Security
Headlines
HeadlinesLatestCVEs

Tag

#nodejs

GHSA-96g7-g7g9-jxw8: happy-dom allows for server side code to be executed by a <script> tag

Fixes security vulnerability that allowed for server side code to be executed by a <script> tag ### Impact Consumers of the NPM package `happy-dom` ### Patches The security vulnerability has been patched in v15.10.1 ### Workarounds No easy workarounds to my knowledge ### References [#1585](https://github.com/capricorn86/happy-dom/issues/1585)

ghsa
Open in Source
#vulnerability#web#nodejs#git#auth
Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages

An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware. The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few

IBM Security Verify Access 32 Vulnerabilities

IBM Security Verify Access versions prior to 10.0.8 suffer from authentication bypass, reuse of private keys, local privilege escalation, weak settings, outdated libraries, missing password, hardcoded secrets, remote code execution, missing authentication, null pointer dereference, and lack of privilege separation vulnerabilities.

LottieFiles Issues Warning About Compromised "lottie-player" npm Package

LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library. "On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a

Red Hat Security Advisory 2024-8546-03

Red Hat Security Advisory 2024-8546-03 - Red Hat Advanced Cluster Management for Kubernetes 2.9.5 General Availability release images, which fix bugs and update container images.

Red Hat Security Advisory 2024-8533-03

Red Hat Security Advisory 2024-8533-03 - Multicluster Engine for Kubernetes 2.4.6 General Availability release images, which fix bugs and update container images.

GHSA-6m59-8fmv-m5f9: @langchain/community SQL Injection vulnerability

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview. The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers

TeamTNT Exploits 16 Million IPs in Malware Attack on Docker Clusters

This article details a new campaign by TeamTNT, a notorious hacking group, leveraging exposed Docker daemons to deploy…

GHSA-mgfv-m47x-4wqp: useragent Regular Expression Denial of Service vulnerability

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).