Red Hat Rhdh
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Rhdh.
By the Year
In 2026 there have been 3 vulnerabilities in Red Hat Rhdh with an average score of 8.5 out of ten. Last year, in 2025 Rhdh had 5 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Rhdh in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 2.43.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 3 | 8.47 |
| 2025 | 5 | 6.04 |
| 2024 | 3 | 6.37 |
It may take a day or so for new Rhdh vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Rhdh Security Vulnerabilities
Prototype Pollution via __proto__ in flatted prior to 3.4.2
CVE-2026-33228
9.8 - Critical
- March 20, 2026
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Prototype Pollution
Red Hat Dev Hub Orchestrator Plug. DoS via GQL Input Injection
CVE-2026-3118
6.5 - Medium
- February 25, 2026
A security flaw was identified in the Orchestrator Plugin of Red Hat Developer Hub (Backstage). The issue occurs due to insufficient input validation in GraphQL query handling. An authenticated user can inject specially crafted input into API requests, which disrupts backend query processing. This results in the entire Backstage application crashing and restarting, leading to a platform-wide Denial of Service (DoS). As a result, legitimate users temporarily lose access to the platform.
SQL Injection
React Router createFileSessionStorage path traversal before 7.9.4/2.17.2
CVE-2025-61686
9.1 - Critical
- January 10, 2026
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2.
Directory traversal
Nodemailer DoS via crafted email header triggers infinite recursion
CVE-2025-14874
7.5 - High
- December 18, 2025
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Improper Check or Handling of Exceptional Conditions
Email Parser Vulnerability: Quoted External Address Escapes Recipient
CVE-2025-13033
7.5 - High
- November 14, 2025
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
Improper Validation of Syntactic Correctness of Input
Insufficient Access Control in Red Hat Developer Hub Container Image
CVE-2025-5417
6.1 - Medium
- August 19, 2025
An insufficient access control vulnerability was found in the Red Hat Developer Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the rhdh/rhdh-hub-rhel9 container image and modify the image's content. This issue affects the confidentiality and integrity of the data, and any changes made are not permanent, as they reset after the pod restarts.
Incorrect Privilege Assignment
CIRCL FourQ RCE via Low-Order Point Injection in Diffie-Hellman
CVE-2025-8556
3.7 - Low
- August 06, 2025
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
Improper Validation of Specified Type of Input
serialize-javascript XSS via unsanitized regex input
CVE-2024-11831
5.4 - Medium
- February 10, 2025
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
XSS
Keycloak XSS via Malicious ACS URLs (CVE-2023-6717)
CVE-2023-6717
6 - Medium
- April 25, 2024
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.
XSS
Keycloak OIDC checkLoginIframe DoS via unvalidated cross-origin messages
CVE-2024-1249
7.4 - High
- April 17, 2024
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
Origin Validation Error
Red Hat Developer Hub (RHDH) Access Token Leak via Catalog-Import
CVE-2023-6944
5.7 - Medium
- January 04, 2024
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw access token. Upon gaining access to this token and depending on permissions, an attacker could push malicious code to repositories, delete resources in Git, revoke or generate new keys, and sign code illegitimately.
Generation of Error Message Containing Sensitive Information
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Rhdh or by Red Hat? Click the Watch button to subscribe.
