4420 matches found

RedHat Linux
added 2024/03/20 10:5 a.m. · 4 views

nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks

A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...

CVSS 7.5 · AI score 7.1 · EPSS 0.03168
Exploits 0 · References 4
OSV
added 2024/03/20 12:0 a.m. · 51 views

ALSA-2024:1444 Important: nodejs:16 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks CVE-2024-22019 nodejs: HTTP/2: Multiple HTTP/2 enabled...

CVSS 7.5 · AI score 8.7 · EPSS 0.99999
Exploits 19 · References 6
CBLMariner
added 2024/03/19 5:21 p.m. · 20 views

CVE-2024-0727 affecting package nodejs for versions less than 16.20.2-2

CVE-2024-0727 affecting package nodejs for versions less than 16.20.2-2. A patched version of the package is available...

CVSS 5.5 · AI score 6.9 · EPSS 0.03174
Exploits 0
OSV
added 2024/03/19 5:15 a.m. · 5 views

AZL-35911 CVE-2024-22025 affecting package nodejs18 for versions less than 18.18.2-5

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch function in Node.js always decodes Brotli, making i...

CVSS 6.5 · AI score 6.8 · EPSS 0.01309
Exploits 0 · References 1
OSV
added 2024/03/19 5:15 a.m. · 5 views

AZL-35899 CVE-2024-22017 affecting package nodejs for versions less than 20.14.0-1

setuid does not affect libuv's internal io_uring operations if initialized before the call to setuid. This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid. This vulnerability affects all users using version greater or...

CVSS 7.3 · AI score 6.9 · EPSS 0.00893
Exploits 0 · References 1
Photon
added 2024/03/19 12:0 a.m. · 34 views

Important Photon OS Security Update - PHSA-2024-3.0-0738

Updates of 'linux-aws', 'linux-rt', 'linux-esx', 'nodejs', 'linux-secure', 'linux', 'openvswitch' packages of Photon OS have been released...

CVSS 7.8 · AI score 6.7 · EPSS 0.03168
Exploits 0
RedHat Linux
added 2024/03/18 10:37 a.m. · 2 views

nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks

A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...

CVSS 7.5 · AI score 7.1 · EPSS 0.03168
Exploits 0 · References 4
Securelist
added 2024/03/12 10:0 a.m. · 47 views

Top 10 web application vulnerabilities in 2021–2023

To help companies with navigating the world of web application vulnerabilities and securing their own web applications, the Open Web Application Security Project (OWASP) online community created the OWASP Top Ten. As we followed their rankings, we noticed that the way we ranked major vulnerabilitie...

AI score 8.2
Exploits 0
Tenable Nessus
added 2024/03/06 12:0 a.m. · 35 views

SUSE SLES15 Security Update : nodejs16 (SUSE-SU-2024:0728-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0728-1 advisory. Security issues fixed: CVE-2023-46809: Node.js is vulnerable to the Marvin Attack timing variant of the Bleichenbacher attack again...

CVSS 7.5 · AI score 6.7 · EPSS 0.03168
Exploits 1 · References 16
CBLMariner
added 2024/03/05 5:52 p.m. · 53 views

CVE-2023-42282 affecting package nodejs for versions less than 16.20.2-3

CVE-2023-42282 affecting package nodejs for versions less than 16.20.2-3. A patched version of the package is available...

CVSS 9.8 · AI score 9.6 · EPSS 0.01613
Exploits 1
Amazon
added 2024/03/05 12:0 a.m. · 5 views

Important: nodejs20

Issue Overview: The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. This misleading documentation affects all users using the experimental permission model in active release lines: 20.x and 21.x. Please note...

CVSS 9.8 · AI score 6.9 · EPSS 0.03168
Exploits 0
BDU FSTEC
added 2024/03/04 12:0 a.m. · 5 views

The vulnerability of the chown package on the Node.js software platform allows a malicious actor to gain unauthorized access to arbitrary directories.

The vulnerability of the chown package on the Node.js software platform is related to synchronization errors when using a shared resource ("race condition"). Exploiting this vulnerability can allow an attacker to gain unauthorized access to arbitrary directories...

CVSS 2.5 · AI score 6.8 · EPSS 0.00334
Exploits 1 · References 5 · Affected Software 2
Tenable Nessus
added 2024/03/01 12:0 a.m. · 43 views

SUSE SLES12 Security Update : nodejs16 (SUSE-SU-2024:0731-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0731-1 advisory. Security issues fixed: CVE-2023-46809: Node.js is vulnerable to the Marvin Attack timing variant of the Bleichenbacher attack again...

CVSS 7.5 · AI score 6.7 · EPSS 0.03168
Exploits 1 · References 16
Veracode
added 2024/02/29 4:13 a.m. · 37 views

Denial Of Service (DOS)

NodeJS is vulnerable to Denial of Service (DoS). The vulnerability is caused by the fact that the fetch function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed int...

CVSS 6.5 · AI score 6.9 · EPSS 0.01309
Exploits 0 · References 4 · Affected Software 1
Tenable Nessus
added 2024/02/29 12:0 a.m. · 40 views

CentOS 9 : nodejs-nodemon-2.0.20-2.el9

The remote CentOS Linux 9 host has a package installed that is affected by a vulnerability as referenced in the nodejs-nodemon-2.0.20-2.el9 build changelog. - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). CVE-2021-44906 Note that Nessus has...

CVSS 9.8 · AI score 7.3 · EPSS 0.04581
Exploits 1 · References 2
Tenable Nessus
added 2024/02/29 12:0 a.m. · 28 views

CentOS 9 : nodejs-nodemon-2.0.20-3.el9

The remote CentOS Linux 9 host has a package installed that is affected by a vulnerability as referenced in the nodejs-nodemon-2.0.20-3.el9 build changelog. - The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular...

CVSS 7.5 · AI score 6.9 · EPSS 0.01589
Exploits 1 · References 2
Tenable Nessus
added 2024/02/29 12:0 a.m. · 21 views

CentOS 9 : nodejs-16.16.0-1.el9

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the nodejs-16.16.0-1.el9 build changelog. - Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs...

CVSS 9.8 · AI score 7.1 · EPSS 0.77278
Exploits 13 · References 19
Positive Technologies
added 2024/02/29 12:0 a.m. · 3 views

PT-2024-5241 · Node.Js +1 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: Node.js versions 18.x, 20.x, and 21.x Description: The issue is related to the improper handling of batch files in child_process.spawn and child_process.spawnSync on Windows platforms. This allows a malicious command line argument to inject...

CVSS 10 · AI score 6.3 · EPSS 0.01387
Exploits 0 · References 64
OSV
added 2024/02/28 8:43 a.m. · 5 views

SUSE-SU-2024:0644-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to 18.19.1: security updates CVE-2024-21892: Code injection and privilege escalation through Linux capabilities (bsc#1219992). CVE-2024-22019: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks...

CVSS 7.8 · AI score 6.8 · EPSS 0.03168
Exploits 1 · References 13
OSV
added 2024/02/28 8:43 a.m. · 12 views

SUSE-SU-2024:0643-1 Security update for nodejs20

This update for nodejs20 fixes the following issues: Update to 20.11.1: security updates CVE-2024-21892: Code injection and privilege escalation through Linux capabilities (bsc#1219992). CVE-2024-22019: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks...

CVSS 9.8 · AI score 7 · EPSS 0.03168
Exploits 1 · References 22