Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-05-18 13:41

Modified

2026-05-06 06:31

Summary

Security fixes for CVE-2022-25881, CVE-2022-33987, CVE-2025-25285, CVE-2025-62718, CVE-2025-69873, CVE-2026-21637, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-33036, CVE-2026-33349, CVE-2026-33750, CVE-2026-33916, CVE-2026-33937, CVE-2026-41650, CVE-2026-4800, CVE-2026-4923, CVE-2026-4926, ghsa-23c5-xmqv-rm74, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-442j-39wm-28r2, ghsa-48c2-rrv3-qjmp, ghsa-72xf-g2v4-qvf3, ghsa-7r86-cg39-jmmj, ghsa-7rx3-28cr-v5wh, ghsa-9cx6-37pm-9jff, ghsa-c2c7-rcm5-vvqj, ghsa-chqc-8p9q-pq6q, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-gh4j-gqv2-49f6, ghsa-j3q9-mxjg-w52f, ghsa-pfrx-2q88-qq97, ghsa-r5fr-rjxr-66jc, ghsa-rc47-6667-2j5j, ghsa-rmvr-2pp2-xj38, ghsa-rp42-5vxx-qpwr, ghsa-w5hq-g745-h8pq, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf applied in versions: 2.6.0-r1, 2.6.0-r2, 2.6.0-r3, 2.6.0-r4

