2026-03-25 — 16 findings across ODS stack
Node.js released security patches on March 24, 2026 for all active release lines (20.x, 22.x, 24.x, 25.x), fixing 9 CVEs including 2 HIGH severity. The HIGH CVEs cover a TLS DoS via uncaught exception in SNICallback (CVE-2026-21637) and a DoS via __proto__ header name crash (CVE-2026-21710). Medium-severity issues include a timing side-channel in HMAC verification and an HTTP/2 memory leak.
ODS Impact: ODS runs Node.js 22.x (LTS 'Jod') for the ODS Dashboard (Next.js/Hono). CVE-2026-21637 (TLS DoS) and CVE-2026-21713 (HMAC timing side-channel) directly affect production. Upgrade to Node.js 22.22.2 immediately to patch all 7 CVEs affecting the 22.x line.
CVE-2026-33056 (CVSS 5.1 Medium / Red Hat 4.4) affects the tar-rs crate used by Cargo during package extraction. A malicious crate can follow symlinks to modify permissions on arbitrary directories on the filesystem. Rust 1.94.1 (scheduled March 26, 2026) will update to tar-rs 0.4.45, which patches the issue. crates.io has rejected uploads of crates that exploit the issue since March 13.
ODS Impact: All ODS Rust services (billing-engine, pdf-engine, oid, docstore, etc.) use Cargo for builds. Developers and CI pipelines building crates are exposed until Rust 1.94.1 ships on March 26. Risk is limited to build-time on developer machines and CI — not runtime. Update the toolchain via rustup to 1.94.1 the day it releases.
Next.js 16.2.1 was released on March 20, 2026 as a security patch over 16.2.0. Three CVEs were addressed: CVE-2026-29057 (HTTP proxy request smuggling in rewrites), CVE-2026-27979 (maxPostponedStateSize enforcement bypass), and CVE-2026-27978 (Server Action submissions from privacy-sensitive contexts). The 16.2 line also introduced Turbopack improvements with 200+ bug fixes and ~400% faster dev startup.
ODS Impact: ODS Dashboard (ods-dashboard service) is built on Next.js 16.2.0. Upgrade to 16.2.1 immediately — CVE-2026-29057 (request smuggling) is directly exploitable in apps using Next.js rewrites or proxies, which is the case for ODS Dashboard's Hono proxy layer.
Node.js 22.22.2 'Jod' (LTS) was released on March 24, 2026 as a security-only update. It patches all CVEs from the March 24 batch affecting the 22.x line: CVE-2026-21637 (TLS SNI DoS), CVE-2026-21710 (__proto__ header DoS), CVE-2026-21713 (HMAC timing side-channel), CVE-2026-21714 (HTTP/2 memory leak), CVE-2026-21717 (HashDoS in V8), CVE-2026-21715 (Permission Model bypass), and CVE-2026-21716 (FileHandle chmod patch bypass).
ODS Impact: The ODS platform uses Node.js 22.x (LTS). The previous version, 22.22.1, is vulnerable to 7 CVEs. Upgrade to 22.22.2 in all Node.js containers: ODS Dashboard and any Node.js tooling in CI/CD pipelines.
Coolify beta.470 was released on March 24, 2026 with a security-focused patch. Key fixes include proxy configuration validation, shell argument escaping in deployments (prevents injection), environment variable resolution in compose files, GitHub webhook handling, and hostname validation. New features include EspoCRM one-click template and Nightwatch monitoring. Storage API now exposes UUID endpoints for databases and services.
ODS Impact: ODS infrastructure uses Coolify as the PaaS layer for all service deployments across 4 GCP VPS nodes. The shell argument escaping fix is critical — malicious environment variable values in compose deployments could have executed arbitrary commands. Update Coolify from beta.469 to beta.470 immediately via the Coolify self-update mechanism.
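The class of bug behind the beta.470 shell-escaping fix is untrusted values being spliced into a command string that a shell later parses. The following is an added example, not Coolify's code: a POSIX sh quoter that turns an arbitrary value into a single literal word, shown beside the string-interpolation form it replaces. The `$(echo expanded)` sample value is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the digest or from Coolify): safe quoting of untrusted
# values before they reach a shell, versus naive interpolation.

# unsafe_interpolate VALUE: the "before" pattern. VALUE is pasted into a command
# string and re-parsed, so any $(...), backticks or quotes inside it are executed
# or interpreted by the shell instead of being passed through as data.
unsafe_interpolate() {
    eval "printf '%s' $1"
}

# shell_quote VALUE: print VALUE wrapped in single quotes, rewriting every
# embedded single quote as '\'' so the shell sees exactly one literal word.
# Caveat: the command substitution strips trailing newlines from VALUE.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# quote_roundtrip VALUE: feed the quoted form back through the shell parser and
# print what the shell actually received. For a correct quoter this is VALUE,
# byte for byte, with no expansion having taken place.
quote_roundtrip() {
    eval "printf '%s' $(shell_quote "$1")"
}

# Demonstration on a constructed value that would be interpreted if unquoted.
SAMPLE="it's \$(echo expanded) and \`date\` and \$HOME"
printf 'unsafe : %s\n' "$(unsafe_interpolate 'a$(echo expanded)b')"
printf 'quoted : %s\n' "$(quote_roundtrip "$SAMPLE")"
```

The quoter is the fallback for code that must build a command string (for example a remote `ssh host "..."` invocation). Where the value can instead be passed as a separate argv element (`docker compose --env-file`, `-e "KEY=$value"` without an intervening `eval`), that is preferable because no re-parsing happens at all.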
ClickHouse 26.2 (Winter Release) was released in March 2026, with 26.2.4.23-stable published on March 24. It includes 25 new features, 43 performance improvements, and 183 bug fixes. The text-index and QBit data type are now production-ready. Batch inserts by time ('infinite inserts'), improved JSON parsing, faster joins, and better min-max index performance for inserts are key highlights. The last known ODS version is 26.1.6.6.
ODS Impact: ODS Data Platform uses ClickHouse for the Zero-ETL analytics layer (OLAP). The 26.2 release is a minor version bump from 26.1 with no breaking changes noted. QBit data type and text-index GA could benefit full-text search across document metadata in DocStore analytics. Plan upgrade via Coolify service update after testing in staging.
Rust 1.94.1 is scheduled for release on March 26, 2026, as a patch release specifically to address CVE-2026-33056 in the tar-rs crate used by Cargo. This is an out-of-cycle security patch — Rust 1.94.0 was released March 5. Developers and CI pipelines should update immediately when 1.94.1 drops. The fix upgrades tar-rs to 0.4.45+.
ODS Impact: All ODS Rust services (oid, billing-engine, pdf-engine, docstore, etc.) build with Cargo. The vulnerability allows a malicious crate to chmod arbitrary filesystem directories during extraction. Update the Rust toolchain via rustup on all build machines and CI runners to 1.94.1 as soon as it releases on March 26.
Rivet Actors is an open-source Rust framework providing stateful primitives for AI agents, collaborative apps, and durable execution. It is built on FoundationDB, has 5,298 stars and an Apache-2.0 license, and is actively developed (last push March 25, 2026). It targets the same space as Cloudflare Durable Objects but is self-hostable. Designed for realtime multiplayer, actor/event patterns, and fault-tolerant stateful workflows.
ODS Impact: Directly relevant to ODS Workflow Engine (P2) and any future agentic features. Rivet's actor model could complement Redpanda's event streaming — actors handle state transitions while Redpanda carries events. The FoundationDB backend provides ACID transactions at scale. Worth prototyping for the Workflow Engine's stateful orchestration needs instead of building from scratch.
OpenAI released Codex as open-source (Apache-2.0, Rust) — a lightweight coding agent that runs in the terminal. With 67,425 stars and active development (last commit March 25, 2026, 2,244 open issues), it provides an agentic coding assistant framework. It competes directly with Claude Code but is OpenAI-centric. The Rust implementation makes it fast and portable.
ODS Impact: Relevant to ODS's ADLC pipeline tooling. The open-source Codex code reveals architectural patterns for building agentic dev workflows in Rust. It can be adapted or studied for the ODS agent orchestration layer. More immediately: developers on the ODS team could use it as an alternative terminal AI assistant for Rust development.
Ruflo is an enterprise-grade agent orchestration platform for Claude with 25,367 stars and MIT license. Built in TypeScript, it provides multi-agent swarms, RAG integration, MCP server support, and Claude Code skill integration. Last commit March 20, 2026. It handles agent memory, worker tracking, and distributed swarm intelligence for AI systems built on the Anthropic Claude API.
ODS Impact: Directly mirrors the ODS ADLC orchestration architecture. Ruflo's patterns for multi-agent coordination, memory management, and Claude Code integration are immediately relevant. The MCP server integration and claude-code-skills concepts are already in use in ODS. Study Ruflo's swarm coordination and circuit-breaker patterns for improving the ADLC supervisor design.
Node.js 25.8.2 (Current) was released on March 24, 2026 as part of the coordinated security release. It patches the same CVEs as other lines plus CVE-2026-21711 (Permission Model bypass: UDS server bind/listen without --allow-net) and CVE-2026-21712 (assertion error in node_url.cc via malformed URL). The 25.x Current line is not used in ODS production but may be used in dev tooling.
ODS Impact: ODS production uses 22.x LTS. This finding is informational — if any developer uses Node.js 25.x locally or in CI scripts, they should upgrade to 25.8.2.
Debezium 3.5.0.Beta2 was released on March 16, 2026, adding Oracle 26ai compatibility, significantly faster LogMiner restarts, and new CockroachDB schema and heartbeat features. Stable version 3.4.2.Final (released March 2) includes 16 bug fixes. Debezium now supports the latest Oracle release (Oracle 26ai / 23.26.0).
ODS Impact: ODS P1 uses Debezium for CDC (Change Data Capture) from PostgreSQL to Redpanda. The 3.5 beta line is not recommended for production yet — use 3.4.2.Final for stability. The Oracle 26ai support is not directly relevant to ODS (PostgreSQL only), but faster LogMiner restarts improve CDC pipeline resilience in future mixed environments.
Neon is a serverless PostgreSQL platform that separates storage from compute, enabling database branching (create dev/test DB copies instantly), autoscaling, and scale-to-zero. Written in Rust, licensed Apache-2.0, with 21,313 stars. It is production-ready and used as a managed service. The architecture is directly relevant to ODS's multi-tenant PostgreSQL approach where each service has its own schema.
ODS Impact: Neon's branching model could significantly accelerate ODS development — developers could branch the entire ods postgres database for feature work without affecting peers. Consider evaluating Neon as a managed alternative to self-hosted PostgreSQL 17 on GCP, particularly for staging/dev environments. Schema-per-service design aligns well with Neon's branching semantics.
Node.js 24.14.1 'Krypton' (LTS) was released on March 24, 2026, as part of the coordinated security release. This is the 24.x LTS line, which became active in late 2025. It patches the same High/Medium/Low CVEs as the other release lines. Node.js 24.x includes an updated V8, a built-in WebSocket client, and improved ESM support.
ODS Impact: ODS is on Node.js 22.x LTS. Node.js 24.x (Krypton) is the next LTS generation. ODS should plan migration to 24.x in Q3 2026 before Node.js 22.x EOL. Start with ODS Dashboard testing on 24.x in a dev environment.
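The Node.js findings above (22.22.2, 24.14.1, 25.8.2 from the March 24 batch) all reduce to one check per container: is the running binary at or above the patched version for its line? The following is an added example, not from the digest or the Node.js project, that encodes those three patched versions and compares numerically rather than as strings (so 22.22.10 correctly ranks above 22.22.9). The 20.x patched version is not stated on this page, so that line is reported as unknown rather than guessed.

```sh
#!/bin/sh
# Added example: verify a Node.js binary against the patched versions listed in
# the March 24, 2026 findings. Not from the digest or the Node.js project.

# Minimum patched version per major line, taken from the findings above.
# 20.x is intentionally absent because the page does not state its patched version.
patched_version_for_major() {
    case "$1" in
        22) echo "22.22.2" ;;
        24) echo "24.14.1" ;;
        25) echo "25.8.2" ;;
        *)  return 1 ;;
    esac
}

# version_ge A B: exit 0 when dotted version A >= B (three numeric components).
version_ge() {
    a_major=${1%%.*}; a_tail=${1#*.}; a_minor=${a_tail%%.*}; a_patch=${a_tail#*.}
    b_major=${2%%.*}; b_tail=${2#*.}; b_minor=${b_tail%%.*}; b_patch=${b_tail#*.}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -gt "$b_minor" ] && return 0
    [ "$a_minor" -lt "$b_minor" ] && return 1
    [ "$a_patch" -ge "$b_patch" ]
}

# node_patch_status VERSION_STRING: VERSION_STRING is the output of `node --version`
# (e.g. v22.22.1). Prints one line: OK, VULNERABLE or UNKNOWN.
node_patch_status() {
    ver=${1#v}
    major=${ver%%.*}
    if ! required=$(patched_version_for_major "$major"); then
        echo "UNKNOWN: no patched version recorded for Node.js ${major}.x"
        return 0
    fi
    if version_ge "$ver" "$required"; then
        echo "OK: Node.js $ver meets $required"
    else
        echo "VULNERABLE: Node.js $ver is below $required, upgrade"
    fi
}

# Usage inside a container or on a host, e.g.:
#   docker exec ods-dashboard node --version | xargs sh -c '. ./check.sh; node_patch_status "$0"'
# When run directly, check whatever node is on PATH (if any).
if command -v node >/dev/null 2>&1; then
    node_patch_status "$(node --version)"
fi
```

Run it against every container that ships Node.js (ODS Dashboard plus CI/CD tooling images) and treat any VULNERABLE or UNKNOWN line as a finding to close before the next deploy.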
RustSec advisory RUSTSEC-2026-0057 marks the tokio-reactor crate as unmaintained as of March 20, 2026. The tokio-reactor crate was an older compatibility shim for Tokio's reactor pattern that has been superseded by tokio's built-in runtime. Any crates still depending on tokio-reactor as a transitive dependency should be audited. No active CVE associated — this is an unmaintained package notice.
ODS Impact: ODS services use Actix-web (which depends on Tokio). If any transitive dependency still pulls in tokio-reactor, it should be eliminated. Run cargo tree | grep tokio-reactor on all ODS Rust services to audit. Modern tokio (1.x) does not require tokio-reactor — this is only a concern for very old or unmaintained crate dependencies.
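A plain `cargo tree | grep tokio-reactor` also matches any crate whose name merely contains that string. The following is an added example, not from the digest or the RustSec project, that anchors the match on the exact crate name as `cargo tree` prints it (`name vX.Y.Z`), reports the versions found, and, on a hit, runs `cargo tree -i` to show which dependency pulls it in. The sample tree output embedded in the block is constructed for the demonstration; the crate versions in it are not from this page.

```sh
#!/bin/sh
# Added example: audit Cargo projects for an unmaintained transitive dependency
# (here tokio-reactor, per RUSTSEC-2026-0057). Not the digest's or RustSec's code.

# list_crate_versions NAME: read `cargo tree` output on stdin and print each
# distinct "NAME vX.Y.Z" node. Matching on "NAME v" avoids hits on crates that
# only contain NAME as a substring (e.g. tokio vs tokio-reactor).
list_crate_versions() {
    grep -Eo "(^|[[:space:]])$1 v[^[:space:]]+" | sed 's/^[[:space:]]//' | sort -u
}

# crate_in_tree NAME: exit 0 if NAME appears as a node in the tree on stdin.
crate_in_tree() {
    grep -Eq "(^|[[:space:]])$1 v[0-9]"
}

# audit_service_dir NAME DIR: run cargo tree in DIR and report. Returns 1 on a hit
# so a CI job can fail on it. Requires cargo on PATH.
audit_service_dir() {
    dir=$2
    if tree=$(cd "$dir" && cargo tree --workspace 2>/dev/null); then
        found=$(printf '%s\n' "$tree" | list_crate_versions "$1")
        if [ -n "$found" ]; then
            echo "FOUND in $dir: $found"
            # Inverse tree: which direct dependency drags the crate in.
            (cd "$dir" && cargo tree --workspace -i "$1")
            return 1
        fi
        echo "clean: $dir"
    else
        echo "skipped (cargo tree failed): $dir"
    fi
}

# Constructed sample of `cargo tree` output (versions made up for the demo).
SAMPLE_TREE=$(printf '%s\n' \
    'ods-billing-engine v0.3.0 (/srv/ods/billing-engine)' \
    '├── actix-web v4.9.0' \
    '│   ├── tokio v1.43.0' \
    '│   └── tokio-reactor v0.1.12' \
    '└── legacy-helper v0.2.0' \
    '    └── tokio-reactor v0.1.12 (*)')

# Demo on the constructed sample, then real audits for any directories given:
#   sh audit.sh billing-engine pdf-engine oid docstore
printf 'sample tree hits: %s\n' "$(printf '%s\n' "$SAMPLE_TREE" | list_crate_versions tokio-reactor)"
for d in "$@"; do
    audit_service_dir tokio-reactor "$d" || :
done
```

Wire `audit_service_dir` into the CI job for each Rust service so a reintroduced tokio-reactor fails the build rather than waiting for the next manual sweep.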
Pascal Editor is an open-source TypeScript tool for creating and sharing 3D architectural projects, with 5,930 stars and MIT license. It is actively maintained (last push March 24, 2026) with only 24 open issues. The project targets architectural visualization and design collaboration, not directly relevant to ODS document workflows.
ODS Impact: Low relevance to ODS core stack. Could be tangentially interesting if ODS ever adds a visual floor-plan or architectural drawing capability to the DocEditor service. No immediate action needed.