An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,793
Critical Severity: 3,506
High Severity: 8,617

Nuxt Icon affected by a Server-Side Request Forgery (SSRF)
GHSA-cxgv-px37-4mp2 CVE-2024-42352 HIGH over 1 year ago
Summary: `nuxt/icon` provides an API to allow client-side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path i...
npm
No PRs yet
Nuxt vulnerable to remote code execution via the browser when running the test locally
GHSA-v784-fjjh-f8r4 CVE-2024-34344 CRITICAL over 1 year ago
Summary: Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScrip...
npm
No PRs yet
nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR
GHSA-vf6r-87q4-2vjf CVE-2024-34343 MODERATE over 1 year ago
Summary: The `navigateTo` function attempts to block the `javascript:` protocol, but does not correctly use APIs provided by `unjs/ufo`. This li...
npm
No PRs yet
Nuxt Devtools has a Path Traversal: '../filedir'
GHSA-rcvg-rgf7-pppv CVE-2024-23657 HIGH over 1 year ago
Summary: Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with...
npm
No PRs yet
Rocket.Chat Server-Side Request Forgery (SSRF) vulnerability
GHSA-ffxg-5f8m-h72j CVE-2024-39713 HIGH over 1 year ago
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.
npm
No PRs yet
Elliptic allows BER-encoded signatures
GHSA-49q7-c7j4-3p7m CVE-2024-42461 LOW over 1 year ago
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
npm
493 Dependabot PRs, 12% merged
Elliptic's ECDSA missing check for whether leading bit of r and s is zero
GHSA-977x-g7h5-7qgw CVE-2024-42460 LOW over 1 year ago
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r an...
npm
250 Dependabot PRs, 16% merged
Elliptic's EDDSA missing signature length check
GHSA-f7q4-pwc6-w24p CVE-2024-42459 LOW over 1 year ago
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-val...
npm
256 Dependabot PRs, 16% merged
Bostr Improper Authorization vulnerability
GHSA-5cf7-cxrf-mq73 CVE-2024-41962 MODERATE over 1 year ago
Even when `authorized_keys` is filled with allowed pubkeys, if `noscraper` is enabled, it will allow anyone to use the bouncer even if its pubkey is not ...
npm
No PRs yet
@75lb/deep-merge Prototype Pollution vulnerability
GHSA-28mc-g557-92m7 CVE-2024-38986 HIGH over 1 year ago
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts ...
npm
No PRs yet
The fuels-ts typescript SDK has no awareness of to-be-spent transactions
GHSA-3jcg-vx7f-j6qf CVE-2024-41945 LOW over 1 year ago
Brief/Intro: The TypeScript SDK has no awareness of to-be-spent transactions causing some transactions to fail or silently get pruned as they are...
npm
No PRs yet
fast-xml-parser vulnerable to ReDOS at currency parsing
GHSA-mpg4-rc92-vx8v CVE-2024-41818 HIGH over 1 year ago
Summary: A ReDOS that exists on currency.js was discovered by Gauss Security Labs R&D team. Details: https://github.com/NaturalIntelligence/...
npm
1 Dependabot PR
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
GHSA-g3ch-rx76-35fx CVE-2024-6783 MODERATE over 1 year ago
A vulnerability has been discovered in vue-template-compiler, that allows an attacker to perform XSS via prototype pollution. The attacker could ch...
npm
No PRs yet
(ReDoS) Regular Expression Denial of Service in tf2-item-format
GHSA-8h55-q5qq-p685 CVE-2024-41655 HIGH over 1 year ago
Summary: Versions of `tf2-item-format` since at least `4.2.6` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsi...
npm
No PRs yet
Zowe CLI allows storage of previously entered secure credentials in a plaintext file
GHSA-ghgq-x6wc-6jr5 CVE-2024-6833 MODERATE over 1 year ago
A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-i...
npm
No PRs yet
Plate media plugins has a XSS in media embed element when using custom URL parsers
GHSA-h3pq-667x-r789 CVE-2024-40631 HIGH over 1 year ago
Impact: Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parse...
npm
No PRs yet
@jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages)
GHSA-342q-2mc2-5gmp CVE-2024-39919 MODERATE over 1 year ago
Summary: The maintainer has been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practic...
