<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Vulnerability Spoiler Alert - nodejs/node</title>
    <link>https://spaceraccoon.github.io/vulnerability-spoiler-alert</link>
    <description>Vulnerability alerts for nodejs/node</description>
    <language>en-us</language>
    <lastBuildDate>Fri, 17 Apr 2026 01:52:35 GMT</lastBuildDate>
    <atom:link href="https://spaceraccoon.github.io/vulnerability-spoiler-alert/feed/nodejs-node.xml" rel="self" type="application/rss+xml"/>
    <item>
      <title>[MEDIUM] Denial of Service (Stack Overflow) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/127</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/127</guid>
      <pubDate>Tue, 31 Mar 2026 08:11:46 GMT</pubDate>
      <description>The yaml library before 2.8.3 was vulnerable to a stack overflow during node composition when parsing deeply nested or recursive YAML structures. An attacker could craft a malicious YAML document that causes the parser to recurse deeply enough to exhaust the call stack, crashing the Node.js process. The fix adds stack overflow detection during node composition.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Null Pointer Dereference / Process Crash in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/124</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/124</guid>
      <pubDate>Sun, 29 Mar 2026 12:03:25 GMT</pubDate>
      <description>When an ArrayBufferView backed by a zero-length ArrayBuffer (which has a null backing store data pointer) is passed to crypto functions like cipher.update(), the code unconditionally dereferenced the buffer&apos;s data pointer without checking for null. This caused a process crash (SIGSEGV/access violation). The patch adds a null check so that when buf_data is null, stack_storage_ is used as a fallback, preventing the crash.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Use-After-Free in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/121</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/121</guid>
      <pubDate>Thu, 26 Mar 2026 22:22:17 GMT</pubDate>
      <description>The Reset() method in Node.js&apos;s zlib binding did not check the write_in_progress_ flag before resetting the compression stream. This allowed calling reset() while an async write was being processed by a worker thread, causing the internal zlib/brotli state to be freed while still in use, resulting in a use-after-free condition that could lead to memory corruption or process crash. The fix adds a guard that throws an error if a write is in progress, consistent with how Close() and Write() already behave.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Permission Model Bypass in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/117</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/117</guid>
      <pubDate>Tue, 24 Mar 2026 22:57:48 GMT</pubDate>
      <description>The Node.js Permission Model&apos;s `--allow-fs-read` restriction could be bypassed by using `fs.realpath.native()` instead of `fs.realpath()`. Before the patch, `RealPath` in node_file.cc lacked permission checks for both the async and sync code paths, allowing an attacker to read/resolve file paths that should be blocked by the permission model. The patch adds `ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS` and `THROW_IF_INSUFFICIENT_PERMISSIONS` checks to enforce the `kFileSystemRead` permission scope.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Permission Model Bypass in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/116</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/116</guid>
      <pubDate>Tue, 24 Mar 2026 22:57:35 GMT</pubDate>
      <description>The Node.js Permission Model (introduced with the `--experimental-permission` flag) did not enforce filesystem read/write permission checks on several `fs/promises` API functions including `lstat`, `fchmod`, and `fchown`. This allowed an attacker to bypass the permission model by using the promise-based filesystem API instead of the callback/sync APIs, which did have proper permission checks. The patch adds the missing permission checks to `lstat` (read permission) and disables `fchmod`/`fchown` entirely when the Permission Model is enabled.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service (Crash/Abort) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/115</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/115</guid>
      <pubDate>Tue, 24 Mar 2026 22:57:15 GMT</pubDate>
      <description>Before the patch, `url.format()` called `CHECK(out)` after attempting to re-parse a URL string with `ada::parse&lt;ada::url&gt;`. If the URL (originally parsed by `ada::url_aggregator`) could not be re-parsed by `ada::url` (e.g., special scheme URLs with opaque paths like `ws:xn-ȫ`), the CHECK macro would trigger an abort/crash of the Node.js process. The patch replaces the hard crash with a graceful fallback that returns the original href unmodified.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Uncaught Exception / Denial of Service in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/114</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/114</guid>
      <pubDate>Tue, 24 Mar 2026 22:57:03 GMT</pubDate>
      <description>Before the patch, if an SNICallback function threw a synchronous exception during TLS handshake processing in loadSNI(), the exception would propagate as an uncaught exception, crashing the Node.js process. The patch wraps the owner._SNICallback() invocation in a try/catch block, routing any thrown exceptions through owner.destroy() instead. A remote unauthenticated attacker can crash any Node.js TLS server by sending a TLS ClientHello with a crafted server_name value that causes the SNICallback to throw.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Permission Model Bypass in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/113</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/113</guid>
