CVE-2025-1843
published 2025-03-03CVE-2025-1843: A vulnerability, which was classified as critical, has been found in Mini-Tmall up to 20250211. This issue affects the function select of the file…
PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.49%
38.4th percentile
A vulnerability, which was classified as critical, has been found in Mini-Tmall up to 20250211. This issue affects the function select of the file com/xq/tmall/dao/ProductMapper.java. The manipulation of the argument orderBy leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| project_team | tmall_demo | <= 2025-02-11 | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-55132 nodejs: Nodejs filesystem permissions bypass
bugzilla·2026-01-20·CVSS 5.3
CVE-2025-55132 [MEDIUM] CVE-2025-55132 nodejs: Nodejs filesystem permissions bypass
CVE-2025-55132 nodejs: Nodejs filesystem permissions bypass
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:1843 https://access.redhat.com/errata/RHSA-2026:1843
---
This issue has been addressed in the foll
Bugzilla
CVE-2025-59466 nodejs: Nodejs denial of service
bugzilla·2026-01-20·CVSS 7.5
CVE-2025-59466 [HIGH] CVE-2025-59466 nodejs: Nodejs denial of service
CVE-2025-59466 nodejs: Nodejs denial of service
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:1843 https://access.redhat.com/errata/RHSA-2026:1843
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-202
2025-03-03
Published