354 matches found
DEBIAN-CVE-2018-13797
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec rather than execFile call...
Forms Cross-Site Scripting Vulnerability
Forms is a tool for creating, parsing and validating forms in Node.js. A cross-site scripting vulnerability exists in Forms versions prior to 1.3.0, which stems from the program's failure to properly escape HTML and can be exploited by a remote attacker to inject arbitrary web script or HTML...
Node.js Denial of Service Vulnerability (CNVD-2018-11809)
Joyent Node.js is the United States Joyent company's set of web applications built on top of the Google V8 JavaScript engine platform. The platform is primarily used for building highly scalable applications and writing code that can handle tens of thousands of simultaneous connections to a singl...
UBUNTU-CVE-2018-7167
Calling Buffer.fill or Buffer.alloc with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc and Buffer.fill were updated so that they zero fill instead of hanging in these cases. All versions of...
CVE-2016-10571
bkjs-wand is imagemagick wand support for node.js and backendjs bkjs-wand versions lower than 0.3.2 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution RCE by swapping out the requested binary with an attacker controll...
UBUNTU-CVE-2018-7159
The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12. The HTTP specification does not allow for spaces in the Content-Length value and the Node.js HTTP parser has been...
Node.js Denial of Service Vulnerability (CNVD-2017-36052)
Joyent Node.js is the United States Joyent company's set of web applications built on top of the Google V8 JavaScript engine platform. The platform is primarily used for building highly scalable applications and writing code that can handle tens of thousands of simultaneous connections to a singl...
nodejs: Constant Hashtable Seeds vulnerability
It was found that Node.js was using a non-randomized seed when populating hash tables. An attacker, able to supply a large number of inputs, could send specially crafted entries to the Node.js application, maximizing hash collisions to trigger an excessive amount of CPU usage, resulting in a deni...
MGASA-2017-0204 Updated nodejs packages fix security vulnerability
Node.js has a defect that may make HTTP response splitting possible under certain circumstances. If user-input is passed to the reason argument to writeHead on an HTTP response, a new-line character may be used to inject additional responses CVE-2016-5325. The tls.checkServerIdentity function in...
Red Hat Keycloak Node.js adapter authentication bypass vulnerability
Red Hat Keycloak Node.js adapter Red Hat's open source set of Node.js adapters for authentication and access management software in modern applications and services. A security vulnerability exists in Red Hat Keycloak Node.js adapter versions 2.5 through 3.0, which stems from the program failing ...
DEBIAN-CVE-2015-8858
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service CPU consumption via crafted input in a parse call, aka a "regular expression denial of service ReDoS."...
IBM SDK for Node.js Denial of Service Vulnerability
IBM SDK for Node.js is a set of U.S. IBM based on the Node.js open source project and for the IBM platform to provide an independent JavaScript runtime environment and server-side JavaScript solutions . A local denial of service vulnerability exists in IBM SDK for Node.js. An attacker could explo...
DEBIAN-CVE-2016-2086
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header...
TrendMicro node.js http server arbitrary command execution vulnerability
Trend Micro is a global leader in network security software and services, leading the trend from desktop antivirus to network server and gateway antivirus with excellent foresight and technological innovation capabilities, and proving Trend Micro's foresight and leadership to the industry with it...