Vulnerability Analysis
In-depth guides and analysis on vulnerability analysis from the Safeguard engineering team.
568 articles
path-parse regular expression denial of service (CVE-2021-23343)
A ReDoS flaw in path-parse (CVE-2021-23343) lurks deep in webpack and resolve dependency trees. Here's the impact, timeline, and how to fix it.
browserslist ReDoS vulnerability (CVE-2021-23364)
A ReDoS flaw in browserslist (CVE-2021-23364) let crafted query strings stall builds across the JS ecosystem. Here's the full breakdown and fix.
minimatch regular expression denial of service (CVE-2022-3517)
A ReDoS flaw in minimatch (CVE-2022-3517) lets a single crafted string hang Node.js processes. Here's what's affected, the risk context, and how to fix it.
ansi-regex ReDoS vulnerability (CVE-2021-3807)
CVE-2021-3807 is a ReDoS flaw in the widely-used ansi-regex npm package. Here's the impact, affected versions, CVSS/EPSS context, and how to fix it.
nth-check ReDoS vulnerability (CVE-2021-3803)
CVE-2021-3803 turned a niche CSS selector parser into an ecosystem-wide audit headache. Here's the real exploitability picture and how to fix it.
tough-cookie prototype pollution (CVE-2023-26136)
CVE-2023-26136: a prototype pollution flaw in tough-cookie hides deep in transitive Node.js dependencies. Impact, timeline, and remediation steps.
cross-spawn ReDoS vulnerability (CVE-2024-21538)
CVE-2024-21538 is a ReDoS flaw in the widely-used cross-spawn npm package. Learn the impact, CVSS/EPSS context, and how to remediate it.
Express.js open redirect vulnerability (CVE-2024-29041)
CVE-2024-29041 lets attackers weaponize Express.js redirects for phishing. See affected versions, CVSS/EPSS data, and how to remediate fast.
http-cache-semantics ReDoS vulnerability (CVE-2022-25881)
CVE-2022-25881 lets attacker-influenced HTTP responses trigger catastrophic regex backtracking in http-cache-semantics, hanging Node.js services. Here's how to detect and fix it.
Python setuptools package_index ReDoS (CVE-2022-40897)
CVE-2022-40897 is a ReDoS flaw in setuptools' package_index.py that can hang CI pipelines when parsing crafted index pages. Here's how to detect and fix it.
Python requests library proxy-auth credential leak (CVE-2023-32681)
CVE-2023-32681 lets Python's requests library leak Proxy-Authorization credentials to destination servers on HTTPS redirects. Here's the impact, timeline, and fix.
urllib3 CA certificate verification bypass (CVE-2019-11324)
CVE-2019-11324 let urllib3 silently trust unintended CAs during custom certificate validation, undermining pinned-trust and mTLS setups.