The OpenJS Foundation's CVE Numbering Authority (CNA) https://cna.openjsf.org/security-advisories.html en Wed, 17 Jun 2026 17:32:27 +0000 https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m CVE-2026-11525::undici Wed, 17 Jun 2026 00:00:00 +0000 undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching in undici. CVE: CVE-2026-11525. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52 CVE-2026-6733::undici Wed, 17 Jun 2026 00:00:00 +0000 undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse in undici. CVE: CVE-2026-6733. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52 https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6 CVE-2026-9678::undici Wed, 17 Jun 2026 00:00:00 +0000 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass in undici. CVE: CVE-2026-9678. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6 https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv CVE-2026-9679::undici Wed, 17 Jun 2026 00:00:00 +0000 undici vulnerable to HTTP header injection via Set-Cookie percent-decoding in undici. CVE: CVE-2026-9679. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g CVE-2026-9697::undici Wed, 17 Jun 2026 00:00:00 +0000 undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent in undici. CVE: CVE-2026-9697. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj CVE-2026-6734::undici Wed, 17 Jun 2026 00:00:00 +0000 undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse in undici. CVE: CVE-2026-6734. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq CVE-2026-9675::undici Wed, 17 Jun 2026 00:00:00 +0000 undici WebSocket client vulnerable to denial of service via cumulative fragment bypass in undici. CVE: CVE-2026-9675. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q CVE-2026-12151::undici Wed, 17 Jun 2026 00:00:00 +0000 undici WebSocket client vulnerable to denial of service via fragment count bypass in undici. CVE: CVE-2026-12151. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79 CVE-2026-9595::webpack-dev-server Mon, 15 Jun 2026 00:00:00 +0000 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies in webpack-dev-server. CVE: CVE-2026-9595. Advisory: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-mx8g-39q3-5c79 https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm CVE-2026-5038::multer Mon, 15 Jun 2026 00:00:00 +0000 multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads in multer. CVE: CVE-2026-5038. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm https://github.com/expressjs/multer/security/advisories/GHSA-72gw-mp4g-v24j CVE-2026-5079::multer Mon, 15 Jun 2026 00:00:00 +0000 multer vulnerable to Denial of Service via deeply nested field names in multer. CVE: CVE-2026-5079. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-72gw-mp4g-v24j https://github.com/nvm-sh/nvm/security/advisories/GHSA-3c52-35h2-gfmm CVE-2026-10796::nvm Thu, 04 Jun 2026 00:00:00 +0000 nvm vulnerable to OS command injection via crafted version strings from a malicious Node.js mirror in nvm. CVE: CVE-2026-10796. Advisory: https://github.com/nvm-sh/nvm/security/advisories/GHSA-3c52-35h2-gfmm https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m CVE-2026-5078::morgan Wed, 03 Jun 2026 00:00:00 +0000 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user in morgan. CVE: CVE-2026-5078. Advisory: https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv CVE-2026-8162::multiparty Tue, 12 May 2026 00:00:00 +0000 multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing in multiparty. CVE: CVE-2026-8162. Advisory: https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956 CVE-2026-8161::multiparty Tue, 12 May 2026 00:00:00 +0000 multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception in multiparty. CVE: CVE-2026-8161. Advisory: https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956 https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94 CVE-2026-8159::multiparty Tue, 12 May 2026 00:00:00 +0000 multiparty vulnerable to ReDoS via filename parsing in multiparty. CVE: CVE-2026-8159. Advisory: https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94 https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w CVE-2026-6402::webpack-dev-server Tue, 12 May 2026 00:00:00 +0000 webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins in webpack-dev-server. CVE: CVE-2026-6402. Advisory: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc CVE-2026-6322::fast-uri Tue, 05 May 2026 00:00:00 +0000 fast-uri vulnerable to host confusion via percent-encoded authority delimiters in fast-uri. CVE: CVE-2026-6322. Advisory: https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 CVE-2026-6321::fast-uri Mon, 04 May 2026 00:00:00 +0000 fast-uri vulnerable to path traversal via percent-encoded dot segments in fast-uri. CVE: CVE-2026-6321. Advisory: https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg CVE-2026-7768::@fastify/accepts-serializer Mon, 04 May 2026 00:00:00 +0000 @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth in @fastify/accepts-serializer. CVE: CVE-2026-7768. Advisory: https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6 CVE-2026-33804::@fastify/middie Thu, 16 Apr 2026 00:00:00 +0000 @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option in @fastify/middie. CVE: CVE-2026-33804. Advisory: https://github.com/fastify/middie/security/advisories/GHSA-v9ww-2j6r-98q6 https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w CVE-2026-6270::@fastify/middie Thu, 16 Apr 2026 00:00:00 +0000 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes in @fastify/middie. CVE: CVE-2026-6270. Advisory: https://github.com/fastify/middie/security/advisories/GHSA-72c6-fx6q-fr5w https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h CVE-2026-6410::@fastify/static Thu, 16 Apr 2026 00:00:00 +0000 @fastify/static vulnerable to path traversal in directory listing in @fastify/static. CVE: CVE-2026-6410. Advisory: https://github.com/fastify/fastify-static/security/advisories/GHSA-pr96-94w5-mx2h https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92 CVE-2026-6414::@fastify/static Thu, 16 Apr 2026 00:00:00 +0000 @fastify/static vulnerable to route guard bypass via encoded path separators in @fastify/static. CVE: CVE-2026-6414. Advisory: https://github.com/fastify/fastify-static/security/advisories/GHSA-x428-ghpx-8j92 https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 CVE-2026-33805::@fastify/reply-from Wed, 15 Apr 