Security
Headlines
HeadlinesLatestCVEs

Tag

#js

GHSA-cxrh-j4jr-qwg3: undici Denial of Service attack via bad certificate data

### Impact Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. ### Patches This has been patched in https://github.com/nodejs/undici/pull/4088. ### Workarounds If a webhook fails, avoid keep calling it repeatedly. ### References Reported as: https://github.com/nodejs/undici/issues/3895

ghsa
#vulnerability#web#dos#nodejs#js#git
GHSA-qpjv-v59x-3qc4: Next.js Race Condition to Cache Poisoning

**Summary** We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. [Learn more here](https://vercel.com/changelog/cve-2025-32421) **Credit** Thank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program.

Google to pay $1.38 billion over privacy violations

The state of Texas reached a mammoth financial agreement with Google last week, securing $1.375 billion in payments to settle two lawsuits concerning the use of consumers' data.

North Korean Hackers Stole $88M by Posing as US Tech Workers

Flashpoint uncovers how North Korean hackers used fake identities to secure remote IT jobs in the US, siphoning…

GHSA-h4j7-5rxr-p4wc: Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability

# Microsoft Security Advisory CVE-2025-26646: .NET Spoofing Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0.xxx and .NET 8.0.xxx SDK. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability. A vulnerability exists in .NET SDK or MSBuild applications where external control of file name or path allows an unauthorized attacked to perform spoofing over a network. ## Discussion Discussion for this issue can be found at https://github.com/dotnet/msbuild/issues/11846 ### <a name="mitigation-factors"></a>Mitigation factors Projects which do not utilize the [DownloadFile](https://learn.microsoft.com/visualstudio/msbuild/downloadfile-task) build task are not susceptible to this vulnerability. ## <a name="affected-software"></a>Affected software * Any installation of .NET 9.0.105 SDK, .NET 9.0.203 SDK ...

GHSA-m7gm-v253-56hh: @lumieducation/h5p-server Fails to Sanitize Plain Text Strings

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings.

ICE’s Deportation Airline Hack Reveals Man ‘Disappeared’ to El Salvador

Plus: A DOGE operative’s laptop reportedly gets infected with malware, Grok AI is used to “undress” women on X, a school software company’s ransomware nightmare returns, and more.

Cyber criminals impersonate payroll, HR and benefits platforms to steal information and funds

As per a recent FBI warning, criminals are phishing users of payroll, and similar platforms to not only steal their credentials but also their funds.

Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT

Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system. The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system. "This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an

Trust and authenticity: In the kitchen and the software supply chain

Software supply chain security has become more relevant in the last decade as more and more organizations consume, develop and deploy containerized workloads. Software is inherently complex so an analogy concerning an area of life that we can all relate to should help. Here's a conversation about cooking lasagna!“Do you need any help?”“No, it's fine. I have done this a thousand times, thanks.”“That meat packaging is unusual. It’s just a thin plastic bag. Where did you get that?”“It was a bargain. A young chap knocked the door earlier and said he was selling meat. He had a coole