Vulnerability-Lookup

WID-SEC-W-2026-0105

Vulnerability from csaf_certbund - Published: 2026-01-13 23:00 - Updated: 2026-05-20 22:00

Summary

Red Hat Developer Hub: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.

Angriff: Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Red Hat Developer Hub ausnutzen, um einen Denial of Service Angriff durchzuführen, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen und Daten zu manipulieren.

Betroffene Betriebssysteme: - Linux

CVE-2025-15284

Affected products

Known affected 6 products

Product	Identifier	Version
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
Red Hat Enterprise Linux Developer Hub <1.8.2 Red Hat / Enterprise Linux		Developer Hub <1.8.2
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
IBM DB2 IBM	`cpe:/a:ibm:db2:-`	—

CVE-2025-64756

Affected products

Known affected 6 products

Product	Identifier	Version
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
Red Hat Enterprise Linux Developer Hub <1.8.2 Red Hat / Enterprise Linux		Developer Hub <1.8.2
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
IBM DB2 IBM	`cpe:/a:ibm:db2:-`	—

CVE-2025-65945

Affected products

Known affected 6 products

Product	Identifier	Version
IBM InfoSphere Information Server IBM	`cpe:/a:ibm:infosphere_information_server:-`	—
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
Red Hat Enterprise Linux Developer Hub <1.8.2 Red Hat / Enterprise Linux		Developer Hub <1.8.2
Fedora Linux Fedora	`cpe:/o:fedoraproject:fedora:-`	—
IBM DB2 IBM	`cpe:/a:ibm:db2:-`	—

