CVE-2024-56334

systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the getWindowsIEEE8021x function. This means that malicious content in the SSID can be executed as OS commands. This...

Exception unhandled, lead to server crash

Description In node js express, if exception is uncaught, the server will crash. fs module sometimes throw exception when dealing with file upload. Unauth user can send something to the server trigger the exception lead to server crash. Proof of Concept import requests import random import string...

useragent 安全漏洞

useragent is a high-performance user agent parser for Node.js by the individual developer Arnout Kazemier. A security vulnerability exists in useragent that stems from a regular expression denial of service vulnerability...

AZL-47430 CVE-2024-42460 affecting package reaper for versions less than 3.1.1-11

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero...

UBUNTU-CVE-2024-42460

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero...

The vulnerability of the Permission Model component in the Node.js software platform allows attackers to compromise the confidentiality and integrity of protected information.

The vulnerability of the Permission Model component in the Node.js software platform is related to deficiencies in access control. Exploiting this vulnerability could allow attackers to compromise the confidentiality and integrity of protected information when the --allow-fs-write flag is used...

The vulnerability of the isPublic() function in the node-ip utility of the Node.js software platform allows a attacker to execute an SSRF attack.

The vulnerability of the isPublic function in the node-ip utility of the Node.js software platform is related to incorrect classification of IP addresses. Exploiting this vulnerability could allow a remote attacker to execute an SSRF attack...

nodejs: CONTINUATION frames DoS

A vulnerability was found in how Node.js implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated, remote attacker to send packets to vulnerable servers, which...

nodejs: HTTP Request Smuggling via Content Length Obfuscation

An HTTP Request Smuggling vulnerability was found in Node.js due to Content-Length Obfuscation in the HTTP server. Malformed headers, particularly if a space is inserted before a content-length header, can result in HTTP request smuggling. This flaw allows attackers to inject a second request...

nodejs: CONTINUATION frames DoS

A vulnerability was found in how Node.js implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated, remote attacker to send packets to vulnerable servers, which...

nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks

A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...

PT-2024-4071 · Node.Js +1 · Ip +1

Name of the Vulnerable Software and Affected Versions: ip package versions through 2.0.1 for Node.js Description: The issue is related to the improper categorization of certain IP addresses as globally routable via the isPublic function, which might allow Server-Side Request Forgery SSRF attacks...

libxmljs 安全漏洞

libxmljs is the LibXML binding for node.js. A security vulnerability exists in libxmljs2 that stems from the presence of a type confusion vulnerability...

nodejs: code injection and privilege escalation through Linux capabilities

A flaw was found in Node.js. On Linux, Node.js ignores certain environment variables if an unprivileged user has set them while the process is running with elevated privileges, except for CAPNETBINDSERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this...

The vulnerability in the HTTP/1.1 client of the Node.js software platform arises from insufficient protection of service data due to improper cleaning of Proxy-Authentication headers. This allows attackers to enhance their privileges.

The vulnerability of the HTTP/1.1 Undici software platform for Node.js is related to insufficient protection of service data due to improper cleaning of Proxy-Authentication headers. Exploiting this vulnerability can allow a remote attacker to increase their privileges...

PT-2024-2954 · Node.Js +3 · Undici +3

Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.28.4 Undici versions prior to 6.11.1 Description: The issue is related to the Undici HTTP/1.1 client for Node.js, which has a flaw in its authorization procedure. Specifically, Undici clears Authorization and...

nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks

A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0 Node.js 20.4.0 and Node.js 21.

...

AZL-35898 CVE-2024-22025 affecting package nodejs for versions less than 20.14.0-1

A vulnerability in Node.js has been identified, allowing for a Denial of Service DoS attack through resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch function in Node.js always decodes Brotli, making i...

OESA-2024-1172 nodejs security update

Node.js is an open-source, cross-platform, JavaScript runtime environment, it executes JavaScript code outside of a browser. Security Fixes: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the...