153 matches found
Nodejs Security Vulnerabilities
nodejs is a JavaScript runtime environment based on the ChromeV8 engine by packaging the Chromev8 engine and the use of event-driven and non-blocking IO applications to make the development of high-performance Javascript background applications possible. A security vulnerability exists in Nodejs,...
nodejs: HTTP request smuggling via two copies of a header field in an http request
A flaw was found in nodejs. Affected versions of Node.js allow two copies of a header field in an HTTP request. The first header field is recognized while the second is ignored leading to HTTP request smuggling. The highest threat from this vulnerability is to data confidentiality and integrity...
nodejs: use-after-free in the TLS implementation
A flaw was found in nodejs. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResu...
nodejs: HTTP request smuggling due to CR-to-Hyphen conversion
A flaw was found in Node.js, where affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This flaw leads to HTTP Request Smuggling as it is a non-standard interpretation of the header. The highest threat from this vulnerability is to...
nodejs: TLS session reuse can lead to hostname verification bypass
A TLS Hostname verification bypass vulnerability exists in NodeJS. This flaw allows an attacker to bypass TLS Hostname verification when a TLS client reuses HTTPS sessions...
nodejs: HTTP header values do not have trailing optional whitespace trimmed
A flaw was found in Node.js where the HTTPs header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTPs request which is validated by an upstream proxy server, but not by the Node.js HTTPs server...
nodejs: Hostname spoofing in URL parser for javascript protocol
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" e.g. "javAscript:" protoc...
nodejs: Out of bounds (OOB) write via UCS-2 encoding
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le', Bufferwrite can be abused to write outside of the bounds of a single Buffer. Writes that start from the second-to-last...
DEBIAN-CVE-2018-7164
Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by...
UBUNTU-CVE-2017-15896
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSLread due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption...
CVE-2017-1000189
nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile...
Elastic Stack 5.5.1 and Kibana 4.6.5 security update
Kibana Node.js security flaw ESA-2017-14 The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in it's HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js preventing Kibana from servicing requests...
Red Hat OpenShift Container Platform nodejs Denial of Service Vulnerability
Red Hat OpenShift Container Platform is a Red Hat application platform that enables organizations to develop, deploy, and manage existing container-based applications across physical, virtual, and public cloud infrastructures. nodejs is a web application platform built on top of Google's V8...