resolved
SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48)
Bug reported by tipsen was disclosed at March 31, 2026, 2:31 am | Server-Side Request Forgery (SSRF)
A vulnerability was discovered in the `ssrf_filter` library version 1.3.0. The library failed to block the NAT64 local-use IPv6 prefix `64:ff9b:1::/48`, allowing such addresses to be treated as public. This enabled SSRF requests through `/fetch` to targets encoded under that prefix when routable in the deployment environment.
resolved
Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes
Bug reported by tipsen was disclosed at March 31, 2026, 2:04 am | Path Traversal
A path traversal vulnerability was discovered in the `protodump` tool. An attacker could influence the output filename construction and bypass the containment check, enabling writes outside the intended output directory. The cause was the use of descriptor-controlled paths in the output filename construction, combined with an unsafe lexical prefix check for directory containment.
resolved
HashDoS in V8
Bug reported by Mate Marjanović was disclosed at March 30, 2026, 4:44 pm | Cryptographic Issues - Generic
resolved
Permission Model Bypass in realpathSync.native Allows File Existence Disclosure
Bug reported by Huseyin Tintas was disclosed at March 30, 2026, 4:44 pm | Information Disclosure
resolved
Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery
Bug reported by George Gherasim was disclosed at March 30, 2026, 4:42 pm | Cryptographic Issues - Generic
resolved
Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net`
Bug reported by XavLimSG was disclosed at March 30, 2026, 4:42 pm | Improper Access Control - Generic
resolved
Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process)
Bug reported by 陳昱昇 was disclosed at March 30, 2026, 4:42 pm | Uncontrolled Resource Consumption
resolved
CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown
Bug reported by wooseok was disclosed at March 30, 2026, 4:42 pm | Improper Access Control - Generic
resolved
Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion
Bug reported by Gal Bar Nahum was disclosed at March 30, 2026, 4:41 pm | Missing Release of Memory after Effective Lifetime

