HAXcms with nodejs backend 安全漏洞

HAXcms with nodejs backend is an open source backend management system from HAX The Web. A security vulnerability exists in HAXcms with nodejs backend version 11.0.9 and earlier, which stems from hardcoding default credentials and JWT private keys, which could lead to unauthorized access...

SUSE CVE-2025-27210

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of path.join API...

Node.js 安全漏洞

Node.js is an open source, cross-platform JavaScript runtime environment from the Node.js open source. A security vulnerability exists in Node.js version v24.x, which stems from an improper implementation of string hash computation and could lead to a hash collision attack...

DEBIAN-CVE-2025-50182

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means...

AZL-69706 CVE-2025-5222 affecting package nodejs18 for versions less than 18.20.3-10

A stack buffer overflow was found in Internationl components for unicode ICU . While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution...

nodejs: Node.js Worker Thread Exposure via Diagnostics Channel

A flaw was found in the Node.js diagnosticschannel. This vulnerability allows an attacker to reinstate and misuse worker constructors, potentially bypassing the Permission Model via hooking into events when a worker thread is created...

MAL-2025-745 Malicious code in nodejs-paypal-checkout-demo (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 909c8505097e7b62c38bde6c75bb0ba8516f566136ec093b913944bcbdd1130e Any computer that has this package installed or running should be considered...

编号撤回

Node.js is an open source, cross-platform JavaScript runtime environment from Node.js Open Source. This CVE number has been withdrawn...

PT-2026-2477

Name of the Vulnerable Software and Affected Versions Node.js affected versions not specified Description A flaw exists in the Node.js software platform related to improper handling of exceptional states. Exploitation may allow a remote attacker to cause a denial-of-service condition. Specificall...

Astra Linux - уязвимость в nodejs

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key inf...

GHSA-MGFV-M47X-4WQP useragent Regular Expression Denial of Service vulnerability

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service ReDoS. PoC js async function exploit const useragent = require"useragent"; // Create a malicious user-agent that...

Malicious code in @taxify/nodejs-common (npm)

--- -= Per source details. Do not edit below this line.=-...

SUSE CVE-2024-48948

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an truncateToN anomaly. This leads to...

PT-2024-7176 · Sap · Sap Hana Node.Js Client Package

Name of the Vulnerable Software and Affected Versions: SAP HANA Node.js client package versions 2.0.0 through 2.21.30 Description: The issue is related to a Prototype Pollution vulnerability in the SAP HANA Node.js client package, specifically affecting the nestTables feature. This vulnerability...

VulnCheck KEV: CVE-2022-29078

The ejs aka Embedded JavaScript templates package 3.1.6 for Node.js allows server-side template injection in settingsview optionsoutputFunctionName. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command which is executed upon...

In the Elliptic package 6.5.6 for Node.js ECDSA signature malleability occurs because BER-encoded signatures are allowed.

...

GHSA-F7Q4-PWC6-W24P Elliptic's EDDSA missing signature length check

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended...

DEBIAN-CVE-2024-42459

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended...

UBUNTU-CVE-2024-42459

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended...

nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service

A flaw was found in Node.js that allows a denial of service attack through resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The vulnerability stems from the fetch function in Node.js that always decodes Brotli, making it possible for an attacker to caus...