385 matches found
AZL-69706 CVE-2025-5222 affecting package nodejs18 for versions less than 18.20.3-10
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed in the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution...
nodejs: Node.js Worker Thread Exposure via Diagnostics Channel
A flaw was found in the Node.js diagnostics_channel module. This vulnerability allows an attacker to reinstate and misuse worker constructors, potentially bypassing the Permission Model by hooking into the events emitted when a worker thread is created...
MAL-2025-745 Malicious code in nodejs-paypal-checkout-demo (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware 909c8505097e7b62c38bde6c75bb0ba8516f566136ec093b913944bcbdd1130e. Any computer that has this package installed or running should be considered...
Identifier withdrawn
Node.js is an open source, cross-platform JavaScript runtime environment from Node.js Open Source. This CVE number has been withdrawn...
PT-2026-2477
Name of the Vulnerable Software and Affected Versions Node.js affected versions not specified Description A flaw exists in the Node.js software platform related to improper handling of exceptional states. Exploitation may allow a remote attacker to cause a denial-of-service condition. Specificall...
The vulnerability of the getWindowsIEEE8021x function in the npm systeminformation package of the Node.js software platform allows a perpetrator to escalate their privileges and execute arbitrary commands.
The vulnerability of the getWindowsIEEE8021x function in the npm systeminformation package of the Node.js software platform is related to improper code generation during the processing of SSID identifiers. Exploiting this vulnerability can allow an attacker to enhance their privileges and execute...
Astra Linux – Vulnerability in Node.js
When an invalid public key is used to create an X509 certificate using the crypto.X509Certificate API, an unexpected termination occurs. This makes it vulnerable to DoS attacks, as the attacker could cause interruptions in the application's processing. The process terminates when accessing the...
The vulnerability of the process.binding() function in the Node.js software platform allows attackers to circumvent security restrictions and gain unauthorized access to protected information.
The vulnerability of the process.binding function in the Node.js platform is related to incorrect restrictions on the path to the restricted directory. Exploiting this vulnerability allows an attacker to bypass security restrictions and gain unauthorized access to protected information...
The vulnerability of the experimental-permission configuration in the Node.js software platform allows a hacker to bypass security restrictions and gain unauthorized access to protected information.
The vulnerability of the experimental-permission configuration in the Node.js software platform is related to incorrect restrictions on the path to the restricted directory. Exploiting this vulnerability allows a malicious actor to bypass security restrictions and gain unauthorized access to...
GHSA-MGFV-M47X-4WQP useragent Regular Expression Denial of Service vulnerability
Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). PoC (js): async function exploit() { const useragent = require("useragent"); // Create a malicious user-agent that...
Malicious code in @taxify/nodejs-common (npm)
SUSE CVE-2024-48948
The Elliptic package 6.5.7 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of a _truncateToN anomaly. This leads to...
PT-2024-7176 · SAP · SAP HANA Node.js Client Package
Name of the Vulnerable Software and Affected Versions: SAP HANA Node.js client package versions 2.0.0 through 2.21.30 Description: The issue is related to a Prototype Pollution vulnerability in the SAP HANA Node.js client package, specifically affecting the nestTables feature. This vulnerability...
VulnCheck KEV: CVE-2022-29078
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command which is executed upon...
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed...
GHSA-F7Q4-PWC6-W24P Elliptic's EDDSA missing signature length check
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended...
DEBIAN-CVE-2024-42459
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended...
UBUNTU-CVE-2024-42459
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended...
The vulnerability of the child_process.spawn() and child_process.spawnSync() functions in the Node.js software platform for Windows operating systems allows a hacker to bypass security restrictions and execute arbitrary commands.
The vulnerability of the child_process.spawn() and child_process.spawnSync() functions in the Node.js software platform for Windows operating systems is related to the improper handling of the shell parameter for .bat and .cmd files. Exploiting this vulnerability allows a remote attacker to bypass...
The vulnerability of the Experimental Permission Model component in the Node.js software platform allows a perpetrator to gain unauthorized access to protected information.
The vulnerability of the Experimental Permission Model component in the Node.js software platform is related to errors in permission handling when the --allow-fs-read flag is used. Exploiting this vulnerability can allow a perpetrator to gain unauthorized access to protected information...