RHSA-2026:6192 | High | CVSS 8.8

Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.27.0 Release.

Published: March 30, 2026
Last Modified: June 3, 2026

🔗 CVE IDs covered (19)

📋 Description

CVE-2025-13465 — lodash: prototype pollution in _.unset and _.omit functions
CVE-2025-54386 — traefik: Traefik's Client Plugin is Vulnerable to Path Traversal, Arbitrary File Overwrites and Remote Code Execution
CVE-2025-61726 — golang: net/url: Memory exhaustion in query parameter parsing in net/url
CVE-2025-61728 — golang: archive/zip: Excessive CPU consumption when building archive index in archive/zip
CVE-2025-61729 — crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
CVE-2025-64756 — glob: glob: Command Injection Vulnerability via Malicious Filenames
CVE-2025-68121 — crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption
CVE-2025-69873 — ajv: ReDoS via $data reference
CVE-2026-1002 — io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
CVE-2026-22045 — traefik: Traefik: Denial of Service via ACME TLS-ALPN fast path resource exhaustion
CVE-2026-23745 — node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
CVE-2026-23950 — node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
CVE-2026-24049 — wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking
CVE-2026-24842 — node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
CVE-2026-25223 — Fastify: Fastify: Validation bypass due to malformed Content-Type header leading to integrity impact
CVE-2026-25639 — axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
CVE-2026-25949 — github.com/traefik/traefik: Traefik: Denial of Service via stalled STARTTLS requests
CVE-2026-26960 — node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
CVE-2026-26996 — minimatch: minimatch: Denial of Service via specially crafted glob patterns

🔗 References (23)