Security Advisories

This page lists security vulnerabilities that have been identified and fixed in Bleu.js. We encourage all users to keep their installations up to date with the latest security patches.

Security Announcement: New security releases will be made available on Wednesday, May 14, 2025. We strongly recommend that all users update to the latest version as soon as possible. See this blog post for more details.

ID             Title                                              Severity   Affected Versions   Published
BLJS-2025-001  Authentication Bypass in Bleu.js API Client        Critical   v4.0.0 - v4.2.3     May 14, 2025
BLJS-2025-002  Remote Code Execution via Template Injection       High       v3.8.0 - v4.1.2     May 2, 2025
BLJS-2025-003  Cross-Site Scripting in Documentation Generator    Medium     v3.5.0 - v4.0.5     April 18, 2025
BLJS-2025-004  Prototype Pollution in Object Merger Utility       Medium     v3.0.0 - v4.1.0     March 30, 2025
BLJS-2025-005  Information Disclosure in Error Responses          Low        v4.0.0 - v4.1.5     March 12, 2025
BLJS-2024-011  Path Traversal in File System Module               High       v2.5.0 - v3.2.8     December 5, 2024

BLJS-2025-001: Authentication Bypass in Bleu.js API Client

Severity: Critical
Affected Versions: v4.0.0 - v4.2.3
Fixed In: v4.2.4
Published Date: May 14, 2025
CVE: CVE-2025-9876

Description: A vulnerability in the Bleu.js API client could allow attackers to bypass authentication controls when specific header combinations are used.

BLJS-2025-002: Remote Code Execution via Template Injection

Severity: High
Affected Versions: v3.8.0 - v4.1.2
Fixed In: v3.8.7, v4.1.3
Published Date: May 2, 2025
CVE: CVE-2025-8765

Description: Improper sanitization of user-supplied template strings could lead to remote code execution in applications using the template renderer component.
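The following is an added example, not Bleu.js code and not a description of the affected component's internals: it shows the general pattern behind template-injection RCE (a user-supplied template string compiled into JavaScript) beside a renderer that treats the template purely as data. The names `renderUnsafe`, `renderSafe` and the sample templates are illustrative.

```javascript
// Added example (not Bleu.js code): why compiling a user-supplied template string into
// JavaScript is remote code execution, and a renderer that treats the template as data.
// `renderUnsafe`, `renderSafe` and the inputs below are illustrative names.

// Vulnerable: the template becomes the body of a generated function, so any ${...}
// expression in it runs with the full privileges of the Node.js process.
function renderUnsafe(template, data) {
  // eslint-disable-next-line no-new-func
  return new Function('data', 'return `' + template + '`;')(data);
}

// Hardened: the template is never evaluated. Only {{identifier}} placeholders are
// recognised, and values are looked up as own properties of the data object, so
// "{{constructor}}" or "{{__proto__}}" cannot reach anything on the prototype chain.
function renderSafe(template, data) {
  return template.replace(/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g, (_match, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : ''
  );
}

// Constructed attacker-controlled template: the expression runs as soon as it is rendered.
// A real payload would spawn a process; here it only sets a global so the effect is observable.
const ATTACK_TEMPLATE = "Welcome ${(globalThis.__rce_marker = 'executed', 'user')}";

// Returns true if rendering the attacker template executed its embedded code.
function demoTemplateRce() {
  const out = renderUnsafe(ATTACK_TEMPLATE, {});
  const executed = globalThis.__rce_marker === 'executed' && out === 'Welcome user';
  delete globalThis.__rce_marker; // undo the side effect so the rest of the process is unaffected
  return executed;
}

// The hardened renderer leaves the same payload as inert text and substitutes only placeholders.
function demoTemplateSafe() {
  const output = renderSafe(ATTACK_TEMPLATE + ' {{name}} {{constructor}}', { name: 'Ada' });
  return { output, executed: globalThis.__rce_marker === 'executed' };
}
```

The hardened renderer is deliberately less expressive: if an application needs logic in templates, that logic must live in code the application ships, never in a string an end user can supply.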

BLJS-2025-003: Cross-Site Scripting in Documentation Generator

Severity: Medium
Affected Versions: v3.5.0 - v4.0.5
Fixed In: v3.5.9, v4.0.6
Published Date: April 18, 2025
CVE: CVE-2025-7654

Description: The documentation generator component did not properly sanitize user input when generating API documentation, potentially leading to stored XSS attacks.

BLJS-2025-004: Prototype Pollution in Object Merger Utility

Severity: Medium
Affected Versions: v3.0.0 - v4.1.0
Fixed In: v3.0.12, v4.1.1
Published Date: March 30, 2025
CVE: CVE-2025-6543

Description: A vulnerability in the object merger utility could allow an attacker to pollute JavaScript prototype objects, potentially leading to property injection attacks.
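As an added example (not Bleu.js code, and not a claim about how the affected utility is written), the block below shows the class of bug: a recursive merge that follows a `__proto__` key from untrusted JSON into `Object.prototype`, beside a hardened merge. `unsafeMerge`, `safeMerge` and the payload are illustrative names and constructed input.

```javascript
// Added example (not Bleu.js code): a recursive object merge of the kind the advisory
// describes, first in a vulnerable form and then hardened. `unsafeMerge`, `safeMerge`
// and the payload below are illustrative, not the library's own API.

// Vulnerable: walks every key of `source`, including "__proto__". Reading
// target["__proto__"] on a plain object returns Object.prototype, so the recursion
// writes the attacker's nested keys onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be taken from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (typeof v !== 'object' || v === null) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened: only own enumerable keys, prototype-related keys rejected outright,
// and nested containers reached only through own properties of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse creates an *own*
// property literally named "__proto__", which is what the vulnerable merge follows.
const ATTACK_PAYLOAD = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

// Returns true if the merge polluted Object.prototype (observable on a fresh object).
function demoUnsafeMerge() {
  unsafeMerge({}, JSON.parse(ATTACK_PAYLOAD));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so the rest of the process is unaffected
  return polluted;
}

// Returns {threw, polluted}: the hardened merge rejects the payload and leaves the prototype clean.
function demoSafeMerge() {
  let threw = false;
  try {
    safeMerge({}, JSON.parse(ATTACK_PAYLOAD));
  } catch (e) {
    threw = true;
  }
  return { threw, polluted: ({}).isAdmin === true };
}

// Benign input merges normally with the hardened version.
function demoSafeMergeBenign() {
  return safeMerge({ server: { port: 80, tls: false } }, { server: { tls: true }, name: 'api' });
}
```

Rejecting the key (rather than silently skipping it) is a design choice: a `__proto__` key in a request body is never legitimate, and failing loudly makes the attempt visible in logs.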

BLJS-2025-005: Information Disclosure in Error Responses

Severity: Low
Affected Versions: v4.0.0 - v4.1.5
Fixed In: v4.1.6
Published Date: March 12, 2025
CVE: CVE-2025-5432

Description: Detailed error messages could expose sensitive system information when applications are running in production mode with certain configurations.

BLJS-2024-011: Path Traversal in File System Module

Severity: High
Affected Versions: v2.5.0 - v3.2.8
Fixed In: v2.5.12, v3.2.9
Published Date: December 5, 2024
CVE: CVE-2024-9871

Description: Improper path validation in the file system module could allow attackers to access files outside intended directories through directory traversal.

Reporting a Vulnerability

If you believe you've found a security vulnerability in Bleu.js, please report it to our security team. Do not disclose it publicly until we've had a chance to address it.

Learn how to report a vulnerability