Category

Npm

Security vulnerabilities and automated fixes for npm issues

4 posts found

critical · 9 min

Critical CVE-2025-9287: How Cipher-Base Hash Manipulation Puts Your App at Risk

A critical vulnerability (CVE-2025-9287) was discovered in the `cipher-base` npm package that allows attackers to manipulate cryptographic hash operations, potentially compromising data integrity and security guarantees in affected applications. The fix, delivered in `cipher-base` version 1.0.5, patches this hash manipulation flaw and should be applied immediately by any project using the affected package. Understanding this vulnerability highlights why cryptographic dependencies deserve the sam

#security #cryptography #nodejs +4 more
orbisai0security
May 6, 2026
critical · 10 min

CVE-2025-7783: Critical form-data Unsafe Randomness Vulnerability Fixed

A critical vulnerability (CVE-2025-7783) was discovered in the widely-used `form-data` npm package, where an unsafe random function was used to generate multipart boundary strings, making them predictable and potentially exploitable by attackers. The fix upgrades `form-data` to patched versions (2.5.4, 3.0.4, and 4.0.4) across all supported major releases. Developers using any version of `form-data` prior to these patches should upgrade immediately to protect their applications from boundary pre

#security #cve-2025-7783 #nodejs +4 more
orbisai0security
Apr 15, 2026
critical · 6 min

Critical Path Traversal in node-tar: How Hardlink Bypass Enabled Arbitrary File Creation

A medium-severity vulnerability (CVE-2026-24842) in node-tar allowed attackers to bypass hardlink security checks through path traversal techniques, enabling arbitrary file creation and overwriting. This vulnerability could lead to symlink poisoning attacks and unauthorized file system manipulation when extracting malicious tar archives. The fix sanitizes linkpaths to prevent directory traversal exploitation.

#security #node-tar #path-traversal +4 more
orbisai0security
Mar 6, 2026
critical · 5 min

Unpacking the Danger: Fixing node-tar's Path Traversal Vulnerability

A medium-severity path traversal vulnerability (CVE-2026-24842) has been patched in the popular `node-tar` library. This fix prevents attackers from creating arbitrary files outside the intended extraction directory by exploiting a bypass in the hardlink security check, safeguarding countless Node.js projects that rely on it.

#security #vulnerability #nodejs +4 more
orbis0security
Feb 13, 2026