382 matches found
Identifier withdrawn
Node.js is an open source, cross-platform JavaScript runtime environment from Node.js Open Source. This CVE number has been withdrawn...
PT-2026-2477
Name of the Vulnerable Software and Affected Versions: Node.js affected versions not specified Description: A flaw exists in the Node.js software platform related to improper handling of exceptional states. Exploitation may allow a remote attacker to cause a denial-of-service condition. Specificall...
The vulnerability of the getWindowsIEEE8021x function in the npm systeminformation package of the Node.js software platform allows a perpetrator to escalate their privileges and execute arbitrary commands.
The vulnerability of the getWindowsIEEE8021x function in the npm systeminformation package of the Node.js software platform is related to improper code generation during the processing of SSID identifiers. Exploiting this vulnerability can allow an attacker to enhance their privileges and execute...
Astra Linux - vulnerability in nodejs
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate API, an unexpected termination occurs, making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key inf...
The vulnerability of the experimental-permission configuration in the Node.js software platform allows a hacker to bypass security restrictions and gain unauthorized access to protected information.
The vulnerability of the experimental-permission configuration in the Node.js software platform is related to incorrect restrictions on the path to the restricted directory. Exploiting this vulnerability allows a malicious actor to bypass security restrictions and gain unauthorized access to...
The vulnerability of the process.binding() function in the Node.js software platform allows attackers to circumvent security restrictions and gain unauthorized access to protected information.
The vulnerability of the process.binding function in the Node.js platform is related to incorrect restrictions on the path to the restricted directory. Exploiting this vulnerability allows an attacker to bypass security restrictions and gain unauthorized access to protected information...
GHSA-MGFV-M47X-4WQP useragent Regular Expression Denial of Service vulnerability
Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). PoC js async function exploit const useragent = require("useragent"); // Create a malicious user-agent that...
Malicious code in @taxify/nodejs-common (npm)
--- -= Per source details. Do not edit below this line.=-...
SUSE CVE-2024-48948
The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a truncateToN anomaly. This leads to...
PT-2024-7176 · SAP · SAP HANA Node.js Client Package
Name of the Vulnerable Software and Affected Versions: SAP HANA Node.js client package versions 2.0.0 through 2.21.30 Description: The issue is related to a Prototype Pollution vulnerability in the SAP HANA Node.js client package, specifically affecting the nestTables feature. This vulnerability...
VulnCheck KEV: CVE-2022-29078
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command which is executed upon...
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
...
GHSA-F7Q4-PWC6-W24P Elliptic's EDDSA missing signature length check
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended...
DEBIAN-CVE-2024-42459
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended...
UBUNTU-CVE-2024-42459
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended...
The vulnerability of the child_process.spawn() and child_process.spawnSync() functions in the Node.js software platform for Windows operating systems allows a hacker to bypass security restrictions and execute arbitrary commands.
The vulnerability of the child_process.spawn and child_process.spawnSync functions in the Node.js software platform for Windows operating systems is related to the improper handling of the shell parameter in .bat and .cmd files. Exploiting this vulnerability allows a remote attacker to bypass...
The vulnerability of the Experimental Permission Model component in the Node.js software platform allows a perpetrator to gain unauthorized access to protected information.
The vulnerability of the Experimental Permission Model component in the Node.js software platform is related to errors in permission handling when the --allow-fs-read flag is used. Exploiting this vulnerability can allow a perpetrator to gain unauthorized access to protected information...
nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service
A flaw was found in Node.js that allows a denial of service attack through resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The vulnerability stems from the fetch function in Node.js that always decodes Brotli, making it possible for an attacker to caus...
StringBuilder for Node.js Security Vulnerability
StringBuilder for Node.js is a simple and fast in-memory string generator for Node.js by Magic Len Personal Developer. A security vulnerability exists in StringBuilder for Node.js, which stems from an incorrect calculation of the memory length and is susceptible to out-of-bounds reads, which can...
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties take the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."
...