      <pubDate>Tue, 24 Mar 2026 22:56:45 GMT</pubDate>
      <description>Node.js&apos;s permission model (--permission flag) failed to enforce network access controls for Unix Domain Socket (UDS) connections and server listeners via pipe_wrap.cc. Before the patch, calling net.createServer().listen(&apos;/tmp/sock&apos;) or net.connect({path:&apos;/tmp/sock&apos;}) would succeed even when --allow-net was not granted, bypassing the intended permission restrictions. The patch adds THROW_IF_INSUFFICIENT_PERMISSIONS checks to PipeWrap::Bind and PipeWrap::Listen to enforce the kNet permission scope.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service via Prototype Pollution in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/112</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/112</guid>
      <pubDate>Tue, 24 Mar 2026 22:56:32 GMT</pubDate>
      <description>When `headersDistinct` or `trailersDistinct` was accessed on an IncomingMessage, the destination object was initialized as a plain `{}` which inherits from `Object.prototype`. If a request included a `__proto__` header, `dst[&quot;__proto__&quot;]` would resolve to `Object.prototype` (a truthy object rather than undefined), causing `_addHeaderLineDistinct` to call `.push()` on `Object.prototype` instead of an array, throwing an uncaught TypeError that crashes the Node.js process. The fix uses `{ __proto__: null }` to create a null-prototype object, preventing prototype chain lookups.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Timing Side-Channel Attack (HMAC/KMAC Verification) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/111</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/111</guid>
      <pubDate>Tue, 24 Mar 2026 22:56:15 GMT</pubDate>
      <description>The Web Cryptography API&apos;s HMAC and KMAC `verify` operations used the non-constant-time `memcmp` function to compare the computed MAC against the provided signature. This allowed timing-based side-channel attacks where an attacker could measure response times to infer byte-by-byte information about the expected MAC value. The patch replaces `memcmp` with `CRYPTO_memcmp`, which executes in constant time regardless of where the comparison fails.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Memory Leak / Resource Exhaustion (DoS) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/110</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/110</guid>
      <pubDate>Tue, 24 Mar 2026 22:55:57 GMT</pubDate>
      <description>A malicious HTTP/2 client could send a WINDOW_UPDATE frame on stream 0 (connection level) with an increment that pushes the flow-control window past 2^31-1. nghttp2 internally responds with GOAWAY(FLOW_CONTROL_ERROR) but Node.js&apos;s OnInvalidFrame callback did not handle NGHTTP2_ERR_FLOW_CONTROL, so the Http2Session was never destroyed, causing a memory leak. An attacker can exploit this to exhaust server memory by repeatedly opening connections and sending the malicious frame, enabling denial of service.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Hash Collision / Denial of Service in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/109</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/109</guid>
      <pubDate>Tue, 24 Mar 2026 22:55:39 GMT</pubDate>
      <description>V8&apos;s array index hash values for numeric strings were predictable because they directly encoded the integer value and string length without randomization. Consecutive numeric string keys (e.g., &apos;0&apos;, &apos;1&apos;, &apos;2&apos;, ...) would have consecutive hash values, allowing an attacker to craft inputs that cause O(n^2) hash table probe collisions. This patch adds seeded scrambling of the 24-bit array-index value in Name&apos;s raw_hash_field using a 3-round xorshift-multiply scheme with random secrets derived from rapidhash, preventing an attacker from predicting hash distributions. This is tracked as CVE-2026-21717.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Multiple: Timing Attack, Prototype Pollution, Permission Bypass, DoS, TLS Error Handling in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/108</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/108</guid>
      <pubDate>Tue, 24 Mar 2026 20:47:40 GMT</pubDate>
      <description>This commit patches multiple security vulnerabilities in Node.js 20.x LTS including: (1) CVE-2026-21713: timing-unsafe HMAC comparison in Web Crypto allowing key extraction via timing oracle; (2) CVE-2026-21710: missing null prototype for HTTP headers objects enabling prototype pollution; (3) CVE-2026-21716/21715: missing permission checks in fs.promises and realpath.native bypassing Node.js permission model; (4) CVE-2026-21714: unhandled NGHTTP2_ERR_FLOW_CONTROL causing HTTP/2 DoS; (5) CVE-2026-21637: uncaught SNICallback exception crashing TLS server.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Multiple: Prototype Pollution, Timing Side-Channel, DoS, Permission Bypass, Hash Collision in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/107</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/107</guid>
      <pubDate>Tue, 24 Mar 2026 20:28:54 GMT</pubDate>
