OESA-2024-1169 nodejs security update
Node.js is an open-source, cross-platform JavaScript runtime environment that executes JavaScript code outside of a browser. Security fixes: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the...
A vulnerability in the "is-my-json-valid" library for Node.js allows an attacker to cause a denial of service.
The vulnerability in the Node.js library "is-my-json-valid" stems from an inefficient regular expression used to validate JSON fields. It allows a remote attacker to cause a denial of service by sending a specially crafted JSON file...
SUSE CVE-2023-46809
Node.js versions which bundle an unpatched version of OpenSSL, or run against a dynamically linked version of OpenSSL which is unpatched, are vulnerable to the Marvin Attack (https://people.redhat.com/hkario/marvin/) if PKCS#1 v1.5 padding is allowed when performing RSA decryption using a privat...
SUSE CVE-2024-22019
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk...
A vulnerability in the sshpk library for Node.js allows an attacker to cause a denial of service.
The vulnerability in the sshpk library for Node.js is related to uncontrolled resource allocation. Exploiting it can allow a remote attacker to cause a denial of service...
A vulnerability in the `child_process.exec` function of a cross-platform networking utility for Node.js allows an attacker to execute arbitrary commands.
The vulnerability in the `child_process.exec` function of the cross-platform networking library for Node.js exists due to insufficient validation of input data. Exploiting it allows a remote attacker to execute arbitrary commands...
CVE-2023-49583 Escalation of Privileges in SAP BTP Security Services Integration Library ([Node.js] @sap/xssec)
SAP BTP Security Services Integration Library ([Node.js] @sap/xssec), versions < 3.6.0, allows under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...
USN-6491-1 nodejs vulnerabilities
Axel Chong discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2022-32212) Zeyu Zhang discovered that Node.js incorrectl...
A vulnerability in a JavaScript test emulator for Node.js allows attackers to carry out XSS attacks.
The vulnerability in the emulator used to test JavaScript code on the Node.js platform exists because input is not properly neutralized when web pages are generated. Exploiting it allows a remote attacker to carry out XSS attacks...
SUSE CVE-2022-33987
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket...
A vulnerability in the Node.js platform, related to insufficient verification of data authenticity, allows an attacker to bypass integrity checks.
The vulnerability in the Node.js platform is related to insufficient verification of data authenticity. Exploiting it could allow a remote attacker to disable integrity checks...
Vulnerabilities fixed in Node.js
Several vulnerabilities have been fixed in Node.js. A malicious party could potentially exploit them remotely to cause a denial of service (DoS), bypass authentication and/or gain access to sensitive data. The vulnerability identified as CVE-2023-44487 is a Denial-of-Service D...
Node.js path traversal vulnerability
Node.js is an open-source, cross-platform JavaScript runtime environment. A path traversal vulnerability exists in Node.js version 20.x, which stems from node:fs functions allowing paths to be specified as strings or Uint8Array objects...
nodejs: Permissions policies can be bypassed via process.binding
A vulnerability was found in Node.js. This security issue occurs because the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code outside of the limits defined in a...
nodejs-semver: Regular expression denial of service
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size,...
nodejs: Permissions policies can be bypassed via Module._load
A vulnerability was found in Node.js. This security issue occurs because the use of Module._load can bypass the policy mechanism and require modules outside of the policy.json definition for a given module...
A vulnerability in the fs.openAsBlob() method of the Node.js platform allows attackers to gain unauthorized read access to protected information.
The vulnerability in the fs.openAsBlob() method of the Node.js platform is related to errors in how the --allow-fs-read flag restricts file system access. Exploiting it allows a malicious actor to read protected information that the flag should have kept out of reach...
A vulnerability in the crypto.setEngine() method of the Node.js platform allows an attacker to bypass existing security restrictions.
The vulnerability in the crypto.setEngine() method of the Node.js platform is related to deficiencies in access control. Exploiting it could allow a remote attacker to bypass existing security restrictions...
A vulnerability in the fs.watchFile() method of the Node.js platform allows an attacker to gain unauthorized access to protected information.
The vulnerability in the fs.watchFile() method of the Node.js platform is related to errors in how the --allow-fs-read flag is handled when it is given a non-wildcard argument (anything other than --allow-fs-read=*). Exploiting it can allow a remote attacker to gain unauthorized access to protected information...
UBUNTU-CVE-2023-32559
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. The use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync')...