GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
11 advisories
secp256k1-node allows private key extraction over ECDH
High
CVE-2024-48930
was published
for
secp256k1
(npm)
Oct 21, 2024
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
Moderate
CVE-2024-53866
was published
for
pnpm
(npm)
Dec 10, 2024
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Critical
GHSA-vjh7-7g9h-fjfh
was published
for
elliptic
(npm)
Feb 12, 2025
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
Critical
CVE-2025-6545
was published
for
pbkdf2
(npm)
Jun 23, 2025
tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
High
CVE-2024-49364
was published
for
tiny-secp256k1
(npm)
Jun 30, 2025
tiny-secp256k1 allows for verify() bypass when running in bundled environment
High
CVE-2024-49365
was published
for
tiny-secp256k1
(npm)
Jun 30, 2025
node-tar has a race condition leading to uninitialized memory exposure
Moderate
CVE-2025-64118
was published
for
tar
(npm)
Oct 30, 2025
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
Critical
CVE-2025-9287
was published
for
cipher-base
(npm)
Aug 21, 2025
sha.js is missing type checks leading to hash rewind and passing on crafted data
Critical
CVE-2025-9288
was published
for
sha.js
(npm)
Aug 21, 2025
Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`
High
CVE-2026-23897
was published
for
@apollo/server
(npm)
Feb 4, 2026
pbkdf2 silently disregards Uint8Array input, returning static keys
Critical
CVE-2025-6547
was published
for
pbkdf2
(npm)
Jun 23, 2025
ProTip!
Advisories are also available from the
GraphQL API