open-flaw

9 exploits Active since Jul 2017
CVE-2026-21710 GITHUB HIGH javascript WORKING POC
Node.js 20.x 22.x 24.x 25.x - Denial of Service via __proto__ Header Handling
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
CVSS 7.5
CVE-2017-11499 NOMISEC HIGH WORKING POC
Node.js 4.0-4.8.3 5.x 6.0-6.11.0 7.0-7.10.0 8.0-8.1.3 - Denial of Service via Hash Flooding
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.
CVSS 7.5
CVE-2020-8158 NOMISEC CRITICAL WORKING POC
TypeORM <0.2.25 - Prototype Pollution
Prototype pollution vulnerability in the TypeORM package < 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks.
CVSS 9.8
CVE-2022-33171 NOMISEC CRITICAL WORKING POC
TypeORM < 0.3.0 - SQL Injection via FindOneOptions Parameter
The findOne function in TypeORM before 0.3.0 can either be supplied with a string or a FindOneOptions object. When input to the function is a user-controlled parsed JSON object, supplying a crafted FindOneOptions instead of an id string leads to SQL injection. NOTE: the vendor's position is that the user's application is responsible for input validation
CVSS 9.8
CVE-2025-55182 NOMISEC CRITICAL WORKING POC
React Server Components <19.2.0 - RCE
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
CVSS 10.0
CVE-2026-21717 NOMISEC MEDIUM WORKING POC
Node.js 20.x 22.x 24.x 25.x - Denial of Service via V8 String Hash Collision
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
CVSS 5.9
CVE-2025-49844 NOMISEC CRITICAL WORKING POC
Redis < 6.2.20, 8.2.1-8.2.2 - Authenticated Use-After-Free via Lua Script Garbage Collector Manipulation
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
CVSS 9.9
CVE-2025-23061 GITHUB CRITICAL javascript WORKING POC
mongoose < 6.13.6 and 8.0.0-rc0-8.9.5 - Search Injection via Nested $where Filter with Populate Match
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
CVSS 9.0
CVE-2025-12758 GITHUB HIGH javascript WORKING POC
Package Validator <13.15.22 - Incomplete Filtering
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.
CVSS 7.5