npm
No PRs yet
@jmondi/url-to-png contains a Path Traversal vulnerability
GHSA-vvmv-wrvp-9gjr CVE-2024-39918 MODERATE over 1 year ago
Summary: When trying to add a `BLOCK_LIST` feature, the maintainer noticed they didn't sanitize the `ImageId` in the code, which leads to pa...
npm
No PRs yet
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
GHSA-vxmc-5x29-h64v CVE-2024-6485 MODERATE over 1 year ago
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated wit...
npm
No PRs yet
Next.js Denial of Service (DoS) condition
GHSA-fq54-2j52-jc42 CVE-2024-39693 HIGH over 1 year ago
Impact: A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability o...
npm
No PRs yet
node-twain vulnerable to Improper Check or Handling of Exceptional Conditions
GHSA-wxr3-2hgv-qm8f CVE-2024-21525 HIGH over 1 year ago
All versions of the package node-twain are vulnerable to Improper Check or Handling of Exceptional Conditions due to the length of the source data ...
npm
No PRs yet
speaker vulnerable to Denial of Service
GHSA-w5fc-gj3h-26rx CVE-2024-21526 HIGH over 1 year ago
All versions of the package speaker are vulnerable to Denial of Service (DoS) when providing unexpected input types to the channels property of the...
npm
No PRs yet
node-stringbuilder vulnerable to Out-of-bounds Read
GHSA-g533-xq5w-jmf3 CVE-2024-21524 HIGH over 1 year ago
All versions of the package node-stringbuilder are vulnerable to Out-of-bounds Read due to incorrect memory length calculation, by calling ToBuffer...
npm
No PRs yet
images vulnerable to Denial of Service
GHSA-vjpv-x8p9-7p85 CVE-2024-21523 HIGH over 1 year ago
All versions of the package images are vulnerable to Denial of Service (DoS) due to providing unexpected input types to several different functions...
npm
No PRs yet
audify vulnerable to Improper Validation of Array Index
GHSA-7vhm-fmph-7wxw CVE-2024-21522 HIGH over 1 year ago
All versions of the package audify are vulnerable to Improper Validation of Array Index when frameSize is provided to the new OpusDecoder().decode ...
npm
No PRs yet
@discordjs/opus vulnerable to Denial of Service
GHSA-43wq-xrcm-3vgr CVE-2024-21521 HIGH over 1 year ago
All versions of the package @discordjs/opus are vulnerable to Denial of Service (DoS) due to providing an input object with a property toString to ...
npm
9 Dependabot PRs
electron-updater Code Signing Bypass on Windows
GHSA-9jxc-qjr9-vjxq CVE-2024-39698 HIGH over 1 year ago
Observations: The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for...
npm
No PRs yet
Undici vulnerable to data leak when using response.arrayBuffer()
GHSA-3g92-w8c5-73pq CVE-2024-38372 LOW over 1 year ago
Impact: Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include a portion of memory from the N...
npm
No PRs yet
Directus Allows Single Sign-On User Enumeration
GHSA-jgf4-vwc3-r46v CVE-2024-39896 HIGH over 1 year ago
Impact: When relying on SSO providers in combination with local authentication, it can be possible to enumerate existing SSO users in the instanc...
npm
No PRs yet
Directus GraphQL Field Duplication Denial of Service (DoS)
GHSA-7hmh-pfrp-vcx4 CVE-2024-39895 HIGH over 1 year ago
Summary: A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of Grap...
npm
No PRs yet
Directus incorrectly handles `_in` filter
GHSA-hxgm-ghmv-xjjm CVE-2024-39701 HIGH over 1 year ago
Summary: Directus >=9.23.0, <=v10.5.3 improperly handles the _in and _nin operators. It evaluates empty arrays as valid, so expressions like {"role": {"...
npm
No PRs yet
Directus Blind SSRF On File Import
GHSA-8p72-rcq4-h6pw CVE-2024-39699 MODERATE over 1 year ago
Summary: There was already a reported SSRF vulnerability via file import. [https://github.com/directus/directus/security/advisories/GHSA-j3rg-3r...
