Prominent Security Vulnerabilities, Tools, and Best Practices in the Node.js Ecosystem
Security Vulnerabilities
castilho blog - The post describes an open-redirect flaw in the Better-Auth library's trusted-origin check: a redirect or callback URL built with a special URL scheme passes the check and sends the user to an attacker-controlled site, where any token carried in the URL (a password reset token, for instance) can be captured. A first patch was still bypassable, which shows how much care URL validation needs. Developers using Better-Auth should upgrade to the latest release and review how redirect and callback URLs are parsed and compared against trusted origins.
Netflix Vulnerability: Dependency Confusion in Action - Lupin & Holmes - A late-night brainstorm led to the discovery of a dependency confusion vulnerability in Netflix's software supply chain (an internal package name that could be registered on the public registry and resolved in place of the internal one). The write-up makes the case for scrutinizing every dependency an organization installs and for collaboration between security researchers and companies in handling such reports.
Node.js - In March 2025 the Node.js project reported a security incident on its test CI hosts: a time-of-check/time-of-use (TOCTOU) weakness in the Jenkins pipelines let unauthorized code run on those hosts. The team restricted access, rebuilt the affected hosts, and hardened the pipelines by validating commit SHAs, so the code a job checks out is exactly the code that was approved. The incident did not affect the Node.js runtime and no user action is required. The post also discusses balancing security with contributor experience and encourages responsible vulnerability reporting.
A Link To The Past: Uncovering a New Vulnerability in tar-fs | Seal Security - Seal Security uncovered a critical vulnerability in the tar-fs package: a crafted archive containing symlinks can make the extractor write files outside the intended destination directory, which can lead to remote code execution when an attacker-controlled file lands somewhere it is later loaded or executed. Applications that extract untrusted archives should update tar-fs immediately, and the finding is a reminder to review what npm dependencies do with attacker-controlled input.
Critical SQL Injection Vulnerability in LlamaIndex (CVE-2025-1793) – Advisory and Analysis | Blog | Endor Labs - Endor Labs' advisory on CVE-2025-1793, a critical SQL injection in LlamaIndex, shows how data flowing through an LLM application can reach the vector store's database as part of a query and expose the data the store holds. The recommended mitigations are to patch immediately, validate input, and build queries with parameters rather than string concatenation.
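Why symlinks are hard for an extractor, as an added example that is not tar-fs's code: checking each entry's own fields lexically is not enough, because a symlink written by an earlier entry changes where later paths physically land. The root directory and the three-entry archive below are constructed for the example; the code simulates the extractor's checks on POSIX paths without touching the filesystem.

```javascript
// Added example (not tar-fs's code): vetting tar entries before extraction
// under a constructed root, with and without accounting for symlinks that
// earlier entries in the same archive created. POSIX paths, no I/O.
const ROOT = '/srv/extract';

// Lexical normalization only: collapse '.', '..' and empty segments.
function normalize(abs) {
  const out = [];
  for (const seg of abs.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

function dirname(abs) {
  const i = abs.lastIndexOf('/');
  return i <= 0 ? '/' : abs.slice(0, i);
}

function join(dir, rel) {
  return rel.startsWith('/') ? rel : `${dir}/${rel}`;
}

function isInside(root, abs) {
  return abs === root || abs.startsWith(`${root}/`);
}

// Physical resolution: walk one segment at a time, applying '..' to the path
// actually reached so far and substituting any symlink the extractor has
// already created. `symlinks` maps physical link path -> physical target.
function followSymlinks(abs, symlinks) {
  let current = '/';
  for (const seg of abs.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { current = dirname(current); continue; }
    current = current === '/' ? `/${seg}` : `${current}/${seg}`;
    if (symlinks.has(current)) current = symlinks.get(current);
  }
  return current;
}

// Simulate an extractor. followLinks: false models a lexical-only check on
// each entry's own fields; followLinks: true checks what the filesystem will
// really do. Either way the symlink map records the physical truth, so the
// `writes` field shows where a file would actually land.
function simulateExtract(root, entries, { followLinks }) {
  const symlinks = new Map();
  return entries.map((entry) => {
    const physDest = followSymlinks(join(root, entry.name), symlinks);
    const lexDest = normalize(join(root, entry.name));
    const dest = followLinks ? physDest : lexDest;
    if (!isInside(root, dest)) {
      return { name: entry.name, ok: false, reason: `path escapes to ${dest}` };
    }
    if (entry.type === 'symlink') {
      const lexTarget = normalize(join(dirname(lexDest), entry.linkname));
      const physTarget = followSymlinks(join(dirname(physDest), entry.linkname), symlinks);
      const target = followLinks ? physTarget : lexTarget;
      if (!isInside(root, target)) {
        return { name: entry.name, ok: false, reason: `symlink points to ${target}` };
      }
      symlinks.set(physDest, physTarget);
    }
    return { name: entry.name, ok: true, writes: physDest };
  });
}

// Constructed archive: every entry passes a per-entry lexical check, yet the
// third one writes outside the root once the two symlinks exist on disk.
const CRAFTED_ARCHIVE = [
  { name: 'app/up', type: 'symlink', linkname: '..' },     // -> /srv/extract, inside
  { name: 'app/up/up2', type: 'symlink', linkname: '..' }, // lexically -> app/, physically -> /srv
  { name: 'app/up/up2/etc/cron.d/job', type: 'file' },     // lexically inside the root
];
```

With `followLinks: false` all three entries are accepted and the file lands at `/srv/etc/cron.d/job`; with `followLinks: true` the second symlink is rejected because its target, resolved through the first one, is `/srv`. On a real filesystem the equivalent of `followLinks: true` is to resolve the parent directory (realpath, or lstat per component / O_NOFOLLOW) before every write, and hardlink entries need the same treatment as symlinks.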
Tools & Libraries
GitHub - lirantal/url-sheriff: validate and prevent against SSRF - URL Sheriff is a Node.js library for preventing SSRF: it validates outbound URLs against scheme restrictions and allow-lists, can use a custom DNS resolver when deciding whether a hostname is safe to fetch, and emits detailed debug logging for troubleshooting and monitoring.
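The decisions an SSRF guard has to make, as an added example that is not url-sheriff's code: allow-list the scheme, refuse credentials in the URL, resolve the hostname to every address it has, and reject the request if any address is non-public, including loopback, RFC 1918, the link-local range that hosts cloud metadata, and IPv4 addresses hidden inside IPv6 forms. The resolver is injected so the block runs offline; the `FAKE_DNS` table, the function names and the sample addresses are constructed for the example.

```javascript
// Added example (not url-sheriff's code): vetting an outbound URL before a
// server-side fetch. The resolver is injected so this runs offline; in
// production pass dns.promises.lookup(host, { all: true }) or your own resolver.

const V4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function parseIPv4(s) {
  const m = V4.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.some((x) => x > 255) ? null : ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Never a legitimate fetch target: "this" network, RFC 1918, CGNAT, loopback,
// link-local (cloud metadata lives here), IETF protocol, TEST-NETs,
// benchmarking, multicast, reserved/broadcast.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24], ['192.0.2.0', 24],
  ['192.168.0.0', 16], ['198.18.0.0', 15], ['198.51.100.0', 24], ['203.0.113.0', 24],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
].map(([base, bits]) => [parseIPv4(base), bits]);

function isPublicIPv4(n) {
  return !BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((base & mask) >>> 0);
  });
}

// Expand an IPv6 literal to 8 groups, or null. Handles '::' and an embedded
// dotted quad such as ::ffff:127.0.0.1.
function parseIPv6(s) {
  if (s.includes('.')) {
    const i = s.lastIndexOf(':');
    const v4 = parseIPv4(s.slice(i + 1));
    if (v4 === null) return null;
    s = `${s.slice(0, i + 1)}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(halves.length === 2 ? missing : 0).fill('0'), ...tail]
    .map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  return groups.some(Number.isNaN) ? null : groups;
}

function isPublicIPv6(g) {
  const zeroTo = (k) => g.slice(0, k).every((x) => x === 0);
  const embeddedV4 = ((g[6] << 16) | g[7]) >>> 0;
  if (zeroTo(5) && g[5] === 0xffff) return isPublicIPv4(embeddedV4);           // ::ffff:a.b.c.d
  if (g[0] === 0x64 && g[1] === 0xff9b && g.slice(2, 6).every((x) => x === 0)) {
    return isPublicIPv4(embeddedV4);                                            // NAT64 64:ff9b::/96
  }
  if (zeroTo(7) && g[7] <= 1) return false;             // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return false;         // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return false;         // fe80::/10 link-local
  if ((g[0] & 0xff00) === 0xff00) return false;         // ff00::/8 multicast
  if (g[0] === 0x2001 && g[1] === 0x0db8) return false; // 2001:db8::/32 documentation
  return true;
}

// Fail closed: anything that does not parse is treated as non-public.
function isPublicAddress(ip) {
  const s = ip.replace(/^\[|\]$/g, '');
  if (s.includes(':')) { const g = parseIPv6(s); return g !== null && isPublicIPv6(g); }
  const n = parseIPv4(s);
  return n !== null && isPublicIPv4(n);
}

// resolve(host) returns every address for the name; all must be public, since
// the attacker controls which one a round-robin or rebinding answer hands out.
// The caller should then connect to one of the returned addresses directly
// (sending the original Host header) rather than resolving a second time.
function vetUrl(raw, resolve) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparsable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // The URL parser has already canonicalized hosts such as 0x7f.1 or 2130706433 to a dotted quad.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const literal = host.includes(':') || parseIPv4(host) !== null;
  const addrs = literal ? [host] : resolve(host) || [];
  if (addrs.length === 0) return { ok: false, reason: `${host} did not resolve` };
  const bad = addrs.find((a) => !isPublicAddress(a));
  if (bad) return { ok: false, reason: `${host} resolves to non-public ${bad}` };
  return { ok: true, host, addrs };
}

// Constructed resolver table standing in for DNS.
const FAKE_DNS = {
  'api.partner.example': ['1.1.1.1'],
  'metadata.internal.example': ['169.254.169.254'],
  'rebind.example': ['9.9.9.9', '10.0.0.5'],
};
const fakeResolve = (host) => FAKE_DNS[host];
```

`vetUrl('https://api.partner.example/v1', fakeResolve)` passes; the metadata address, `http://0x7f.1/`, `http://[::ffff:127.0.0.1]/`, the name with one private address among its answers, and any `file:` URL are all refused. Vetting once and then fetching by hostname again would reopen the rebinding hole, which is why the result carries the addresses that were checked.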
Best Practices & Insights
Applying Sandbox Security to Node.js Unikernels with OpenBSD Pledge and Unveil - The article shows how to run a Node.js application as a Nanos unikernel and apply OpenBSD's pledge and unveil to it: pledge limits the system calls the process may make after startup, and unveil limits the filesystem paths it may reach. The restrictions are applied at the unikernel level without changing application code, and the article makes the case for unikernels as a DevOps-friendly way to get this kind of proactive sandboxing.
What is a Vulnerability and What's Not? Making Sense of Node.js and Express Threat Models by Ulises Gascón - Ulises Gascón explains the Node.js and Express threat models: which reports count as vulnerabilities under those models and which do not, and how developers can find and defend against the attacks that do matter, using tools such as Burp Suite and OWASP ZAP to probe their applications.