Security Advisories
This page lists security vulnerabilities that have been identified and fixed in Bleu.js. We encourage all users to keep their installations up to date with the latest security patches.
Security Announcement: New security releases will be made available on Wednesday, May 14, 2025. We strongly recommend that all users update to the latest version as soon as possible. See this blog post for more details.
| ID | Title | Severity | Affected Versions | Published |
|---|---|---|---|---|
| BLJS-2025-001 | Authentication Bypass in Bleu.js API Client | Critical | v4.0.0 - v4.2.3 | May 14, 2025 |
| BLJS-2025-002 | Remote Code Execution via Template Injection | High | v3.8.0 - v4.1.2 | May 2, 2025 |
| BLJS-2025-003 | Cross-Site Scripting in Documentation Generator | Medium | v3.5.0 - v4.0.5 | April 18, 2025 |
| BLJS-2025-004 | Prototype Pollution in Object Merger Utility | Medium | v3.0.0 - v4.1.0 | March 30, 2025 |
| BLJS-2025-005 | Information Disclosure in Error Responses | Low | v4.0.0 - v4.1.5 | March 12, 2025 |
| BLJS-2024-011 | Path Traversal in File System Module | High | v2.5.0 - v3.2.8 | December 5, 2024 |
BLJS-2025-001: Authentication Bypass in Bleu.js API Client
Severity: Critical
Affected Versions: v4.0.0 - v4.2.3
Fixed In: v4.2.4
Published Date: May 14, 2025
CVE: CVE-2025-9876
Description: A vulnerability in the Bleu.js API client could allow attackers to bypass authentication controls when specific header combinations are used.
BLJS-2025-002: Remote Code Execution via Template Injection
Severity: High
Affected Versions: v3.8.0 - v4.1.2
Fixed In: v3.8.7, v4.1.3
Published Date: May 2, 2025
CVE: CVE-2025-8765
Description: Improper sanitization of user-supplied template strings could lead to remote code execution in applications using the template renderer component.
BLJS-2025-003: Cross-Site Scripting in Documentation Generator
Severity: Medium
Affected Versions: v3.5.0 - v4.0.5
Fixed In: v3.5.9, v4.0.6
Published Date: April 18, 2025
CVE: CVE-2025-7654
Description: The documentation generator component did not properly sanitize user input when generating API documentation, potentially leading to stored XSS attacks.
BLJS-2025-004: Prototype Pollution in Object Merger Utility
Severity: Medium
Affected Versions: v3.0.0 - v4.1.0
Fixed In: v3.0.12, v4.1.1
Published Date: March 30, 2025
CVE: CVE-2025-6543
Description: A vulnerability in the object merger utility could allow an attacker to pollute JavaScript prototype objects, potentially leading to property injection attacks.
BLJS-2025-005: Information Disclosure in Error Responses
Severity: Low
Affected Versions: v4.0.0 - v4.1.5
Fixed In: v4.1.6
Published Date: March 12, 2025
CVE: CVE-2025-5432
Description: Detailed error messages could expose sensitive system information when applications are running in production mode with certain configurations.
BLJS-2024-011: Path Traversal in File System Module
Severity: High
Affected Versions: v2.5.0 - v3.2.8
Fixed In: v2.5.12, v3.2.9
Published Date: December 5, 2024
CVE: CVE-2024-9871
Description: Improper path validation in the file system module could allow attackers to access files outside intended directories through directory traversal.
Reporting a Vulnerability
If you believe you've found a security vulnerability in Bleu.js, please report it to our security team. Do not disclose it publicly until we've had a chance to address it.
Learn how to report a vulnerability