string

Regular Expression Denial of Service in string package

@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

string-math's string-math.js vulnerability can cause Regex Denial of Service (ReDoS)

es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`

FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString

@grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template

Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings

Malicious code in string-multiutils (npm)

happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript

dojox vulnerable to unescaped string injection

OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)

Malicious code in seacpe-string-regexp (npm)

html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS)

@lumieducation/h5p-server Fails to Sanitize Plain Text Strings

Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()

DbGate has cross site scripting via the SVG Icon String Handler component

string-kit Inefficient Regular Expression Complexity vulnerability

JHipster Kotlin using insecure source of randomness `RandomStringUtils` before v1.2.0

Malicious code in body-string-rest (npm)

ReDoS via long string of semicolons in tough-cookie

Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker

Uncontrolled Resource Consumption in fast-string-search

oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify

Malicious code in ibm-strings (npm)

Malicious code in string-parser-utils (npm)

Malicious code in owa-strings (npm)

Malicious code in lodaschisstring (npm)

Malicious code in gradient-stringss (npm)

Malicious code in stringjs_lib (npm)

Malicious code in string-width-aliased (npm)

Denial of Service in uap-core when processing crafted User-Agent strings

color-string@2.1.1 contains malware after npm account takeover

Malicious code in json2stringfy (npm)

Elysia has a string URL format ReDoS

Malicious code in remark-stringify10 (npm)

n8n: Webhook Node IP Whitelist Bypass via Partial String Matching

Malicious code in fetch-string (npm)

Remote Code Execution (RCE) via String Literal Injection into math-codegen

Malicious code in shakti-strings (npm)

@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry

Malicious code in color-string (npm)

module-from-string prototype pollution

steal Inefficient Regular Expression Complexity vulnerability via string variable

Malicious code in plugin-proposal-json-strings (npm)

Malicious code in @hongfangze/string (npm)

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag

Feathers socket handler allows abusing implicit toString

Malicious code in body-string (npm)

Malicious code in 5string (npm)

Malicious code in oj-sp-common-strings (npm)

Budibase vulnerable to SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)

Malicious code in gradient-stringnnnn (npm)

Malicious code in gradient-strings (npm)

Malicious code in tree-sitter-strings (npm)

Malicious code in gradient-stringn (npm)

Malicious code in unique-string-64 (npm)

Malicious code in @maxcointech/simple-string-utils (npm)

markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations

tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template

Malicious code in simple-string-utils3 (npm)

Malicious code in string-process-mate (npm)

Malicious code in arrays-string (npm)

node-stringbuilder vulnerable to Out-of-bounds Read

Out-of-bounds Read in stringstream

Malicious code in atlaspack-transformer-string (npm)

Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching

Passing in a non-string 'html' argument can lead to unsanitized output

Malicious code in jsostablestringilfy (npm)

Malicious code in eslint-plugin-i18n-strings (npm)

Malicious code in string_decoder-browserify (npm)

query-parser-string is vulnerable to Prototype Pollution

Malicious code in non-string-num (npm)

Out-of-bounds Read in fast-string-search

Malicious code in parse-escape-regex-string (npm)

Malicious code in parse-regex-string (npm)

Malicious code in string-manipulation-typescript (npm)

Malicious code in string-setup-helper (npm)

Malicious code in quewynstring (npm)

qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set

Malicious code in son-stringiy-safe (npm)

Malicious code in testring-build (npm)

Malicious code in string-tools-be6c (npm)

Malicious code in transform-json-strings (npm)

http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching

Malicious code in stringify-coder (npm)