Ulises Gascón

6 exploits Active since Sep 2024
CVE-2024-43796 WRITEUP MEDIUM WRITEUP
Openjsf Express < 4.20.0 - XSS
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
CVSS 5.0
CVE-2024-43799 WRITEUP MEDIUM WRITEUP
Send < 0.19.0 - XSS
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
CVSS 5.0
CVE-2024-43800 WRITEUP MEDIUM WRITEUP
Openjsf Serve-static < 1.16.0 - XSS
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
CVSS 5.0
CVE-2024-47178 WRITEUP MEDIUM WRITEUP
basic-auth-connect <1.1.0 - Info Disclosure
basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0.
CVSS 5.3
CVE-2025-47935 WRITEUP HIGH WRITEUP
NPM Multer < 2.0.0 - Memory Leak
Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.
CVSS 7.5
CVE-2025-47944 WRITEUP HIGH WRITEUP
NPM Multer < 2.0.0 - Denial of Service
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.
CVSS 7.5