Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 23,521
With Dependabot PRs: 1,590
Critical severity: 3,384
High severity: 8,238
Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code
GHSA-x5gv-jw7f-j6xj CVE-2025-55284 HIGH 19 days ago
Due to an overly broad allowlist of safe commands, it was possible to bypass the Claude Code confirmation prompts to read a file and then send file...
npm · No PRs yet
Template Secret leakage in logs in Scaffolder when using `fetch:template`
GHSA-3x3q-ghcp-whf7 CVE-2025-55285 LOW 22 days ago
### Impact
Duplicate logging of the input values in the `fetch:template` action in the Scaffolder meant that some of the secrets were not properly ...
npm · No PRs yet
@astrojs/node's trailing slash handling causes open redirect issue
GHSA-9x9c-ghc5-jhw9 CVE-2025-55207 MODERATE 23 days ago
### Summary
Following https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in ...
npm · No PRs yet
Flowise OS command remote code execution
GHSA-2vv2-3x8x-4gv7 CVE-2025-8943 CRITICAL 24 days ago
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's i...
npm · No PRs yet
Flowise JS injection remote code execution
GHSA-q4xx-mc3q-23x8 CVE-2025-55346 CRITICAL 24 days ago
User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed ...
npm · No PRs yet
content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE
GHSA-w2cq-g8g3-gm83 CVE-2025-55164 HIGH 25 days ago
### Impact
A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if you provide a policy name called `__proto__` you ca...
npm · No PRs yet
Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
GHSA-r3v7-pc4g-7xp9 CVE-2025-55152 MODERATE 26 days ago
### Summary
With specially crafted value of the `x-forwarded-proto` or `x-forwarded-for` headers, it's possible to significantly slow down an oak ...
npm · No PRs yet
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
GHSA-xcxh-6cv4-q8p8 LOW 26 days ago
### Summary
When adding a "web link" to the HFS virtual filesystem, the frontend opens it with `target="_blank"` but without the `rel="noopener nor...
npm · No PRs yet
The AuthKit Remix Library renders sensitive auth data in HTML
GHSA-v3gr-w9gf-23cx CVE-2025-55009 HIGH 30 days ago
In versions before `0.15.0`, `@workos-inc/authkit-remix` exposed sensitive authentication artifacts — specifically sealedSession and accessToken — ...
npm · No PRs yet
The AuthKit React Router Library rendered sensitive auth data in HTML
GHSA-vqvc-9q8x-vmq6 CVE-2025-55008 HIGH 30 days ago
In versions before `0.7.0`, `@workos-inc/authkit-react-router` exposed sensitive authentication artifacts — specifically `sealedSession` and `acces...
npm · No PRs yet
@fedify/fedify has Improper Authentication and Incorrect Authorization
GHSA-6jcc-xgcr-q3h4 CVE-2025-54888 HIGH 30 days ago
### Summary
An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged acti...
npm · 2 Dependabot PRs
Astro's duplicate trailing slash feature leads to an open redirection security issue
GHSA-cq8c-xv66-36gw CVE-2025-54793 MODERATE about 1 month ago
## Summary
There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows...
npm · No PRs yet
The Thinbus Javascript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended
GHSA-8q6v-474h-whgg CVE-2025-54885 MODERATE about 1 month ago
### Impact
A protocol compliance bug in thinbus-srp-npm versions prior to 2.0.1 causes the client to generate a fixed 252 bits of entropy instead o...
npm · No PRs yet
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
GHSA-52f5-9888-hmc6 CVE-2025-54798 LOW about 1 month ago
### Summary
`tmp@0.2.3` is vulnerable to an Arbitrary temporary file / directory write via symbolic link `dir` parameter.
