Node.js 安全漏洞

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js versions 16.x, 18.x, and 20.x that stems from the use of Module.load to bypass the policy mechanism when given a module outside of the policy.json definition...

Node.js Security Vulnerabilities

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js versions 16.x, 18.x, and 20.x that stems from the ability to bypass the policy mechanism and define modules other than those given...

nodejs: DiffieHellman do not generate keys after setting a private key

A vulnerability has been identified in the Node.js, where a generateKeys API function returned from crypto.createDiffieHellman only generates missing or outdated keys, that is, it only generates a private key if none has been set yet...

SUSE CVE-2023-30583

fs.openAsBlob can bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag in Node.js 20. This flaw arises from a missing check in the fs.openAsBlob API. Please note that at the time this CVE was issued, the permission model is an...

PT-2023-4509 · Node.Js +1 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: Node.js version 20 Description: A privilege escalation issue exists due to insufficient access control in the crypto.setEngine method of Node.js. This can be exploited by a remote attacker to bypass existing security restrictions. The attack...

GHSA-8VW3-VXMJ-H43W bwm-ng vulnerable to command injection

All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. Note: To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within t...

n158 命令注入漏洞

n158 is a simple way to handle HTTP servers and daemons using NodeJS. A security vulnerability exists in n158, which stems from improper input cleanup in the module.exports function and is vulnerable to command injection attacks...

n8n 安全漏洞

n8n is a scalable workflow automation tool from n8n open source. A security vulnerability exists in version 0.218.0 of the n8n package for Node.js. An attacker can exploit the vulnerability to elevate privileges...

Node.js: OpenSSL error handling issues in nodejs crypto library

A cryptographic vulnerability exists in Node.js 19.2.0, 18.14.1, 16.19.1, 14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread...

vm2 安全漏洞

vm2 is an advanced virtual machine/sandbox for Node.js by individual developer Patrik Simek in the Czech Republic. to run untrusted code using whitelisted Node built-in modules. A security vulnerability exists in vm2 version 3.9.15 and earlier. An attacker exploits this vulnerability to bypass...

Node.js: Permissions policies can be bypassed via process.mainModule

A privilege escalation vulnerability exists in Node.js 19.6.1, 18.14.1, 16.19.1 and 14.21.3 that made it possible to bypass the experimental Permissions https://nodejs.org/api/permissions.html feature in Node.js and access non authorized modules by using process.mainModule.require. This only...

nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS

A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of...

GHSA-P8P7-X288-28G6 Server-Side Request Forgery in Request

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect HTTP to HTTPS, or HTTPS to HTTP. NOTE: The request package is no longer supported by the maintain...

AZL-44241 CVE-2023-28155 affecting package js-jquery 3.5.0-4

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect HTTP to HTTPS, or HTTPS to HTTP. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...

AZL-13684 CVE-2023-23919 affecting package nodejs for versions less than 16.19.1-1

A cryptographic vulnerability exists in Node.js 19.2.0, 18.14.1, 16.19.1, 14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread...

DEBIAN-CVE-2023-23918

A privilege escalation vulnerability exists in Node.js 19.6.1, 18.14.1, 16.19.1 and 14.21.3 that made it possible to bypass the experimental Permissions https://nodejs.org/api/permissions.html feature in Node.js and access non authorized modules by using process.mainModule.require. This only...

Node.js 安全漏洞

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js that stems from the presence of an elevation of privilege vulnerability that can be exploited by an attacker to bypass authentication and access unauthorized modules...

SUSE CVE-2013-7381

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify...

SUSE CVE-2013-7451

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag...

SUSE CVE-2013-7454

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting XSS filter via nested forbidden strings...