GitLab Advisory Database

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentials from popular online services. It is recommended all credentials be rotated, npm cache is cleared, .node_modules directory is removed and all dependencies be rolled back to …

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentials from popular online services. It is recommended all credentials be rotated, npm cache is cleared, .node_modules directory is removed and all dependencies be rolled back to …

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentials from popular online services. It is recommended all credentials be rotated, npm cache is cleared, .node_modules directory is removed and all dependencies be rolled back to …

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentials from popular online services. It is recommended all credentials be rotated, npm cache is cleared, .node_modules directory is removed and all dependencies be rolled back to …

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentials from popular online services. It is recommended all credentials be rotated, npm cache is cleared, .node_modules directory is removed and all dependencies be rolled back to …

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentials from popular online services. It is recommended all credentials be rotated, npm cache is cleared, .node_modules directory is removed and all dependencies be rolled back to …

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentials from popular online services. It is recommended all credentials be rotated, npm cache is cleared, .node_modules directory is removed and all dependencies be rolled back to …

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentials from popular online services. It is recommended all credentials be rotated, npm cache is cleared, .node_modules directory is removed and all dependencies be rolled back to …

This advisory is a duplicate of CVE-2025-43865 and has been removed.

This advisory is a duplicate of CVE-2025-43864 and has been removed.

This advisory has been marked as False Positive and has been removed.

Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition to the latest version of AGE that is used for PostgreSQL 11 or PostgreSQL 12. The update of AGE will …

There are issues with the AGE drivers for Golang and Python that enable SQL injections to occur. This impacts AGE for PostgreSQL 11 & AGE for PostgreSQL 12, all versions up-to-and-including 1.1.0, when using those drivers. The fix is to update to the latest Golang and Python drivers in addition to the latest version of AGE that is used for PostgreSQL 11 or PostgreSQL 12. The update of AGE will …

There is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to …

The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also using IP addresses instead of hostnames due to a configuration option that was incorrectly enabled by default.