4418 matches found
nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets
A flaw was found in the got package for node.js. Requested URLs are not verified and allow open redirection to a local UNIX socket...
nodejs: HTTP request smuggling due to improper delimiting of header fields
A vulnerability was found in NodeJS due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows an attacker to send a specially crafted HTTP request to the server and smuggle arbitra...
RHEL 8 : nodejs:14 (RHSA-2022:6448)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6448 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...
CentOS 8 : nodejs:16 (CESA-2022:6449)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2022:6449 advisory. - nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) - nodejs: DNS rebinding in --inspect via inval...
CentOS 8 : nodejs:14 (CESA-2022:6448)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2022:6448 advisory. - nodejs: DNS rebinding in --inspect via invalid IP addresses (CVE-2022-32212) - nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encodin...
RHEL 8 : nodejs:16 (RHSA-2022:6449)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6449 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...
SUSE-SU-2022:3251-1 Security update for nodejs16
This update for nodejs16 fixes the following issues: - CVE-2022-35949: Fixed SSRF when an application takes in user input into the path/pathname option of undici.request (bsc#1202382). - CVE-2022-35948: Fixed CRLF injection via Content-Type (bsc#1202383). - CVE-2022-29244: Fixed npm pack ignores...
SUSE-SU-2022:3250-1 Security update for nodejs16
This update for nodejs16 fixes the following issues: - CVE-2022-35949: Fixed SSRF when an application takes in user input into the path/pathname option of undici.request (bsc#1202382). - CVE-2022-35948: Fixed CRLF injection via Content-Type (bsc#1202383). - CVE-2022-29244: Fixed npm pack ignores...
nodejs-underscore: Arbitrary code execution via the template function
A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when a variable property is passed as an argument as it is not sanitized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system...
nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets
A flaw was found in the got package for node.js. Requested URLs are not verified and allow open redirection to a local UNIX socket...
nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding
A vulnerability was found in NodeJS due to the llhttp parser in the HTTP module incorrectly handling multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle...
nodejs: DNS rebinding in --inspect via invalid IP addresses
A vulnerability was found in NodeJS, where the IsAllowedHost check can be easily bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance, 10.0.2.555 is provided), browsers such as Firefox will make DNS requests ...
Important Photon OS Security Update - PHSA-2022-0515
Updates of 'nodejs' packages of Photon OS have been released...
RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2022:6389)
The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6389 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...
Malicious code in google-auth-library-nodejs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cba35f5d5ad2abbe0f380ecedf252a58857f3f01eb94ccd979f4ebcb752adef7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-3411 Malicious code in google-auth-library-nodejs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cba35f5d5ad2abbe0f380ecedf252a58857f3f01eb94ccd979f4ebcb752adef7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2022-32215 affecting package nodejs for versions less than 16.16.0-1
CVE-2022-32215 affecting package nodejs for versions less than 16.16.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2022-32214 affecting package nodejs for versions less than 16.16.0-1
CVE-2022-32214 affecting package nodejs for versions less than 16.16.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2022-32213 affecting package nodejs for versions less than 16.20.2-4
CVE-2022-32213 affecting package nodejs for versions less than 16.20.2-4. An upgraded version of the package is available that resolves this issue...
CVE-2022-32212 affecting package nodejs for versions less than 16.20.2-4
CVE-2022-32212 affecting package nodejs for versions less than 16.20.2-4. An upgraded version of the package is available that resolves this issue...