References

25 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://access.redhat.com/errata/RHSA-2026:0531	external
https://access.redhat.com/errata/RHSA-2026:0761	external
https://access.redhat.com/errata/RHSA-2026:1730	external
https://access.redhat.com/errata/RHSA-2026:1942	external
https://bodhi.fedoraproject.org/updates/FEDORA-20…	external
https://access.redhat.com/errata/RHSA-2026:2147	external
https://access.redhat.com/errata/RHSA-2026:2145	external
https://access.redhat.com/errata/RHSA-2026:2078	external
https://access.redhat.com/errata/RHSA-2026:2456	external
https://access.redhat.com/errata/RHSA-2026:2500	external
https://access.redhat.com/errata/RHSA-2026:2568	external
https://access.redhat.com/errata/RHSA-2026:2762	external
https://access.redhat.com/errata/RHSA-2026:2754	external
https://access.redhat.com/errata/RHSA-2026:2672	external
https://access.redhat.com/errata/RHSA-2026:2926	external
https://access.redhat.com/errata/RHSA-2026:3710	external
https://access.redhat.com/errata/RHSA-2026:3825	external
https://www.ibm.com/support/pages/node/7266733	external
https://support.hcl-software.com/csm?id=kb_articl…	external
https://www.ibm.com/support/pages/node/7273312	external
https://access.redhat.com/errata/RHSA-2026:18480	external
https://access.redhat.com/errata/RHSA-2026:18868	external
https://access.redhat.com/errata/RHSA-2026:19712	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Red Hat Developer Hub ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen und Daten zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0105 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0105.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0105 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0105"
      },
      {
        "category": "external",
        "summary": "RedHat Security Advisory vom 2026-01-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:0531"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:0761 vom 2026-01-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:0761"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:1730 vom 2026-02-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:1730"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:1942 vom 2026-02-04",
        "url": "https://access.redhat.com/errata/RHSA-2026:1942"
      },
      {
        "category": "external",
        "summary": "Fedora Security Advisory FEDORA-2026-A84E0AD039 vom 2026-02-05",
        "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2026-a84e0ad039"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2147 vom 2026-02-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:2147"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2145 vom 2026-02-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:2145"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2078 vom 2026-02-11",
        "url": "https://access.redhat.com/errata/RHSA-2026:2078"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2456 vom 2026-02-10",
        "url": "https://access.redhat.com/errata/RHSA-2026:2456"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2500 vom 2026-02-11",
        "url": "https://access.redhat.com/errata/RHSA-2026:2500"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2568 vom 2026-02-11",
        "url": "https://access.redhat.com/errata/RHSA-2026:2568"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2762 vom 2026-02-16",
        "url": "https://access.redhat.com/errata/RHSA-2026:2762"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2754 vom 2026-02-16",
        "url": "https://access.redhat.com/errata/RHSA-2026:2754"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2672 vom 2026-02-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:2672"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:2926 vom 2026-02-18",
        "url": "https://access.redhat.com/errata/RHSA-2026:2926"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:3710 vom 2026-03-04",
        "url": "https://access.redhat.com/errata/RHSA-2026:3710"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:3825 vom 2026-03-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:3825"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7266733 vom 2026-03-24",
        "url": "https://www.ibm.com/support/pages/node/7266733"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin",
        "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130587"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7273312 vom 2026-05-18",
        "url": "https://www.ibm.com/support/pages/node/7273312"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18480 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:18480"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:18868 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:18868"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19712 vom 2026-05-21",
        "url": "https://access.redhat.com/errata/RHSA-2026:19712"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Developer Hub: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-21T07:57:37.843+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-0105",
      "initial_release_date": "2026-01-13T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-01-13T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-01-18T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-01-20T23:00:00.000+00:00",
          "number": "3",
          "summary": "Korrektur Plattformauswahl"
        },
        {
          "date": "2026-02-02T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-02-04T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat und Fedora aufgenommen"
        },
        {
          "date": "2026-02-05T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-02-10T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-02-11T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-02-16T23:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-02-18T23:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-03-03T23:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-03-04T23:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-03-24T23:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2026-05-10T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von HCL aufgenommen"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "17"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fedora Linux",
            "product": {
              "name": "Fedora Linux",
              "product_id": "74185",
              "product_identification_helper": {
                "cpe": "cpe:/o:fedoraproject:fedora:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fedora"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "WebUI",
                "product": {
                  "name": "HCL BigFix WebUI",
                  "product_id": "T036098",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:webui"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "BigFix"
          }
        ],
        "category": "vendor",
        "name": "HCL"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM DB2",
            "product": {
              "name": "IBM DB2",
              "product_id": "T048379",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:db2:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "IBM InfoSphere Information Server",
            "product": {
              "name": "IBM InfoSphere Information Server",
              "product_id": "T019995",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:infosphere_information_server:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Developer Hub \u003c1.8.2",
                "product": {
                  "name": "Red Hat Enterprise Linux Developer Hub \u003c1.8.2",
                  "product_id": "T049943"
                }
              },
              {
                "category": "product_version",
                "name": "Developer Hub 1.8.2",
                "product": {
                  "name": "Red Hat Enterprise Linux Developer Hub 1.8.2",
                  "product_id": "T049943-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:developer_hub__1.8.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-15284",
      "product_status": {
        "known_affected": [
          "T019995",
          "67646",
          "T036098",
          "T049943",
          "74185",
          "T048379"
        ]
      },
      "release_date": "2026-01-13T23:00:00.000+00:00",
      "title": "CVE-2025-15284"
    },
    {
      "cve": "CVE-2025-64756",
      "product_status": {
        "known_affected": [
          "T019995",
          "67646",
          "T036098",
          "T049943",
          "74185",
          "T048379"
        ]
      },
      "release_date": "2026-01-13T23:00:00.000+00:00",
      "title": "CVE-2025-64756"
    },
    {
      "cve": "CVE-2025-65945",
      "product_status": {
        "known_affected": [
          "T019995",
          "67646",
          "T036098",
          "T049943",
          "74185",
          "T048379"
        ]
      },
      "release_date": "2026-01-13T23:00:00.000+00:00",
      "title": "CVE-2025-65945"
    }
  ]
}

CVE-2025-15284 (GCVE-0-2025-15284)

Vulnerability from cvelistv5 – Published: 2025-12-29 22:56 – Updated: 2026-02-10 20:06

Title

arrayLimit bypass in bracket notation allows DoS via memory exhaustion

Summary

Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: < 6.14.1. Summary The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=valueconsumes one parameter slot. The severity has been reduced accordingly. Details The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); // No arrayLimit check } Working code (lib/parse.js:175): else if (index <= options.arrayLimit) { // Limit checked here obj = []; obj[index] = leaf; } The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoC const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5) Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000. Impact Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-20 - Improper Input Validation

Assigner

harborist

References

2 references

URL	Tags
https://github.com/ljharb/qs/security/advisories/…	vendor-advisory
https://github.com/ljharb/qs/commit/3086902ecf7f0…	patch

