CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-4432 – Ring: some aes functions may panic when overflow checking is enabled in ring
https://notcve.org/view.php?id=CVE-2025-4432
09 May 2025 — A flaw was found in Rust's Ring package. A panic may be triggered when overflow checking is enabled. In the QUIC protocol, this flaw allows an attacker to induce this panic by sending a specially crafted packet. It will likely occur unintentionally in 1 out of every 2**32 packets sent or received. • https://access.redhat.com/security/cve/CVE-2025-4432 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 3.7EPSS: 0%CPEs: 10EXPL: 0CVE-2025-3416 – Openssl: rust-openssl use-after-free in `md::fetch` and `cipher::fetch`
https://notcve.org/view.php?id=CVE-2025-3416
08 Apr 2025 — A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string. • https://access.redhat.com/security/cve/CVE-2025-3416 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 45EXPL: 0CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3508 – Bzip2: compressed content bomb leads to denial of service of bombastic api
https://notcve.org/view.php?id=CVE-2024-3508
25 Apr 2024 — A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed. Se encontró una falla en Bombastic, que permite a los usuarios autenticados cargar SBOM comprimidos (bzip2 o zstd). El endpoint de API verifica la presencia de algunos campos y valores en el JSON. • https://access.redhat.com/security/cve/CVE-2024-3508 • CWE-400: Uncontrolled Resource Consumption CWE-434: Unrestricted Upload of File with Dangerous Type •