Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,921 Total Advisories
1,821 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-xx4v-prfh-6cgc CVE-2025-25289 MODERATE 10 months ago
### Summary
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorizat...
npm | 1 Dependabot PR
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-h5c3-5r3r-rr8q CVE-2025-25288 MODERATE 10 months ago
### Summary
For the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance...
npm | 3 Dependabot PRs | 33% merged
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-x4c5-c7rf-jjgv CVE-2025-25285 MODERATE 10 months ago
### Summary
By crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-...
npm | No PRs yet
Vega allows Cross-site Scripting via the vlSelectionTuples function
GHSA-mp7w-mhcv-673j CVE-2025-25304 MODERATE 10 months ago
### Summary
The `vlSelectionTuples` function can be used to call JavaScript functions, leading to XSS.
### Details
[`vlSelectionTuples`](https://g...
npm | No PRs yet
DOMPurify allows Cross-site Scripting (XSS)
GHSA-vhxf-7vqr-mrjg CVE-2025-26791 MODERATE 10 months ago
DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation c...
npm | 465 Dependabot PRs | 13% merged
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
GHSA-vjh7-7g9h-fjfh CRITICAL 10 months ago
### Summary
Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come fr...
npm | 8 Dependabot PRs
parse-duration has a Regex Denial of Service that results in event loop delay and out of memory
GHSA-hcrg-fc28-fcg5 CVE-2025-25283 HIGH 10 months ago
### Summary
This report finds 2 availability issues due to the regex used in the `parse-duration` npm package:
1. An event loop delay due to the C...
npm | No PRs yet
Inefficient Regular Expression Complexity in koa
GHSA-593f-38f6-jp5m CVE-2025-25200 CRITICAL 10 months ago
### Summary
Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denia...
npm | 538 Dependabot PRs | 11% merged
Authentication bypass in @sap/approuter
GHSA-cpfx-964w-4jvp CVE-2025-24876 HIGH 10 months ago
The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code, an attacke...
npm | No PRs yet
Cross-site Scripting (XSS) in serialize-javascript
GHSA-76p7-773f-r4q5 CVE-2024-11831 MODERATE 10 months ago
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i...
npm | No PRs yet
Unknown vulnerability in Coinbase Wallet SDK
GHSA-8rgj-285w-qcq4 HIGH 10 months ago
### Impact
There is a security vulnerability in outdated versions of Coinbase Wallet SDK. This does not directly affect users' keys, smart contract...
npm | 1 Dependabot PR | 100% merged
esbuild enables any website to send any requests to the development server and read the response
GHSA-67mh-4wv8-2f99 MODERATE 10 months ago
### Summary
esbuild allows any website to send any request to the development server and read the response due to default CORS settings.
### Det...
npm | 1673 Dependabot PRs | 19% merged
Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc
GHSA-j82m-pc2v-2484 CVE-2025-24981 CRITICAL 10 months ago
### Summary
Unsafe parsing of URLs in markdown can lead to arbitrary JavaScript execution due to a bypass of the existing guards around th...
npm | No PRs yet
@zag-js/core prototype pollution
GHSA-fg4m-w35q-vfg2 CVE-2024-57079 HIGH 10 months ago
A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a cra...
npm | No PRs yet
@stryker-mutator/util vulnerable to Prototype Pollution
GHSA-9j5q-479x-43g2 CVE-2024-57085 HIGH 10 months ago
A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a...
npm | No PRs yet
utils-extend Prototype Pollution
GHSA-7qgg-vw88-cc99 CVE-2024-57077 CRITICAL 10 months ago
The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a ...
npm | No PRs yet
vxe-table prototype pollution
GHSA-89fp-f5mx-748x CVE-2024-57080 HIGH 10 months ago
A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ...
npm | No PRs yet
node-opcua-alarm-condition prototype pollution vulnerability
GHSA-gvwq-6fmx-28xm CVE-2024-57086 HIGH 10 months ago
A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via s...
npm | No PRs yet
@rpldy/uploader prototype pollution
GHSA-pc47-g7gv-4gpw CVE-2024-57082 HIGH 10 months ago
A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplyin...
npm | No PRs yet
eazy-logger prototype pollution
GHSA-r7jx-5m6m-cpg9 CVE-2024-57075 HIGH 10 months ago
A prototype pollution in the lib.Logger function of eazy-logger v4.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ...
npm | 431 Dependabot PRs | 25% merged
@ndhoule/defaults prototype pollution
GHSA-79h2-v6hh-wq23 CVE-2024-57066 HIGH 10 months ago
A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a craf...
npm | No PRs yet
@tanstack/form-core prototype pollution
GHSA-ggv3-vmgw-xv2q CVE-2024-57068 HIGH 10 months ago
A prototype pollution in the lib.mutateMergeDeep function of @tanstack/form-core v0.35.0 allows attackers to cause a Denial of Service (DoS) via su...
npm | 2 Dependabot PRs | 50% merged
module-from-string prototype pollution
GHSA-q5j8-9m9g-x2jh CVE-2024-57072 HIGH 10 months ago
A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via su...
npm | No PRs yet
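The ten prototype pollution entries above (@zag-js/core, @stryker-mutator/util, utils-extend, vxe-table, node-opcua-alarm-condition, @rpldy/uploader, eazy-logger, @ndhoule/defaults, @tanstack/form-core, module-from-string) all describe the same defect class: a recursive merge or extend that walks into a `__proto__` key supplied by the caller, so one crafted object writes a property onto `Object.prototype` and every object in the process inherits it. The block below is an added example and is not code from any of those packages. It shows a constructed naive merge being polluted by a JSON payload, beside a hardened merge that refuses prototype keys; the function names, `PROTOTYPE_KEYS` and the payload are hypothetical.

```javascript
// Added example (not code from any package listed on this page).
// A naive recursive merge beside a hardened one, exercised with a constructed
// JSON payload of the kind that arrives as untrusted network input.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: recurses into every key of `source`, including "__proto__".
// On a plain target, target["__proto__"] is Object.prototype, so the nested
// write lands on every object in the process.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach a prototype, and only recurse into
// properties that `target` actually owns (never into inherited ones).
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTOTYPE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = isPlainObject(own) ? own : {};
      if (child !== own) target[key] = child;
      safeDeepMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload: a legitimate-looking field next to a
// "__proto__" key. JSON.parse creates "__proto__" as an own data property,
// so Object.keys() returns it and a naive merge follows it.
const POLLUTING_JSON = '{"user":{"name":"alice"},"__proto__":{"isAdmin":true}}';

// Run one merge implementation against the payload and report whether an
// unrelated object acquired the injected property. Cleans up afterwards so
// repeated calls start from an unpolluted Object.prototype.
function pollutionCheck(mergeFn) {
  const config = { user: { name: 'bob' } };
  mergeFn(config, JSON.parse(POLLUTING_JSON));
  const bystander = {};
  const result = { polluted: bystander.isAdmin === true, name: config.user.name };
  delete Object.prototype.isAdmin;
  return result;
}
```

`pollutionCheck(naiveDeepMerge)` reports `polluted: true`; `pollutionCheck(safeDeepMerge)` reports `polluted: false` while still merging the ordinary `user.name` key. The own-property check matters as much as the key deny-list: without it, a key such as `toString` would recurse into `Object.prototype.toString` and the merge would start writing properties onto a shared function.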
Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
GHSA-9x4v-xfq5-m8x5 CRITICAL 10 months ago
### Summary
The better-auth `/api/auth/error` page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerabil...
npm | No PRs yet
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
GHSA-9crc-q9x8-hgqq CVE-2025-24964 CRITICAL 10 months ago
### Summary
Arbitrary remote code execution when accessing a malicious website while the Vitest API server is listening, via cross-site WebSocket hijacki...
npm | 993 Dependabot PRs | 13% merged
Vitest browser mode serves arbitrary files
GHSA-8gvc-j273-4wm5 CVE-2025-24963 MODERATE 10 months ago
### Summary
The `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. Especially if the server is exp...
npm | 494 Dependabot PRs | 12% merged
ZX Allows Environment Variable Injection for dotenv API
GHSA-qwp8-x4ff-5h87 CVE-2025-24959 MODERATE 10 months ago
### Impact
This vulnerability is an **Environment Variable Injection** issue in `dotenv.stringify`, affecting `google/zx` version **8.3.1**.
An a...
npm | No PRs yet
files.photo.gallery command injection
GHSA-5wjw-qjhm-v43h CVE-2024-53615 MODERATE 10 months ago
A command injection vulnerability in the video thumbnail rendering component of files.photo.gallery v0.3.0 through 0.11.0 allows remote attackers t...
npm | No PRs yet
snowflake-sdk may incorrectly validate temporary credential cache file permissions
GHSA-xfhv-wqj6-rx99 CVE-2025-24791 MODERATE 10 months ago
### Issue
Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential c...
npm | No PRs yet
Potential DoS when using ContextLines integration
GHSA-r5w7-f542-q2j4 LOW 10 months ago
### Impact
The [ContextLines integration](https://docs.sentry.io/platforms/javascript/guides/node/configuration/integrations/contextlines/) uses re...
npm | No PRs yet
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
GHSA-4gf7-ff8x-hq99 CVE-2025-24361 MODERATE 10 months ago
### Summary
Source code may be stolen during development when using the webpack / rspack builder and opening a malicious website.
### Details
Because the re...
npm | 14 Dependabot PRs | 14% merged
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
GHSA-2452-6xj8-jh47 CVE-2025-24360 MODERATE 10 months ago
### Summary
Nuxt allows any website to send any request to the development server and read the response due to default CORS settings.
### Detail...
npm | 17 Dependabot PRs | 14% merged
NodeBB Cross-site scripting (XSS) vulnerability
GHSA-vqr3-vrrg-f3jh CVE-2024-57041 MODERATE 11 months ago
A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section o...
npm | No PRs yet
Cross Site Scripting vulnerability in store2
GHSA-w5hq-hm5m-4548 CVE-2024-57556 MODERATE 11 months ago
Cross Site Scripting vulnerability in nbubna store v.2.14.2 and before allows a remote attacker to execute arbitrary code via the store.deep.js com...
npm | No PRs yet
Directus has a DOM-Based cross-site scripting (XSS) via layout_options
GHSA-9qrm-48qf-r2rw LOW 11 months ago
### Impact
Directus allows an authenticated attacker to save cross site scripting code to the database. This is possible because the application in...
npm | No PRs yet
Directus allows privilege escalation using Share feature
GHSA-pmf4-v838-29hg CVE-2025-24353 MODERATE 11 months ago
### Summary
When sharing an item, a user can specify an arbitrary role. This allows the user to use a higher-privileged role to see fields that otherwise t...
npm | No PRs yet
Unlimited consumption of resources in @fastify/multipart
GHSA-27c6-mcxv-x3fh CVE-2025-24033 HIGH 11 months ago
### Impact
The `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request.
### Patches
Fixed in vers...
npm | No PRs yet
MathLive's Lack of Escaping of HTML allows for XSS
GHSA-qwj6-q94f-8425 CVE-2025-29049 MODERATE 11 months ago
### Summary
Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML...
npm | 3 Dependabot PRs | 33% merged
Use of Insufficiently Random Values in undici
GHSA-c76h-2ccp-4975 CVE-2025-22150 MODERATE 11 months ago
### Impact
[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body...
npm | 3148 Dependabot PRs | 14% merged
XSS/HTML Injection Vulnerability in Umbraco Backoffice Components
GHSA-wv8v-rmw2-25wc CVE-2025-24012 MODERATE 11 months ago
### Impact
Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components.
### Patches
Will be ...
npm, nuget | 2 Dependabot PRs
Infinite loop and Blind SSRF found inside the Webfinger mechanism in @fedify/fedify
GHSA-c59p-wq67-24wx CVE-2025-23221 MODERATE 11 months ago
### Summary
This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Por...
npm | No PRs yet
Websites were able to send any requests to the development server and read the response in vite
GHSA-vg6x-rcgg-rjx6 CVE-2025-24010 MODERATE 11 months ago
### Summary
Vite allowed any website to send any request to the development server and read the response due to default CORS settings and lack of...
npm | 8321 Dependabot PRs | 10% merged
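Four entries above describe the same development-server weakness from two angles: esbuild and Vite (and Nuxt on top of them) answered cross-origin requests with permissive CORS defaults, so a malicious page could read source and build output, and Vitest accepted WebSocket connections from any page, which is cross-site WebSocket hijacking. The check a dev server needs in both cases is the same: compare the browser-supplied `Origin` header against an explicit allow-list before serving a cross-origin response or accepting an upgrade. The block below is an added example and is not the fix from Vite, esbuild, Vitest or Nuxt; the allow-list, the port number and the function names are assumptions.

```javascript
// Added example, not code from Vite, esbuild, Vitest or Nuxt. Origin checking
// for a local development server, written as pure functions so the decision
// logic can be tested without opening a socket.

// Hypothetical allow-list: only the pages the dev server itself serves.
const DEFAULT_ALLOWED_ORIGINS = new Set([
  'http://localhost:5173',
  'http://127.0.0.1:5173',
]);

// Compare a normalised origin, not the raw header string, so differences in
// case or a trailing slash cannot slip past. The opaque origin "null" and
// anything that does not parse as a URL are rejected.
function isAllowedOrigin(origin, allowed = DEFAULT_ALLOWED_ORIGINS) {
  if (typeof origin !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;
  }
  return allowed.has(parsed.origin);
}

// Decide what to do with an incoming request or upgrade. `req` only needs a
// `headers` object with lower-case keys, which is what Node's http module
// provides, so the same function serves both the 'request' and 'upgrade'
// handlers of an http.Server.
function decide(req, allowed = DEFAULT_ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  const isUpgrade = String(req.headers.upgrade || '').toLowerCase() === 'websocket';

  if (isUpgrade) {
    // Browsers always send Origin on a WebSocket handshake. A foreign or
    // missing Origin is a cross-site page trying to hijack the socket.
    return isAllowedOrigin(origin, allowed)
      ? { action: 'accept' }
      : { action: 'reject', status: 403 };
  }

  if (origin === undefined) {
    // No Origin header: a same-origin navigation or a non-browser client.
    // Nothing cross-origin can read this response, so serve it without CORS.
    return { action: 'serve', headers: {} };
  }

  if (!isAllowedOrigin(origin, allowed)) {
    // Cross-origin request from a page the dev server did not serve: refuse
    // outright rather than reflecting the origin or answering with "*".
    return { action: 'reject', status: 403 };
  }

  // Allowed origin: echo exactly that origin and mark the response as varying
  // on it so a shared cache never hands the body to a different origin.
  return {
    action: 'serve',
    headers: { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' },
  };
}
```

In a real server the `'upgrade'` handler would write a `403` and destroy the socket whenever `decide()` does not return `accept`, and the `'request'` handler would apply the returned headers (or end the response with the returned status) before any file is read. The allow-list must be explicit: matching on `localhost` by substring, or reflecting whatever `Origin` arrives, recreates the behaviour these advisories describe.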
KaTeX \htmlData does not validate attribute names
GHSA-cg87-wmx4-v546 CVE-2025-23207 MODERATE 11 months ago
### Impact
KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that r...
npm | 502 Dependabot PRs | 10% merged
AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider
GHSA-v4mq-x674-ff73 CVE-2025-23206 LOW 11 months ago
### Impact
Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://gi...
npm | No PRs yet
Eugeny Tabby Sends Password Despite Host Key Verification Failure
GHSA-8vq4-8hfp-29xh CVE-2024-48460 HIGH 11 months ago
An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password ev...
npm | No PRs yet
parse-uri Regular expression Denial of Service (ReDoS)
GHSA-6fx8-h7jm-663j CVE-2024-36751 MODERATE 11 months ago
An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.
## PoC
```js
async functi...
```
npm | No PRs yet
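The regular-expression denial-of-service entries on this page (@octokit/request-error, @octokit/plugin-paginate-rest, @octokit/endpoint, parse-duration, koa, and parse-uri above) share one root cause: a pattern with nested or overlapping quantifiers applied to attacker-controlled text such as an HTTP header or a URL, so a non-matching input forces the engine to backtrack through an exponential number of ways to split the string. The block below is an added example; it is not code from any of those packages and the pattern in it is not the one from any advisory. It shows a constructed pattern that backtracks catastrophically, a length cap that keeps unbounded input away from any regex, and a linear single-pass parser for a comma-separated header such as `X-Forwarded-Proto`. `MAX_HEADER_LEN` and the function names are hypothetical.

```javascript
// Added example; not the regex or code from koa, parse-uri, the octokit
// packages or parse-duration. Constructed for illustration.

// Constructed pattern with a nested quantifier. Because [\w.-]+ and the
// optional comma let the engine split one run of word characters at any
// position, a non-matching input such as "aaaa...a!" is tried roughly
// 2^(n-1) ways before the match fails.
const EVIL_LIST_RE = /^(\s*[\w.-]+\s*,?)*$/;

// Measure how long the evil pattern takes to reject a non-matching input of
// length n. Roughly doubling per added character is the ReDoS signature;
// keep n around 20 when trying this, larger values take seconds or minutes.
function backtrackMillis(n) {
  const input = 'a'.repeat(n) + '!';
  const start = Date.now();
  EVIL_LIST_RE.test(input);
  return Date.now() - start;
}

// Mitigation 1: never hand unbounded input to a backtracking regex. With the
// length capped, even an exponential pattern has a bounded worst case.
const MAX_HEADER_LEN = 1024;  // hypothetical limit for one header value

function boundedTest(re, input, maxLen = MAX_HEADER_LEN) {
  if (typeof input !== 'string' || input.length > maxLen) return false;
  return re.test(input);
}

// Mitigation 2: replace the regex with one left-to-right pass. Every character
// is examined once, so the cost is linear in the input length whatever the
// input contains.
function parseListHeader(value, maxLen = MAX_HEADER_LEN) {
  if (typeof value !== 'string' || value.length > maxLen) return [];
  const items = [];
  let start = 0;
  for (let i = 0; i <= value.length; i++) {
    if (i === value.length || value[i] === ',') {
      const item = value.slice(start, i).trim();
      if (item.length > 0) items.push(item);
      start = i + 1;
    }
  }
  return items;
}

// The value a proxy-aware application actually wants from X-Forwarded-Proto:
// the first hop, lower-cased, or undefined if the header is absent, empty or
// rejected by the length cap.
function firstForwardedProto(headerValue) {
  const items = parseListHeader(headerValue);
  return items.length > 0 ? items[0].toLowerCase() : undefined;
}
```

`backtrackMillis(n)` is the quick check to run against any regex that touches request data: if the time doubles as `n` grows by one, the pattern is exploitable by a single request. The parser-based approach removes the problem rather than bounding it, and the length cap protects whatever regexes remain in code you do not control.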
Mongoose search injection vulnerability
GHSA-vg7j-7cwx-8wgw CVE-2025-23061 CRITICAL 11 months ago
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the `$where` operator. This vulnerability arises from the abi...
npm | 858 Dependabot PRs | 25% merged
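The Mongoose entry above concerns filter objects that reach the database carrying a `$where` clause, which MongoDB evaluates as JavaScript; a request body or query string deserialised straight into `find()` is the usual way such a key arrives. The block below is an added example and is not Mongoose's own code or its patch. It shows a deny-list that strips operator keys from an untrusted filter, and the stricter allow-list builder that only ever produces equality matches on named fields; the field names and the sample body are constructed.

```javascript
// Added example, not Mongoose's code. Two ways to keep attacker-controlled
// keys such as "$where" out of a MongoDB filter object.

// Deny-list: walk the untrusted value and drop any key beginning with "$"
// (an operator) or that would touch a prototype. Arrays are walked too,
// because operators such as $or nest arrays of sub-filters. Scalars pass
// through unchanged.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (key.startsWith('$')) continue;
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    clean[key] = stripOperators(value[key]);
  }
  return clean;
}

// Allow-list: build the filter from named fields and scalar values, so the
// shape of what reaches find() is fixed by the code, not by the client.
// A non-scalar value is an error rather than silently dropped, because a
// dropped condition would widen the query instead of narrowing it.
function equalityFilter(body, allowedFields) {
  const filter = {};
  for (const field of allowedFields) {
    if (!Object.prototype.hasOwnProperty.call(body, field)) continue;
    const v = body[field];
    const t = typeof v;
    if (t !== 'string' && t !== 'number' && t !== 'boolean') {
      throw new TypeError(`field "${field}" must be a scalar, got ${Array.isArray(v) ? 'array' : t}`);
    }
    filter[field] = v;
  }
  return filter;
}

// Constructed request body of the kind an attacker would send: a legitimate
// field next to a $where clause, an operator smuggled inside a subdocument,
// and an extra field the endpoint never meant to filter on.
const HOSTILE_BODY = {
  username: 'alice',
  $where: 'this.username.length > 0',
  profile: { age: { $gt: 0 } },
  role: 'admin',
};
```

`stripOperators(HOSTILE_BODY)` yields `{ username: 'alice', profile: { age: {} }, role: 'admin' }`, which is safe but still lets the client choose which fields to filter on; `equalityFilter(HOSTILE_BODY, ['username'])` yields only `{ username: 'alice' }`. Prefer the allow-list form for any endpoint where the set of searchable fields is known, and keep the deny-list for generic query pass-through where it is not.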
Lodestar snappy checksum issue
GHSA-m9c9-mc2h-9wjw LOW 11 months ago
### Impact
Unintended permanent chain split affecting greater than or equal to 25% of the network, requiring hard fork (network partition requiring...
npm | No PRs yet
Lodestar snappy decompression issue
GHSA-53rv-hcvm-rpp9 LOW 11 months ago
### Impact
Unintended permanent chain split affecting greater than or equal to 25% of the network, requiring hard fork (network partition requiring...
npm | No PRs yet
Next.js Allows a Denial of Service (DoS) with Server Actions
GHSA-7m27-7ghc-44w9 CVE-2024-56332 MODERATE 11 months ago
### Impact
A Denial of Service (DoS) attack allows attackers to construct requests that leave requests to Server Actions hanging until the hosting...
npm | 2 Dependabot PRs