SUSE CVE-2015-8854
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."...
SUSE CVE-2015-8857
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten JavaScript...
SUSE CVE-2017-18214
The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055...
SUSE CVE-2019-13617
njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call that leads to an njs_parser_lexer_error call and then an njs_parser_scope_error call...
SUSE CVE-2019-15604
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate...
SUSE CVE-2020-8277
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and...
Arbitrary Code Execution
Overview: swig-templates is a simple, powerful, and extendable templating engine for Node.js and browsers, similar to Django, Jinja2, and Twig. Affected versions of this package are vulnerable to Arbitrary Code Execution via the renderFile method. Note: The following conditions are required to...
DEBIAN-CVE-2021-35065
The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression...
nodejs: DNS rebinding in inspect via invalid octal IP address
A flaw was found in NodeJS. The issue occurs in the Node.js rebinding protector for --inspect, which still accepts invalid IP addresses, specifically those in octal format. This flaw allows an attacker to perform DNS rebinding and execute arbitrary code...
The vulnerability of the --inspect parameter implementation in Node.js’s object manipulation tools allows attackers to execute arbitrary code.
The vulnerability of the --inspect parameter in the Node.js object manipulation tool is related to errors in the conversion of octal IP addresses. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CRLF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a...
nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS), causing web cache poisoning and enabling XSS attacks...
nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding
A vulnerability was found in NodeJS due to the llhttp parser in the HTTP module incorrectly handling multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle...
ffmpeg-sdk command injection vulnerability
ffmpeg-sdk is an ffmpeg wrapper for Node.js by the individual developer Shajan Jacob in India. A security vulnerability exists in ffmpeg-sdk, which stems from index.js being susceptible to command injection attacks...
properties-reader security vulnerability
properties-reader is a Node.js property reader compatible with ini files by Steve King, an individual developer. A security vulnerability exists in properties-reader prior to version 2.2.0, which stems from the package's susceptibility to prototype pollution, and which can be exploited by an...
The llhttp parser (< v14.20.1, < v16.17.1 and < v18.9.1) in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS)...
Node.js security vulnerability
Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js version 16.5.4 and in versions prior to 17.1.3 in the 17.x series, which stems from the fact that an incorrectly formatted MKV file may cause the file type detector to fall into an...
PT-2022-23214
Name of the Vulnerable Software and Affected Versions: Apache SkyWalking NodeJS Agent versions prior to 0.5.1. Description: The issue causes NodeJS services with the Apache SkyWalking NodeJS Agent installed to become unavailable when the OAP is unhealthy and the NodeJS agent cannot establish a...
The vulnerability of the WHATWG Fetch API interface for Node.js, related to errors in cookie handling, allows attackers to gain unauthorized access to protected information.
The vulnerability of the WHATWG Fetch API interface for Node.js' cross-fetching mechanism is related to errors in cookie handling. Exploiting this vulnerability can allow an attacker to gain unauthorized access to protected information...
PT-2022-10388
Name of the Vulnerable Software and Affected Versions: glob-parent versions prior to 6.0.1. Description: The issue allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression in the glob-parent package for Node.js. Recommendations: For versions prior to 6.0.1,...