CVEs assigned by the Harborist CNA.
| Date | CVE ID | GHSA | PURL | Description |
|---|---|---|---|---|
| 2026-02-11 | CVE-2026-2391 | GHSA-w7fw-mjwx-w883 | pkg:npm/qs | qs's arrayLimit bypass in comma parsing allows denial of service |
| 2025-12-29 | CVE-2025-15284 | GHSA-6rw7-vpxm-498p | pkg:npm/qs | arrayLimit bypass in bracket notation allows DoS via memory exhaustion |
| 2025-08-20 | CVE-2025-9288 | GHSA-95m3-7q98-8xr5 | pkg:npm/sha.js | Missing Type Checks Leading To Hash Rewind And Passing On Crafted Data |
| 2025-08-20 | CVE-2025-9287 | GHSA-cpq7-6gpm-g9rc | pkg:npm/cipher-base | Missing Type Checks Leading To Hash Rewind And Passing On Crafted Data |
| 2025-07-18 | CVE-2025-7783 | GHSA-fjxv-7rqg-78g4 | pkg:npm/form-data | Usage Of Unsafe Random Function In Form-Data For Choosing Boundary |
| 2025-06-23 | CVE-2025-6545 | GHSA-h7cp-r72f-jxh6 | pkg:npm/pbkdf2 | Pbkdf2 Silently Returns Predictable Uninitialized/Zero-Filled Memory For Non-Normalized Or Unimplemented Algos Supported By Node.js |
| 2025-06-23 | CVE-2025-6547 | GHSA-v62p-rq8g-8h59 | pkg:npm/pbkdf2 | On Node.js < 3, Pbkdf2 Silently Disregards Uint8Array Input, Returning Static Keys |