Joyent
By the Year
In 2026 there have been 0 vulnerabilities in Joyent. Last year, in 2025, Joyent had 1 security vulnerability published. Right now, Joyent is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 1 | 5.50 |
| 2021 | 0 | 0.00 |
| 2020 | 2 | 8.50 |
| 2019 | 0 | 0.00 |
| 2018 | 8 | 7.16 |
It may take a day or so for new Joyent vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Joyent Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-30234 | Mar 19, 2025 | Static Host SSH Keys in SmartOS Triton Images: SmartOS, as used in Triton Data Center and other products, has static host SSH keys in the 60f76fd2-143f-4f57-819b-1ae32684e81b image (a Debian 12 LX zone image from 2024-07-26). | |
| CVE-2021-43395 | Dec 26, 2022 | Illumos Kernel Deadlock via rename/rmdir on tmpfs (before f859e7171): An issue was discovered in illumos before f859e7171bb5db34321e45585839c6c3200ebb90, OmniOS Community Edition r151038, OpenIndiana Hipster 2021.04, and SmartOS 20210923. A local unprivileged user can cause a deadlock and kernel panic via crafted rename and rmdir calls on tmpfs filesystems. Oracle Solaris 10 and 11 are also affected. | |
| CVE-2020-27678 | Oct 26, 2020 | An issue was discovered in illumos before 2020-10-22, as used in OmniOS before r151030by, r151032ay, and r151034y and SmartOS before 20201022. There is a buffer overflow in parse_user_name in lib/libpam/pam_framework.c. | |
| CVE-2020-7712 | Aug 30, 2020 | This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function. | |
| CVE-2018-12116 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to be made to the same server. | |
| CVE-2018-12121 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer. | |
| CVE-2018-12122 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly, keeping HTTP or HTTPS connections and associated resources alive for a long period of time. | |
| CVE-2016-9040 | Sep 07, 2018 | An exploitable denial of service exists in the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFSADDENTRIES when used with a 32 bit model. An attacker can cause a buffer to be allocated and never freed. When repeatedly exploited, this will result in memory exhaustion, resulting in a full system denial of service. | |
| CVE-2018-3737 | Jun 07, 2018 | sshpk is vulnerable to ReDoS when parsing crafted invalid public keys. | |
| CVE-2018-1171 | Mar 19, 2018 | This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS release-20170803-20170803T064301Z. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the DTrace DOF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code under the context of the host OS. Was ZDI-CAN-5106. | |