nim-lang/Nim

GitHub

github.com

nim-lang.org

Releases71

Frequency2 months 1 week

Last Release about 1 month ago

Stars18K

Nim is a statically typed compiled systems programming language. It combines successful concepts from mature languages like Python, Ada and Modula. Its design focuses on efficiency, expressiveness, and elegance (in that order of priority).

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2021-46872 ↗	Jan 13, 2023Friday, 13 January 2023, 06:15	6.1 MEDIUM	—
An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)
CVE-2022-23602 ↗	Feb 1, 2022Tuesday, 1 February 2022, 11:15	7.7 HIGH	5.5 MEDIUM
Nimforum is a lightweight alternative to Discourse written in Nim. In versions prior to 2.2.0 any forum user can create a new thread/post with an include referencing a file local to the host operating system. Nimforum will render the file if able. This can also be done silently by using NimForum's post "preview" endpoint. Even if NimForum is running as a non-critical user, the forum.json secrets can be stolen. Version 2.2.0 of NimForum includes patches for this vulnerability. Users are advised to upgrade as soon as is possible. There are no known workarounds for this issue.
CVE-2021-21374 ↗	Mar 26, 2021Friday, 26 March 2021, 22:15	8.1 HIGH	6.8 MEDIUM
Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to perform MitM can deliver a modified package list containing malicious software packages. If the packages are installed and used the attack escalates to untrusted code execution.
CVE-2020-15690 ↗	Jan 30, 2021Saturday, 30 January 2021, 06:15	9.8 CRITICAL	7.5 HIGH
In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character.
CVE-2020-15692 ↗	Aug 14, 2020Friday, 14 August 2020, 19:15	9.8 CRITICAL	10 HIGH
In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands.
CVE-2020-15693 ↗	Aug 14, 2020Friday, 14 August 2020, 19:15	6.5 MEDIUM	6.4 MEDIUM
In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or values.
CVE-2020-15694 ↗	Aug 14, 2020Friday, 14 August 2020, 19:15	7.5 HIGH	5 MEDIUM
In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length.