node.js security
About this tag
The node.js security tag on WindowsForum covers recent vulnerabilities and hardening topics specific to Node.js environments. Discussions include CVE-2026-33671, a ReDoS flaw in Picomatch affecting glob matching, CVE-2026-21637 involving TLS callback denial-of-service via pskCallback and ALPNCallback, and CVE-2026-21715, a permission bypass in Node.js on Windows using realpathSync.native. These threads focus on practical risks, patch guidance, and configuration fixes for production Node.js deployments. The tag is relevant for developers, system administrators, and security professionals managing Node.js applications on Windows or cross-platform infrastructure.
Picomatch’s ReDoS flaw is a reminder that small parsing bugs can become big availability problems
A new CVE-2026-33671 advisory is drawing attention to a familiar but still dangerous class of bug: regular expression denial of service, or ReDoS, in the JavaScript glob matcher Picomatch. The issue...
When Microsoft quietly flags a CVE through its Security Update Guide, the shorthand can hide a lot of practical risk. In the case of CVE-2026-21637, the key issue is not a flashy remote code execution claim but something more mundane and, in many production environments, just as disruptive: a...
Microsoft’s CVE-2026-21715 advisory points to a Node.js Permission Model bypass that matters most for applications relying on --permission and restricted --allow-fs-read settings. In practical terms, the flaw lets fs.realpathSync.native() sidestep the read-permission checks that comparable...