Red Hat Serverless
Recent Red Hat Serverless Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2025:8670 | (RHSA-2025:8670) Moderate: Release of OpenShift Serverless Logic 1.36.0 security update & enhancements | June 9, 2025 |
| RHSA-2025:0664 | (RHSA-2025:0664) Moderate: Release of OpenShift Serverless Logic 1.35.0 security update & enhancements | January 23, 2025 |
| RHSA-2024:8023 | (RHSA-2024:8023) Important: Release of OpenShift Serverless Logic 1.34.0 security update & enhancements | October 14, 2024 |
| RHSA-2024:4867 | (RHSA-2024:4867) Moderate: Release of openshift-serverless-clients kn 1.33.1 security update and bug fixes | July 25, 2024 |
| RHSA-2024:4057 | (RHSA-2024:4057) Important: Release of OpenShift Serverless Logic 1.33.0 security update & enhancements | June 24, 2024 |
| RHSA-2024:4028 | (RHSA-2024:4028) Moderate: Release of OpenShift Serverless 1.33.0 security update & enhancements | June 20, 2024 |
| RHSA-2024:4023 | (RHSA-2024:4023) Important: Release of openshift-serverless-clients kn 1.33.0 security update & enhancements | June 20, 2024 |
| RHSA-2024:1333 | (RHSA-2024:1333) Moderate: Release of OpenShift Serverless 1.32.0 | March 14, 2024 |
| RHSA-2024:0880 | (RHSA-2024:0880) Critical: Release of OpenShift Serverless Client kn 1.31.1 security update | February 20, 2024 |
| RHSA-2024:0843 | (RHSA-2024:0843) Critical: Release of OpenShift Serverless 1.31.1 | February 15, 2024 |
By the Year
In 2025 there have been 3 vulnerabilities in Red Hat Serverless, with an average CVSS base score of 6.2 out of 10. In 2024, Serverless had 9 security vulnerabilities published, so 2025 is on track to have fewer vulnerabilities than last year. The 2024 average base score was higher by 0.50.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 3 | 6.23 |
| 2024 | 9 | 6.73 |
| 2023 | 1 | 8.10 |
It may take a day or so for new Serverless vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Serverless Security Vulnerabilities
Nx npm package tampering: FS scan and credential exfil to GitHub
CVE-2025-10894
9.6 - Critical
- September 24, 2025
Malicious code was inserted into the Nx build-system package and several related plugins, and the tampered packages were published to the npm registry in a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and exfiltrates them to GitHub by creating a repository under the victim's own account.
Embedded Malicious Code
CIRCL FourQ Session Compromise via Low-Order Point Injection in Diffie-Hellman
CVE-2025-8556
3.7 - Low
- August 06, 2025
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. Because points received during a Diffie-Hellman key exchange are not correctly validated, an attacker can inject a low-order point and compromise the security of the resulting session.
Improper Verification of Cryptographic Signature
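The validation the description says was missing, as an added illustration (not CIRCL's code, and on X25519 rather than FourQ, since Go's standard library carries no FourQ): a peer-supplied point in the small subgroup sends the scalar multiplication to the identity, so the "shared secret" collapses to a value the attacker already knows and must be refused. The blacklist constants are the well-known Curve25519 small-order u-coordinates; `crypto/ecdh` (Go 1.20 or later) is assumed.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// LowOrderU lists little-endian u-coordinates of small-order points on
// Curve25519, the usual blacklist for detecting small-subgroup injection.
// These are well-known public constants, not values taken from the CVE.
var LowOrderU = map[string]string{
	"u=0 (order 2)":   "0000000000000000000000000000000000000000000000000000000000000000",
	"u=1 (order 4)":   "0100000000000000000000000000000000000000000000000000000000000000",
	"order-8 point A": "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800",
	"order-8 point B": "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157",
}

// DeriveShared runs the X25519 agreement with the check a small-subgroup-aware
// implementation needs: a low-order peer point drives the Montgomery ladder to
// the point at infinity, which X25519 encodes as all-zero output, so the
// "shared secret" would be attacker-predictable and must be rejected.
// crypto/ecdh already refuses such points; the explicit all-zero check keeps
// the rule visible for backends that do not.
func DeriveShared(priv *ecdh.PrivateKey, peerU []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerU)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err // crypto/ecdh reports "low order point" here
	}
	var acc byte
	for _, b := range shared {
		acc |= b
	}
	if acc == 0 {
		return nil, errors.New("x25519: peer public key is a low-order point")
	}
	return shared, nil
}

// RejectedLowOrderCount returns how many blacklist points DeriveShared refuses
// for a fresh private key; every one of them should be refused.
func RejectedLowOrderCount() int {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rejected := 0
	for _, h := range LowOrderU {
		u, err := hex.DecodeString(h)
		if err != nil {
			panic(err)
		}
		if _, err := DeriveShared(priv, u); err != nil {
			rejected++
		}
	}
	return rejected
}

// HonestExchangeAgrees runs an ordinary two-party exchange with fresh keys and
// reports whether both sides derive the same, non-zero secret.
func HonestExchangeAgrees() bool {
	a, errA := ecdh.X25519().GenerateKey(rand.Reader)
	b, errB := ecdh.X25519().GenerateKey(rand.Reader)
	if errA != nil || errB != nil {
		return false
	}
	sa, errA := DeriveShared(a, b.PublicKey().Bytes())
	sb, errB := DeriveShared(b, a.PublicKey().Bytes())
	return errA == nil && errB == nil && string(sa) == string(sb)
}

func main() {
	fmt.Printf("rejected %d of %d low-order points\n", RejectedLowOrderCount(), len(LowOrderU))
	fmt.Println("honest exchange agrees:", HonestExchangeAgrees())
}
```

The same rule applies to any curve used for key agreement: either multiply by the cofactor and reject the identity, or check that the received point has the prime order expected. Checking the output for all zeros is the cheapest form of that test on X25519 and is the one RFC 7748 permits.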
serialize-javascript XSS via unsanitized regex input
CVE-2024-11831
5.4 - Medium
- February 10, 2025
A flaw was found in npm-serialize-javascript. The serialize-javascript module does not properly sanitize certain inputs, such as regular expressions and other JavaScript object types, allowing an attacker to inject malicious code into the serialized output. That code can execute when a web browser evaluates the serialized data, resulting in cross-site scripting (XSS). The issue matters most where serialized data is sent to web clients, since it can compromise the website or web application using this package.
XSS
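An added example of the bug class, written in Go rather than taken from the npm package: an attacker-controlled string serialized into a `<script>` block. `text/template` stands in for a serializer that does no context-aware escaping, and `html/template` shows the escaping that stops a `</script>` inside the value from ending the block. The hostile value is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	htmltpl "html/template"
	"strings"
	texttpl "text/template"
)

// HostilePattern is a constructed attacker-controlled value, e.g. a search
// pattern a server echoes back into the page as a client-side RegExp.
const HostilePattern = `</script><script>alert(document.cookie)</script>`

// Both renderers place the value inside a <script> block as a JS string.
const scriptTemplate = `<script>var re = new RegExp({{.}});</script>`

// RenderUnsafe mirrors the bug class: the serialized value is concatenated into
// script text with no context-aware escaping. The HTML parser sees "</script>"
// inside the value, ends the block early, and parses the rest as markup.
func RenderUnsafe(value string) string {
	t := texttpl.Must(texttpl.New("page").Parse(scriptTemplate))
	var buf bytes.Buffer
	if err := t.Execute(&buf, value); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderSafe uses html/template, which tracks that {{.}} sits in a JavaScript
// context and emits the value as a JSON string literal with '<', '>' and '&'
// written as \u003c, \u003e and \u0026, so no "</script" token reaches the
// HTML parser. The JS engine still decodes the escapes to the intended text.
func RenderSafe(value string) string {
	t := htmltpl.Must(htmltpl.New("page").Parse(scriptTemplate))
	var buf bytes.Buffer
	if err := t.Execute(&buf, value); err != nil {
		panic(err)
	}
	return buf.String()
}

// ScriptCloseCount counts "</script>" tokens in the rendered page. The template
// itself contributes exactly one; anything more is a breakout.
func ScriptCloseCount(html string) int {
	return strings.Count(strings.ToLower(html), "</script>")
}

func main() {
	fmt.Println("text/template:", RenderUnsafe(HostilePattern))
	fmt.Println("html/template:", RenderSafe(HostilePattern))
}
```

The point generalizes beyond regular expressions: whatever serializes data for a script context has to know it is in that context, because JavaScript string quoting alone does not stop the HTML tokenizer from acting on `</script`, `<!--` or U+2028.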
Uninitialized Buffer in Go FIPS OpenSSL May Cause False HMAC Match
CVE-2024-9355
6.5 - Medium
- October 01, 2024
A vulnerability was found in Golang FIPS OpenSSL. In FIPS mode, a malicious user can cause an uninitialized buffer-length variable and a zeroed buffer to be returned. When a trusted computed HMAC is compared with an untrusted input sum, an attacker who can supply a zeroed buffer in place of the precomputed sum may force a false-positive match between non-equal hashes. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
Use of Uninitialized Variable
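An added example (not golang-fips code) of the HMAC comparison hazard described above. `ZeroFilledSum` and `EmptySum` are stand-ins for a backend that reports success but hands back a zeroed or empty buffer; `VerifyChecked` adds the length and non-zero checks a caller should make before the constant-time compare. Key and message are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// SumFunc computes an HMAC tag. It is abstracted so that a misbehaving backend
// can be swapped in for the demonstration.
type SumFunc func(key, msg []byte) []byte

// GoodSum is the ordinary crypto/hmac computation.
func GoodSum(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// ZeroFilledSum models the failure mode above: the backend reports success but
// returns a zeroed buffer of the expected size instead of a real tag.
func ZeroFilledSum(key, msg []byte) []byte { return make([]byte, sha256.Size) }

// EmptySum models the variant where the reported length is zero.
func EmptySum(key, msg []byte) []byte { return []byte{} }

// VerifyNaive compares whatever the backend produced against the supplied tag.
// With a degraded backend, an attacker who submits an empty or zeroed tag in
// place of the precomputed sum gets a match without knowing the key.
func VerifyNaive(sum SumFunc, key, msg, tag []byte) bool {
	return hmac.Equal(sum(key, msg), tag)
}

// VerifyChecked refuses to compare unless both the supplied and the computed
// tags have exactly the expected length and the computed tag is not all zero.
// A genuine all-zero HMAC-SHA256 output has probability 2^-256, so rejecting
// it costs nothing and closes the zeroed-buffer case.
func VerifyChecked(sum SumFunc, key, msg, tag []byte) bool {
	if len(tag) != sha256.Size {
		return false
	}
	computed := sum(key, msg)
	if len(computed) != sha256.Size {
		return false
	}
	var acc byte
	for _, b := range computed {
		acc |= b
	}
	if acc == 0 {
		return false
	}
	return hmac.Equal(computed, tag)
}

// Constructed demo inputs; the key is a placeholder, not a real secret.
var (
	DemoKey = []byte("constructed-demo-key")
	DemoMsg = []byte("amount=100&to=alice")
)

func main() {
	zeroTag := make([]byte, sha256.Size)
	fmt.Println("naive + zeroed backend, zero tag accepted:", VerifyNaive(ZeroFilledSum, DemoKey, DemoMsg, zeroTag))
	fmt.Println("naive + empty backend, empty tag accepted:", VerifyNaive(EmptySum, DemoKey, DemoMsg, nil))
	fmt.Println("checked + zeroed backend, zero tag accepted:", VerifyChecked(ZeroFilledSum, DemoKey, DemoMsg, zeroTag))
	fmt.Println("checked + good backend, real tag accepted:", VerifyChecked(GoodSum, DemoKey, DemoMsg, GoodSum(DemoKey, DemoMsg)))
}
```

`hmac.Equal` is constant-time but not a sanity check: two empty slices compare equal, and so do two zeroed ones, which is exactly the situation a faulty crypto backend creates. The same length and non-zero tests belong in front of any derived-key use as well.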
Undertow MaxAge Default -1 Exposes HTTP Learning-Push Handler
CVE-2024-3653
5.3 - Medium
- July 08, 2024
A vulnerability was found in Undertow. It requires the learning-push handler to be enabled in the server configuration (it is disabled by default) with the handler's maxAge setting left unconfigured; the default of -1 is what makes the handler vulnerable. If maxAge is set explicitly, the server is not subject to the attack. The attacker only needs to reach the server with a normal HTTP request.
Memory Leak
Authenticated Registry Access Path Traversal in containers/image
CVE-2024-3727
8.3 - High
- May 14, 2024
A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
Improper Validation of Integrity Check Value
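An added example (not containers/image code) of the validation an image library needs before an untrusted digest is used: a syntactic check against the canonical form, re-hashing of the content when the bytes are available, and a guard that the derived on-disk path stays under the store. The store path, registry and repository names are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// digestRE is the only shape a sha256 content digest may take before it is
// used in a URL or a path: algorithm, colon, exactly 64 lowercase hex digits.
var digestRE = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// DigestOf computes the canonical digest string for a blob.
func DigestOf(content []byte) string {
	sum := sha256.Sum256(content)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ValidateDigest enforces the syntax and, when the bytes are at hand,
// recomputes the hash so a registry cannot hand back substituted content.
func ValidateDigest(digest string, content []byte) error {
	if !digestRE.MatchString(digest) {
		return fmt.Errorf("malformed digest %q", digest)
	}
	if content != nil && DigestOf(content) != digest {
		return errors.New("content does not match digest")
	}
	return nil
}

// BlobPathUnchecked is the pattern to avoid: a digest string taken from a
// registry response is spliced into a local path without validation.
func BlobPathUnchecked(storeDir, digest string) string {
	return filepath.Join(storeDir, "blobs", digest)
}

// BlobPathChecked returns a path under storeDir only for a well-formed digest
// and confirms the cleaned result still lives inside the store.
func BlobPathChecked(storeDir, digest string) (string, error) {
	if err := ValidateDigest(digest, nil); err != nil {
		return "", err
	}
	p := filepath.Join(storeDir, "blobs", strings.Replace(digest, ":", string(filepath.Separator), 1))
	rel, err := filepath.Rel(storeDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("digest path escapes store")
	}
	return p, nil
}

// BlobURLChecked builds the registry request for a blob only after the same
// validation, so a crafted digest cannot steer an authenticated client to a
// different repository or endpoint.
func BlobURLChecked(registry, repo, digest string) (string, error) {
	if err := ValidateDigest(digest, nil); err != nil {
		return "", err
	}
	return fmt.Sprintf("https://%s/v2/%s/blobs/%s", registry, repo, digest), nil
}

func main() {
	evil := "sha256:../../../../etc/cron.d/x"
	fmt.Println("unchecked:", BlobPathUnchecked("/var/lib/store", evil))
	if _, err := BlobPathChecked("/var/lib/store", evil); err != nil {
		fmt.Println("checked:", err)
	}
}
```

Validate the digest string at the trust boundary, where it arrives from the registry, not at each use; the path and URL builders above just refuse to run without that check having passed.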
Quarkus JAX-RS Auth Bypass via Abstract Class Methods
CVE-2023-5675
6.5 - Medium
- April 25, 2024
A flaw was found in Quarkus. When a Quarkus RESTEasy Classic or Reactive JAX-RS endpoint has its methods declared in an abstract Java class, or customized by Quarkus extensions using the annotation processor, authorization for those methods is not enforced even when it is enabled through the 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.
AuthZ
Memory Leak in Eclipse Vert.x TCP TLS Server via Fake SNI
CVE-2024-1300
5.4 - Medium
- April 02, 2024
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
Memory Leak
Vert.x HTTP Client Memory Leak via Netty FastThreadLocal
CVE-2024-1023
6.5 - Medium
- March 27, 2024
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak caused by its use of Netty FastThreadLocal data structures. The leak is triggered when the Vert.x HTTP client establishes connections to many different hosts, and an attacker with detailed knowledge of the runtime can accelerate it. For instance, a server that accepts arbitrary Internet addresses and connects to them could serve as an attack vector, since each new address speeds up the leak.
Memory Leak
Memory Leak in Go RSA (golang-fips/openssl) Leads to Resource Exhaustion
CVE-2024-1394
7.5 - High
- March 21, 2024
A memory leak flaw was found in Golang's RSA encrypting/decrypting code, which an attacker can turn into resource exhaustion using controlled inputs. The leak is in github.com/golang-fips/openssl/openssl/rsa.go#L113, and the leaked objects are pkey and ctx. That function uses named return parameters so that a deferred function can free pkey and ctx if initializing the context or setting its properties fails, but every error return follows the "return nil, nil, fail(...)" pattern, so pkey and ctx are already nil inside the deferred function that should free them.
Memory Leak
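The Go pitfall described above, as an added example (not the golang-fips code; a pair of counters stands in for OpenSSL's free calls): a deferred cleanup that reads named results is defeated by `return nil, nil, err`, while a cleanup that frees through locals captured by the closure is not.

```go
package main

import (
	"errors"
	"fmt"
)

// Handle stands in for a C-side object such as an EVP_PKEY or EVP_PKEY_CTX
// that must be released explicitly.
type Handle struct{ name string }

// Allocated and Freed count handles so a leak is measurable.
var Allocated, Freed int

func alloc(name string) *Handle {
	Allocated++
	return &Handle{name: name}
}

func free(h *Handle) {
	if h != nil {
		Freed++
	}
}

// SetupLeaky reproduces the pattern described above. The deferred function
// reads the named results, but every error path returns `nil, nil, err`, which
// assigns nil to pkey and ctx before the defer runs. Whatever was allocated is
// no longer reachable from the closure and is never freed.
func SetupLeaky(failAt string) (pkey, ctx *Handle, err error) {
	defer func() {
		if err != nil {
			free(pkey) // already nil on every error path
			free(ctx)
		}
	}()
	pkey = alloc("pkey")
	if failAt == "pkey" {
		return nil, nil, errors.New("setting pkey property failed")
	}
	ctx = alloc("ctx")
	if failAt == "ctx" {
		return nil, nil, errors.New("initializing ctx failed")
	}
	return pkey, ctx, nil
}

// SetupFixed frees through locals captured by the closure, so the objects that
// were allocated are the ones released, however the return statement is
// written. Ownership passes to the caller only on success.
func SetupFixed(failAt string) (*Handle, *Handle, error) {
	var pkey, ctx *Handle
	ok := false
	defer func() {
		if !ok {
			free(pkey)
			free(ctx)
		}
	}()
	pkey = alloc("pkey")
	if failAt == "pkey" {
		return nil, nil, errors.New("setting pkey property failed")
	}
	ctx = alloc("ctx")
	if failAt == "ctx" {
		return nil, nil, errors.New("initializing ctx failed")
	}
	ok = true
	return pkey, ctx, nil
}

// LeakedHandles runs setup once, releases what the caller received on success,
// and returns how many handles were allocated but never freed.
func LeakedHandles(setup func(string) (*Handle, *Handle, error), failAt string) int {
	Allocated, Freed = 0, 0
	pkey, ctx, err := setup(failAt)
	if err == nil {
		free(pkey)
		free(ctx)
	}
	return Allocated - Freed
}

func main() {
	for _, failAt := range []string{"pkey", "ctx", ""} {
		fmt.Printf("failAt=%q leaky=%d fixed=%d\n", failAt,
			LeakedHandles(SetupLeaky, failAt), LeakedHandles(SetupFixed, failAt))
	}
}
```

An equally valid fix keeps the named results but replaces `return nil, nil, err` with `err = ...; return` (a bare return), so the defer still sees the handles. Either way, the reviewable rule is that the variables a deferred cleanup reads must be the ones that hold the allocations at the moment the defer runs.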
Undertow WriteTimeoutStreamSinkConduit Causing Memory/File Exhaustion
CVE-2024-1635
7.5 - High
- February 19, 2024
A vulnerability was found in Undertow. It affects servers that support the wildfly-http-client protocol. Whenever a malicious user opens a connection to the server's HTTP port and closes it immediately, the server eventually exhausts both memory and its open-file limit, depending on how much memory is available. At the HTTP upgrade to Remoting, WriteTimeoutStreamSinkConduit leaks connections if the RemotingConnection is closed by the Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an outer layer around it, and the remoting connection is unaware of that outermost layer when it closes during the connection-opening procedure; the Undertow WriteTimeoutStreamSinkConduit is therefore never notified of the closed connection. Since WriteTimeoutStreamSinkConduit creates a timeout task that is added to an XNIO WorkerThread, the whole dependency tree leaks through that task: the worker thread points to the Undertow conduit, which holds the connections.
Resource Exhaustion
Keycloak Redirect URI Validation Bypass Token Theft
CVE-2023-6291
7.1 - High
- January 26, 2024
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.
Open Redirect
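An added example (not Keycloak's validator) of the strict `redirect_uri` matching an authorization server needs: parse the value, then compare its components against pre-registered URIs, refusing userinfo, fragments and scheme-relative forms outright. The registered URIs and the bypass candidates are constructed; `NaivePrefixAllows` shows the raw string-prefix logic that such candidates are built to slip past.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// RegisteredRedirects are the pre-registered absolute URIs for a constructed
// client. An authorization server should accept nothing else.
var RegisteredRedirects = []string{
	"https://app.example.com/callback",
	"https://app.example.com/oauth/return",
}

// NaivePrefixAllows is the kind of check that a host-confusion payload slips
// past: a raw string-prefix test against the registered origin.
func NaivePrefixAllows(candidate string) bool {
	return strings.HasPrefix(candidate, "https://app.example.com")
}

// ValidateRedirectURI parses the value and requires scheme, host, port, path
// and query to match a registered URI exactly. Userinfo and fragments are
// refused because they are the classic way to build a URI that reads as the
// allowed host to a human but sends the browser elsewhere.
func ValidateRedirectURI(candidate string) (string, error) {
	u, err := url.Parse(candidate)
	if err != nil {
		return "", err
	}
	if !u.IsAbs() || u.Host == "" {
		return "", errors.New("redirect_uri must be an absolute URI")
	}
	if u.User != nil || u.Fragment != "" {
		return "", errors.New("redirect_uri must not carry userinfo or a fragment")
	}
	if u.Scheme != "https" {
		return "", errors.New("redirect_uri must use https")
	}
	for _, reg := range RegisteredRedirects {
		r, err := url.Parse(reg)
		if err != nil {
			continue
		}
		if strings.EqualFold(u.Hostname(), r.Hostname()) &&
			u.Port() == r.Port() && u.Path == r.Path && u.RawQuery == r.RawQuery {
			return reg, nil
		}
	}
	return "", errors.New("redirect_uri is not registered for this client")
}

// Bypasses are constructed values that each resemble the allowed host.
var Bypasses = []string{
	"https://app.example.com.evil.test/callback",      // registered host as a subdomain label
	"https://app.example.com@evil.test/callback",      // registered host in userinfo
	"https://evil.test/callback#@app.example.com",     // registered host in fragment
	"https://app.example.com/callback/../admin",       // dot segment after the path
	"https://app.example.com/callback?next=evil.test", // unregistered query
	"http://app.example.com/callback",                 // downgrade to http
	"//app.example.com/callback",                      // scheme-relative
}

func main() {
	for _, c := range append([]string{"https://app.example.com/callback"}, Bypasses...) {
		_, err := ValidateRedirectURI(c)
		fmt.Printf("%-50s strict=%v naive=%v\n", c, err == nil, NaivePrefixAllows(c))
	}
}
```

The comparison is deliberately component-wise rather than string-wise so that case differences in the scheme or host are tolerated while anything in the path, port or query is not; normalizing a default `:443` to the empty port is a policy choice left out here, and wildcard hosts are avoided entirely because every wildcard is a new place for confusion like the first bypass above.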
Quarkus HTTP Security Policy Bypass via Unsanitized Character Permutations
CVE-2023-4853
8.1 - High
- September 20, 2023
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Improper Neutralization of Input Leaders
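An added example (not Quarkus's policy code) of evaluating a path-based authorization policy before and after canonicalization. `ProtectedPrefixes` and the permutation list are constructed; the normalization steps (percent-decode, strip `;params`, collapse slashes, resolve dot segments) are the usual ones and must mirror exactly what the routing layer does, since any difference between the two is itself a bypass.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ProtectedPrefixes maps a path prefix to the role it requires; everything
// else is public. A constructed policy, not Quarkus's configuration syntax.
var ProtectedPrefixes = map[string]string{"/admin": "admin"}

// RequiredRoleRaw evaluates the policy against the path exactly as received.
// Spellings that the routing layer later collapses to "/admin/..." do not
// start with "/admin" here, so they are judged public.
func RequiredRoleRaw(requestPath string) string {
	for prefix, role := range ProtectedPrefixes {
		if requestPath == prefix || strings.HasPrefix(requestPath, prefix+"/") {
			return role
		}
	}
	return ""
}

// NormalizePath canonicalizes the request target before any policy lookup:
// percent-decode, strip ";param" suffixes from each segment, collapse repeated
// slashes and resolve dot segments. Decoding comes first so an encoded "/" or
// "." cannot survive into matching.
func NormalizePath(requestPath string) (string, error) {
	decoded, err := url.PathUnescape(requestPath)
	if err != nil {
		return "", err
	}
	segs := strings.Split(decoded, "/")
	for i, s := range segs {
		if j := strings.IndexByte(s, ';'); j >= 0 {
			segs[i] = s[:j]
		}
	}
	return path.Clean("/" + strings.Join(segs, "/")), nil
}

// RequiredRoleNormalized applies the same policy to the canonical form, so
// every spelling of a protected path gets the same decision.
func RequiredRoleNormalized(requestPath string) (string, error) {
	p, err := NormalizePath(requestPath)
	if err != nil {
		return "", err
	}
	return RequiredRoleRaw(p), nil
}

// AdminPermutations are constructed spellings that all resolve to /admin/users.
var AdminPermutations = []string{
	"/admin/users",
	"//admin/users",
	"/admin//users",
	"/%61dmin/users",
	"/admin%2Fusers",
	"/public/../admin/users",
	"/admin;x=1/users",
	"/./admin/users",
}

// BypassesRaw returns the permutations the raw matcher treats as public.
func BypassesRaw() []string {
	var out []string
	for _, p := range AdminPermutations {
		if RequiredRoleRaw(p) == "" {
			out = append(out, p)
		}
	}
	return out
}

// BypassesNormalized returns the permutations that still slip past after
// normalization; the expected answer is none.
func BypassesNormalized() []string {
	var out []string
	for _, p := range AdminPermutations {
		role, err := RequiredRoleNormalized(p)
		if err != nil || role == "" {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	fmt.Println("raw matcher bypassed by:", BypassesRaw())
	fmt.Println("normalized matcher bypassed by:", BypassesNormalized())
}
```

A safer deployment also fails closed: if a request path cannot be decoded or still contains characters the router would treat specially after normalization, reject it rather than let it fall through to the public default.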