
331 matches found

CNNVD
added 2022/07/21 12:0 a.m. · 2 views

Node.js Security Vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js version 16.5.4 and versions prior to 17.1.3 in the 17.x series, which stems from the fact that an incorrectly formatted MKV file may cause the file type detector to fall into an...

CVSS 5.5 · AI score 6.1 · EPSS 0.00171
Exploits: 0 · References: 8
Positive Technologies
added 2022/07/18 12:0 a.m. · 1 views

PT-2022-23214

Name of the Vulnerable Software and Affected Versions: Apache SkyWalking NodeJS Agent versions prior to 0.5.1 Description: The issue causes NodeJS services with the Apache SkyWalking NodeJS Agent installed to become unavailable when the OAP is unhealthy and the NodeJS agent cannot establish a...

CVSS 7.5 · AI score 6.8 · EPSS 0.05156
Exploits: 0 · References: 10
Positive Technologies
added 2022/07/18 12:0 a.m. · 2 views

PT-2022-10388

Name of the Vulnerable Software and Affected Versions: glob-parent versions prior to 6.0.1 Description: The issue allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression in the glob-parent package for Node.js. Recommendations: For versions prior to 6.0.1,...

CVSS 8.6 · AI score 7.4 · EPSS 0.01543
Exploits: 8 · References: 108
OSV
added 2022/07/14 3:15 p.m. · 1 views

ALPINE-CVE-2022-32215

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)...

CVSS 6.5 · AI score 7 · EPSS 0.86472
Exploits: 1 · References: 1
OSV
added 2022/07/14 3:15 p.m. · 0 views

AZL-41051 CVE-2022-32213 affecting package rust for versions less than 1.75.0-1

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS)...

CVSS 6.5 · AI score 6.7 · EPSS 0.86318
Exploits: 1 · References: 1
ATTACKERKB
added 2022/07/14 3:15 p.m. · 2 views

CVE-2022-32222

A cryptographic vulnerability exists on Node.js on Linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3...

CVSS 5.3 · AI score 5.5 · EPSS 0.0062
Exploits: 1 · References: 5 · Affected Software: 1
CNNVD
added 2022/06/18 12:0 a.m. · 1 views

got Security Vulnerability

got is a user-friendly and powerful HTTP request library for Node.js. A security vulnerability exists in versions of got prior to 12.1.0 that originates from allowing redirection to UNIX sockets...

CVSS 5.3 · AI score 6.8 · EPSS 0.0078
Exploits: 0 · References: 13
RedHat Linux
added 2022/06/06 9:29 a.m. · 2 views

nodejs: Improper handling of URI Subject Alternative Names

A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host...

CVSS 7.4 · AI score 7.3 · EPSS 0.00076
Exploits: 0 · References: 5
OSV
added 2022/05/24 10:1 p.m. · 2 views

GHSA-P84X-5XX8-HFF9 bson-objectid contains Improper input validation

An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects bsontype==ObjectID in the user-input...

CVSS 7.5 · AI score 7.2 · EPSS 0.00227
Exploits: 1 · References: 4
CNNVD
added 2022/05/13 12:0 a.m. · 2 views

convict Security Vulnerability

convict is a featured configuration management library for Node.js. A security vulnerability exists in versions prior to convict 6.2.3...

CVSS 9.8 · AI score 8.3 · EPSS 0.00668
Exploits: 1 · References: 6
CNNVD
added 2022/05/04 12:0 a.m. · 2 views

Node.js Cross-Site Scripting Vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in jquery.json-viewer version 1.4.0 and earlier versions of Node.js, which stems from the inability to correctly escape characters e.g., in a JSON object, as shown in the SCRIPT element...

CVSS 6.1 · AI score 6.2 · EPSS 0.00441
Exploits: 0 · References: 3
NCSC
added 2022/01/19 12:0 a.m. · 2 views

Vulnerability fixed in Oracle Java SE and GraalVM Enterprise Edition

Oracle has fixed vulnerabilities in the following products: Java SE JDK and JRE; GraalVM Enterprise Edition. The vulnerabilities potentially enable a malicious party to execute attacks that result in the following categories of damage: Denial-of-Service (DoS); Manipulation of data; Circumvention of...

CVSS 6.5 · AI score 6.8 · EPSS 0.05612
Exploits: 1
Gitee
added 2021/12/27 4:5 p.m. · 3 views

vulhub

This repository is an offensive tool for vulnerability research and exploitation, specifically targeting various web applications and services. It contains a collection of exploits and tools for identifying and exploiting vulnerabilities in software and systems. The repository includes a variety ...

AI score 8.2
Exploits: 0
NCSC
added 2021/12/10 12:0 a.m. · 2 views

Vulnerabilities fixed in IBM Spectrum Control

IBM has fixed vulnerabilities in software bundled with Spectrum Control. These include previously fixed vulnerabilities in underlying products and libraries such as node.js, OpenSSL and Websphere Liberty. Previous security advisories have been published. A malicious party can exploit the...

CVSS 9.8 · AI score 7.5 · EPSS 0.01319
Exploits: 2
PyPA
added 2021/11/23 12:15 a.m. · 3 views

PYSEC-2021-862

Connections initialized by the AWS IoT Device SDK v2 for Java versions prior to 1.4.2, Python versions prior to 1.6.1, C++ versions prior to 1.12.7 and Node.js versions prior to 1.5.3 did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in the...

CVSS 8.8 · AI score 6.8 · EPSS 0.00102
Exploits: 0 · References: 6 · Affected Software: 1
RedHat Linux
added 2021/09/27 7:40 a.m. · 3 views

nodejs: Use-after-free on close http2 on stream canceling

A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit the memory corruption, which causes a change in the process behavior. The highest threat from this vulnerability is to confidentiality and integrity...

CVSS 9.8 · AI score 7.3 · EPSS 0.00323
Exploits: 0 · References: 4
RedHat Linux
added 2021/09/22 8:55 a.m. · 0 views

nodejs: Use-after-free on close http2 on stream canceling

A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit the memory corruption, which causes a change in the process behavior. The highest threat from this vulnerability is to confidentiality and integrity...

CVSS 9.8 · AI score 7.3 · EPSS 0.00323
Exploits: 0 · References: 4
Elastic
added 2021/09/01 4:10 p.m. · 3 views

Elastic Stack 7.14.1 Security Update

Kibana code execution issue (ESA-2021-21): It was discovered that a user with fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the kibana...

CVSS 9.8 · AI score 8 · EPSS 0.00662
Exploits: 3
Positive Technologies
added 2021/08/16 12:0 a.m. · 4 views

PT-2021-6779 · Node.Js +7

Name of the Vulnerable Software and Affected Versions: Node.js affected versions not specified Description: The issue is related to insufficient validation of the rejectUnauthorized value in the Node.js https API. If the rejectUnauthorized parameter is set to undefined, no error is returned, and...

CVSS 9.8 · AI score 6.4 · EPSS 0.89427
Exploits: 31 · References: 267
CNNVD
added 2021/07/14 12:0 a.m. · 1 views

is-email Resource Management Error Vulnerability

is-email is an application used to validate email addresses. Segment is-email is vulnerable due to a ReDoS (regular expression denial of service) flaw discovered in Node.js prior to Segment is-email package 1.0.1. An attacker could exploit this flaw to cause the application to consume excessive CPU...

CVSS 7.5 · AI score 5.6 · EPSS 0.00468
Exploits: 0 · References: 2