4411 matches found

CNVD
Added 2021/12/24 12:00 a.m., 14 views

Nodejs Command Injection Vulnerability

Node.js is a JavaScript runtime environment built on the Chrome V8 engine; it uses an event-driven, non-blocking I/O model that makes high-performance JavaScript back-end applications possible. A command injecti...

CVSS 9.8, AI score 9.7, EPSS 0.04063
Exploits: 1, References: 1
RedHat Linux
Added 2021/12/16 5:21 p.m., 1 view

llhttp: HTTP Request Smuggling when parsing the body of chunked requests

An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as a proxy, reverse proxy, or load balancer), an...

CVSS 6.5, AI score 7.4, EPSS 0.02299
Exploits: 1, References: 5
RedHat Linux
Added 2021/12/16 5:21 p.m., 1 view

nodejs-json-schema: Prototype pollution vulnerability

The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code...

CVSS 9.8, AI score 7.6, EPSS 0.03563
Exploits: 1, References: 4
RedHat Linux
Added 2021/12/16 5:21 p.m., 1 view

nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes

A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes...

CVSS 7.8, AI score 7.1, EPSS 0.03304
Exploits: 1, References: 5
Tenable Nessus
Added 2021/12/16 12:00 a.m., 63 views

RHEL 8 : nodejs:16 (RHSA-2021:5171)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5171 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

CVSS 9.8, AI score 7.2, EPSS 0.04456
Exploits: 6, References: 17
Tenable Nessus
Added 2021/12/16 12:00 a.m., 47 views

CentOS 8 : nodejs:16 (CESA-2021:5171)

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:5171 advisory.
- nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469)
- nodejs-ini: Prototype pollution via malicious INI file (CVE-2020-7788)
- ...

CVSS 9.8, AI score 7.1, EPSS 0.04456
Exploits: 6, References: 8
Rockylinux
Added 2021/12/15 7:09 p.m., 40 views

nodejs:16 security, bug fix, and enhancement update

An update is available for nodejs-nodemon, nodejs, nodejs-packaging. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Node.js is a software development platform f...

CVSS 9.8, AI score 8.8, EPSS 0.04456
Exploits: 6
RedHat Linux
Added 2021/12/14 9:31 p.m., 101 views

Critical: Red Hat Security Advisory: Red Hat Fuse 7.10.0 release and security update

A minor version update from 7.9 to 7.10 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring...

CVSS 10, AI score 7.1, EPSS 0.99999
Exploits: 384, References: 58
RedHat Linux
Added 2021/12/13 7:26 p.m., 59 views

Moderate: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.9.0 enhancement, security, and bug fix update

Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.9.0 on Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVS...

CVSS 8.6, AI score 6.8, EPSS 0.15014
Exploits: 5, References: 106
OSV
Added 2021/12/10 9:43 a.m., 6 views

OPENSUSE-SU-2021:1552-1 Security update for nodejs14

This update for nodejs14 fixes the following issues: nodejs14 was updated to 14.18.1: deps: update llhttp to 2.1.4
- HTTP Request Smuggling due to spaced in headers (bsc1191601, CVE-2021-22959)
- HTTP Request Smuggling when parsing the body (bsc1191602, CVE-2021-22960)
Changes in 14.18.0: buffer: +...

CVSS 8.6, AI score 7.4, EPSS 0.03286
Exploits: 2, References: 15
OSV
Added 2021/12/10 12:15 a.m., 3 views

ALPINE-CVE-2021-43803

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom...

CVSS 7.5, AI score 6.7, EPSS 0.44824
Exploits: 0, References: 1
Snyk
Added 2021/12/07 2:51 p.m., 2 views

Denial of Service (DoS)

Overview: Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious attacker can send a modified form to the server and crash the nodejs service. An attacker could send the payload again and again so that the service continuously crashes. PoC await...