2026 00:00:00 +0000 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers in @fastify/reply-from. CVE: CVE-2026-33805. Advisory: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 CVE-2026-33805::@fastify/http-proxy Wed, 15 Apr 2026 00:00:00 +0000 @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers in @fastify/http-proxy. CVE: CVE-2026-33805. Advisory: https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37 https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c CVE-2026-33807::@fastify/express Wed, 15 Apr 2026 00:00:00 +0000 @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes in @fastify/express. CVE: CVE-2026-33807. Advisory: https://github.com/fastify/fastify-express/security/advisories/GHSA-hrwm-hgmj-7p9c https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88 CVE-2026-33808::@fastify/express Wed, 15 Apr 2026 00:00:00 +0000 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) in @fastify/express. CVE: CVE-2026-33808. Advisory: https://github.com/fastify/fastify-express/security/advisories/GHSA-6hw5-45gm-fj88 https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963 CVE-2026-33806::fastify Tue, 14 Apr 2026 00:00:00 +0000 fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header in fastify. CVE: CVE-2026-33806. Advisory: https://github.com/fastify/fastify/security/advisories/GHSA-247c-9743-5963 https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc CVE-2026-4800::lodash Tue, 31 Mar 2026 00:00:00 +0000 Incomplete fix for CVE-2021-23337 allows code injection via _.template imports key names in lodash. CVE: CVE-2026-4800. Advisory: https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh CVE-2026-2950::lodash Tue, 31 Mar 2026 00:00:00 +0000 lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit in lodash. CVE: CVE-2026-2950. Advisory: https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f CVE-2026-4926::path-to-regexp Thu, 26 Mar 2026 00:00:00 +0000 path-to-regexp vulnerable to Denial of Service via sequential optional groups in path-to-regexp. CVE: CVE-2026-4926. Advisory: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-j3q9-mxjg-w52f https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7 CVE-2026-4923::path-to-regexp Thu, 26 Mar 2026 00:00:00 +0000 ReDoS possible with multiple wildcards in path-to-regexp. CVE: CVE-2026-4923. Advisory: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7 https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2 CVE-2026-4867::path-to-regexp Thu, 26 Mar 2026 00:00:00 +0000 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters in path-to-regexp. CVE: CVE-2026-4867. Advisory: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2 https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf CVE-2026-3635::fastify Mon, 23 Mar 2026 00:00:00 +0000 Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function in fastify. CVE: CVE-2026-3635. Advisory: https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h CVE-2026-2581::undici Thu, 12 Mar 2026 00:00:00 +0000 Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS in undici. CVE: CVE-2026-2581. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq CVE-2026-1527::undici Thu, 12 Mar 2026 00:00:00 +0000 CRLF Injection in undici via upgrade option in undici. CVE: CVE-2026-1527. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj CVE-2026-1528::undici Thu, 12 Mar 2026 00:00:00 +0000 Malicious WebSocket 64-bit length overflows undici parser and crashes the client in undici. CVE: CVE-2026-1528. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8 CVE-2026-2229::undici Thu, 12 Mar 2026 00:00:00 +0000 Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation in undici. CVE: CVE-2026-2229. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8 https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q CVE-2026-1526::undici Thu, 12 Mar 2026 00:00:00 +0000 Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression in undici. CVE: CVE-2026-1526. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm CVE-2026-1525::undici Thu, 12 Mar 2026 00:00:00 +0000 Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) in undici in undici. CVE: CVE-2026-1525. Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9 CVE-2026-3419::fastify Thu, 05 Mar 2026 00:00:00 +0000 Fastify vulnerable to missing end anchor in subtypeNameReg Allows Malformed Content-Types to Pass Validation in fastify. CVE: CVE-2026-3419. Advisory: https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9 https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2 CVE-2026-3520::multer Wed, 04 Mar 2026 00:00:00 +0000 Multer vulnerable to Denial of Service via uncontrolled recursion in multer. CVE: CVE-2026-3520. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2 https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw CVE-2026-2880::@fastify/middie Fri, 27 Feb 2026 00:00:00 +0000 @fastify/middie has an improper path normalization vulnerability in @fastify/middie. CVE: CVE-2026-2880. Advisory: https://github.com/fastify/middie/security/advisories/GHSA-8p85-9qpw-fwgw https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p CVE-2026-3304::multer Fri, 27 Feb 2026 00:00:00 +0000 Multer vulnerable to Denial of Service via incomplete cleanup in multer. CVE: CVE-2026-3304. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc CVE-2026-2359::multer Fri, 27 Feb 2026 00:00:00 +0000 multer vulnerable to Denial of Service via resource exhaustion in multer. CVE: CVE-2026-2359. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg CVE-2025-13465::lodash Wed, 21 Jan 2026 00:00:00 +0000 Prototype Pollution Vulnerability in Lodash `_.unset` and `_.omit` functions in lodash. CVE: CVE-2025-13465. Advisory: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 CVE-2025-13466::body-parser Mon, 24 Nov 2025 00:00:00 +0000 body-parser vulnerable to denial of service when url encoding is used in body-parser. CVE: CVE-2025-13466. Advisory: https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q CVE-2025-7339::on-headers Thu, 17 Jul 2025 00:00:00 +0000 on-headers vulnerable to http response header manipulation in on-headers. CVE: CVE-2025-7339. Advisory: https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p CVE-2025-7338::multer Thu, 17 Jul 2025 00:00:00 +0000 Multer vulnerable to Denial of Service via unhandled exception from malformed request in multer. CVE: CVE-2025-7338. Advisory: https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p