Details

Multiple security vulnerabilities affect the mongosh package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2022-25881	WEB
	https://osv.dev/vulnerability/CVE-2022-33987	WEB
	https://osv.dev/vulnerability/CVE-2025-25285	WEB
	https://osv.dev/vulnerability/CVE-2025-62718	WEB
	https://osv.dev/vulnerability/CVE-2025-69873	WEB
	https://osv.dev/vulnerability/CVE-2026-21637	WEB
	https://osv.dev/vulnerability/CVE-2026-23745	WEB
	https://osv.dev/vulnerability/CVE-2026-24842	WEB
	https://osv.dev/vulnerability/CVE-2026-26960	WEB
	https://osv.dev/vulnerability/CVE-2026-2950	WEB
	https://osv.dev/vulnerability/CVE-2026-29786	WEB
	https://osv.dev/vulnerability/CVE-2026-31802	WEB
	https://osv.dev/vulnerability/CVE-2026-33036	WEB
	https://osv.dev/vulnerability/CVE-2026-33349	WEB
	https://osv.dev/vulnerability/CVE-2026-33750	WEB
	https://osv.dev/vulnerability/CVE-2026-33916	WEB
	https://osv.dev/vulnerability/CVE-2026-33937	WEB
	https://osv.dev/vulnerability/CVE-2026-41650	WEB
	https://osv.dev/vulnerability/CVE-2026-4800	WEB
	https://osv.dev/vulnerability/CVE-2026-4923	WEB
	https://osv.dev/vulnerability/CVE-2026-4926	WEB
	https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74	WEB
	https://osv.dev/vulnerability/ghsa-2qvq-rjwj-gvw9	WEB
	https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q	WEB
	https://osv.dev/vulnerability/ghsa-3mfm-83xf-c92r	WEB
	https://osv.dev/vulnerability/ghsa-3p68-rc4w-qgx5	WEB
	https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26	WEB
	https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p	WEB
	https://osv.dev/vulnerability/ghsa-442j-39wm-28r2	WEB
	https://osv.dev/vulnerability/ghsa-48c2-rrv3-qjmp	WEB
	https://osv.dev/vulnerability/ghsa-72xf-g2v4-qvf3	WEB
	https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj	WEB
	https://osv.dev/vulnerability/ghsa-7rx3-28cr-v5wh	WEB
	https://osv.dev/vulnerability/ghsa-9cx6-37pm-9jff	WEB
	https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj	WEB
	https://osv.dev/vulnerability/ghsa-chqc-8p9q-pq6q	WEB
	https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh	WEB
	https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v	WEB
	https://osv.dev/vulnerability/ghsa-gh4j-gqv2-49f6	WEB
	https://osv.dev/vulnerability/ghsa-j3q9-mxjg-w52f	WEB
	https://osv.dev/vulnerability/ghsa-pfrx-2q88-qq97	WEB
	https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc	WEB
	https://osv.dev/vulnerability/ghsa-rc47-6667-2j5j	WEB
	https://osv.dev/vulnerability/ghsa-rmvr-2pp2-xj38	WEB
	https://osv.dev/vulnerability/ghsa-rp42-5vxx-qpwr	WEB
	https://osv.dev/vulnerability/ghsa-w5hq-g745-h8pq	WEB
	https://osv.dev/vulnerability/ghsa-xhpv-hc6g-r9c6	WEB
	https://osv.dev/vulnerability/ghsa-xjpj-3mr7-gcpf	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-25881	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-33987	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-25285	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-62718	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-69873	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-21637	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-23745	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-24842	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-26960	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2950	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-29786	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-31802	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33036	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33349	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33750	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33916	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33937	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-41650	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-4800	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-4923	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-4926	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "mongosh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0-r4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the mongosh package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-AD27625",
  "modified": "2026-05-06T06:31:52Z",
  "published": "2026-05-18T13:41:09.057005Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-AD27625.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-25881"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-33987"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-25285"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-62718"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-21637"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-23745"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-24842"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-26960"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2950"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-31802"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33036"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33349"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33750"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33916"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33937"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-41650"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-4800"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-4923"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-4926"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2qvq-rjwj-gvw9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3mfm-83xf-c92r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3p68-rc4w-qgx5"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-442j-39wm-28r2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-48c2-rrv3-qjmp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-72xf-g2v4-qvf3"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7rx3-28cr-v5wh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9cx6-37pm-9jff"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-chqc-8p9q-pq6q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-gh4j-gqv2-49f6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-j3q9-mxjg-w52f"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-pfrx-2q88-qq97"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-rc47-6667-2j5j"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-rmvr-2pp2-xj38"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-rp42-5vxx-qpwr"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w5hq-g745-h8pq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xhpv-hc6g-r9c6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xjpj-3mr7-gcpf"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25285"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33349"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41650"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4923"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4926"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2022-25881, CVE-2022-33987, CVE-2025-25285, CVE-2025-62718, CVE-2025-69873, CVE-2026-21637, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-33036, CVE-2026-33349, CVE-2026-33750, CVE-2026-33916, CVE-2026-33937, CVE-2026-41650, CVE-2026-4800, CVE-2026-4923, CVE-2026-4926, ghsa-23c5-xmqv-rm74, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-442j-39wm-28r2, ghsa-48c2-rrv3-qjmp, ghsa-72xf-g2v4-qvf3, ghsa-7r86-cg39-jmmj, ghsa-7rx3-28cr-v5wh, ghsa-9cx6-37pm-9jff, ghsa-c2c7-rcm5-vvqj, ghsa-chqc-8p9q-pq6q, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-gh4j-gqv2-49f6, ghsa-j3q9-mxjg-w52f, ghsa-pfrx-2q88-qq97, ghsa-r5fr-rjxr-66jc, ghsa-rc47-6667-2j5j, ghsa-rmvr-2pp2-xj38, ghsa-rp42-5vxx-qpwr, ghsa-w5hq-g745-h8pq, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf applied in versions: 2.6.0-r1, 2.6.0-r2, 2.6.0-r3, 2.6.0-r4",
  "upstream": [
    "CVE-2022-25881",
    "CVE-2022-33987",
    "CVE-2025-25285",
    "CVE-2025-62718",
    "CVE-2025-69873",
    "CVE-2026-21637",
    "CVE-2026-23745",
    "CVE-2026-24842",
    "CVE-2026-26960",
    "CVE-2026-2950",
    "CVE-2026-29786",
    "CVE-2026-31802",
    "CVE-2026-33036",
    "CVE-2026-33349",
    "CVE-2026-33750",
    "CVE-2026-33916",
    "CVE-2026-33937",
    "CVE-2026-41650",
    "CVE-2026-4800",
    "CVE-2026-4923",
    "CVE-2026-4926",
    "ghsa-23c5-xmqv-rm74",
    "ghsa-2qvq-rjwj-gvw9",
    "ghsa-2w6w-674q-4c4q",
    "ghsa-3mfm-83xf-c92r",
    "ghsa-3p68-rc4w-qgx5",
    "ghsa-3ppc-4f35-3m26",
    "ghsa-3v7f-55p6-f55p",
    "ghsa-442j-39wm-28r2",
    "ghsa-48c2-rrv3-qjmp",
    "ghsa-72xf-g2v4-qvf3",
    "ghsa-7r86-cg39-jmmj",
    "ghsa-7rx3-28cr-v5wh",
    "ghsa-9cx6-37pm-9jff",
    "ghsa-c2c7-rcm5-vvqj",
    "ghsa-chqc-8p9q-pq6q",
    "ghsa-f23m-r3pf-42rh",
    "ghsa-f886-m6hf-6m8v",
    "ghsa-gh4j-gqv2-49f6",
    "ghsa-j3q9-mxjg-w52f",
    "ghsa-pfrx-2q88-qq97",
    "ghsa-r5fr-rjxr-66jc",
    "ghsa-rc47-6667-2j5j",
    "ghsa-rmvr-2pp2-xj38",
    "ghsa-rp42-5vxx-qpwr",
    "ghsa-w5hq-g745-h8pq",
    "ghsa-xhpv-hc6g-r9c6",
    "ghsa-xjpj-3mr7-gcpf"
  ]
}

