136 threats tracked across 6 launch stacks — sourced from NVD, GHSA, CISA KEV, and OSV.
Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
Impact If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed. Patches This issue was patched in Next.js 14.2.15 and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. Workarounds There are no official workarounds for this vulnerability. Credits We'd like to thank tyage (GMO
Impact By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: Next.js between 13.5.1 and 14
Impact A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. Prerequisites Next.js (<14.1.1) is running in a self-hosted manner. The Next.js application makes use of Server Actions. The Server Action performs a redire
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.
Overview Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. Am I affected? You are affected if you are using an algorithm and a key type other than the combinations mentioned below | Key type | algorithm | |----------|------------------------------------------| | ec | ES256, ES384, ES512
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site.
axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.
FastAPI <0.65.2 accepted JSON from text/plain requests enabling CSRF attacks without preflight.
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Showing 61–70 of 70 threats