136 threats tracked across 6 launch stacks — sourced from NVD, GHSA, CISA KEV, and OSV.
Impact body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. Patches this issue is patched in 1.20.3 References
Impact The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template use
Impact This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be
Impact A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Patches Users should upgrade to 2.1.1 Workarounds None Resources https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2 https://www.cve.org/CVERecord?id=CVE-2026-3520 https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752 https://cna.openjsf.or
Impact A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Patches Users should upgrade to 2.1.0 Workarounds None
Summary SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. Affected: v6.x through 6.37.7. v7 (@sequelize/core) is not affected. Details In src/dialects/abstract/query-generator.js, _traverseJSON() extracts a
Impact A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Patches Users should upgrade to 2.1.0 Workarounds None
Impact A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed request. This request causes an unhandled exception, leading to a crash of the process. Patches Users should upgrade to 2.0.2 Workarounds None
Impact A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Patches Users should upgrade to 2.0.1 Workarounds None References https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9 https://github.com/expressjs/multer/issues/1233 https://git
Impact A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Patches Users should upgrade to 2.0.0 Workarounds None References https://github.com/expressjs/multer/issues/1176 https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
Impact Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer han
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Mongoose versions prior to 8.8.3, 7.8.3, 6.13.5, and 5.13.23 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data.
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
Impact The SQL injection exploit is related to replacements. Here is such an example: In the following query, some parameters are passed through replacements, and some are passed directly through the where option. ``typescript User.findAll({ where: or( literal('soundex("firstName") = soundex(:firstName)'), { lastName: lastName }, ), replacements: { firstName }, }) `` This is a very legitimate use case, but this query was vulnerable to SQL injection due to how Sequelize
Impact Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error. A finder call like the following did not throw an error: ``ts User.findAll({ where: new Date(), }); ` As this option is typically used with plain javascript objects, be aware that this only happens at the top level of this option. Patches This issue has been patched in sequelize@6.28.1` &
Impact Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL ``ts User.findAll({ attributes: [ ['count(id)', 'count'] ] }); ` Produced `sql SELECT count(id) AS "count" FROM "users" ` Patches This feature was deprecated in Sequelize 5, and using it prints a deprecation warning. This issue has been patched in [@sequelize/core@7.0.0.alpha-20`](https://github.com/sequelize
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.
Description Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack. Proof of Concept ```js // poc.js const mongoose = require('mongoose'); const schema =
Overview Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. Am I affected? You are affected if you are using an algorithm and a key type other than the combinations mentioned below | Key type | algorithm | |----------|------------------------------------------| | ec | ES256, ES384, ES512
Showing 1–20 of 21 threats