From 3c5834e8830578115d97f93c620f1440567dce0f Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Wed, 16 Jul 2025 17:19:42 -0300
Subject: [PATCH] Sync security vulnerabilities
---
vuln/core/154.json | 14 ++++++++++++++
vuln/core/155.json | 14 ++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 vuln/core/154.json
create mode 100644 vuln/core/155.json
diff --git a/vuln/core/154.json b/vuln/core/154.json
new file mode 100644
index 00000000..e582d944
--- /dev/null
+++ b/vuln/core/154.json
@@ -0,0 +1,14 @@
+{
+ "cve": [
+ "CVE-2025-27210"
+ ],
+ "vulnerable": "20.x || 22.x || 24.x",
+ "patched": "^20.19.4 || ^22.17.1 || ^24.4.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases/",
+ "description": "Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()",
+ "overview": "An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. \n\nThis vulnerability affects Windows users of `path.join` API.",
+ "affectedEnvironments": [
+ "win32"
+ ],
+ "severity": "high"
+}
diff --git a/vuln/core/155.json b/vuln/core/155.json
new file mode 100644
index 00000000..dce073b6
--- /dev/null
+++ b/vuln/core/155.json
@@ -0,0 +1,14 @@
+{
+ "cve": [
+ "CVE-2025-27209"
+ ],
+ "vulnerable": "24.x",
+ "patched": "^24.4.1",
+ "ref": "https://nodejs.org/en/blog/vulnerability/july-2025-security-releases/",
+ "description": "HashDoS in V8",
+ "overview": "The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed.\n\n* This vulnerability affects Node.js v24.x users.",
+ "affectedEnvironments": [
+ "all"
+ ],
+ "severity": "high"
+}
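Review bot: The `description` and `overview` fields of vuln/core/154.json disagree on the affected API: the description names `path.normalize()` while the overview says the issue "affects Windows users of `path.join` API". Tools that surface these records will show the two strings side by side, so a reader cannot tell which call to audit; which one is authoritative should be confirmed against the linked advisory, and the record should then name the same API in both fields (or both APIs, if `path.join` is affected because it normalizes internally). The overview also has a stray space before the paragraph break, `AUX. \n\n`, which should be `AUX.\n\n`. The `vulnerable`/`patched` ranges cover only the 20, 22 and 24 lines, which matches the release lines the overview implies but is worth a glance if the database is expected to list EOL lines as vulnerable.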
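Review bot: The `overview` in vuln/core/155.json ends with a markdown bullet, `* This vulnerability affects Node.js v24.x users.`, whereas the sibling record 154.json added in this same commit writes the equivalent closing sentence as plain prose; the field is otherwise plain text, so consumers that do not render markdown will print a literal asterisk. Suggest dropping the bullet marker so the two records read consistently: `"...even without knowing the hash-seed.\n\nThis vulnerability affects Node.js v24.x users."`. The `vulnerable` range `24.x` with `patched` `^24.4.1` is consistent with the overview's statement that the hashing change arrived with the V8 shipped in v24.0.0.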