Impacted products

1 product

Vendor	Product	Version
		Affected: < 6.14.1 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15284",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-30T14:55:26.031863Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-30T15:57:41.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://npmjs.com/qs",
          "defaultStatus": "affected",
          "modules": [
            "parse"
          ],
          "packageName": "qs",
          "repo": "https://github.com/ljharb/qs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.14.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.\u003cp\u003eThis issue affects qs: \u0026lt; 6.14.1.\u003c/p\u003e\u003ch3\u003e\u003cbr\u003eSummary\u003c/h3\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe \u003ccode\u003earrayLimit\u003c/code\u003e\u0026nbsp;option in qs did not enforce limits for bracket notation (\u003ccode\u003ea[]=1\u0026amp;a[]=2\u003c/code\u003e), only for indexed notation (\u003ccode\u003ea[0]=1\u003c/code\u003e). This is a consistency bug; \u003ccode\u003earrayLimit\u003c/code\u003e\u0026nbsp;should apply uniformly across all array notations.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e\u0026nbsp;The default \u003ccode\u003eparameterLimit\u003c/code\u003e\u0026nbsp;of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than \u003ccode\u003eparameterLimit\u003c/code\u003e\u0026nbsp;regardless of \u003ccode\u003earrayLimit\u003c/code\u003e, because each \u003ccode\u003ea[]=value\u003c/code\u003econsumes one parameter slot. The severity has been reduced accordingly.\u003c/p\u003e\u003ch3\u003eDetails\u003c/h3\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe \u003ccode\u003earrayLimit\u003c/code\u003e\u0026nbsp;option only checked limits for indexed notation (\u003ccode\u003ea[0]=1\u0026amp;a[1]=2\u003c/code\u003e) but did not enforce it for bracket notation (\u003ccode\u003ea[]=1\u0026amp;a[]=2\u003c/code\u003e).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVulnerable code\u003c/strong\u003e\u0026nbsp;(\u003ccode\u003elib/parse.js:159-162\u003c/code\u003e):\u003c/p\u003e\u003cdiv\u003e\u003cpre\u003eif (root === \u0027[]\u0027 \u0026amp;\u0026amp; options.parseArrays) {\n    obj = utils.combine([], leaf);  // No arrayLimit check\n}\u003c/pre\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cp\u003e\u003cstrong\u003eWorking code\u003c/strong\u003e\u0026nbsp;(\u003ccode\u003elib/parse.js:175\u003c/code\u003e):\u003c/p\u003e\u003cdiv\u003e\u003cpre\u003eelse if (index \u0026lt;= options.arrayLimit) {  // Limit checked here\n    obj = [];\n    obj[index] = leaf;\n}\u003c/pre\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cp\u003eThe bracket notation handler at line 159 uses \u003ccode\u003eutils.combine([], leaf)\u003c/code\u003e\u0026nbsp;without validating against \u003ccode\u003eoptions.arrayLimit\u003c/code\u003e, while indexed notation at line 175 checks \u003ccode\u003eindex \u0026lt;= options.arrayLimit\u003c/code\u003e\u0026nbsp;before creating arrays.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003ch3\u003ePoC\u003c/h3\u003e\u003cp\u003e\u003cstrong\u003e\u003c/strong\u003e\u003c/p\u003e\u003cdiv\u003e\u003cpre\u003econst qs = require(\u0027qs\u0027);\nconst result = qs.parse(\u0027a[]=1\u0026amp;a[]=2\u0026amp;a[]=3\u0026amp;a[]=4\u0026amp;a[]=5\u0026amp;a[]=6\u0027, { arrayLimit: 5 });\nconsole.log(result.a.length);  // Output: 6 (should be max 5)\u003c/pre\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cp\u003e\u003cstrong\u003eNote on parameterLimit interaction:\u003c/strong\u003e\u0026nbsp;The original advisory\u0027s \"DoS demonstration\" claimed a length of 10,000, but \u003ccode\u003eparameterLimit\u003c/code\u003e\u0026nbsp;(default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.\u003c/p\u003e\u003ch3\u003eImpact\u003c/h3\u003e\u003cp\u003e\u003c/p\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eConsistency bug in \u003c/span\u003e\u003ccode\u003earrayLimit\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;enforcement. With default \u003c/span\u003e\u003ccode\u003eparameterLimit\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, the practical DoS risk is negligible since \u003c/span\u003e\u003ccode\u003eparameterLimit\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when \u003c/span\u003e\u003ccode\u003eparameterLimit\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is explicitly set to a very high value.\u003c/span\u003e"
            }
          ],
          "value": "Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS.This issue affects qs: \u003c 6.14.1.\n\n\nSummary\n\nThe arrayLimit\u00a0option in qs did not enforce limits for bracket notation (a[]=1\u0026a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit\u00a0should apply uniformly across all array notations.\n\nNote:\u00a0The default parameterLimit\u00a0of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit\u00a0regardless of arrayLimit, because each a[]=valueconsumes one parameter slot. The severity has been reduced accordingly.\n\nDetails\n\nThe arrayLimit\u00a0option only checked limits for indexed notation (a[0]=1\u0026a[1]=2) but did not enforce it for bracket notation (a[]=1\u0026a[]=2).\n\nVulnerable code\u00a0(lib/parse.js:159-162):\n\nif (root === \u0027[]\u0027 \u0026\u0026 options.parseArrays) {\n    obj = utils.combine([], leaf);  // No arrayLimit check\n}\n\n\n\n\n\nWorking code\u00a0(lib/parse.js:175):\n\nelse if (index \u003c= options.arrayLimit) {  // Limit checked here\n    obj = [];\n    obj[index] = leaf;\n}\n\n\n\n\n\nThe bracket notation handler at line 159 uses utils.combine([], leaf)\u00a0without validating against options.arrayLimit, while indexed notation at line 175 checks index \u003c= options.arrayLimit\u00a0before creating arrays.\n\n\n\nPoC\n\nconst qs = require(\u0027qs\u0027);\nconst result = qs.parse(\u0027a[]=1\u0026a[]=2\u0026a[]=3\u0026a[]=4\u0026a[]=5\u0026a[]=6\u0027, { arrayLimit: 5 });\nconsole.log(result.a.length);  // Output: 6 (should be max 5)\n\n\n\n\n\nNote on parameterLimit interaction:\u00a0The original advisory\u0027s \"DoS demonstration\" claimed a length of 10,000, but parameterLimit\u00a0(default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.\n\nImpact\n\nConsistency bug in arrayLimit\u00a0enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit\u00a0already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit\u00a0is explicitly set to a very high value."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-469",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-469 HTTP DoS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-10T20:06:42.111Z",
        "orgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
        "shortName": "harborist"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "arrayLimit bypass in bracket notation allows DoS via memory exhaustion",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
    "assignerShortName": "harborist",
    "cveId": "CVE-2025-15284",
    "datePublished": "2025-12-29T22:56:45.240Z",
    "dateReserved": "2025-12-29T21:36:51.399Z",
    "dateUpdated": "2026-02-10T20:06:42.111Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64756 (GCVE-0-2025-64756)

