330 matches found
dicer security vulnerability
dicer is a very fast streaming multipart parser from individual developer mscdex. A security vulnerability exists in dicer. A malicious attacker can send modified forms to the server and crash the Node.js service. An attacker can send the payload over and over again, thus crashing the service over...
bignum security vulnerability
bignum is an arbitrary-precision integer arithmetic library for Node.js using OpenSSL, by individual developer Stefan Thomas. A security vulnerability exists in bignum that stems from susceptibility to denial-of-service (DoS) attacks...
Vulnerabilities fixed in IBM Cognos Analytics
Several vulnerabilities have been fixed in IBM Cognos Analytics. Most of the vulnerabilities are in third-party software components included with IBM Cognos, including OpenSSL and Node.js. The vulnerabilities allow a malicious party to execute attacks that result i...
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
...
UBUNTU-CVE-2022-21824
Due to the formatting logic of the "console.table" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has...
SUSE-SU-2022:0563-1 Security update for nodejs8
This update for nodejs8 fixes the following issues:
- CVE-2021-23343: Fixed ReDoS via splitDeviceRe, splitTailRe and splitPathRe bsc1192153.
- CVE-2021-32803: Fixed insufficient symlink protection in node-tar allowing arbitrary file creation and overwrite bsc1191963.
- CVE-2021-32804: Fixed...
llhttp: HTTP Request Smuggling due to spaces in headers
An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.js. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as through a proxy, reverse proxy, or load balancer), an attacker can use this flaw to inject...
nodejs-json-schema: Prototype pollution vulnerability
The json-schema Node.js library was vulnerable to prototype pollution during the validation of a JSON object. An attacker able to provide a specially crafted JSON file for validation could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code...
GHSA-X55W-VJJP-222R inflect vulnerable to Inefficient Regular Expression Complexity
inflect is customizable inflections for nodejs. inflect is vulnerable to Inefficient Regular Expression Complexity...
nodejs: Use-after-free on close http2 on stream canceling
A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit memory corruption to change process behavior. The highest threat from this vulnerability is to confidentiality and integrity...
nodejs-lodash: command injection via template
A flaw was found in nodejs-lodash. A command injection flaw is possible through template variables...
nodejs: Incomplete validation of tls rejectUnauthorized parameter
A flaw was found in Node.js. If the Node.js HTTPS API is used incorrectly and "undefined" is passed for the "rejectUnauthorized" parameter, no error is returned, and the connections to servers with an expired certificate are accepted. The highest threat from this vulnerability is to integrity...
nodejs: Improper handling of untypical characters in domain names
A flaw was found in Node.js. These vulnerabilities include remote code execution, cross-site scripting (XSS), and application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library, which can lead to the output of wrong hostnames leading to Domai...
nodejs: Use-after-free on close http2 on stream canceling
A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit the memory corruption, which causes a change in the process behavior. The highest threat from this vulnerability is to confidentiality and integrity...
UBUNTU-CVE-2021-22939
If the Node.js https API was used incorrectly and "undefined" was passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted...
UBUNTU-CVE-2021-22931
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames leading to Domain Hijacking and injection...
PT-2021-5821 · Node.Js +7
Name of the Vulnerable Software and Affected Versions: Node.js versions prior to 12.22.4; Node.js versions prior to 14.17.4; Node.js versions prior to 16.6.0. Description: The issue is related to a use after free attack in Node.js, where an attacker might exploit memory corruption to change process...
ALPINE-CVE-2021-22918
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to...
UBUNTU-CVE-2021-22918
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to...
DEBIAN-CVE-2021-33623
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end method...