CVE library
Plain-English walk-throughs of the CVEs that matter most for AI-built apps on Next.js, Supabase, and Node.js. Each page covers what the bug is, what an attacker gets, how to fix it, and how Securie catches it automatically.
CVE-2025-29927 — Next.js middleware authentication bypass
An unauthenticated attacker can skip any Next.js middleware, including authentication checks, by sending a single forged `x-middleware-subrequest` header, a header Next.js used internally to recognise its own nested middleware invocations. Affects self-hosted Next.js applications below the patched versions (15.2.3, 14.2.25, 13.5.9, 12.3.5); hosting platforms that strip the header at the edge (Vercel, Netlify) were not affected.
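An added illustration, not Next.js source: a simplified model of the recursion guard behind this bug beside the edge rule that neutralises it. The names `middlewareSkipped`, `forgedHeaderValue`, `scrubUntrustedHeaders` and `MAX_DEPTH` are this example's own; header keys are lowercase as Node's `req.headers` presents them.

```javascript
// Simplified model of the CVE-2025-29927 logic (this example's own code, not Next.js).
const SUBREQUEST_HEADER = 'x-middleware-subrequest';
const MAX_DEPTH = 5; // recursion limit Next.js applied to nested middleware calls

// Vulnerable decision: Next.js set this header itself when middleware re-entered the
// server and skipped running the middleware once the header claimed the recursion
// limit had been reached (older releases skipped as soon as the name appeared at all).
// Nothing checked that the header came from Next.js rather than from the client.
function middlewareSkipped(headers, middlewareName = 'middleware') {
  const raw = headers[SUBREQUEST_HEADER];
  if (raw === undefined) return false;
  const subrequests = String(raw).split(':');
  const depth = subrequests.filter((name) => name === middlewareName).length;
  return depth >= MAX_DEPTH;
}

// Value an attacker sends for an app whose middleware lives at middleware.ts
// (pass 'src/middleware' for src/middleware.ts).
function forgedHeaderValue(middlewareName = 'middleware') {
  return Array(MAX_DEPTH).fill(middlewareName).join(':');
}

// Hardened edge rule: the header is internal to Next.js, so a reverse proxy or
// hosting edge drops it from every request arriving from the network.
// Returns a new headers object; names are compared case-insensitively.
function scrubUntrustedHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== SUBREQUEST_HEADER) out[name] = value;
  }
  return out;
}

// The same forged request, with and without the edge rule in front of the app.
function demo() {
  const attack = { host: 'app.example', [SUBREQUEST_HEADER]: forgedHeaderValue() };
  return {
    unprotected: middlewareSkipped(attack),                                 // true
    behindScrubbingProxy: middlewareSkipped(scrubUntrustedHeaders(attack)), // false
  };
}
```

Upgrading is the real fix; the scrubbing rule is what to put on a proxy in front of an app that cannot be upgraded immediately, and it is also what the unaffected hosting platforms were doing.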
CVE-2025-48757 — Lovable-generated apps missing Supabase Row Level Security
Apps generated by Lovable shipped Supabase tables without Row Level Security policies, so a remote unauthenticated user holding only the public anon key could read or write arbitrary tables of the generated site. At disclosure 170+ of the scanned projects were exposed, and per Cyber Kendra's April 2026 report the issue re-broke after the initial fix.
CVE-2024-39338 — Axios SSRF via path-relative URLs
A server-side request forgery in the axios HTTP client (1.7.2 and earlier): a path-relative request URL such as `/google.com` was processed as the protocol-relative URL `//google.com`, so a request meant to stay on the configured base URL instead left for an attacker-chosen host.
CVE-2024-28849 — follow-redirects Proxy-Authorization forwarding
follow-redirects cleared `Authorization` on cross-domain redirects but kept forwarding `Proxy-Authorization`, leaking proxy credentials to attacker-controlled hosts during ordinary HTTP client use (including through axios, which depends on it).
CVE-2024-52798 — path-to-regexp ReDoS
A regular-expression denial of service in path-to-regexp 0.1.x, the line Express 4 depends on, closing an incomplete fix of CVE-2024-45296. Route patterns with two parameters in one segment and no separator between them, such as `/:a-:b`, compile to a regex with catastrophic backtracking, so an attacker-supplied request path hangs the Node.js event loop.
CVE-2025-27210 — Node.js Windows path traversal via device names
An incomplete fix for CVE-2025-23084: on Windows, `path.join()` and `path.normalize()` mishandled reserved device names such as `CON`, `PRN` and `AUX`, so path sanitisation built on them could be bypassed for traversal.
CVE-2024-46982 — Next.js Pages Router cache poisoning
A cache-poisoning vulnerability in the Next.js Pages Router (the App Router is not affected): a crafted request to a non-dynamic server-side-rendered route made the server answer with the `pageProps` JSON plus cache headers, so a CDN in front of it could cache that JSON against the HTML URL and serve it, server-side props included, to every subsequent visitor.
CVE-2024-34351 — Next.js Server Actions SSRF
A Next.js Server Action that called `redirect()` with a relative path resolved it against the request's `Host` header and fetched the result server-side, so an attacker who controls `Host` could make the Next.js server issue requests to hosts of their choosing, including internal infrastructure.
CVE-2024-47831 — Next.js image optimization DoS
An unauthenticated attacker could drive excessive CPU consumption on a self-hosted Next.js server with crafted requests to the image-optimization endpoint. Deployments with `images.unoptimized: true`, a non-default `images.loader`, or hosting on Vercel were not affected.
CVE-2024-51479 — Next.js middleware authorization bypass for root-level pages
If a Next.js app (9.5.5 through 14.2.14) enforced authorization in middleware by matching on the pathname, that check could be bypassed for pages directly under the application root: a check on `/dashboard` could be bypassed, while one on `/dashboard/settings` could not.
CVE-2024-4067 — micromatch ReDoS
A regular-expression denial of service in `micromatch` (before 4.0.8), the glob matcher used by webpack, Jest and many framework CLIs: `micromatch.braces()` applied a greedy `.*` pattern, so an attacker-supplied glob pattern could hang the process.
CVE-2024-4068 — braces memory-exhaustion DoS (build-time)
`braces` (before 3.0.3), pulled in transitively through micromatch by most Node build tooling, did not bound the input it accepts: unbalanced braces sent `lib/parse.js` into a loop that exhausted the JavaScript heap and crashed the process.
CVE-2024-45590 — body-parser DoS via deeply nested URL-encoded input
A denial of service in `body-parser` (before 1.20.3) when URL-encoded body parsing is enabled: specially crafted `application/x-www-form-urlencoded` payloads made each request disproportionately expensive to parse, so a flood of them starved the event loop.
CVE-2024-43796 — Express XSS via res.redirect()
Express (before 4.20.0) reflected the target passed to `res.redirect()` and `res.location()` into the HTML fallback body of the redirect response without proper escaping, so untrusted input, even after sanitisation, could execute script in the client's browser.
CVE-2024-43799 — send XSS via redirect
The `send` module (before 0.19.0), used by Express's static file serving, reflected untrusted input passed to `SendStream.redirect()` into the response body unescaped, allowing script execution in the browser.
CVE-2024-43800 — serve-static XSS via redirect
serve-static (before 1.16.0, and 2.x before 2.1.0) built its directory-redirect response body from the request path without proper escaping, so a crafted URL could inject script into the redirect page served to the client.
CVE-2024-37890 — ws WebSocket DoS
The `ws` WebSocket library (before 8.17.1 and the corresponding older patch releases) could be crashed by an upgrade request whose header count exceeded `server.maxHeadersCount`: the resulting error was not handled, taking down the Node.js process.
CVE-2024-28176 — jose (JWT library) compressed-payload DoS
The `jose` JWT library (used by next-auth and other auth integrations) decompressed `zip: DEF` JWE payloads without a size limit, so a small compressed token could expand into unbounded memory and DoS the process.
CVE-2024-29415 — ip SSRF allowlist bypass
The `ip` npm package, often used to decide whether an address is private for SSRF defense, misclassified alternative IPv4 spellings such as `127.1`, `0x7f.1` and octal or zero-padded forms as public, so allowlists built on `ip.isPublic()` let requests reach loopback and internal addresses.
CVE-2023-26136 — tough-cookie prototype pollution
A prototype-pollution vulnerability in tough-cookie (before 4.1.3), the cookie jar used by `request`, jsdom and cookie-jar add-ons for other HTTP clients: when a `CookieJar` was created with `rejectPublicSuffixes: false`, a cookie whose `Domain` was `__proto__` polluted `Object.prototype`, changing application behavior downstream.
CVE-2024-21538 — cross-spawn ReDoS
A ReDoS in cross-spawn (before 7.0.5), used by most CLI tooling in the Node ecosystem: a very long argument string hit a backtracking regular expression in its argument-escaping code, hanging the process before the child was spawned.
CVE-2024-47068 — Rollup DOM-clobbering XSS in bundled output
Rollup (before 3.29.5 and 4.22.4) emitted bundles whose `import.meta.url` polyfill read `document.currentScript`, a DOM-clobberable gadget: an attacker able to inject an HTML element with a matching `name` or `id` into the page could turn that into script execution in the end user's browser.
CVE-2023-49090 — Vite arbitrary file read
Vite's dev server could be tricked into returning files outside the project's allowed roots in response to a crafted URL, exposing `.env` files, keys or other filesystem content to anyone able to reach a developer's dev server.
CVE-2024-47875 — DOMPurify nesting-based mutation XSS (mXSS)
DOMPurify (before 2.5.4 and 3.1.3) could be bypassed with deeply nested markup that the browser re-parsed differently after sanitisation, smuggling executable script through and re-enabling XSS in apps that relied on DOMPurify as their only defense.
CVE-2024-28863 — node-tar DoS via malformed header
node-tar (before 6.2.1) did not bound the number of directory entries it tracked while parsing, so an archive with a huge number of nested folders exhausted memory, a DoS against any service that accepts uploaded tarballs (registries, Docker-adjacent tooling, generic file import).
CVE-2024-22195 — Jinja2 XSS via xmlattr filter
A cross-site scripting vulnerability in Jinja2's `xmlattr` filter (before 3.1.3): attacker-controlled attribute keys containing spaces, `/`, `>` or `=` let an attacker inject arbitrary HTML attributes, re-enabling XSS in Flask and FastAPI templates that passed user input as keys.
CVE-2023-44270 — PostCSS newline parsing bypass
PostCSS (before 8.4.31) mishandled `\r` in source CSS, so text PostCSS treated as a comment could be read as live CSS by a later processing step, letting attacker-controlled stylesheets smuggle rules past sanitisation in applications that process user-supplied CSS.
CVE-2024-35255 — Azure Identity libraries elevation of privilege
An elevation-of-privilege vulnerability across the Azure Identity libraries (including `@azure/identity` for Node.js) and MSAL: the developer credential types that shell out to external tools such as the Azure CLI could be coerced into running a malicious executable placed where the credential looked for the tool, giving a local attacker the caller's privileges.
CVE-2024-27982 — Node.js HTTP request-smuggling via space in Content-Length
Node.js's HTTP parser accepted a space before the colon in the `Content-Length` header (`Content-Length : 10`), which strict intermediaries treat as an invalid or different header, so a front-end proxy and the Node back-end disagreed about the body length, enabling request smuggling.
CVE-2024-27983 — Node.js HTTP/2 server crash via CONTINUATION frames
An unauthenticated client could take down a Node.js HTTP/2 server with a handful of frames: sending headers split across `CONTINUATION` frames and then abruptly closing the TCP connection raced the `Http2Session` teardown with nghttp2's still-in-progress header processing, leaving stale data behind and triggering an assertion that aborted the process.
CVE-2024-30171 — Bouncy Castle timing side-channel
A timing side-channel in Bouncy Castle's RSA PKCS#1 v1.5 decryption (a Marvin-style padding oracle) let an attacker who can submit many ciphertexts and time the responses recover plaintext or forge signatures without the private key.
CVE-2024-24549 — Apache Tomcat HTTP/2 DoS
Apache Tomcat did not reset an HTTP/2 stream that exceeded a configured header limit until all of its headers had been read, so a client streaming oversized headers kept the connector busy with unbounded CPU and memory consumption; a small number of such connections could saturate a Tomcat-fronted application.
CVE-2024-21490 — AngularJS ReDoS in ng-srcset parsing
The regular expression AngularJS (1.3.0 through 1.8.3) used to split `ng-srcset` values had super-linear backtracking, so crafted input reaching that attribute could block the browser's main thread on legacy AngularJS apps.
CVE-2024-45296 — path-to-regexp ReDoS (original advisory)
The original path-to-regexp ReDoS: route definitions with two parameters in one segment and no separator between them, such as `/:a-:b`, produced a regex with catastrophic backtracking on attacker-supplied paths. The 0.1.x fix was incomplete, and that follow-up is tracked as CVE-2024-52798.
CVE-2024-32421 — Next.js race condition in cached fetch
A race condition in Next.js's cached-fetch implementation could let concurrent requests observe incomplete or mixed responses under high concurrency.
CVE-2024-39884 — Apache HTTP Server source disclosure via ignored AddType handlers
A regression in the core of Apache httpd 2.4.60 ignored some legacy content-type-based handler configuration (`AddType` and similar), so files requested indirectly could be served raw instead of being passed to their handler, for example disclosing PHP source instead of executing it.
CVE-2025-24840 — supabase-js session-refresh race condition
A race condition in supabase-js's automatic session-refresh logic could cause two tabs of the same user to receive access tokens belonging to different refresh cycles, confusing server-side authorization state.
CVE-2024-21656 — Turborepo path traversal in cached outputs
Turborepo's remote-cache implementation allowed crafted cache entries to escape the expected output directory, writing arbitrary files on a developer's machine when restoring the cache.
CVE-2024-42005 — Django QuerySet SQL injection via JSON key lookups
A SQL injection in Django's `QuerySet.values()` and `values_list()` on models with a `JSONField`: a crafted JSON object key passed as a positional argument was interpolated into the query, letting attacker-controlled lookup paths append arbitrary SQL.
CVE-2024-45231 — Django reset-password user enumeration
Django's password-reset form returned a different response when sending the reset email failed (for example through an SMTP misconfiguration or timeout) than when the address was unknown, so the response status leaked whether an email address has an account.
CVE-2024-38475 — Apache httpd mod_rewrite file-system escape
Improper output escaping in mod_rewrite (Apache httpd 2.4.59 and earlier) let attackers map URLs onto filesystem locations the server is permitted to serve but that no URL intentionally reaches, resulting in source-code disclosure or code execution. `RewriteRule` substitutions in server context whose first segment is a backreference or variable are affected.
CVE-2024-32002 — Git RCE via case-insensitive filesystem symlink
On case-insensitive filesystems with symlink support (Windows, macOS default), a crafted repository with submodules could trick Git into writing files into the `.git/` directory instead of the submodule's worktree, installing a hook that ran while the clone was still in progress: remote code execution from `git clone --recursive`.
CVE-2024-37891 — urllib3 proxy-auth credential leak through redirects
urllib3 (before 1.26.19 and 2.2.2) did not strip a `Proxy-Authorization` header that the caller had set manually on the request (rather than through `ProxyManager`) when following cross-origin redirects, leaking proxy credentials to the redirect target.
CVE-2024-6345 — Python setuptools RCE via package_index
A remote code execution in setuptools's `package_index` module (up to 69.1.1): its download helpers, used by `easy_install` and `setup_requires` resolution, passed attacker-influenced package URLs (for example VCS URLs) to the shell without sanitisation, so a malicious index or URL could run arbitrary code during dependency resolution.
CVE-2024-39689 — certifi shipped a distrusted GLOBALTRUST root
certifi, the root CA bundle used by requests and much of the Python ecosystem, continued to include the GLOBALTRUST 2020 root after Mozilla distrusted it, so certificates chaining to that CA were still accepted until certifi 2024.07.04 removed it.
CVE-2024-29025 — Netty HttpPostRequestDecoder DoS
Netty's `HttpPostRequestDecoder` (before 4.1.108) accumulated multipart form fields without limiting their number, so a crafted multipart upload with a huge number of fields exhausted memory, a DoS.
CVE-2024-47178 — Nuxt devtools prototype pollution
Nuxt devtools had a prototype-pollution in its dev-mode route handler that could escalate to RCE on the developer's machine when the dev server was exposed.
CVE-2024-41818 — fast-xml-parser ReDoS
A ReDoS in fast-xml-parser (before 4.4.1): the regular expression used to recognise currency values during number parsing backtracked super-linearly, so crafted XML text could hang any Node.js service parsing untrusted XML.
CVE-2024-50379 — Apache Tomcat JSP TOCTOU RCE
A time-of-check/time-of-use race in Tomcat's JSP compilation on case-insensitive filesystems: when the default servlet was configured with write enabled (`readonly=false`, not the default), concurrent reads and uploads of the same file could get an uploaded file treated as a JSP and compiled, yielding remote code execution.
CVE-2024-56204 — Composer cache-poisoning RCE
A cache-poisoning vulnerability in Composer (PHP dependency manager) could let a malicious package poison a victim's cache, resulting in RCE on subsequent installs.
CVE-2024-47076 — CUPS libcupsfilters IPP attribute validation
`cfGetPrinterAttributes5` in libcupsfilters did not validate IPP attributes returned by a remote printer, passing attacker-controlled data into generated PPD files. It is one link in the unauthenticated CUPS RCE chain with CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed listening on UDP port 631) and CVE-2024-47177 (foomatic-rip command execution when a job is printed).
CVE-2025-0411 — 7-Zip Mark-of-the-Web bypass
7-Zip (before 24.09) did not propagate the Windows Mark-of-the-Web to files extracted from a nested archive, so a double-archived payload evaded SmartScreen and other MotW-based protections on malicious downloads.
CVE-2024-27980 — Node.js Windows command injection via child_process
On Windows, `child_process.spawn()` and `spawnSync()` handed `.bat` and `.cmd` files to `cmd.exe` even with `shell: false`, without escaping the arguments for it, so a malicious argument could inject additional commands and achieve code execution.
CVE-2024-30260 — undici header scrubbing bypass
undici, the HTTP client behind Node's `fetch()`, did not clear `Proxy-Authorization` and `Proxy-Authentication` headers on cross-origin redirects, leaking proxy credentials to the redirect target, the same class of bug as the follow-redirects and urllib3 entries above.
CVE-2024-22257 — Spring Security AuthenticatedVoter broken access control
In Spring Security, `AuthenticatedVoter#vote` could return a positive vote for a `null` `Authentication` parameter, so authorization configurations relying on that voter could grant access to requests carrying no authentication at all.
CVE-2024-27281 — Ruby RDoc RCE via .rdoc_options deserialization
RDoc, shipped with Ruby, loaded the `.rdoc_options` configuration file with unrestricted YAML deserialization, so a crafted repository could instantiate arbitrary objects and execute code when its documentation was built.
CVE-2024-7254 — Protocol Buffers StackOverflow DoS
The Java implementation of Protocol Buffers (before 3.25.5, 4.27.5 and 4.28.2) parsed unbounded nested groups or series of `SGROUP` tags recursively, so crafted input to any protobuf-based RPC or deserializer exceeded the stack limit with a `StackOverflowError`, killing the JVM.