npm
No PRs yet
Server Side Request Forgery (SSRF) attack in Fedify
GHSA-p9cg-vqcc-grcx CVE-2024-39687 MODERATE over 1 year ago
Summary: At present, when Fedify needs to retrieve an object or activity from a remote ActivityPub server, it makes an HTTP request to the `@id...
npm
No PRs yet
Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to
GHSA-w9mh-5x8j-9754 CVE-2024-39691 MODERATE over 1 year ago
Impact: The fix for GHSA-wm4w-7h2q-3pf7 / [CVE-2024-32000](https://www.cve.org/CVERecord?id=CVE-2024-32000) included in matrix-appservice-irc 2...
npm
No PRs yet
rejetto HFS vulnerable to OS Command Execution by remote authenticated users
GHSA-5f4x-hwv2-w9w2 CVE-2024-39943 HIGH over 1 year ago
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they ha...
npm
No PRs yet
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
GHSA-c2hr-cqg6-8j6r CVE-2024-39309 CRITICAL over 1 year ago
Impact: This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. Patches: The algorithm to ...
npm
No PRs yet
ejson shell parser in MongoDB Compass may be bypassed
GHSA-jxr4-4prv-mh83 CVE-2024-6376 HIGH over 1 year ago
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compas...
npm
No PRs yet
@cat5th/key-serializer Prototype Pollution vulnerability
GHSA-whpx-g542-7c7v CVE-2024-39018 MODERATE over 1 year ago
harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attacke...
npm
No PRs yet
robinweser fast-loops vulnerable to prototype pollution
GHSA-3q56-9cc2-46j4 CVE-2024-39008 HIGH over 1 year ago
robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function `objectMergeDeep`. This vulnerability allows attacker...
npm
No PRs yet
ag-grid packages vulnerable to Prototype Pollution
GHSA-328p-362g-r48j CVE-2024-39001 MODERATE over 1 year ago
ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows at...
npm
No PRs yet
jrburke requirejs vulnerable to prototype pollution
GHSA-x3m3-4wpv-5vgc CVE-2024-38999 HIGH over 1 year ago
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function `s.contexts._.configure`. This vulnerability allows attac...
npm
No PRs yet
adolph_dudu ratio-swiper was discovered to contain a prototype pollution via the function extendDefaults
GHSA-88vr-hjqx-57qh CVE-2024-38997 MODERATE over 1 year ago
adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function extendDefaults. This vulnerability allows attacker...
npm
No PRs yet
Prototype pollution in ag-grid-community via the _.mergeDeep function
GHSA-876p-c77m-x2hc CVE-2024-38996 HIGH over 1 year ago
ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulner...
npm
No PRs yet
@amoy/common v was discovered to contain a prototype pollution via the function extend
GHSA-w58v-r3cp-qr93 CVE-2024-38994 HIGH over 1 year ago
amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute ...
npm
No PRs yet
akbr patch-into was discovered to contain a prototype pollution via the function patchInto
GHSA-gh4x-qv3p-m9pm CVE-2024-38991 HIGH over 1 year ago
akbr patch-into version 1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to ex...
npm
No PRs yet
frappejs was discovered to contain a prototype pollution via the function registerView
GHSA-gc7m-596h-x57r CVE-2024-38992 HIGH over 1 year ago
airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to ex...
npm
No PRs yet
@aofl/cli-lib Prototype Pollution vulnerability
GHSA-vg6v-jcg3-5mp7 CVE-2024-38987 MODERATE over 1 year ago
aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute...
npm
No PRs yet
@fastly/js-compute has a use-after-free in some host call implementations
GHSA-mp3g-vpm9-9vqv CVE-2024-38375 MODERATE over 1 year ago
Impact: The implementation of the following functions was determined to include a use-after-free bug: * `FetchEvent.client.tlsCipherOpensslNam...
npm
No PRs yet
Cross-site Scripting in ZenUML
GHSA-q6xv-jm4v-349h CVE-2024-38527 MODERATE over 1 year ago
Summary: Markdown-based comments in the ZenUML diagram syntax are susceptible to Cross-site Scripting (XSS). Details: The comment feature ...
npm
No PRs yet
Strapi Server-Side Request Forgery (SSRF)
GHSA-p9ff-j98v-p435 CVE-2024-37818 HIGH over 1 year ago
Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows a...
npm
No PRs yet