node.js
CVE Severity Distribution (All Time)
Timeline Overview
Recent CVEs
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary …
The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true.…
Related Security News
Posted by Pete Allor on Jan 28: Florian, I think you miss what actually is done and how, with whom / what. Pete
Posted by Florian Weimer on Jan 28: * Pete Allor: But is this really how it works these days? For example, if we use a component to render the in-program documentation (traditionally called “online hel…
Posted by Pete Allor on Jan 27: Florian, The question is about who is scoring and a level of their knowledge and understanding. Assuming that each is using CVSS v3.1 then the question is does the scori…
Posted by Florian Weimer on Jan 26: * Pete Allor: The larger problem is that component scoring tends to be higher than whole-system scoring. If a security component fails in its security function, it c…
Posted by Pete Allor on Jan 25: Assigning a CVE for EOL is actually outside the normal practice (there is another standard for that underway) and is not in line with Rule 4.1 as part of the CVE program…