SB2026031336 - Splunk AppDynamics NodeJS Agent update for third-party components
Published: March 13, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 41 secuirty vulnerabilities.
1) Link following (CVE-ID: CVE-2021-35938)
The vulnerability allows a local privileged user to escalate privileges on the system.
The vulnerability occurs when rpm sets the desired permissions and credentials after installing a file. A local privileged user can use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system.
2) Out-of-bounds read (CVE-ID: CVE-2024-5642)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API when NPN is used. A remote attacker can trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
3) Inefficient algorithmic complexity (CVE-ID: CVE-2025-12084)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to usage of a quadratic algorithm when building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache(). A remote attacker can force the application to create excessively nested documents, leading to a denial of service condition.
4) Resource exhaustion (CVE-ID: CVE-2025-6075)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the os.path.expandvars() function. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.
5) Input validation error (CVE-ID: CVE-2025-8291)
The vulnerability allows a remote attacker to extract files into arbitrary locations on the system.
The vulnerability exists due to the zipfile module does not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value when extracting files. A remote attacker can use a specially crafted zip file to extract data into arbitrary locations on the system.
6) Resource management error (CVE-ID: CVE-2025-6069)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the html.parser.HTMLParser class. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
7) Input validation error (CVE-ID: CVE-2026-2391)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due the arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled. A remote attacker can pass overly large string to the application and consume all available memory resources, leading to a denial of service condition.
8) Resource exhaustion (CVE-ID: CVE-2025-15284)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the arrayLimit option does not enforce limits for bracket notation (a[]=1&a[]=2). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
9) Link following (CVE-ID: CVE-2021-35939)
The vulnerability allows a local privileged user to escalate privileges on the system.
The vulnerability exist due to fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local privileged user who owns another ancestor directory could potentially use this flaw to gain root privileges.
10) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2021-35937)
The vulnerability allows a local privileged user to escalate privileges on the system.
The vulnerability exist due to race condition. A local privileged user can bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges.
11) Out-of-bounds write (CVE-ID: CVE-2025-68160)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error within the BIO filter (BIO_f_linebuffer). A remote attacker can pass an overly long string to the application, trigger an out-of-bounds write and perform a denial of service attack.
12) Path traversal (CVE-ID: CVE-2026-23745)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in src/unpack.ts within the [HARDLINK] and [SYMLINK] methods. A remote attacker can send a specially crafted HTTP request and read/overwrite arbitrary files on the system.
13) Path traversal (CVE-ID: CVE-2026-24842)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in lib/unpack.js. A remote attacker can send a specially crafted HTTP request and read or overwrite arbitrary files on the system.
14) Race condition (CVE-ID: CVE-2026-23950)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a race condition in Path Reservations via Unicode Sharp-S (ß) Collisions on macOS APFS. A remote attacker can trick the victim into using a specially crafted archive to bypass the library's internal concurrency safeguards and perform Symlink Poisoning attacks.
15) Path traversal (CVE-ID: CVE-2025-45582)
The vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A local user can trick the victim into opening a specially crafted HTTP request and read arbitrary files on the system.
16) Path traversal (CVE-ID: CVE-2025-53905)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to input validation error when processing directory traversal sequences in tar.vim plugin. A remote attacker can trick the victim into opening a specially crafted archive and overwrite arbitrary files on the system, leading to remote code execution.
17) Path traversal (CVE-ID: CVE-2025-53906)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to input validation error when processing directory traversal sequences in zip.vim plugin. A remote attacker can trick the victim into opening a specially crafted archive and overwrite arbitrary files on the system, leading to remote code execution.
18) Cleartext transmission of sensitive information (CVE-ID: CVE-2025-69418)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag. When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. A remote attacker can intercept traffic and gain access to potentially sensitive information.
19) Type confusion (CVE-ID: CVE-2026-22796)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a type confusion error within the PKCS7_digest_from_attributes() function. A remote attacker can pass specially crafted PKCS#7 data to the application, trigger a type confusion error and perform a denial of service attack.
20) Out-of-bounds read (CVE-ID: CVE-2025-9086)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition when reading cookie path. A malicious server can set a specially crafted cookie path using the secure keyword, trigger an out-of-bounds read error and crash the application.