CVE-2022-25881 (GCVE-0-2022-25881)

Vulnerability from cvelistv5 – Published: 2023-01-31 05:00 – Updated: 2025-03-27 17:16

Summary

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-1333 - Regular Expression Denial of Service (ReDoS)

Assigner

snyk

References

4 references

URL	Tags
https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESE…
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJAR…
https://github.com/kornelski/http-cache-semantics…
https://security.netapp.com/advisory/ntap-2023062…

Impacted products

2 products

Vendor	Product	Version
n/a	http-cache-semantics	Affected: 0 , < 4.1.1 (semver)
n/a	org.webjars.npm:http-cache-semantics	Affected: 0 , < 4.1.1 (semver)

Credits

Carter Snook

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:49:44.438Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230622-0008/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-25881",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T17:16:22.393784Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1333",
                "description": "CWE-1333 Inefficient Regular Expression Complexity",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T17:16:32.835Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "http-cache-semantics",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "4.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "product": "org.webjars.npm:http-cache-semantics",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "4.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Carter Snook"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "Regular Expression Denial of Service (ReDoS)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-22T14:06:15.662Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783"
        },
        {
          "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332"
        },
        {
          "url": "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230622-0008/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2022-25881",
    "datePublished": "2023-01-31T05:00:01.220Z",
    "dateReserved": "2022-02-24T11:58:26.944Z",
    "dateUpdated": "2025-03-27T17:16:32.835Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-33987 (GCVE-0-2022-33987)

Vulnerability from cvelistv5 – Published: 2022-06-18 20:51 – Updated: 2024-08-03 08:16

Summary

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

3 references

URL	Tags
https://github.com/sindresorhus/got/pull/2047	x_refsource_MISC
https://github.com/sindresorhus/got/compare/v12.0…	x_refsource_MISC
https://github.com/sindresorhus/got/releases/tag/…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T08:16:16.308Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sindresorhus/got/pull/2047"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sindresorhus/got/releases/tag/v11.8.5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-22T13:05:16.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sindresorhus/got/pull/2047"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sindresorhus/got/releases/tag/v11.8.5"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-33987",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sindresorhus/got/pull/2047",
              "refsource": "MISC",
              "url": "https://github.com/sindresorhus/got/pull/2047"
            },
            {
              "name": "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0",
              "refsource": "MISC",
              "url": "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0"
            },
            {
              "name": "https://github.com/sindresorhus/got/releases/tag/v11.8.5",
              "refsource": "MISC",
              "url": "https://github.com/sindresorhus/got/releases/tag/v11.8.5"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-33987",
    "datePublished": "2022-06-18T20:51:12.000Z",
    "dateReserved": "2022-06-18T00:00:00.000Z",
    "dateUpdated": "2024-08-03T08:16:16.308Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25285 (GCVE-0-2025-25285)

