npmjs-url-parse: Improper validation of protocol of the returned URL
An input validation flaw exists in the node.js-url-parse package, which results in the URL's protocol being incorrectly taken from the document location instead of from the URL passed as an argument. An attacker could use this flaw to bypass security checks on URLs...
Druva inSync Client Arbitrary NodeJS Code Execution Vulnerability
Druva inSync Client is a lightweight application for managing data backups and allowing collaboration with other users. An arbitrary NodeJS code execution vulnerability exists in Druva inSync Client 6.5.0. The vulnerability stems from improper input validation. A locally authenticated attacker ca...
Command Injection
Overview: docker-compose-remote-api is a connection interface between docker-compose and the Docker Remote API. Affected versions of this package are vulnerable to Command Injection. Within index.js of the package, the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) uses the variable...
nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string
An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication...
ALPINE-CVE-2019-15605
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed...
PT-2022-1546 · Node.Js +7
Name of the Vulnerable Software and Affected Versions: Node.js versions prior to 12.22.9; Node.js versions prior to 14.18.3; Node.js versions prior to 16.13.2; Node.js versions prior to 17.3.1. Description: The issue is related to errors in the certificate authentication procedure, specifically with...
lodash input validation error vulnerability
lodash is an open source JavaScript utility library. An input validation error vulnerability exists in lodash version 0.0.1 for Node.js. The vulnerability stems from the product not properly validating input data. No details of the vulnerability are provided at this time...
CVE-2019-19729
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID allows an attacker to generate a malformed ObjectID by inserting an additional property into the user input, because bson-objectid returns early if it detects bsontype==ObjectID in the user input...
The vulnerability of the Apache Thrift interface description language in Node.js allows a hacker to gain unauthorized access to protected information.
The vulnerability of the Apache Thrift interface description language in Node.js lies in the lack of protection for service data. Exploiting this vulnerability can allow an attacker, operating remotely, to gain unauthorized access to protected information...
hexo-admin plugin for Node.js cross-site scripting vulnerability
hexo-admin plugin for Node.js is a backend administration plugin for use in Node.js. A cross-site scripting vulnerability exists in the Post editor feature in hexo-admin plugin for Node.js version 2.3.0 and earlier, which stems from the lack of proper validation of client-side data in a web...
The vulnerability relates to the HTTP/2 server implementations in the nginx web server, the Node.js software platform, and the SwiftNIO networking library. It involves uncontrolled resource consumption, allowing attackers to cause service failures.
The vulnerability in the HTTP/2 server implementations of nginx, the Node.js software platform, and the SwiftNIO networking framework is related to uncontrolled resource consumption when processing a header with a parameter equal to zero. Exploiting this vulnerability could allow a malicious acto...
The vulnerability of the URL parser in the Node.js library allows a hacker to gain unauthorized access to protected data.
The vulnerability of Node.js’s URL parser lies in errors during the processing of HTTP packets. Exploiting this vulnerability allows a malicious actor, operating remotely, to gain unauthorized access to protected data through HTTP requests...
PT-2019-3464
Name of the Vulnerable Software and Affected Versions: nginx (affected versions not specified); Node.js (affected versions not specified); SwiftNIO (affected versions not specified). Description: The issue is related to an uncontrolled resource consumption when receiving a header with a length parameter set...
nodejs: Denial of Service with large HTTP headers
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP...
The vulnerability in the Apache Thrift web server for Node.js exists due to an incorrect pathname limitation for the restricted access directory, allowing attackers to gain access to arbitrary files.
The vulnerability in the Apache Thrift web server for Node.js exists due to an incorrect pathname limitation for the restricted access directory. Exploiting this vulnerability could allow a malicious actor to gain access to arbitrary files...
thrift: Improper Access Control grants access to files outside the web server's docroot path
A flaw was found in the Node.js static web server in Apache Thrift, where it allowed a remote user to access files outside of the configured web server's docroot path. An attacker could use this flaw to possibly access unauthorized files and sensitive information...
keycloak: Node.js adapter internal NBF can be manipulated leading to DoS.
It was found that Keycloak's Node.js adapter did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely...
DEBIAN-CVE-2019-5737
In Node.js, including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and sending headers very slowly. This keeps the connection and associated...
PT-2019-3473 · Apache +8 · Apache Traffic Server +9
Name of the Vulnerable Software and Affected Versions: Apache Traffic Server (affected versions not specified); Apache HTTP Server (affected versions not specified); Node.js (affected versions not specified). Description: The issue is related to errors in the mechanism controlli...