AZL-65063 CVE-2025-23167 affecting package nodejs18 18.20.3-11
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...
UBUNTU-CVE-2025-23166
The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...
[ASA-202505-8] nodejs-lts-iron: multiple issues
Arch Linux Security Advisory ASA-202505-8 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23165 CVE-2025-23166 CVE-2025-23167 Package : nodejs-lts-iron Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2873 Summary ======= T...
[ASA-202505-7] nodejs-lts-jod: denial of service
Arch Linux Security Advisory ASA-202505-7 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23165 CVE-2025-23166 Package : nodejs-lts-jod Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2872 Summary ======= The package...
[ASA-202505-6] nodejs: denial of service
Arch Linux Security Advisory ASA-202505-6 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23166 Package : nodejs Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2871 Summary ======= The package nodejs before version...
MAL-2025-3910 Malicious code in nodejs-fetch-proxy (npm)
Source: ghsa-malware 80749ffba9365d62c589ea0137cde9db701626ae4ba97fc9f9149b61809ac107. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2025-23166
The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...
SUSE CVE-2025-23167
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...
Moderate: Red Hat Security Advisory: nodejs:20 security update
An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...
Alibaba Cloud Linux 3 : 0165: nodejs:14 (ALINUX3-SA-2022:0165)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0165 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2022-32212: An OS Command Injection...
Alibaba Cloud Linux 3 : 0014: nodejs:14 (ALINUX3-SA-2022:0014)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0014 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2020-28469: This affects the package...
HTTP Request Smuggling
Overview Affected versions of this package are vulnerable to HTTP Request Smuggling in the llhttp implementation, when handling HTTP/1 headers terminated with \r\n\rX instead of the required \r\n\r\n. Because a strict front end and the lenient parser disagree on where the header block ends, they also disagree on where the next request begins, which allows attackers to bypass proxy-based access controls and submit unauthorized requests...
Uncaught Exception
Overview Affected versions of this package are vulnerable to Uncaught Exception in the SignTraits::DeriveBits function, which incorrectly invokes ThrowException based on user inputs when executing in a background thread. This allows an attacker to trigger a runtime crash. Note: The cryptographic...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the ReadFileUtf8 internal binding, which fails to clean up pointers in uv_fs_s.file. UTF-16 path buffers leak memory, which can lead to denial of service. Note: CVE-2025-23122 is a...
Moderate: Red Hat Security Advisory: nodejs:20 security update
An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...
CVE-2025-47828
Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings...
Medium: nodejs22
Issue Overview: An issue in sqlite v3.49.0 allows an attacker to cause a denial of service via the SQLITE_DBCONFIG_LOOKASIDE component (CVE-2025-29088). Integer Overflow vulnerability in SQLite SQLite3 v3.50.0 allows a remote attacker to cause a denial of service via the setupLookaside function...
Fortinet FortiClient Code Execution due to Node.JS Environment Variable (FG-IR-24-025) (macOS)
The version of FortiClient installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-24-025 advisory. - An improper isolation or compartmentalization vulnerability (CWE-653) in FortiClientMac version 7.4.2 and below, version...
@lumieducation/h5p-server Fails to Sanitize Plain Text Strings
Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings...