Last Week in AppSec for 29. January 2026 - Checkmarx

Last Week in AppSec for 29. January 2026

Denial of Service in Java SE and React server, and pnpm lets a directory traversal (Zip) slip in. Last week in AppSec.

In this edition of Last Week In AppSec, we find a couple of DoS issues in popular tools like Java SE (and GraalVM) and React, along with a surprise directory traversal in the pnpm package manager for npm.

Oracle Java SE / GraalVM: remote DoS in sandboxed client contexts (CVE-2026-21945)

Oracle Java SE SDK, including GraalVM, has an easily exploitable vulnerability that at minimum can result in a Denial of Service (DoS) leading to a crash. Crashing bugs should always be prioritized highly, though, because if an adversary can force a crash, that is often a stepping stone to a more serious issue (like an RCE).

However, despite its high CVSS score, most organizations are unlikely to be supplying untrusted code to these systems in most deployments – meaning that while you should plan to update (and may have to in high-compliance environments), for most teams it isn’t going to be a significant priority.

If you do have a system that runs code from untrusted sources (for example, if your product is something that runs your customers’ code for any reason), then you should treat this as a much higher priority.

Affected:

  • Java SE 8 (and variants), 11.0.29, 17.0.17, 21.0.9, 25.0.1; GraalVM for JDK 17.0.17 / 21.0.9
  • GraalVM EE 21.3.16
  • Any products or components that integrate the above

If you have a high-risk use case and are unable to upgrade promptly, make sure your systems-monitoring tools are watching for and flagging signs of compromise, such as unusually frequent crashes.


React has a DoS too (CVE-2026-23864)

The 19.x tree of React, the popular JavaScript / Node framework, is vulnerable to a DoS when using Server Function endpoints. This is a resource-exhaustion type flaw, allowing attackers to send malicious HTTP requests to those endpoints that will consume resources without limit, eventually causing reduced performance, increased operations costs, and even system failures.

Fortunately, you can use Checkmarx SCA to identify the vulnerable versions for upgrade, and search your Global Inventory to see where you’re using the affected components: react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack in React versions prior to 19.0.4 / 19.1.5 / 19.2.4.

AI Estimated CPE: cpe:2.3:a:meta:react_server_components:*:*:*:*:*:node.js:*:*

If upgrades are difficult or expensive, rate-limiting access to Server Function endpoints using your edge infrastructure (reverse proxies, WAF, etc.) and setting sensible worker pool configurations can limit damage. But I wouldn’t recommend relying on this as a “fix”; it only reduces the harm until you can upgrade.

pnpm Package Manager lets malicious content slip by its defenses (CVE-2026-23888)

CVE-2026-23888, CVSS v3.1 = 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N): pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

In versions of pnpm prior to 10.28.1, adversaries could bypass the tool’s restrictions on where extracted package contents may be written, simply by constructing an archive (.zip, etc.) whose entry names contain traversal sequences such as ../../../../../../../usr/bin/malware-binary. This kind of archive path traversal (sometimes called “Zip Slip”) is often overlooked by developers, and it looks like the pnpm team missed it too.

Because this allows attackers to drop files pretty much wherever they want (as long as the user running pnpm has permissions), attackers can:

  • cause damage by overwriting sensitive files
  • replace configurations; for example, causing future invocations of pnpm to use an attacker-controlled npm alternative registry full of malware
  • potentially create an RCE under certain conditions

It’s important to update CI/CD configurations quickly, and to ensure developers know to upgrade to pnpm 10.28.1 or later. To determine your version, simply run:

pnpm -v

Tags: Java, JavaScript, Node.js, NPM, pnpm, React