RequireJS on Node.js: Malicious Code Execution via Prototype Pollution
OESA-2026-1600
Summary
If you're using RequireJS on your Node.js server, an attacker could inject malicious code or crash your server by manipulating how it loads JavaScript modules. Update to the latest version of RequireJS to fix this security issue.
What to do
- Update nodejs-requirejs to version 2.1.11-3.oe2403sp3.
- Update nodejs-requirejs to version 2.1.11-3.oe2403sp1.
- Update nodejs-requirejs to version 2.1.11-3.oe2403sp2.
- Update nodejs-requirejs to version 2.1.11-3.oe2003sp4.
- Update nodejs-requirejs to version 2.1.11-3.oe2203sp4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | nodejs-requirejs | <= 2.1.11-3.oe2403sp3 | 2.1.11-3.oe2403sp3 |
| – | nodejs-requirejs | <= 2.1.11-3.oe2403sp1 | 2.1.11-3.oe2403sp1 |
| – | nodejs-requirejs | <= 2.1.11-3.oe2403sp2 | 2.1.11-3.oe2403sp2 |
| – | nodejs-requirejs | <= 2.1.11-3.oe2003sp4 | 2.1.11-3.oe2003sp4 |
| – | nodejs-requirejs | <= 2.1.11-3.oe2203sp4 | 2.1.11-3.oe2203sp4 |
Original title
nodejs-requirejs security update
Original description
RequireJS is a JavaScript file and module loader. It is optimized for in-browser use, but it can be used in other JavaScript environments, like Rhino and Node. Using a modular script loader like RequireJS will improve the speed and quality of your code.
Security Fix(es):
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. (CVE-2024-38999)
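The flaw class named in the description above, shown as an added example that is not code from this advisory or from RequireJS: a recursive configuration merge that writes through `__proto__`, next to a hardened merge and a runtime check for pollution. The helpers `unsafeMerge`, `safeMerge`, `pollutedKeys` and `demo`, and the sample input, are hypothetical and constructed here.

```javascript
// Keys through which a recursive merge can reach a shared prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern (hypothetical helper): recurses into whatever target[key]
// returns. For the key "__proto__" on a plain object that is Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: own keys only, dangerous keys skipped, and recursion only
// into objects the target itself owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check: a clean runtime has no enumerable keys on Object.prototype.
function pollutedKeys() {
  const found = [];
  for (const key in {}) found.push(key);
  return found;
}

function demo() {
  // Constructed sample standing in for configuration from an untrusted source.
  const untrusted = JSON.parse('{"baseUrl": "/js", "__proto__": {"polluted": true}}');
  safeMerge({}, untrusted);
  const afterSafe = pollutedKeys();
  unsafeMerge({}, untrusted);
  const afterUnsafe = pollutedKeys();
  delete Object.prototype.polluted; // undo the demonstration's change
  return { afterSafe, afterUnsafe, afterCleanup: pollutedKeys() };
}
```

A non-empty result from `pollutedKeys()` in a running service means every object in the process inherits the listed properties, which is what makes this flaw class reach code far from the merge itself.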
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-38999 Vendor Advisory
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026