Frontend Frameworks Vulnerabilities and Node.js Permission Model Update

Frontend frameworks vulnerabilities

Recent months have seen a surge in security vulnerabilities affecting popular frontend frameworks. Here are some notable examples:

Eclipse on Next.js - Conditioned exploitation of an intended race-condition.

eclipse on nextjs

Next.js Authorization Bypass - Next.js and the corrupt middleware: the authorizing artifact.

Even more Next.js security vulnerabilities disclosed include the following two reports: 1, 2, all by Rachid.A (zhero), security researcher.

nextjs authorization bypass

Nuxt, not immune of vulnerabilities, either - Nuxt, show me your payload - a basic CP DoS.

React-Router vulnerability - Pre-render data spoofing + CPDoS. This one sheds light on CVEs without much written context yet, but it follows a former React Router + Remix vulnerability disclosure.

Vite dev server found vulnerable - Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. Patched versions are already available so upgrade.


🔮 Node.js Tip of the Week

Node.js Tip of the Week: Sweet new permission model DX improvement providing an explicit allow-fs-read to app entrypoint. Thank you Rafael and Erick! ❤️


❗ New Security Vulnerabilities


Node.js Security Newsletter

Subscribe to get everything in and around the Node.js security ecosystem, direct to your inbox.

    JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.