      <description>This commit patches multiple CVEs in Node.js 22 LTS. The highest severity issues include CVE-2026-21710 (prototype pollution via HTTP headers using null prototype for headersDistinct/trailersDistinct) and CVE-2026-21637 (uncaught exception DoS via SNICallback). The patch also fixes a timing side-channel in HMAC comparison (CVE-2026-21713), permission bypass in fs.promises and realpath.native (CVE-2026-21715/16), HTTP/2 flow control error handling (CVE-2026-21714), and a V8 array index hash collision (CVE-2026-21717).</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Prototype Pollution in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/106</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/106</guid>
      <pubDate>Tue, 24 Mar 2026 20:28:37 GMT</pubDate>
      <description>The HTTP module used regular objects for headersDistinct and trailersDistinct, which are populated with header names as keys. An attacker could send HTTP headers with names like &apos;__proto__&apos;, &apos;constructor&apos;, or &apos;toString&apos; to pollute the Object prototype, potentially affecting all objects in the Node.js process. The fix uses null-prototype objects (Object.create(null)) to prevent prototype chain pollution.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Prototype Pollution in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/105</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/105</guid>
      <pubDate>Tue, 24 Mar 2026 20:28:21 GMT</pubDate>
      <description>The HTTP module used regular objects (with Object.prototype) for headersDistinct and trailersDistinct, which could allow an attacker to pollute the prototype chain by sending HTTP headers with names like &apos;__proto__&apos; or &apos;constructor&apos;. The fix uses null-prototype objects (Object.create(null)) to prevent prototype pollution attacks. This could lead to security bypasses or unexpected behavior in applications that rely on HTTP header processing.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Integer Overflow / Division by Zero in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/88</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/88</guid>
      <pubDate>Fri, 20 Mar 2026 17:43:15 GMT</pubDate>
      <description>The patch fixes ICU-23109 in nfrule.cpp where `util64_pow(rule1-&gt;radix, rule1-&gt;exponent)` could overflow to zero, causing a subsequent modulo-by-zero operation (`rule1-&gt;baseValue % util64_pow(rule1-&gt;radix, rule1-&gt;exponent)`). While there was already a comment about preventing `% 0`, the existing check `rule1-&gt;radix != 0` did not guard against the case where the power computation itself overflows to zero. The patch introduces a pre-computed `mod` variable with an explicit overflow check, returning an error status if mod is zero.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Use-After-Free / Memory Corruption in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/69</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/69</guid>
      <pubDate>Fri, 06 Mar 2026 06:01:47 GMT</pubDate>
      <description>When pipelined HTTP requests arrive in a single TCP segment, llhttp_execute() processes all of them in one call. If a synchronous &apos;close&apos; event handler calls freeParser() mid-execution, cleanParser() nulls out parser state while llhttp_execute() is still on the call stack, causing use-after-free/null-pointer dereference crashes on subsequent callbacks. The patch adds an is_being_freed_ flag that causes the Proxy::Raw callback to return early (HPE_USER) when set, aborting llhttp_execute() before it accesses freed/nulled parser state.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] ReDoS (Regular Expression Denial of Service) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/68</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/68</guid>
      <pubDate>Tue, 03 Mar 2026 23:22:09 GMT</pubDate>
      <description>The minimatch library versions before 3.1.5 contained a ReDoS vulnerability where specially crafted glob patterns could cause catastrophic backtracking in regular expression matching, leading to excessive CPU consumption and denial of service. The fix in 3.1.5 includes limiting recursion in pattern matching to prevent exponential backtracking. However, this affects only developer tooling (clang-format), not the Node.js runtime itself, limiting real-world impact.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] HTTP Header Injection (CRLF Injection) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/64</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/64</guid>
      <pubDate>Mon, 02 Mar 2026 19:13:15 GMT</pubDate>
      <description>The `path` property on `ClientRequest` was only validated against `INVALID_PATH_REGEX` at construction time. After construction, an attacker (or vulnerable application code) could reassign `req.path` to include CRLF sequences (`\r\n`), which would then be flushed verbatim to the socket in `_implicitHeader()`, allowing injection of arbitrary HTTP headers or request smuggling. The patch adds a getter/setter using a symbol-backed property so validation runs on every assignment.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] CRLF Injection in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/63</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/63</guid>
      <pubDate>Mon, 02 Mar 2026 13:23:35 GMT</pubDate>