Vulnerability from cvelistv5 – Published: 2025-02-14 19:31 – Updated: 2025-02-14 19:44

Title

@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Summary

@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/octokit/endpoint.js/security/a…	x_refsource_CONFIRM
https://github.com/octokit/endpoint.js/commit/6c9…	x_refsource_MISC
https://github.com/octokit/endpoint.js/blob/main/…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
octokit	endpoint.js	Affected: >= 4.1.0, < 10.1.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25285",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T19:42:58.912811Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-14T19:44:09.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "endpoint.js",
          "vendor": "octokit",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 10.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-14T19:31:44.827Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv"
        },
        {
          "name": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8"
        },
        {
          "name": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts"
        }
      ],
      "source": {
        "advisory": "GHSA-x4c5-c7rf-jjgv",
        "discovery": "UNKNOWN"
      },
      "title": "@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25285",
    "datePublished": "2025-02-14T19:31:44.827Z",
    "dateReserved": "2025-02-06T17:13:33.121Z",
    "dateUpdated": "2025-02-14T19:44:09.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62718 (GCVE-0-2025-62718)

Vulnerability from cvelistv5 – Published: 2026-04-09 14:31 – Updated: 2026-04-16 18:44

Title

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Severity ?

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

CWE

CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

9 references

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM
https://github.com/axios/axios/pull/10661	x_refsource_MISC
https://github.com/axios/axios/pull/10688	x_refsource_MISC
https://github.com/axios/axios/commit/03cdfc99e8d…	x_refsource_MISC
https://github.com/axios/axios/commit/fb3befb6daa…	x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc1034#sec…	x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc3986#sec…	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v0.31.0	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v1.15.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.0 Affected: < 0.31.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62718",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T15:02:50.313939Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T16:15:31.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.0"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T18:44:20.705Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
        },
        {
          "name": "https://github.com/axios/axios/pull/10661",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10661"
        },
        {
          "name": "https://github.com/axios/axios/pull/10688",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10688"
        },
        {
          "name": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"
        },
        {
          "name": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df"
        },
        {
          "name": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1"
        },
        {
          "name": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v0.31.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v0.31.0"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v1.15.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v1.15.0"
        }
      ],
      "source": {
        "advisory": "GHSA-3p68-rc4w-qgx5",
        "discovery": "UNKNOWN"
      },
      "title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62718",
    "datePublished": "2026-04-09T14:31:46.067Z",
    "dateReserved": "2025-10-20T19:41:22.741Z",
    "dateUpdated": "2026-04-16T18:44:20.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-69873 (GCVE-0-2025-69873)

Vulnerability from cvelistv5 – Published: 2026-02-11 00:00 – Updated: 2026-03-03 17:25

Summary

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.

Severity ?

2.9 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Assigner

mitre

References

6 references

URL	Tags
https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
https://github.com/EthanKim88/ethan-cve-disclosur…
https://github.com/github/advisory-database/pull/6991
https://github.com/ajv-validator/ajv/pull/2588
https://github.com/ajv-validator/ajv/releases/tag…
https://github.com/ajv-validator/ajv/pull/2590

Impacted products

1 product

Vendor	Product	Version
ajv.js	ajv	Affected: 0 , < 6.14.0 (semver) Affected: 7.0.0 , < 8.17.2 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-69873",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T15:13:03.482882Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T17:25:31.651Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ajv",
          "vendor": "ajv.js",
          "versions": [
            {
              "lessThan": "6.14.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.17.2",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ajv.js:ajv:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:ajv.js:ajv:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.17.2",
                  "versionStartIncluding": "7.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-02T20:22:25.698Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6"
        },
        {
          "url": "https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md"
        },
        {
          "url": "https://github.com/github/advisory-database/pull/6991"
        },
        {
          "url": "https://github.com/ajv-validator/ajv/pull/2588"
        },
        {
          "url": "https://github.com/ajv-validator/ajv/releases/tag/v6.14.0"
        },
        {
          "url": "https://github.com/ajv-validator/ajv/pull/2590"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-69873",
    "datePublished": "2026-02-11T00:00:00.000Z",
    "dateReserved": "2026-01-09T00:00:00.000Z",
    "dateUpdated": "2026-03-03T17:25:31.651Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21637 (GCVE-0-2026-21637)

Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-01-21 20:22

Summary

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

hackerone

References

1 reference

URL	Tags
https://nodejs.org/en/blog/vulnerability/december…

Impacted products

1 product

Vendor	Product	Version
nodejs	node	Affected: 20.19.6 , ≤ 20.19.6 (semver) Affected: 22.21.1 , ≤ 22.21.1 (semver) Affected: 24.12.0 , ≤ 24.12.0 (semver) Affected: 25.2.1 , ≤ 25.2.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21637",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-21T20:22:28.525038Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-21T20:22:51.033Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "20.19.6",
              "status": "affected",
              "version": "20.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "22.21.1",
              "status": "affected",
              "version": "22.21.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.12.0",
              "status": "affected",
              "version": "24.12.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.2.1",
              "status": "affected",
              "version": "25.2.1",
              "versionType": "semver"
            },
            {
              "lessThan": "4.*",
              "status": "affected",
              "version": "4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.*",
              "status": "affected",
              "version": "5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.*",
              "status": "affected",
              "version": "6.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.*",
              "status": "affected",
              "version": "7.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.*",
              "status": "affected",
              "version": "8.0",
              "versionType": "semver"
            },
            {
              "lessThan": "9.*",
              "status": "affected",
              "version": "9.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.*",
              "status": "affected",
              "version": "10.0",
              "versionType": "semver"
            },
            {
              "lessThan": "11.*",
              "status": "affected",
              "version": "11.0",
              "versionType": "semver"
            },
            {
              "lessThan": "12.*",
              "status": "affected",
              "version": "12.0",
              "versionType": "semver"
            },
            {
              "lessThan": "13.*",
              "status": "affected",
              "version": "13.0",
              "versionType": "semver"
            },
            {
              "lessThan": "14.*",
              "status": "affected",
              "version": "14.0",
              "versionType": "semver"
            },
            {
              "lessThan": "15.*",
              "status": "affected",
              "version": "15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.*",
              "status": "affected",
              "version": "16.0",
              "versionType": "semver"
            },
            {
              "lessThan": "17.*",
              "status": "affected",
              "version": "17.0",
              "versionType": "semver"
            },
            {
              "lessThan": "18.*",
              "status": "affected",
              "version": "18.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-20T20:41:55.352Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-21637",
    "datePublished": "2026-01-20T20:41:55.352Z",
    "dateReserved": "2026-01-01T15:00:02.339Z",
    "dateUpdated": "2026-01-21T20:22:51.033Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23745 (GCVE-0-2026-23745)

Vulnerability from cvelistv5 – Published: 2026-01-16 22:00 – Updated: 2026-01-20 14:53

Title

node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

Summary

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Severity ?

8.2 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/isaacs/node-tar/security/advis…	x_refsource_CONFIRM
https://github.com/isaacs/node-tar/commit/340eb28…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
isaacs	node-tar	Affected: < 7.5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23745",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-20T14:52:52.988465Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-20T14:53:24.513Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-tar",
          "vendor": "isaacs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "node-tar is a Tar for Node.js. The node-tar library (\u003c= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-16T22:00:08.769Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97"
        },
        {
          "name": "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e"
        }
      ],
      "source": {
        "advisory": "GHSA-8qq5-rm4j-mr97",
        "discovery": "UNKNOWN"
      },
      "title": "node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-23745",
    "datePublished": "2026-01-16T22:00:08.769Z",
    "dateReserved": "2026-01-15T15:45:01.958Z",
    "dateUpdated": "2026-01-20T14:53:24.513Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24842 (GCVE-0-2026-24842)

Vulnerability from cvelistv5 – Published: 2026-01-28 00:20 – Updated: 2026-01-28 14:56

