4417 matches found
nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite
A flaw was found in the npm package "tar" aka node-tar. Extracting tar files that contain both a directory and a symlink with the same name, where the symlink and directory names in the archive entry used backslashes as a path separator, made it possible to bypass node-tar symlink checks on...
Debian DSA-5170-1 : nodejs - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5170 advisory. - The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp v2.1.4 and...
validate-data denial-of-service vulnerability (CNVD-2022-66399)
validate-data is a Node.js backend library by individual developer Anoop P R. It is used to validate data according to the provided rules. A denial of service vulnerability exists in validate-data version v0.1.1, which stems from not properly handling incoming error messages and can be exploited b...
DSA-5170-1 nodejs - security update
Bulletin has no description...
Malicious Package
Overview heroku-nodejs-plugin is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...
Malicious Package
Overview nodejs-email is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...
nodejs: Improper handling of URI Subject Alternative Names
A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host...
nodejs: Certificate Verification Bypass via String Injection
It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host...
Moderate: Red Hat Enhancement Advisory: nodejs:12 bug fix and enhancement update
An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Bug Fixes and Enhancements: nodejs:12/nodejs: rebase to last upstream release...
Malicious code in nodejs-docs-samples-iot-mqtt-example (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8a02c1e75441fabe4bcc6557ef33ce2bba5bdb671f2147161ddf0d05a90809ca Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-3040 Malicious code in finastra-nodejs-libs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4e6a9bcca9d10ce688e00eb4a63926581e73d476c15bb88fff42f9fb30a39f25 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in facebook-nodejs-business-sdk-tests (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e8d8d81ca4b948dcfa09565e5cd03395cbd94a463bf6d49437beb32b5bb1d202 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-2961 Malicious code in facebook-nodejs-business-sdk-tests (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e8d8d81ca4b948dcfa09565e5cd03395cbd94a463bf6d49437beb32b5bb1d202 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in output-scrubber-nodejs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 829581de609b2fcf550934065e545fa2285dce1e58ea023cc6a0dad0ac0c3d51 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-7038 Malicious code in wallet-nodejs-binding (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 19008a50d899f9a3a78116d541b53e03f18a52847e6345eec6823b6adcc6a564 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in wallet-nodejs-binding (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 19008a50d899f9a3a78116d541b53e03f18a52847e6345eec6823b6adcc6a564 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in redox-sample-nodejs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bdfcea410bd0098b0575e6d4dee47cf9f4d4afbc2087c9a1fb51a622cf29d682 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-5724 Malicious code in redox-sample-nodejs (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bdfcea410bd0098b0575e6d4dee47cf9f4d4afbc2087c9a1fb51a622cf29d682 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in capacitybot-cf-nodejs-fct (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f5b42f3b06d0df2c9f6aae3bfb77770c06bbe2113bc58d1516d24cb876fb1aa3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-1825 Malicious code in capacitybot-cf-nodejs-fct (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f5b42f3b06d0df2c9f6aae3bfb77770c06bbe2113bc58d1516d24cb876fb1aa3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...