4513 matches found
Node.js st module Directory Traversal
A directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e encoded dot dot in an unspecified path. id: CVE-2014-3744 info: name: Node.js st module Directory Traversal author: geeknik severity: high description: A...
Nodejs Squirrelly - Remote Code Execution
Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuratio...
Lodash Template - Server-Side Template Injection (RCE)
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. id: CVE-2021-23337 info: name: Lodash Template - Server-Side Template Injection RCE author: DhiyaneshDk severity: high description: | Lodash versions prior to 4.17.21 are vulnerable to Command Injectio...
RHSA-2026:39868 Red Hat Security Advisory: nodejs:24 security, bug fix, and enhancement update
Bulletin has no description...
nodejs:24 security, bug fix, and enhancement update
An update is available for nodejs, module.nodejs, nodejs-packaging, nodejs-nodemon, module.nodejs-packaging, module.nodejs-nodemon. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...
Node.js: Node.js: Trust-policy bypass due to hostname matching inconsistency
A flaw was found in Node.js. An inconsistency in how Node.js matches hostnames can be exploited by a remote attacker in multi-context mTLS mutual Transport Layer Security setups. This vulnerability allows for a trust-policy bypass, potentially leading to unauthorized access to sensitive informati...
nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch
A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS Transport Layer Security hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security...
Important: Red Hat Security Advisory: nodejs:24 security, bug fix, and enhancement update
An update for the nodejs:24 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...
RHSA-2026:39246 Red Hat Security Advisory: nodejs22 security update
Bulletin has no description...
CVE-2026-53486
The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink...
CVE-2026-53486 decompress: Archive extraction can create files and links outside the target directory
The decompress package for Node.js extracts archives. Prior to 10.2.1 and 11.1.3, archive extraction can create files and links outside the target directory. When extracting an archive to a directory, a crafted archive can read or write files outside that directory because hardlink and symlink...
Important: Red Hat Security Advisory: nodejs22 security update
An update for nodejs22 is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available f...
CVE-2026-39246
A flaw was found in the decompress package for Node.js. The package creates symlinks from archive entries during extraction without validating the link target against the output directory, because the existing containment check only applies to regular file entries. An attacker who can supply a...
Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: nodejs24: nodejs24-24.18.0-0.3.hum1 aarch64, x8664 nodejs24-bin-24.18.0-0.3.hum1 noarch nodejs24-devel-24.18.0-0.3.hum1 aarch64, x8664 nodejs24-docs-24.18.0-0.3.hum1 noarch...
Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: nodejs26: nodejs26-26.5.0-1.3.hum1 aarch64, x8664 nodejs26-bin-26.5.0-1.3.hum1 noarch nodejs26-devel-26.5.0-1.3.hum1 aarch64, x8664 nodejs26-docs-26.5.0-1.3.hum1 noarch...
Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: nodejs26: nodejs26-26.4.0-1.4.hum1 aarch64, x8664 nodejs26-bin-26.4.0-1.4.hum1 noarch nodejs26-devel-26.4.0-1.4.hum1 aarch64, x8664 nodejs26-docs-26.4.0-1.4.hum1 noarch...
CVE-2026-49866
CVE-2026-49866 affects the JavaScript libp2p implementation, specifically the @libp2p/gossipsub component. The root cause is defaultDecodeRpcLimits allowing maxIhaveMessageIDs and maxIwantMessageIDs to be Infinity prior to v16.0.0, enabling oversized IHAVE/IWANT control message arrays in message/...
CVE-2026-48618 affecting package nodejs for versions less than 24.17.0-1
CVE-2026-48618 affecting package nodejs for versions less than 24.17.0-1. An upgraded version of the package is available that resolves this issue...
RLSA-2026:35842 Important: nodejs22 security, bug fix, and enhancement update
Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed...
nodejs22 security, bug fix, and enhancement update
An update is available for nodejs22. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Node.js is a platform built on Chrome's JavaScript runtime \ for easily...