An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04NmZjLWY5Z3ItdjUzM84AA5xc

HTTP Handling Vulnerability in the Bare server


This vulnerability relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to manipulation of their web traffic. The impact may vary depending on the specific usage of the package but it can potentially affect any system where this package is in use.


Yes, the problem has been patched. We advise all users to upgrade to version @tomphttp/[email protected] as soon as possible.


Given the nature of the vulnerability, the most effective solution is to upgrade to the patched version of the package. Specific workaround strategies will be disclosed later due to security considerations.


Further information about this vulnerability will be provided at a later date to provide users with an opportunity to upgrade to a patched version and to prevent potential exploitation of the vulnerability. Users are advised to follow the repository announcements and updates.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 months ago
Updated: about 1 month ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-86fc-f9gr-v533, CVE-2024-27922
References: Repository:
Blast Radius: 26.2

Affected Packages

Dependent packages: 3
Dependent repositories: 467
Downloads: 41,715 last month
Affected Version Ranges: < 2.0.2
Fixed in: 2.0.2
All affected versions: 1.0.3, 1.0.4, 1.1.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 2.0.0, 2.0.1
All unaffected versions: 2.0.2, 2.0.3