functionality and potentially take down the en

#nodemailer#denial-of-service#cve-2025-14874+4 more
O
orbisai0security
May 31, 2026
high7 min

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

CVE-2025-14874 is a high-severity Denial of Service vulnerability in Nodemailer that allows an attacker to crash an application by sending a specially crafted email address header. The vulnerability existed in Nodemailer versions prior to 7.0.11 and was present in the `Dise-ador-experto-master` project's `package-lock.json` dependency on version 6.10.1. Upgrading to Nodemailer 7.0.11 resolves the issue by fixing the underlying header parsing logic that could be exploited to cause unbounded resou

#cve-2025-14874#nodemailer#denial-of-service+4 more
O
orbisai0security
May 31, 2026
critical9 min

Critical CVE-2025-9287: How Cipher-Base Hash Manipulation Puts Your App at Risk

A critical vulnerability (CVE-2025-9287) was discovered in the `cipher-base` npm package that allows attackers to manipulate cryptographic hash operations, potentially compromising data integrity and security guarantees in affected applications. The fix, delivered in `cipher-base` version 1.0.5, patches this hash manipulation flaw and should be applied immediately by any project using the affected package. Understanding this vulnerability highlights why cryptographic dependencies deserve the sam

#security#cryptography#nodejs+4 more
O
orbisai0security
May 6, 2026
critical10 min

CVE-2025-7783: Critical form-data Unsafe Randomness Vulnerability Fixed

A critical vulnerability (CVE-2025-7783) was discovered in the widely-used `form-data` npm package, where an unsafe random function was used to generate multipart boundary strings, making them predictable and potentially exploitable by attackers. The fix upgrades `form-data` to patched versions (2.5.4, 3.0.4, and 4.0.4) across all supported major releases. Developers using any version of `form-data` prior to these patches should upgrade immediately to protect their applications from boundary pre

#security#cve-2025-7783#nodejs+4 more
O
orbisai0security
Apr 15, 2026
critical6 min

Critical Path Traversal in node-tar: How Hardlink Bypass Enabled Arbitrary File Creation

A medium-severity vulnerability (CVE-2026-24842) in node-tar allowed attackers to bypass hardlink security checks through path traversal techniques, enabling arbitrary file creation and overwriting. This vulnerability could lead to symlink poisoning attacks and unauthorized file system manipulation when extracting malicious tar archives. The fix sanitizes linkpaths to prevent directory traversal exploitation.

#security#node-tar#path-traversal+4 more
O
orbisai0security
Mar 6, 2026
critical5 min

Unpacking the Danger: Fixing node-tar's Path Traversal Vulnerability

A medium-severity path traversal vulnerability (CVE-2026-24842) has been patched in the popular `node-tar` library. This fix prevents attackers from creating arbitrary files outside the intended extraction directory by exploiting a bypass in the hardlink security check, safeguarding countless Node.js projects that rely on it.

#security#vulnerability#nodejs+4 more
O
orbis0security
Feb 13, 2026