This repository was archived by the owner on Sep 21, 2025. It is now read-only.
"description": "A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\\r\\n\\rX` instead of the required `\\r\\n\\r\\n`.\nThis inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests.\n\nThe issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination.\n\nImpact:\n* This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade."
5506
+
},
5507
+
"CVE-2025-27209": {
5508
+
"id": "CVE-2025-27209",
5509
+
"baseScore": null,
5510
+
"publishedDate": "2025-07-18T23:15:00.000Z",
5511
+
"lastModifiedDate": "2025-07-18T23:15:00.000Z",
5512
+
"description": "The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\r\n\r\n* This vulnerability affects Node.js v24.x users."
5513
+
},
5514
+
"CVE-2025-27210": {
5515
+
"id": "CVE-2025-27210",
5516
+
"baseScore": null,
5517
+
"publishedDate": "2025-07-18T23:15:00.000Z",
5518
+
"lastModifiedDate": "2025-07-18T23:15:00.000Z",
5519
+
"description": "An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. \r\n\r\nThis vulnerability affects Windows users of `path.join` API."
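Review bot: The description strings added for CVE-2025-27209 and CVE-2025-27210 use "\r\n\r\n" as the paragraph break, while the description visible directly above them in this file uses "\n"; normalize the two new strings to "\n" so that anything splitting or rendering these descriptions on newlines gets consistent input. The CVE-2025-27210 text also carries a trailing space after "AUX." before the line break, which should be dropped. Both new entries set "baseScore": null with identical publishedDate and lastModifiedDate values; if the score is simply not assigned yet, confirm that consumers of this file handle a null baseScore explicitly rather than sorting or filtering it as a low score, and update the field once a score is available.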