nodejs security

The open-source Node.js middleware library on-headers was assigned CVE-2025-7339 after a bug was found that can cause unintended modifications to HTTP response headers when an array is passed to response.writeHead(). Microsoft’s public advisory for the CVE calls out the Azure Linux distribution...

The qs library’s quietly dangerous prototype‑pollution bug — tracked as CVE‑2022‑24999 — is a textbook example of how a tiny parser behavior can cascade into a network‑accessible denial‑of‑service for Node.js applications. The flaw allowed an attacker to use a specially crafted query string (for...

The path-to-regexp library can, under very common route patterns, generate regular expressions that trigger catastrophic backtracking — a bug tracked as CVE-2024-45296 that can freeze Node.js servers and create an easy, low‑complexity Denial‑of‑Service (DoS) vector against applications that rely...

Microsoft’s short answer — no: the MSRC note that “Azure Linux includes this open‑source library and is therefore potentially affected” is a product‑scoped attestation, not a technical guarantee that no other Microsoft product or image could carry the same vulnerable component. The CVE in...

The Node.js package ecosystem picked up another ReDoS footnote in January 2023 when a Regular Expression Denial of Service affecting the widely used http-cache-semantics library was disclosed; the flaw, tracked as CVE-2022-25881, affects versions of http-cache-semantics prior to v4.1.1 and can...

Salesforce’s widely used Node.js cookie library tough-cookie was found to contain a prototype pollution vulnerability (CVE‑2023‑26136) that affects every release before 4.1.3 when a CookieJar is created with the option rejectPublicSuffixes=false; the flaw allows specially crafted cookie domains...

The JavaScript package ecosystem hit a familiar but dangerous snag with CVE-2024-4068: a memory‑exhaustion vulnerability in the widely used NPM package braces that can be triggered by imbalanced brace input and lead to sustained denial of service by exhausting the JavaScript heap. Background The...

The HTTP parser in Node.js historically accepted spaces inside the numeric value of the Content-Length header — for example, treating "Content-Length: 1 2" as the decimal value 12 — a behavior that contradicts the HTTP specification and was catalogued as CVE‑2018‑7159; Node.js maintainers...

A critical vulnerability in the widely used npm package sha.js lets attackers supply unexpected input types that rewind or corrupt the internal hash state, produce identical digests for distinct inputs, and trigger denial-of-service conditions — a flaw tracked as CVE‑2025‑9288 and patched in...

Amid growing concerns over open-source software security, a recent campaign targeting the npm ecosystem has underscored the persistent vulnerabilities in modern development pipelines. According to research by Socket’s Threat Research Team, a coordinated attack has seen at least 60 malicious npm...