Vulnerability from cvelistv5 – Published: 2025-11-17 17:29 – Updated: 2025-11-19 02:30

Title

glob CLI: Command injection via -c/--cmd executes matches with shell:true

Summary

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/isaacs/node-glob/security/advi…	x_refsource_CONFIRM
https://github.com/isaacs/node-glob/commit/1e4e29…	x_refsource_MISC
https://github.com/isaacs/node-glob/commit/47473c…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
isaacs	node-glob	Affected: >= 10.2.0, < 10.5.0 Affected: >= 11.0.0, < 11.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64756",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-17T18:24:55.363466Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-18T16:37:11.917Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-glob",
          "vendor": "isaacs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 10.2.0, \u003c 10.5.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 11.0.0, \u003c 11.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c \u003ccommand\u003e \u003cpatterns\u003e are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-19T02:30:44.520Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2"
        },
        {
          "name": "https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f"
        },
        {
          "name": "https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146"
        }
      ],
      "source": {
        "advisory": "GHSA-5j98-mcp5-4vw2",
        "discovery": "UNKNOWN"
      },
      "title": "glob CLI: Command injection via -c/--cmd executes matches with shell:true"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64756",
    "datePublished": "2025-11-17T17:29:08.029Z",
    "dateReserved": "2025-11-10T22:29:34.874Z",
    "dateUpdated": "2025-11-19T02:30:44.520Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-65945 (GCVE-0-2025-65945)

Vulnerability from cvelistv5 – Published: 2025-12-04 18:45 – Updated: 2025-12-05 18:31

Title

auth0/node-jws improper HMAC signature verification vulnerability

Summary

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/auth0/node-jws/security/adviso…	x_refsource_CONFIRM
https://github.com/auth0/node-jws/commit/34c45b2c…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
auth0	node-jws	Affected: < 3.2.3 Affected: >= 4.0.0, <= 4.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65945",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T18:31:41.971989Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T18:31:52.043Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-jws",
          "vendor": "auth0",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.2.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c= 4.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T18:45:37.517Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x"
        },
        {
          "name": "https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e"
        }
      ],
      "source": {
        "advisory": "GHSA-869p-cjfg-cm3x",
        "discovery": "UNKNOWN"
      },
      "title": "auth0/node-jws improper HMAC signature verification vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65945",
    "datePublished": "2025-12-04T18:45:37.517Z",
    "dateReserved": "2025-11-18T16:14:56.691Z",
    "dateUpdated": "2025-12-05T18:31:52.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0105

CVE-2025-15284 (GCVE-0-2025-15284)

CVE-2025-64756 (GCVE-0-2025-64756)

CVE-2025-65945 (GCVE-0-2025-65945)

Tags

Sightings

Nomenclature