331 matches found
StringBuilder for Node.js Security Vulnerability
StringBuilder for Node.js is a simple and fast in-memory string generator for Node.js by Magic Len Personal Developer. A security vulnerability exists in StringBuilder for Node.js, which stems from an incorrect calculation of the memory length and is susceptible to out-of-bounds reads, which can...
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."
...
CVE-2023-42955
Claris International has successfully resolved an issue of potentially exposing password information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by eliminating the send of Admin Role passwords in the...
Oceanic 安全漏洞
Oceanic is a NodeJS library for interacting with Discord open-sourced by Oceanic. A security vulnerability exists in Oceanic versions prior to 1.10.4, which stems from uncleaned user input that may result in URL path traversal...
UBUNTU-CVE-2024-33883
The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...
Node.js 安全漏洞
Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js versions 18.x, 20.x, and 21.x. The vulnerability stems from the fact that an attacker can make the server completely unavailable by sending a small number of HTTP/2 framed packets...
nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...
nodejs: setuid() does not drop all privileges due to io_uring
A flaw was found in Node.js, where the setuid does not affect libuv's internal iouring operations if initialized before the call to setuid. This issue allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid...
nodejs: code injection and privilege escalation through Linux capabilities
A flaw was found in Node.js. On Linux, Node.js ignores certain environment variables if an unprivileged user has set them while the process is running with elevated privileges, except for CAPNETBINDSERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this...
PT-2024-2956 · Node.Js +3 · Undici +3
Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.28.4 Undici versions prior to 6.11.1 Description: The issue is related to insufficient access control in the Undici HTTP/1.1 client for Node.js, allowing a remote attacker to execute arbitrary code by altering the...
nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...
DEBIAN-CVE-2024-22025
A vulnerability in Node.js has been identified, allowing for a Denial of Service DoS attack through resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch function in Node.js always decodes Brotli, making i...
Node.js Security Vulnerabilities
Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js versions 18.18.x, 20.4.x, and 21.x, which stems from the fact that setuid does not relinquish all privileges as a result of iouring, allowing the process to perform privileged...
OESA-2024-1169 nodejs security update
Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser. Security Fixes: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the...
SUSE CVE-2023-46809
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/hkario/marvin/, if PCKS 1 v1.5 padding is allowed when performing RSA descryption using a privat...
SUSE CVE-2024-22019
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service DoS. The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk...
CVE-2023-49583 Escalation of Privileges in SAP BTP Security Services Integration Library ([Node.js] @sap/xssec)
SAP BTP Security Services Integration Library Node.js @sap/xssec - versions 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...
USN-6491-1 nodejs vulnerabilities
Axel Chong discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. CVE-2022-32212 Zeyu Zhang discovered that Node.js incorrectl...
SUSE CVE-2022-33987
The got package before 12.1.0 also fixed in 11.8.5 for Node.js allows a redirect to a UNIX socket...
Vulnerabilities fixed Node.js
Several vulnerabilities have been fixed in Node.js. A malicious party could potentially exploit the vulnerabilities remotely to cause a denial-of-service DoS, bypass of authentication and/or gaining access to sensitive data. The vulnerability with attribute CVE-2023-44487 is a Denial-of-Service D...