
AIKIDO-2026-11087

hot-shots is vulnerable to Injection

Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

63

Medium Risk

This Affects:

hot-shots (JS)
0.0.1 - 14.3.1
Fixed in 15.0.0

TL;DR

The hot-shots StatsD client builds metric packets from caller-supplied metric names, tag keys, and tag values. Before the fix, carriage-return characters (\r) were not stripped from these fields, so a receiver that splits records on \r could accept injected, attacker-influenced metric lines. In addition, the transport sockets had no default error listener, so an unhandled socket error could terminate the Node.js host process, and an invalid or oversized bufferFlushInterval value could force a rapid buffer-flush loop that exhausts CPU. Version 15.0.0 strips \r, attaches safe default error handlers, validates flush intervals, and wraps interval flushes so that they cannot crash the host.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

hot-shots is vulnerable to Injection in versions 0.0.1 - 14.3.1.

How to fix this

Upgrade hot-shots to version 15.0.0 or later, the release that contains the fix.