Title

node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal

Summary

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/isaacs/node-tar/security/advis…	x_refsource_CONFIRM
https://github.com/isaacs/node-tar/commit/f4a7aa9…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
isaacs	node-tar	Affected: < 7.5.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24842",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-28T14:55:08.552380Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-28T14:56:10.317Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-tar",
          "vendor": "isaacs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.5.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-28T00:20:13.261Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v"
        },
        {
          "name": "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46"
        }
      ],
      "source": {
        "advisory": "GHSA-34x7-hfp2-rc4v",
        "discovery": "UNKNOWN"
      },
      "title": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24842",
    "datePublished": "2026-01-28T00:20:13.261Z",
    "dateReserved": "2026-01-27T14:51:03.059Z",
    "dateUpdated": "2026-01-28T14:56:10.317Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26960 (GCVE-0-2026-26960)

Vulnerability from cvelistv5 – Published: 2026-02-20 01:07 – Updated: 2026-02-20 15:35

Title

node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction

Summary

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/isaacs/node-tar/security/advis…	x_refsource_CONFIRM
https://github.com/isaacs/node-tar/commit/2cb1120…	x_refsource_MISC
https://github.com/isaacs/node-tar/commit/d18e4e1…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
isaacs	node-tar	Affected: < 7.5.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26960",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T15:29:17.653825Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T15:35:27.586Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-tar",
          "vendor": "isaacs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.5.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T01:07:52.979Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx"
        },
        {
          "name": "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384"
        },
        {
          "name": "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f"
        }
      ],
      "source": {
        "advisory": "GHSA-83g3-92jg-28cx",
        "discovery": "UNKNOWN"
      },
      "title": "node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26960",
    "datePublished": "2026-02-20T01:07:52.979Z",
    "dateReserved": "2026-02-16T22:20:28.611Z",
    "dateUpdated": "2026-02-20T15:35:27.586Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2950 (GCVE-0-2026-2950)

Vulnerability from cvelistv5 – Published: 2026-03-31 19:18 – Updated: 2026-04-01 13:43

Title

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Summary

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

openjs

References

1 reference

URL	Tags
https://github.com/lodash/lodash/security/advisor…

Impacted products

4 products

Vendor	Product	Version
lodash	lodash	Affected: 4.17.23 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)
lodash	lodash-es	Affected: 4.17.23 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)
lodash	lodash-amd	Affected: 4.17.23 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)
lodash	lodash.unset	Affected: 4.0.0 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)

Credits

Haruna38 shpik-kr maru1009 ott3r07 zolbooo backuardo falsyvalues jonchurch jdalton UlisesGascon

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2950",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T13:43:14.280375Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T13:43:21.491Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash",
          "product": "lodash",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.17.23",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash-es",
          "product": "lodash-es",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.17.23",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash-amd",
          "product": "lodash-amd",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.17.23",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash.unset",
          "product": "lodash.unset",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Haruna38"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "shpik-kr"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "maru1009"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "ott3r07"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "zolbooo"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "backuardo"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "falsyvalues"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "jonchurch"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "jdalton"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "UlisesGascon"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."
            }
          ],
          "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T19:18:35.796Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
        }
      ],
      "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-2950",
    "datePublished": "2026-03-31T19:18:35.796Z",
    "dateReserved": "2026-02-21T20:04:35.087Z",
    "dateUpdated": "2026-04-01T13:43:21.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2022-25881 (GCVE-0-2022-25881)

CVE-2022-33987 (GCVE-0-2022-33987)

CVE-2025-25285 (GCVE-0-2025-25285)

CVE-2025-62718 (GCVE-0-2025-62718)

CVE-2025-69873 (GCVE-0-2025-69873)

CVE-2026-21637 (GCVE-0-2026-21637)

CVE-2026-23745 (GCVE-0-2026-23745)

CVE-2026-24842 (GCVE-0-2026-24842)

CVE-2026-26960 (GCVE-0-2026-26960)

CVE-2026-2950 (GCVE-0-2026-2950)

Tags

Sightings

Nomenclature