
330 matches found

SUSE CVE
added 2023/10/17 12:59 a.m. · 1 view

SUSE CVE-2023-39333

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, as if the WebAssembly module were a JavaScript module. This vulnerability...

CVSS 5.3 · AI score 7.9 · EPSS 0.00936
Exploits: 0 · References: 10
RedHat Linux
added 2023/09/26 2:56 p.m. · 58 views

nodejs: HTTP Request Smuggling via Empty headers separated by CR

A vulnerability has been identified in Node.js, where the llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS)...

CVSS 7.5 · AI score 7.1 · EPSS 0.03467
Exploits: 1 · References: 4
BDU FSTEC
added 2023/08/29 12:0 a.m. · 3 views

The vulnerability of the crypto.X509Certificate() function in the Node.js software platform, which allows a perpetrator to trigger a denial-of-service attack

The vulnerability of the crypto.X509Certificate function in the Node.js software platform is related to insufficient validation of input data. Exploiting this vulnerability could allow a remote attacker to cause service failures...

CVSS 5.3 · AI score 6.7 · EPSS 0.00963
Exploits: 0 · References: 7 · Affected Software: 3
Microsoft CVE
added 2023/08/22 12:0 a.m. · 3 views

`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued the permission model is an experimental feature of Node.js.

...

CVSS 5.3 · AI score 6.8 · EPSS 0.01048
Exploits: 0
Positive Technologies
added 2023/08/16 12:0 a.m. · 3 views

PT-2023-7240 · Adobe · @Adobe/Css-Tools

Name of the Vulnerable Software and Affected Versions: @adobe/css-tools versions 4.3.0 and earlier Description: The issue is related to an Improper Input Validation vulnerability in the CSS parser for Node.js css-tools. This vulnerability could result in a denial of service while attempting to...

CVSS 5.3 · AI score 8.5 · EPSS 0.00985
Exploits: 0 · References: 15
SUSE CVE
added 2023/08/11 2:13 a.m. · 3 views

SUSE CVE-2023-32004

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs, which lets a traversal path bypass the file permission check. This vulnerability affects all users using th...

CVSS 7.1 · AI score 8.8 · EPSS 0.01817
Exploits: 0 · References: 4
SUSE CVE
added 2023/08/11 2:13 a.m. · 2 views

SUSE CVE-2023-32005

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result...

CVSS 3.7 · AI score 9.1 · EPSS 0.01191
Exploits: 1 · References: 3
SUSE CVE
added 2023/08/11 2:13 a.m. · 3 views

SUSE CVE-2023-32558

The use of the deprecated API process.binding can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of...

CVSS 7.5 · AI score 9.1 · EPSS 0.01481
Exploits: 1 · References: 3
CNNVD
added 2023/08/09 12:0 a.m. · 3 views

Node.js path traversal vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js version 20 that stems from allowing an attacker to bypass the privilege model via path traversal using the API process.binding...

CVSS 7.5 · AI score 6.9 · EPSS 0.01481
Exploits: 1 · References: 3
Positive Technologies
added 2023/07/27 12:0 a.m. · 5 views

PT-2023-26484 · Node.Js · Sails

Name of the Vulnerable Software and Affected Versions: Sails versions prior to 1.5.7 Description: Sails is a realtime MVC Framework for Node.js. An attacker can send a virtual request that will cause the node process to crash. Recommendations: For versions prior to 1.5.7, update to version 1.5.7 ...

CVSS 7.5 · AI score 7.4 · EPSS 0.0076
Exploits: 0 · References: 12
RedHat Linux
added 2023/06/29 8:7 p.m. · 5 views

engine.io: Specially crafted HTTP request can trigger an uncaught exception

A flaw was found in engine.io. The Socket.IO Engine.IO is vulnerable to a denial of service caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service...

CVSS 7.1 · AI score 5.8 · EPSS 0.01939
Exploits: 1 · References: 4
CNNVD
added 2023/06/29 12:0 a.m. · 2 views

Node.js security vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. Node.js has a security vulnerability that stems from the ability to bypass policy mechanisms...

CVSS 7.5 · AI score 7.5 · EPSS 0.00875
Exploits: 0 · References: 6
SUSE CVE
added 2023/06/22 2:38 a.m. · 1 view

SUSE CVE-2023-30582

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a...

CVSS 5.3 · AI score 8.8 · EPSS 0.00498
Exploits: 0 · References: 3
Positive Technologies
added 2023/06/20 12:0 a.m. · 3 views

PT-2023-4496 · Node.Js +7 · Node.Js +7

Name of the Vulnerable Software and Affected Versions: Node.js versions v16, v18, and v20 Description: The issue is related to the use of `__proto__` in `process.mainModule.__proto__.require`, which can bypass the policy mechanism and allow requiring modules outside of the policy.json definition. This...

CVSS 9.8 · AI score 6.2 · EPSS 0.87211
Exploits: 5 · References: 203
Positive Technologies
added 2023/06/07 12:0 a.m. · 7 views

PT-2023-24680 · Zxcvbn-Ts · Zxcvbn-Ts

Name of the Vulnerable Software and Affected Versions: zxcvbn-ts versions prior to 3.0.2 Description: This issue affects users running on the NodeJS platform who are using the second argument of the zxcvbn function. It can result in unbounded resource consumption as the user inputs array is...

CVSS 7.5 · AI score 7.4 · EPSS 0.00496
Exploits: 0 · References: 5
Fedora
added 2023/05/26 1:52 a.m. · 36 views

[SECURITY] Fedora 38 Update: python-fastapi-0.95.2-1.fc38

FastAPI is a modern, fast (high-performance) web framework for building APIs with Python 3.7+ based on standard Python type hints. The key features are: Fast: Very high performance, on par with NodeJS and Go thanks to Starlette and Pydantic. One of the fastest Python...

AI score 7.4
Exploits: 0
RedHat Linux
added 2023/05/09 11:51 a.m. · 1 view

Node.js: Fetch API did not protect against CRLF injection in host headers

A flaw was found in the fetch API in Node.js that did not prevent CRLF injection in the 'host' header. This issue could allow HTTP response splitting and HTTP header injection...

CVSS 6.5 · AI score 7.2 · EPSS 0.01129
Exploits: 1 · References: 4
RedHat Linux
added 2023/04/12 3:4 p.m. · 1 view

Node.js: insecure loading of ICU data through ICU_DATA environment variable

An untrusted search path vulnerability exists in Node.js. 19.6.1, 18.14.1, 16.19.1, and 14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges...

CVSS 4.2 · AI score 7.2 · EPSS 0.00471
Exploits: 0 · References: 4
RedHat Linux
added 2023/04/12 3:3 p.m. · 1 view

Node.js: insecure loading of ICU data through ICU_DATA environment variable

An untrusted search path vulnerability exists in Node.js. 19.6.1, 18.14.1, 16.19.1, and 14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges...

CVSS 4.2 · AI score 7.2 · EPSS 0.00471
Exploits: 0 · References: 4
OSV
added 2023/03/16 3:15 p.m. · 2 views

DEBIAN-CVE-2023-28155

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer...

CVSS 6.1 · AI score 6.3 · EPSS 0.00719
Exploits: 1 · References: 1