### Details
According...
npm · 6221 Dependabot PRs · 19% merged
mcp-package-docs vulnerable to command injection in several tools
GHSA-vf9j-h32g-2764 CVE-2025-54073 HIGH about 1 month ago
### Summary
A command injection vulnerability exists in the `mcp-package-docs` MCP Server. The vulnerability is caused by the unsanitized use of i...
npm · No PRs yet
js-toml Prototype Pollution Vulnerability
GHSA-65fc-cr5f-v7r2 CVE-2025-54803 HIGH about 1 month ago
A prototype pollution vulnerability in `js-toml` allows a remote attacker to add or modify properties of the global `Object.prototype` by parsing a...
npm · No PRs yet
Claude Code echo command allowed bypass of user approval prompt for command execution
GHSA-x56v-x2h6-7j34 CVE-2025-54795 HIGH about 1 month ago
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Rel...
npm · No PRs yet
Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access
GHSA-pmw4-pwvc-3hx2 CVE-2025-54794 HIGH about 1 month ago
Due to a path validation flaw using prefix matching instead of canonical path comparison, it was possible to bypass directory restrictions and acce...
npm · No PRs yet
IPX Allows Path Traversal via Prefix Matching Bypass
GHSA-mm3p-j368-7jcr CVE-2025-54387 MODERATE about 1 month ago
### Summary
The approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directori...
npm · No PRs yet
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
GHSA-85cg-cmq5-qjm7 CVE-2025-54782 CRITICAL about 1 month ago
## Summary
A critical Remote Code Execution (RCE) vulnerability was discovered in the `@nestjs/devtools-integration` package. When enabled, the pac...
npm · No PRs yet
@nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE
GHSA-9qm3-6qrr-c76m CVE-2025-34146 HIGH about 1 month ago
A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.p...
npm · No PRs yet
GitProxy Hidden Commits Injection
GHSA-v98g-8rqx-g93g CVE-2025-54586 HIGH about 1 month ago
### Summary
An attacker can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden...
npm · No PRs yet
GitProxy New Branch Approval Exploit
GHSA-39p2-8hq9-fwj6 CVE-2025-54585 HIGH about 1 month ago
### Summary
An attacker can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch.
Bec...
npm · No PRs yet
GitProxy Packfile Parsing Exploit
GHSA-xxmh-rf63-qwjv CVE-2025-54584 HIGH about 1 month ago
### Summary
An attacker can craft a malicious Git packfile to exploit the PACK signature detection in the `parsePush.ts`. By embedding a misleading...
npm · No PRs yet
GitProxy Approval Bypass When Pushing Multiple Branches
GHSA-qr93-8wwf-22g4 CVE-2025-54583 HIGH about 1 month ago
### Summary
This vulnerability allows a user to push to the remote repository while bypassing policies and explicit approval. Since checks and plug...
npm · No PRs yet
Koa Open Redirect via Referrer Header (User-Controlled)
GHSA-jgmv-j7ww-jx2x CVE-2025-8129 LOW about 1 month ago
## Summary
In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-contro...
npm · 32 Dependabot PRs · 3% merged
Node-SAML SAML Signature Verification Vulnerability
GHSA-4mxg-3p6v-xgq3 CVE-2025-54419 CRITICAL about 1 month ago
Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking sign...
npm · No PRs yet
webfinger.js Blind SSRF Vulnerability
GHSA-8xq3-w9fx-74rv CVE-2025-54590 MODERATE about 1 month ago
### Description
The lookup function takes a user address for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.o...
npm · No PRs yet
ssrfcheck has Incomplete IP Address Deny List that leads to Server-Side Request Forgery Vulnerability
GHSA-c2fv-2fmj-9xrx CVE-2025-8267 HIGH about 1 month ago
Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ran...
npm · No PRs yet
Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
GHSA-95jq-xph2-cx9h CVE-2025-8101 HIGH about 1 month ago
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting...
npm · No PRs yet
HAX CMS API Lacks Authorization Checks
GHSA-9jr9-8ff3-m894 CVE-2025-54378 HIGH about 1 month ago
### Summary
The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CM...
npm, packagist · No PRs yet
Node-SAML SAML Authentication Bypass
GHSA-m837-g268-mmv7 CVE-2025-54369 CRITICAL about 1 month ago
Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking sign...
npm · No PRs yet
private-ip vulnerable to Server-Side Request Forgery
GHSA-9h3q-32c7-r533 CVE-2025-8020 HIGH about 2 months ago
All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that re...
npm · No PRs yet
files-bucket-server vulnerable to Directory Traversal
GHSA-3r3j-4vrw-884j CVE-2025-8021 HIGH about 2 months ago
All versions of the package files-bucket-server are vulnerable to Directory Traversal where an attacker can traverse the file system and access fil...
npm · No PRs yet
HAX CMS application pages vulnerable to clickjacking
GHSA-54vw-f4xf-f92j CVE-2025-54139 MODERATE about 2 months ago
### Summary
All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This ap...
npm, packagist · No PRs yet
NodeJS version of the HAX CMS application is distributed with Default Secrets
GHSA-5fpv-5qvh-7cf3 CVE-2025-54137 HIGH about 2 months ago
### Summary
The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. A...
npm · No PRs yet
HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
GHSA-pjj3-j5j6-qj27 CVE-2025-54134 HIGH about 2 months ago
### Summary
The HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vul...
npm · No PRs yet
NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
GHSA-59g8-h59f-8hjp CVE-2025-54128 HIGH about 2 months ago
### Summary
The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application...
npm · No PRs yet
NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
GHSA-f38f-jvqj-mfg6 CVE-2025-54127 CRITICAL about 2 months ago
### Summary
The NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not...
npm · No PRs yet
form-data uses unsafe random function in form-data for choosing boundary
GHSA-fjxv-7rqg-78g4 CVE-2025-7783 CRITICAL about 2 months ago
### Summary
form-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an att...
npm · 172 Dependabot PRs · 25% merged
Alchemy Non-SMA and Webauthn Account Security Advisory
GHSA-56r6-ccm5-8hg3 HIGH about 2 months ago
### Impact
A potential security issue has been mitigated on old account deployment functions from the factory. Smart wallets in use on all existing...
npm · No PRs yet
@translated/lara-mcp vulnerable to command injection in import_tmx tool
GHSA-xj5p-8h7g-76m7 CVE-2025-53832 HIGH about 2 months ago
### Summary
A command injection vulnerability exists in the `@translated/lara-mcp` MCP Server. The vulnerability is caused by the unsanitized use ...
npm · No PRs yet
Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering
GHSA-cj6r-rrr9-fg82 CVE-2025-54075 HIGH about 2 months ago
### Summary
A **remote script-inclusion / stored XSS** vulnerability in **@nuxtjs/mdc** lets a Markdown author inject a `<base href="https://attack...
npm · 20 Dependabot PRs · 15% merged
eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code
GHSA-f29h-pxvx-f335 CVE-2025-54313 HIGH about 2 months ago
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package ...
npm · No PRs yet
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
GHSA-xffm-g5w8-qvg7 LOW about 2 months ago
### Summary
The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only a...
npm · No PRs yet
OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers
GHSA-9rcw-c2f9-2j55 CVE-2025-54070 MODERATE about 2 months ago
### Impact
The `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two condit...
npm · No PRs yet
on-headers is vulnerable to http response header manipulation
GHSA-76c9-3jph-rj3q CVE-2025-7339 LOW about 2 months ago
### Impact
A bug in on-headers versions `< 1.1.0` may result in response headers being inadvertently modified when an array is passed to `response...
npm · 48930 Dependabot PRs · 5% merged
Multer vulnerable to Denial of Service via unhandled exception from malformed request
GHSA-fjgf-rc76-4x9p CVE-2025-7338 HIGH about 2 months ago
### Impact
A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malform...
npm · 1536 Dependabot PRs · 27% merged
DiracX-Web is vulnerable to attack through an Open Redirect on its login page
GHSA-hfj7-542q-8fvv CVE-2025-54066 MODERATE about 2 months ago
### Summary
An attacker can forge a request to redirect an authenticated user to any arbitrary website.
### Details
On the login page, we have a...
npm · No PRs yet
vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes
GHSA-x8qp-wqqm-57ph CVE-2025-53892 MODERATE about 2 months ago
### Summary
The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated paramete...
npm · 531 Dependabot PRs · 9% merged