AZL-13684 CVE-2023-23919 affecting package nodejs for versions less than 16.19.1-1

A cryptographic vulnerability exists in Node.js 19.2.0, 18.14.1, 16.19.1, 14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread...

Node.js 安全漏洞

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js that stems from the presence of an elevation of privilege vulnerability that can be exploited by an attacker to bypass authentication and access unauthorized modules...

SUSE CVE-2013-7381

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify...

SUSE CVE-2013-7451

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag...

SUSE CVE-2013-7454

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting XSS filter via nested forbidden strings...

SUSE CVE-2015-8854

The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service CPU consumption via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service ReDoS."...

SUSE CVE-2015-8857

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript...

SUSE CVE-2017-18214

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055...

SUSE CVE-2019-13617

njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxtvsprintf in nxt/nxtsprintf.c during error handling, as demonstrated by an njsregexpliteral call that leads to an njsparserlexererror call and then an njsparserscopeerror call...

SUSE CVE-2019-15604

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate...

SUSE CVE-2020-8277

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions 15.2.1, 14.15.1, and 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and...

Arbitrary Code Execution

Overview swig-templates is an A simple, powerful, and extendable templating engine for node.js and browsers, similar to Django, Jinja2, and Twig. Affected versions of this package are vulnerable to Arbitrary Code Execution via the renderFile method. Note: The following conditions are required to...

DEBIAN-CVE-2021-35065

The glob-parent package before 6.0.1 for Node.js allows ReDoS regular expression denial of service attacks against the enclosure regular expression...

nodejs: DNS rebinding in inspect via invalid octal IP address

A flaw was found in NodeJS. The issue occurs in the Node.js rebinding protector for --inspect that still allows invalid IP addresses, specifically, the octal format. This flaw allows an attacker to perform DNS rebinding and execute arbitrary code...

nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a...

nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding

A vulnerability was found in NodeJS due to the llhttp parser in the HTTP module incorrectly handling multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling HRS. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle...

nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding

A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling HRS, causing web cache poisoning, and conducting XSS attacks...

ffmpeg-sdk 命令注入漏洞

ffmpeg-sdk is a ffmpeg wrapper for nodejs by the individual developer Shajan Jacob in India. A security vulnerability exists in ffmpeg-sdk, which stems from the vulnerability of index.js to command injection attacks...

properties-reader 安全漏洞

properties-reader is a Node.js property reader compatible with ini files by Steve King, a personal developer. A security vulnerability exists in properties-reader prior to version 2.2.0, which stems from the package's susceptibility to prototype contamination, and which can be exploited by an...

The llhttp parser <v14.20.1 <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

...