58 matches found

OSV
added 2024/10/10 1:15 a.m. · 2 views

UBUNTU-CVE-2024-48949

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...

CVSS 9.1 · AI score 6.7 · EPSS 0.00507
Exploits 0 · References 4
OSV
added 2024/10/08 6:30 a.m. · 1 view

GHSA-62CX-5XJ4-WFM4 ggit is vulnerable to Command Injection via the fetchTags(branch) API

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along with a git command which is then passed to the unsafe exec Node.js child process API...

CVSS 7.3 · AI score 5.9 · EPSS 0.01247
Exploits 0 · References 4
OSV
added 2024/09/07 4:15 p.m. · 2 views

ALPINE-CVE-2023-39333

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability...

CVSS 5.3 · AI score 7.2 · EPSS 0.00936
Exploits 0 · References 1
OSV
added 2024/03/07 5:40 p.m. · 3 views

GHSA-HHHV-Q57G-882Q jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext

A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a resul...

CVSS 5.3 · AI score 6.3 · EPSS 0.02085
Exploits 0 · References 10
CNNVD
added 2023/06/29 12:00 a.m. · 2 views

nodejs security vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in nodejs that stems from not strictly using CRLF sequences to delimit HTTP requests, which could lead to HTTP request smuggling (HRS)...

CVSS 7.5 · AI score 7.1 · EPSS 0.03906
Exploits 1 · References 15
CNNVD
added 2023/06/29 12:00 a.m. · 1 view

Node.js security vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. Node.js suffers from a security vulnerability that stems from not generating a key after setting a private key, which can easily lead to security issues with using the application...

CVSS 7.5 · AI score 7 · EPSS 0.01462
Exploits 0 · References 6
OSV
added 2023/02/23 8:15 p.m. · 0 views

UBUNTU-CVE-2023-23918

A privilege escalation vulnerability exists in Node.js 19.6.1, 18.14.1, 16.19.1 and 14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require. This only...

CVSS 7.5 · AI score 7 · EPSS 0.02023
Exploits 0 · References 6
SUSE CVE
added 2023/02/15 5:26 a.m. · 3 views

SUSE CVE-2014-7192

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to execute arbitrary code via a crafted file...

CVSS 10 · AI score 8.1 · EPSS 0.13441
Exploits 1 · References 3
SUSE CVE
added 2023/02/15 5:12 a.m. · 2 views

SUSE CVE-2015-8315

The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."...

CVSS 7.8 · AI score 6.8 · EPSS 0.06768
Exploits 1 · References 3
OSV
added 2022/12/05 10:15 p.m. · 1 view

DEBIAN-CVE-2022-43548

An OS Command Injection vulnerability exists in Node.js versions 14.21.1, 16.18.1, 18.12.1, 19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. Th...

CVSS 8.1 · AI score 6.8 · EPSS 0.14024
Exploits 0 · References 1
RedHat Linux
added 2022/10/18 9:06 a.m. · 6 views

nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding

A vulnerability was found in NodeJS due to the llhttp parser in the HTTP module incorrectly handling multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle...

CVSS 6.5 · AI score 7.5 · EPSS 0.68796
Exploits 1 · References 5
RedHat Linux
added 2022/09/13 9:48 a.m. · 2 views

nodejs: DNS rebinding in --inspect via invalid IP addresses

A vulnerability was found in NodeJS, where the IsAllowedHost check can be easily bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance, 10.0.2.555 is provided), browsers such as Firefox will make DNS requests ...

CVSS 8.1 · AI score 7.7 · EPSS 0.05614
Exploits 0 · References 5
RedHat Linux
added 2022/02/01 9:18 p.m. · 3 views

llhttp: HTTP Request Smuggling when parsing the body of chunked requests

An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied such as proxy, reverse-proxy, load-balancer, an...

CVSS 6.5 · AI score 7.4 · EPSS 0.02299
Exploits 1 · References 5
Positive Technologies
added 2021/07/12 12:00 a.m. · 1 view

PT-2021-15277 · Node.Js · Node.Js

Name of the Vulnerable Software and Affected Versions: Node.js versions prior to 16.4.1; Node.js versions prior to 14.17.2; Node.js versions prior to 12.22.2. Description: The issue allows for local privilege escalation attacks under certain conditions on Windows platforms due to improper...

CVSS 7.8 · AI score 7.3 · EPSS 0.07409
Exploits 1 · References 8
CNNVD
added 2021/04/16 12:00 a.m. · 5 views

jose-node-cjs-runtime security vulnerability

npm jose-node-cjs-runtime is an application from the American company npm. Provides distributions of jose with smaller bundle/installation sizes. A security vulnerability exists in jose-node-cjs-runtime in versions prior to 3.11.4, which stems from the possibility of a significant difference in t...

CVSS 5.9 · AI score 7 · EPSS 0.01238
Exploits 0 · References 3
CNVD
added 2020/04/27 12:00 a.m. · 2 views

decompress package path traversal vulnerability

decompress package is a decompression package. A path traversal vulnerability exists in decompress package versions prior to 4.2.1 for Node.js. This vulnerability can be exploited to write arbitrary files with the help of the '../' string...

CVSS 9.8 · AI score 6.9 · EPSS 0.02174
Exploits 1 · References 1
OSV
added 2017/11/17 3:29 a.m. · 2 views

UBUNTU-CVE-2017-1000188

nodejs ejs versions older than 2.5.5 are vulnerable to cross-site scripting in ejs.renderFile, resulting in code injection...

CVSS 6.1 · AI score 6.4 · EPSS 0.01233
Exploits 0 · References 3
RedHat Linux
added 2017/10/23 9:19 a.m. · 2 views

nodejs: Constant Hashtable Seeds vulnerability

It was found that Node.js was using a non-randomized seed when populating hash tables. An attacker, able to supply a large number of inputs, could send specially crafted entries to the Node.js application, maximizing hash collisions to trigger an excessive amount of CPU usage, resulting in a deni...

CVSS 7.5 · AI score 7.1 · EPSS 0.05478
Exploits 1 · References 5