21) Input validation error (CVE-ID: CVE-2025-46394)
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of filenames inside a tar archive. A remote attacker can add a specially crafted file into an archive and trick the victim into overwriting critical files on the system, leading to a potential privilege escalation.
22) Resource exhaustion (CVE-ID: CVE-2025-59375)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger large dynamic memory allocations via a small document and perform a denial of service (DoS) attack.
23) Integer overflow (CVE-ID: CVE-2025-13601)
The vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to integer overflow within the g_escape_uri_string() function. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and perform a denial of service attack.
24) Out-of-bounds write (CVE-ID: CVE-2025-68973)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error within the armor_filter() function in g10/armor.c. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds write and execute arbitrary code on the target system.
25) Integer overflow (CVE-ID: CVE-2025-48964)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in ping. A remote attacker can send a specially crafted ICMP Echo Reply packet to trigger an integer overflow and crash the application.
26) Uncontrolled Recursion (CVE-ID: CVE-2025-9714)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion in XPath evaluation within the xmlXPathRunEval() function in xpath.c. A remote attacker can pass specially crated XML data to the application and perform a denial of service (DoS) attack.
27) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-56433)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to shadow-utils establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users).
28) Buffer overflow (CVE-ID: CVE-2025-6965)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing aggregated terms. A remote attacker can pass specially crafted input to the application where the number of aggregate terms exceeds the number of columns available, trigger memory corruption and perform a denial of service (DoS) attack.
29) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-4598)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in systemd-coredump when handling process crashes. A local user who can force a SUID process to crash can replace it with a non-SUID binary to access the original's privileged process coredump and read sensitive data, such as /etc/shadow content, loaded by the original process.
30) Heap-based buffer overflow (CVE-ID: CVE-2025-14104)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing 256-byte usernames within the setpwnam() function. A local user can trigger a heap-based buffer overflow and execute arbitrary code on the target system.
The vulnerability affects any SUID login-utils utility writing to password database.
31) Input validation error (CVE-ID: CVE-2024-58251)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in netstat when launched with an argv[0] containing an ANSI terminal escape sequence. A local user can lock the terminal when netstat is used by a victim.
32) NULL pointer dereference (CVE-ID: CVE-2026-22795)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when parsing PKCS#12 file. A remote attacker can pass a specially crafted PKCS#12 file to the application and perform a denial of service (DoS) attack.
33) Stack-based buffer overflow (CVE-ID: CVE-2025-15467)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters. A remote attacker can supply a specially crafted CMS message with an oversized IV, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
34) Out-of-bounds write (CVE-ID: CVE-2025-9230)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when trying to decrypt CMS messages encrypted using password based encryption. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.
Successful exploitation of the vulnerability requires that password based (PWRI) encryption support in CMS messages is enabled.
35) Type Confusion (CVE-ID: CVE-2025-69420)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a type confusion error within the TS_RESP_verify_response() function when handling ASN1_TYPE data.. A remote attacker can pass a malformed TimeStamp Response to the application and perform a denial of service attack.
36) NULL pointer dereference (CVE-ID: CVE-2025-69421)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the PKCS12_item_decrypt_d2i_ex function. A remote attacker can pass a specially crafted PKCS#12 file to the application and perform a denial of service (DoS) attack.
37) Out-of-bounds write (CVE-ID: CVE-2025-69419)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error within the PKCS12_get_friendlyname() function when parsing PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point. A remote attacker can pass a specially crafted PKCS#12 file to the application, trigger an out-of-bounds write and perform a denial of service attack.
38) Covert Timing Channel (CVE-ID: CVE-2025-9231)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to timing side-channel in SM2 signature computations on 64 bit ARM platforms. A remote attacker can recover the private key and decrypt data.
39) Stack-based buffer overflow (CVE-ID: CVE-2025-11187)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when parsing PKCS#12 files. A remote attacker can pass a specially crafted PKCS#12 file to the application, trigger a stack-based buffer overflow and perform a denial of service attack.
40) NULL pointer dereference (CVE-ID: CVE-2025-15468)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the SSL_CIPHER_find() function. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
41) Resource exhaustion (CVE-ID: CVE-2025-66199)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in CompressedCertificate. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected.
Servers that do not request client certificates are not vulnerable to client-initiated attacks.
Remediation
Install update from vendor's website.