Tag

Nodejs

All articles tagged with #nodejs

technology1 month ago•2 min saved

Node.js patches mitigate async_hooks stack overflow DoS risk

Node.js released patches for a critical vulnerability where async_hooks can cause a stack-overflow DoS, with the runtime exiting on code 7 instead of a catchable error; it affects many apps and frameworks (including React Server Components and Next.js) and APMs, tracked as CVE-2025-59466 (CVSS 7.5). Updates are available in Node.js 20.20.0+, 22.22.0+, 24.13.0+, and 25.3.0, while older 8.x–18.x remain EOL. Upgrade promptly and apply stronger stack-space protections; other high-severity fixes were released too.

via The Hacker News|

#asynchooks #dos #nodejs

supply-chain-software-security2 years ago•2 min saved

"Node.js Users Vulnerable to Manifest Confusion Attack: Malware Threat Looms"

The npm registry for Node.js is vulnerable to a manifest confusion attack, allowing threat actors to hide malware in project dependencies or execute arbitrary scripts during installation. The issue arises from the decoupling of the manifest and package metadata, leading to unexpected behavior and misuse. This loophole can be exploited to publish modules with hidden dependencies and run install scripts, potentially leading to supply chain attacks. Users are advised to scan packages for anomalies and exploits, as relying solely on metadata is insufficient. GitHub is aware of the problem but has yet to resolve it. Insecure dependencies were also found in a study of GitHub repositories, highlighting the ongoing threat to software supply chains.

via The Hacker News|

#malware #manifest-confusion-attack #nodejs