Все бюллетени/c10f2/ALT-PU-2025-12503-3
ALT-PU-2025-12503-3

Обновление пакета npm в ветке c10f2

Версия8.19.3-alt2
Задание#396139
Опубликовано2025-10-03
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (7)

BDU:2024-02261
CRITICAL9.8

Уязвимость утилиты node-ip программной платформы Node.js, позволяющая нарушителю выполнить произвольный код

Опубликовано: 2024-03-22Изменено: 2024-09-13
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
Ссылки
BDU:2024-04518
CRITICAL9.8

Уязвимость функции isPublic() утилиты node-ip программной платформы Node.js, позволяющая нарушителю реализовать SSRF-атаку

Опубликовано: 2024-06-14
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0КРИТИЧЕСКАЯ 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
Ссылки
BDU:2024-09418
MEDIUM6.5

Уязвимость модуля node-tar библиотеки Node.js, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2024-11-14
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
Ссылки
CVE-2023-42282
CRITICAL9.8

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Опубликовано: 2024-02-08Изменено: 2025-05-15
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ссылки
CVE-2024-28863
MEDIUM6.5

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Опубликовано: 2024-03-21Изменено: 2025-12-16
CVSS 3.xСРЕДНЯЯ 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Ссылки
CVE-2024-29415
HIGH8.1

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

Опубликовано: 2024-05-27Изменено: 2026-04-15
CVSS 3.xВЫСОКАЯ 8.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Ссылки
CVE-2025-5889
LOW1.3

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Опубликовано: 2025-06-09Изменено: 2026-04-29
CVSS 2.0НИЗКАЯ 2.1
CVSS:2.0/AV:N/AC:H/Au:S/C:N/I:N/A:P
CVSS 3.xНИЗКАЯ 3.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0НИЗКАЯ 1.3
CVSS:4.0/CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ссылки