382 matches found

CNVD
added 2019/01/08 12:0 a.m. · 4 views

Apache Thrift Node.js static web server access control error vulnerability

Apache Thrift is a framework for cross-platform development from the Apache Software Foundation in the United States. The Node.js static web server is one of its static web servers. An access control error vulnerability exists in the Apache Thrift Node.js static web server versions 0.9.2 through 0.11....

CVSS 6.5 · AI score 8.8 · EPSS 0.04875
Exploits 0 · References 1

OSV
added 2018/11/28 5:29 p.m. · 0 views

UBUNTU-CVE-2018-12122

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly, keeping HTTP or HTTPS connections and associated resources alive for a long period of time...

CVSS 7.5 · AI score 6.8 · EPSS 0.41288
Exploits 0 · References 4

OSV
added 2018/11/28 5:29 p.m. · 1 views

UBUNTU-CVE-2018-12123

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protoc...

CVSS 4.3 · AI score 6.7 · EPSS 0.0405
Exploits 0 · References 4

The Hacker News
added 2018/11/27 7:58 a.m. · 1 views

Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins

A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributors went rogue and infected it with malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is...

AI score 6.7
Exploits 0

Positive Technologies
added 2018/11/27 12:0 a.m. · 4 views

PT-2018-11028 · Node.Js +4

Name of the Vulnerable Software and Affected Versions: Node.js versions prior to 6.15.0; Node.js versions prior to 8.14.0; Node.js versions prior to 10.14.0; Node.js versions prior to 11.3.0. Description: The issue allows for a Denial of Service with large HTTP headers. By using a combination of many...

CVSS 9.8 · AI score 6.7 · EPSS 0.95707
Exploits 58 · References 567

RedHat Linux
added 2018/08/22 9:13 p.m. · 4 views

nodejs: Out of bounds (OOB) write via UCS-2 encoding

In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0, when used with UCS-2 encoding (recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le'), Buffer#write() can be abused to write outside of the bounds of a single Buffer. Writes that start from the second-to-last...

CVSS 7.5 · AI score 7.3 · EPSS 0.08028
Exploits 0 · References 4

OSV
added 2018/07/31 11:3 p.m. · 1 views

GHSA-HXF5-MG84-PJ4M Moderate severity vulnerability that affects moment

Withdrawn, accidental duplicate publish. The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."...

CVSS 7.8 · AI score 6.8 · EPSS 0.09905
Exploits 1 · References 2

BDU FSTEC
added 2018/07/27 12:0 a.m. · 3 views

The vulnerability of the phpinfo command in Node.js, specifically pdfinfojs, arises from insufficient neutralization of special elements in input data. This allows attackers to execute arbitrary commands.

The vulnerability of the phpinfo function in Node.js, specifically pdfinfojs, stems from the lack of mechanisms to neutralize special elements in input commands. Exploiting this vulnerability allows a remote attacker to execute arbitrary code using a specially crafted request...

CVSS 10 · AI score 6 · EPSS 0.04928
Exploits 1 · References 2 · Affected Software 1

BDU FSTEC
added 2018/07/27 12:0 a.m. · 4 views

The vulnerability of the console-io command shell in Node.js, related to authentication process flaws, allows attackers to execute arbitrary code.

The vulnerability of the console-io command shell for Node.js is related to deficiencies in the authentication process. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by connecting to the console using websocket...

CVSS 10 · AI score 6 · EPSS 0.02369
Exploits 0 · References 2 · Affected Software 1

CNVD
added 2018/06/29 12:0 a.m. · 2 views

dns-sync Command Injection Vulnerability

dns-sync is a library used in Node.js that resolves hostnames in a synchronized way. A security vulnerability exists in dns-sync. An attacker can exploit this vulnerability to inject commands with untrusted user input...

CVSS 10 · AI score 9.3 · EPSS 0.05132
Exploits 1 · References 1

CNVD
added 2018/06/15 12:0 a.m. · 4 views

Augustine Path Traversal Vulnerability

augustine is a static HTTP server used in Node.js. A path traversal vulnerability exists in augustine, which stems from the program's lack of url validation. The vulnerability can be exploited by sending a specially crafted GET request to read the contents of an arbitrary file with a known path...

CVSS 6.5 · AI score 6.5 · EPSS 0.01217
Exploits 1 · References 1

CNVD
added 2018/06/14 12:0 a.m. · 1 views

Node.js Denial of Service Vulnerability (CNVD-2018-11811)

Joyent Node.js is a web application platform from the US company Joyent, built on top of the Google V8 JavaScript engine. The platform is primarily used for building highly scalable applications and writing code that can handle tens of thousands of simultaneous connections to a singl...

CVSS 7.5 · AI score 7.1 · EPSS 0.06411
Exploits 0 · References 1

OSV
added 2018/06/01 6:29 p.m. · 1 views

CVE-2016-10623

macaca-chromedriver-zxa is a Node.js wrapper for the selenium chromedriver. macaca-chromedriver-zxa downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker...

CVSS 8.1 · AI score 6.3
Exploits 0 · References 1

OSV
added 2018/05/31 8:29 p.m. · 5 views

DEBIAN-CVE-2016-10539

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier, is vulnerable to Regular Expression Denial of Service via a specially crafted string...

CVSS 7.5 · AI score 7.3 · EPSS 0.01399
Exploits 0 · References 1

CNVD
added 2018/05/31 12:0 a.m. · 1 views

Joyent Node.js atob Denial of Service Vulnerability

Joyent Node.js is a web application platform from the US company Joyent, built on top of the Google V8 JavaScript engine. atob is a module that uses Buffer to simulate the browser's ATOB functionality. A security vulnerability exists in atob 2.0.3 and earlier on Joyent Node.js 4.x an...

CVSS 9.1 · AI score 6.7 · EPSS 0.02174
Exploits 1 · References 1

OSV
added 2018/05/29 8:29 p.m. · 3 views

CVE-2016-10590

cue-sdk-node is a Corsair Cue SDK wrapper for node.js. cue-sdk-node downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker i...

CVSS 8.1 · AI score 6.3 · EPSS 0.01752
Exploits 0 · References 1

CNVD
added 2018/03/06 12:0 a.m. · 1 views

Joyent Node.js ssri module denial of service vulnerability

Joyent Node.js is Joyent's web application platform built on top of Google's V8 JavaScript engine. The ssri module is one of the modules used for parsing, manipulating, serializing, and verifying the integrity of sub-resources. A security vulnerability exists in the index.js file in the...

CVSS 5.9 · AI score 6.7 · EPSS 0.01782
Exploits 0 · References 1

OSV
added 2018/03/04 9:29 p.m. · 5 views

AZL-32178 CVE-2017-18214 affecting package reaper for versions less than 3.1.1-10

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055...

CVSS 7.5 · AI score 6.5 · EPSS 0.03673
Exploits 0 · References 1

OSV
added 2018/03/04 1:29 a.m. · 1 views

UBUNTU-CVE-2018-7651

index.js in the ssri module before 5.2.2 for Node.js is prone to a regular expression denial of service vulnerability in strict mode functionality via a long base64 hash string...

CVSS 5.9 · AI score 6.2 · EPSS 0.01782
Exploits 0 · References 5

OSV
added 2017/12/11 9:29 p.m. · 0 views

UBUNTU-CVE-2017-15897

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will...

CVSS 3.1 · AI score 6.9 · EPSS 0.02303
Exploits 0 · References 3