CVSS 7.5, AI score 9.3, EPSS 0.03035
Exploits: 2, References: 2
RedhatCVE
Added 2021/12/06 2:11 p.m., 31 views

CVE-2021-39135

A flaw was found in nodejs-arborist. Arborist could write package dependencies to any arbitrary location on the file system if an attacker had replaced a project folder with a symbolic link in the node_modules folder. The highest threat from this vulnerability is to data integrity and system...

CVSS 8.2, AI score 2, EPSS 0.00553
Exploits: 0, References: 3
OSV
Added 2021/12/06 1:43 p.m., 8 views

OPENSUSE-SU-2021:3940-1 Security update for nodejs12

This update for nodejs12 fixes the following issues:
- CVE-2021-22959: Fixed HTTP Request Smuggling due to spaced in headers (bsc1191601).
- CVE-2021-22960: Fixed HTTP Request Smuggling when parsing the body (bsc1191602).
- CVE-2021-37701: Fixed arbitrary file creation and overwrite in nodejs-tar...

CVSS 8.6, AI score 7.9, EPSS 0.03286
Exploits: 2, References: 15
OSV
Added 2021/12/06 1:43 p.m., 6 views

SUSE-SU-2021:3940-1 Security update for nodejs12

This update for nodejs12 fixes the following issues:
- CVE-2021-22959: Fixed HTTP Request Smuggling due to spaced in headers (bsc1191601).
- CVE-2021-22960: Fixed HTTP Request Smuggling when parsing the body (bsc1191602).
- CVE-2021-37701: Fixed arbitrary file creation and overwrite in nodejs-tar...

CVSS 8.6, AI score 7.9, EPSS 0.03286
Exploits: 2, References: 15
OSV
Added 2021/12/02 12:51 p.m., 8 views

SUSE-SU-2021:3886-1 Security update for nodejs14

This update for nodejs14 fixes the following issues: nodejs14 was updated to 14.18.1: deps: update llhttp to 2.1.4. Security fixes:
- HTTP Request Smuggling due to spaced in headers (bsc1191601, CVE-2021-22959)
- HTTP Request Smuggling when parsing the body (bsc1191602, CVE-2021-22960)
Changes in...

CVSS 8.6, AI score 7.4, EPSS 0.03286
Exploits: 2, References: 15
CNVD
Added 2021/11/22 12:00 a.m., 17 views

Pterodactyl Cross-Site Request Forgery Vulnerability (CNVD-2021-90852)

Pterodactyl is an open source game server management panel built using PHP, Node.js and Go. A cross-site request forgery vulnerability exists in Pterodactyl, which stems from the lack of proper CSRF protection in the product's routing configuration. An attacker could exploit the vulnerability to...

CVSS 4.3, AI score 2.3, EPSS 0.00379
Exploits: 0, References: 1
RedHat Linux
Added 2021/11/17 2:22 a.m., 75 views

Low: Red Hat Security Advisory: OpenShift Logging 5.1.4 bug fix and security update

An update is now available for OpenShift Logging 5.1.4. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...

CVSS 9.8, AI score 7.2, EPSS 0.07028
Exploits: 3, References: 5
RedHat Linux
Added 2021/11/16 2:30 p.m., 5 views

nodejs-glob-parent: Regular expression denial of service

A flaw was found in nodejs-glob-parent. The enclosure regex used to check for glob enclosures containing backslashes is vulnerable to Regular Expression Denial of Service attacks. This flaw allows an attacker to cause a denial of service if they can supply a malicious string to the glob-parent...

CVSS 7.5, AI score 7.1, EPSS 0.04456
Exploits: 1, References: 5
RedHat Linux
Added 2021/11/16 2:30 p.m., 5 views

nodejs-ua-parser-js: Regular expression denial of service via the regex

A flaw was found in nodejs-ua-parser-js. The software is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA...

CVSS 7.5, AI score 7.3, EPSS 0.04483
Exploits: 1, References: 5