
83 matches found

Vulnrichment
added 2024/04/23 8:20 p.m., 9 views

CVE-2024-32869 Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where main.ts is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for t...

5.3 CVSS, 6.7 AI score, 0.01668 EPSS
Exploits: 1, References: 2

Fedora
added 2024/04/19 9:44 p.m., 24 views

[SECURITY] Fedora 40 Update: nodejs18-18.20.2-1.fc40

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed...

8.1 CVSS, 7.3 AI score, 0.00369 EPSS
Exploits: 0

RedHat Linux
added 2024/04/08 9:13 a.m., 1 view

nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks

A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...

7.5 CVSS, 7.1 AI score, 0.0038 EPSS
Exploits: 0, References: 4

CNNVD
added 2024/03/19 12:00 a.m., 1 view

Node.js Security Vulnerabilities

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js versions 18.18.x, 20.4.x, and 21.x, which stems from the fact that setuid does not relinquish all privileges as a result of io_uring, allowing the process to perform privileged...

7.3 CVSS, 6.7 AI score, 0.00876 EPSS
Exploits: 0, References: 3

NCSC
added 2024/01/08 12:00 a.m., 4 views

Vulnerabilities fixed in IBM DB2

IBM has fixed vulnerabilities in several DB2 products such as DB2, DB2 for Cloud Pak and Web Query for i. A malicious party could exploit the vulnerabilities to grant himself locally elevated privileges and thus execute arbitrary code with potentially privilege...

9.8 CVSS, 7.8 AI score, 0.56284 EPSS
Exploits: 9

Fedora
added 2023/10/26 1:51 a.m., 46 views

[SECURITY] Fedora 38 Update: nodejs20-20.8.1-1.fc38

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed...

9.8 CVSS, 8.2 AI score, 0.944 EPSS
Exploits: 19

NCSC
added 2023/10/16 12:00 a.m., 4 views

Vulnerabilities fixed in Node.js

Several vulnerabilities have been fixed in Node.js. A malicious party could potentially exploit the vulnerabilities remotely to cause a denial of service (DoS), bypass authentication and/or gain access to sensitive data. The vulnerability with attribute CVE-2023-44487 is a Denial-of-Service D...

9.8 CVSS, 7.5 AI score, 0.944 EPSS
Exploits: 19

Ubuntu
added 2023/10/05 8:45 a.m., 59 views

USN-6418-1: Node.js vulnerabilities

It was discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue was only fixed in Ubuntu 20.04 LTS. CVE-2021-22883...

7.8 CVSS, 7.5 AI score, 0.89427 EPSS
Exploits: 1

Fedora
added 2023/08/19 12:48 a.m., 47 views

[SECURITY] Fedora 37 Update: nodejs16-16.20.2-1.fc37

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed...

9.8 CVSS, 6.5 AI score, 0.00978 EPSS
Exploits: 3

OSV
added 2023/05/25 10:15 p.m., 0 views

AZL-26938 CVE-2023-31130 affecting package nodejs for versions less than 16.20.1-2

c-ares is an asynchronous resolver library. ares_inet_net_pton is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to...

6.4 CVSS, 6.7 AI score, 0.00012 EPSS
Exploits: 0, References: 1

RedHat Linux
added 2023/05/09 11:51 a.m., 0 views

Node.js: OpenSSL error handling issues in nodejs crypto library

A cryptographic vulnerability exists in Node.js 19.2.0, 18.14.1, 16.19.1, 14.21.3 that in some cases does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread...

7.5 CVSS, 7.1 AI score, 0.00319 EPSS
Exploits: 1, References: 4

CNNVD
added 2023/04/17 12:00 a.m., 3 views

vm2 Injection Vulnerability

vm2 is an advanced virtual machine/sandbox for Node.js, by individual developer Patrik Simek in the Czech Republic, used to run untrusted code using whitelisted Node built-in modules. An injection vulnerability exists in versions prior to vm2 3.9.17, which stems from an exception cleanup presence...

10 CVSS, 8.9 AI score, 0.84615 EPSS
Exploits: 5, References: 9

CNNVD
added 2023/03/03 12:00 a.m., 3 views

RSSHub Cross-Site Scripting Vulnerability

RSSHub is an RSS feed generator written in Node.js, distributed under the MIT license and maintained by DIYgod and other GitHub users. A cross-site scripting vulnerability exists in RSSHub. An attacker can exploit this vulnerability to execute arbitrary JavaScript code...

6.1 CVSS, 6.3 AI score, 0.00838 EPSS
Exploits: 0, References: 3

Positive Technologies
added 2023/03/01 12:00 a.m., 2 views

PT-2023-12423 · Unknown · Serenityos

Name of the Vulnerable Software and Affected Versions: SerenityOS (affected versions not specified). Description: A critical issue has been found in SerenityOS, affecting the function initialize typed array from array buffer in the library Userland/Libraries/LibJS/Runtime/TypedArray.cpp. This issue...

9.8 CVSS, 7.2 AI score, 0.00584 EPSS
Exploits: 1, References: 7

CNNVD
added 2023/02/23 12:00 a.m., 1 view

Node.js Security Vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js that stems from the presence of an elevation of privilege vulnerability that can be exploited by an attacker to bypass authentication and access unauthorized modules...

7.5 CVSS, 7 AI score, 0.0002 EPSS
Exploits: 0, References: 8

SUSE CVE
added 2023/02/15 4:10 a.m., 0 views

SUSE CVE-2019-13617

njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call that leads to an njs_parser_lexer_error call and then an njs_parser_scope_error call...

6.5 CVSS, 7 AI score, 0.00288 EPSS
Exploits: 1, References: 3

RedHat Linux
added 2022/09/08 7:45 a.m., 0 views

nodejs: HTTP request smuggling due to improper delimiting of header fields

A vulnerability was found in Node.js due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows an attacker to send a specially crafted HTTP request to the server and smuggle arbitra...

6.5 CVSS, 7.4 AI score, 0.39294 EPSS
Exploits: 1, References: 5

OSV
added 2022/07/14 3:15 p.m., 0 views

AZL-41051 CVE-2022-32213 affecting package rust for versions less than 1.75.0-1

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS)...

6.5 CVSS, 6.7 AI score, 0.86318 EPSS
Exploits: 1, References: 1

CNNVD
added 2022/06/27 12:00 a.m., 1 view

Parse Server Security Vulnerability

Parse Server is a backend that can be deployed to any infrastructure that can run Node.js. A denial-of-service vulnerability exists in Parse Server, which stems from certain types of invalid file requests not being handled properly and can be exploited by an attacker to cause the server to crash...

7.5 CVSS, 5.6 AI score, 0.00334 EPSS
Exploits: 0, References: 3

CNNVD
added 2022/02/17 12:00 a.m., 2 views

plist.js Security Vulnerability

plist.js is a Mac OS X Plist parser/builder for Node.js and browsers. A security vulnerability exists in versions of plist.js prior to v3.0.4, which can be exploited by attackers to cause a denial of service (DoS) and possibly execute remote code...

9.8 CVSS, 8.4 AI score, 0.02144 EPSS
Exploits: 1, References: 2