4420 matches found
Important: nodejs
Issue Overview: An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of packets, each containing a few HTTP/2 frames. Data can be left behind in nghttp2 memory after a stream reset when headers with an HTTP/2 CONTINUATION frame are sent to the...
nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...
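The failure mode summarised above is a parser that keeps reading chunk-extension bytes while waiting for a CRLF the client never sends. The following added example (not Node.js's own llhttp code) is a small streaming decoder for HTTP/1.1 chunked transfer-encoding that caps the bytes it will spend on an extension and rejects the connection as soon as the cap is exceeded, rather than after a line terminator arrives. The 16 KiB cap, the `ChunkedDecoder` class and the helper names are assumptions made for this example; trailer fields are deliberately not supported.

```javascript
// Added example: bounded chunk-extension handling for HTTP/1.1 chunked bodies.
// Not from the advisory or from Node.js; the cap below is an assumed value.
const DEFAULT_MAX_EXTENSION_BYTES = 16 * 1024;

function isHexDigit(b) {
  return (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x46) || (b >= 0x61 && b <= 0x66);
}

class ChunkedDecoder {
  constructor(maxExtensionBytes = DEFAULT_MAX_EXTENSION_BYTES) {
    this.maxExt = maxExtensionBytes;
    this.state = 'size';   // size, ext, sizeLF, data, dataCR, dataLF, endCR, endLF, done
    this.sizeHex = '';
    this.extBytes = 0;     // extension bytes consumed for the current chunk
    this.remaining = 0;    // payload bytes still expected for the current chunk
    this.parts = [];
    this.done = false;
  }

  // Feed one network read; throws on malformed input or an oversized extension.
  feed(buf) {
    let i = 0;
    while (i < buf.length && !this.done) {
      const b = buf[i];
      switch (this.state) {
        case 'size':
          if (b === 0x3b) { if (!this.sizeHex) throw new Error('missing chunk size'); this.state = 'ext'; }
          else if (b === 0x0d) { if (!this.sizeHex) throw new Error('missing chunk size'); this.state = 'sizeLF'; }
          else if (isHexDigit(b) && this.sizeHex.length < 8) this.sizeHex += String.fromCharCode(b);
          else throw new Error('invalid chunk size line');
          i++;
          break;
        case 'ext':
          // The bounded read: give up once the extension exceeds the cap, without
          // waiting for a CRLF that an attacker can withhold indefinitely.
          if (b === 0x0d) this.state = 'sizeLF';
          else if (++this.extBytes > this.maxExt) throw new Error(`chunk extension exceeds ${this.maxExt} bytes`);
          i++;
          break;
        case 'sizeLF':
          if (b !== 0x0a) throw new Error('expected LF after chunk size');
          this.remaining = parseInt(this.sizeHex, 16);
          this.sizeHex = '';
          this.extBytes = 0;
          this.state = this.remaining === 0 ? 'endCR' : 'data';
          i++;
          break;
        case 'data': {
          const n = Math.min(this.remaining, buf.length - i);
          this.parts.push(Buffer.from(buf.subarray(i, i + n)));
          this.remaining -= n;
          i += n;
          if (this.remaining === 0) this.state = 'dataCR';
          break;
        }
        case 'dataCR':
          if (b !== 0x0d) throw new Error('expected CR after chunk data');
          this.state = 'dataLF'; i++; break;
        case 'dataLF':
          if (b !== 0x0a) throw new Error('expected LF after chunk data');
          this.state = 'size'; i++; break;
        case 'endCR':
          if (b !== 0x0d) throw new Error('trailer fields are not supported by this example');
          this.state = 'endLF'; i++; break;
        case 'endLF':
          if (b !== 0x0a) throw new Error('expected LF after final chunk');
          this.state = 'done'; this.done = true; i++; break;
      }
    }
  }

  body() {
    if (!this.done) throw new Error('body incomplete');
    return Buffer.concat(this.parts);
  }
}

// Well-formed constructed body with a short, legal extension on the first chunk.
function decodeSample() {
  const d = new ChunkedDecoder();
  d.feed(Buffer.from('5;name=value\r\nhello\r\n6\r\n world\r\n0\r\n\r\n', 'latin1'));
  return d.body().toString('utf8');
}

// Constructed attack: "1;" followed by extension bytes trickled in small reads and
// never a CRLF. Returns how many extension bytes were accepted before rejection,
// or -1 if the whole stream was accepted (the unbounded behaviour).
function simulateTrickle(maxExtensionBytes, totalBytes, readSize = 1024) {
  const d = new ChunkedDecoder(maxExtensionBytes);
  d.feed(Buffer.from('1;', 'latin1'));
  let sent = 0;
  while (sent < totalBytes) {
    const n = Math.min(readSize, totalBytes - sent);
    try {
      d.feed(Buffer.alloc(n, 0x61));
    } catch (e) {
      return d.extBytes;
    }
    sent += n;
  }
  return -1;
}
```

With the cap in place `simulateTrickle(16 * 1024, 1 << 20)` stops after the first byte past the cap; with `Infinity` as the cap the same 1 MiB stream is accepted in full and the decoder is still waiting for more, which is the condition the advisory describes.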
libxmljs security vulnerability
libxmljs is the LibXML binding for Node.js. A security vulnerability exists in libxmljs that stems from a type confusion flaw...
Fedora 40 : nodejs-undici (2024-a5dc987f91)
The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-a5dc987f91 advisory. Update to version 6.11.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...
DEBIAN-CVE-2024-33883
The ejs aka Embedded JavaScript templates package before 3.1.10 for Node.js lacks certain pollution protection...
RHEL 7 / 8 : Red Hat Ansible Automation Platform 1.2.2 (RHSA-2021:0781)
The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0781 advisory. Red Hat Ansible Automation Platform integrates Red Hat's automation suite consisting of Red Hat Ansible Tower, Red Hat Ansible Engine,...
RHEL 6 / 7 : rh-nodejs4-nodejs (RHSA-2017:3002)
The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2017:3002 advisory. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven,...
RHEL 6 / 7 : rh-nodejs6-nodejs (RHSA-2018:2944)
The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:2944 advisory. - nodejs: Out-of-bounds (OOB) write via UCS-2 encoding (CVE-2018-12115). Note that Nessus has not tested for this issue but has instead relied only on...
RHEL 6 / 7 : rh-nodejs4-nodejs-tough-cookie (RHSA-2017:2912)
The remote Redhat Enterprise Linux 6 / 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2017:2912 advisory. Tough-Cookie is a Node.js module that offers RFC6265 Cookies and Cookie Jar. The following packages have been upgraded to a later upstre...
RHEL 6 / 7 : rh-nodejs6-nodejs-tough-cookie (RHSA-2017:2913)
The remote Redhat Enterprise Linux 6 / 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2017:2913 advisory. Tough-Cookie is a Node.js module that offers RFC6265 Cookies and Cookie Jar. The following packages have been upgraded to a later upstream versio...
RHEL 7 : rh-nodejs8-nodejs (RHSA-2018:2949)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2949 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...
AZL-39968 CVE-2023-6237 affecting package nodejs18 for versions less than 18.20.2-1
Issue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may...
nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)
A flaw was found in Node.js. The privateDecrypt API of the crypto library may allow a covert timing side-channel during PKCS#1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decry...
RHEL 9 : nodejs:18 (RHSA-2024:1932)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1932 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...
PT-2024-5124
Name of the Vulnerable Software and Affected Versions: Node.js versions 20 through 21 Description: A flaw in the experimental permission model of Node.js allows malicious actors to retrieve stats from files they do not have explicit read access to when the --allow-fs-read flag is used. This issue...
Ubuntu: Security Advisory (USN-6735-1)
The remote host is missing an update announced via the USN-6735-1 advisory...
SUSE-SU-2024:1309-1 Security update for nodejs18
This update for nodejs18 fixes the following issues: Update to 18.20.1 Security fixes: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash (bsc#1222244) - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscatio...
SUSE-SU-2024:1307-1 Security update for nodejs18
This update for nodejs18 fixes the following issues: Update to 18.20.1 Security fixes: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash (bsc#1222244) - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscatio...
Exploit for CVE-2024-27983
This repository builds up a vulnerable HTTP2 Node.js server se...