#dos

### Summary A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page More details: [CVE-2025-49826](https://vercel.com/changelog/cve-2025-49826) ## Credits - Allam Rachid [zhero;](https://zhero-web-sec.github.io/research-and-things/) - Allam Yasser (inzo)

## Summary An authorization vulnerability was discovered in the `/rest/executions/:id/stop` endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. ### Impact This is an **improper authorization** vulnerability. While most API methods enforce user-scoped access to workflow execution IDs, the `/stop` endpoint fails to do so. An attacker can guess or enumerate execution IDs (which are sequential and partially exposed via verbose error messages) and terminate active workflows initiated by other users. **Who is impacted:** - Environments where multiple users with varying trust levels share access to the same n8n instance. - All users running long-running or time-sensitive workflows (e.g., using the `wait` node). An attacker with authenticated access can exploit this flaw to: - Disrupt other users’ workflow executions. - Cause denial of service for business-critical automa...

## Summary Denial of Service vulnerability in `/rest/binary-data` endpoint when processing empty filesystem URIs (`filesystem://` or `filesystem-v2://`). ### Impact This is a Denial of Service (DoS) vulnerability that allows authenticated attackers to cause service unavailability through malformed filesystem URI requests. The vulnerability affects: - The `/rest/binary-data` endpoint - n8n.cloud instances (confirmed HTTP/2 524 timeout responses) Attackers can exploit this by sending GET requests with empty filesystem URIs (`filesystem://` or `filesystem-v2://`) to the `/rest/binary-data` endpoint, causing resource exhaustion and service disruption. ### Patches The issue has been patched in [1.99.0](https://github.com/n8n-io/n8n/releases/tag/n8n%401.99.0). All users should upgrade to this version or later. The fix introduces strict checking of URI patterns. Patch commit: https://github.com/n8n-io/n8n/pull/16229

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: MicroSCADA X SYS600 Vulnerabilities: Incorrect Default Permissions, External Control of File Name or Path, Improper Validation of Integrity Check Value, Exposure of Sensitive Information Through Data Queries, Improper Certificate Validation 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to tamper with the system file, overwrite files, create a denial-of-service condition, or leak file content. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following products are affected: Hitachi Energy MicroSCADA Pro/X SYS600: version 10.0 up to 10.6 (CVE-2025-39201, CVE-2025-39202, CVE-2025-39204, CVE-2025-39205) Hitachi Energy MicroSCADA Pro/X SYS600: version 10.5 up to 10.6 (CVE-2025-39203) Hitachi Energy MicroSCADA Pro/X SYS600: version 10.3 up to 10.6 (CVE-2025-39205) 3.2 VULNERABILITY OVERVIEW 3...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Mitsubishi Electric Corporation Equipment: MELSEC iQ-F Series Vulnerability: Overly Restrictive Account Lockout Mechanism 2. RISK EVALUATION Successful exploitation of this vulnerability could result in a denial-of-service condition for legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords. When the product repeatedly receives unauthorized logins from an attacker, legitimate users will be unable to be authenticated until a certain period has passed after the lockout or until the product is reset. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of MELSEC iQ-F Series is affected: FX5U-32MT/ES: All versions FX5U-32MT/DS: All versions FX5U-32MT/ESS: All versions FX5U-32MT/DSS: All versions FX5U-32MR/ES: All versions FX5U-32MR/DS: All versions FX5U-64MT/ES: All versions FX5U-64MT/DS: All versions FX5U-64MT/ESS: All versions FX5...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: MELSOFT Update Manager Vulnerabilities: Integer Underflow (Wrap or Wraparound), Protection Mechanism Failure 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, disclose information, alter information, or cause a denial-of-service (DoS) condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Mitsubishi Electric MELSOFT Update Manager are affected: MELSOFT Update Manager SW1DND-UDM-M: Versions 1.000A to 1.012N 3.2 VULNERABILITY OVERVIEW 3.2.1 INTEGER UNDERFLOW (WRAP OR WRAPAROUND) CWE-191 Mitsubishi Electric MELSOFT Update Manager is vulnerable to an Integer Underflow vulnerability in 7-zip, included in MELSOFT Update Manager, that could allow a remote attacker to execute arbitrary code by decompressing a specially crafted compressed file. As a result, the attacke...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: Relion 670/650 and SAM600-IO Vulnerability: Allocation of Resources Without Limits or Throttling 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to cause a denial-of-service that disrupts critical functions in the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following products are affected: Hitachi Energy Relion 650: All versions from 2.2.4.0 to 2.2.4.4 Hitachi Energy Relion 650: All versions from 2.2.5.0 to 2.2.5.6 Hitachi Energy Relion 650: All versions from 2.2.6.0 to 2.2.6.2 Hitachi Energy Relion 670: 2.2.2.6 Hitachi Energy Relion 670: 2.2.3.7 Hitachi Energy Relion 670: All versions from 2.2.4.0 to 2.2.4.4 Hitachi Energy Relion 670: All versions from 2.2.5.0 to 2.2.5.6 Hitachi Energy Relion 670: All versions from 2.2.6.0 to 2.2.6.2 Hitachi Energy SAM600-IO: All versions from 2....

string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.

### Summary Sending transactions with fees different than native Babylon genesis denom (`ubbn`) leads to chain halt. ### Impact Denial of Service - Due to panic in the `x/distribution` module `BeginBlocker` triggered by a error when sending fees from `feeCollector` to `x/distribution` module - https://github.com/cosmos/cosmos-sdk/blob/main/x/distribution/keeper/allocation.go#L28 Babylon Genesis will halt

Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.