      <description>The `writeEarlyHints()` function in Node.js HTTP server directly concatenated user-supplied header names and values into the raw HTTP/1.1 response without any validation. Unlike `setHeader()` and `writeHead()`, no calls to `validateHeaderName()`, `validateHeaderValue()`, or `checkInvalidHeaderChar()` were made, allowing CRLF sequences to pass through unchecked and inject arbitrary HTTP headers or entire responses. The patch adds proper validation for header names, values, and Link header URLs.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Header Injection / Information Disclosure in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/62</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/62</guid>
      <pubDate>Mon, 02 Mar 2026 00:50:37 GMT</pubDate>
      <description>The cache interceptor was spreading `result.vary` headers directly into revalidation requests without filtering out `null` values. When a request header specified in the `Vary` header was absent from the original request, it was stored as `null` in the cache entry&apos;s `vary` map. Spreading this `null` value into the revalidation headers could corrupt the header object and potentially send unintended null-valued headers to the server. The patch adds a null-check guard so only present header values are forwarded during revalidation.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] ReDoS (Regular Expression Denial of Service) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/61</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/61</guid>
      <pubDate>Sun, 01 Mar 2026 14:38:38 GMT</pubDate>
      <description>This update to minimatch 10.2.4 adds mitigations for ReDoS vulnerabilities by introducing `maxGlobstarRecursion` and `maxExtglobRecursion` limits to prevent catastrophic backtracking when processing untrusted glob patterns. The README explicitly acknowledges that user-controlled glob patterns can be weaponized for DoS attacks. The patch adds depth tracking and recursion limits for extglob and globstar patterns to cap the complexity of the generated regular expressions.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Information Disclosure (Uninitialized Memory Exposure) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/60</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/60</guid>
      <pubDate>Fri, 27 Feb 2026 18:45:58 GMT</pubDate>
      <description>Before the patch, Buffer.concat() computed the total allocation size using the user-controllable `.length` property of each element, then allocated with `Buffer.allocUnsafe(length)`. For typed arrays, an attacker could spoof a larger `.length` via a getter, causing an oversized uninitialized Buffer to be returned, leaking process memory contents. The patch fixes this by using the typed array’s intrinsic byte length (`TypedArrayPrototypeGetByteLength`) and by allocating via `allocate` plus explicit zero-filling of any slack.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Null Pointer Dereference in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/53</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/53</guid>
      <pubDate>Tue, 24 Feb 2026 19:55:06 GMT</pubDate>
      <description>The code failed to check if BIO_meth_new() returns NULL before passing the result to BIO_meth_set_* functions, causing a null pointer dereference. This could lead to application crashes and potential denial of service when SSL/TLS operations are initiated under memory pressure conditions.</description>
      <category>high</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Regular Expression Denial of Service (ReDoS) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/52</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/52</guid>
      <pubDate>Tue, 24 Feb 2026 18:15:02 GMT</pubDate>
      <description>The minimatch library had a vulnerability where multiple consecutive asterisks (*) in glob patterns could cause exponential backtracking in the generated regular expression, leading to CPU exhaustion. The patch fixes this by coalescing multiple stars into a single star pattern, preventing the ReDoS condition.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Code Injection in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/25</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/25</guid>
      <pubDate>Mon, 16 Feb 2026 14:59:50 GMT</pubDate>
      <description>The code used eval() to parse configuration data, which allows arbitrary Python code execution if an attacker can control the node_builtin_shareable_builtins configuration value. The patch replaces eval() with json.loads() to safely parse JSON data.</description>
      <category>high</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Use-After-Free / Socket Corruption in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/15</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/15</guid>
      <pubDate>Fri, 13 Feb 2026 17:31:31 GMT</pubDate>
      <description>A race condition in HTTP keep-alive socket reuse allowed responseKeepAlive() to be called twice, corrupting socket state and causing the agent to hand an already-assigned socket to multiple requests. This could cause requests to hang, timeout, or potentially leak data between requests sharing the same corrupted socket.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[LOW] Race Condition (TOCTOU) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/14</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/14</guid>
      <pubDate>Fri, 13 Feb 2026 16:47:01 GMT</pubDate>
      <description>A Time-of-Check Time-of-Use race condition in worker thread process.cwd() caching allowed workers to cache stale directory values. The counter was incremented before the directory change completed, creating a race window where workers could read the old directory but cache it with the new counter value.</description>
      <category>low</category>
      <category>unverified</category>
    </item>
  </channel>
</rss>