320 matches found

OSV
added 2024/02/20 2:15 a.m. · 0 views

UBUNTU-CVE-2024-21896

The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from to obtain a Buffer from the result of path.resolve. By monkey-patching Buffer internals, namely...

CVSS 9.8 · AI score 6.9 · EPSS 0.01642
Exploits 0 · References 5
Microsoft CVE
added 2024/02/19 8:00 a.m. · 3 views

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

CVSS 9.8 · AI score 6.9 · EPSS 0.00652
Exploits 1
SUSE CVE
added 2024/02/17 3:21 a.m. · 2 views

SUSE CVE-2024-21896

The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from to obtain a Buffer from the result of path.resolve. By monkey-patching Buffer internals, namely...

CVSS 7 · AI score 8.1 · EPSS 0.01642
Exploits 0 · References 4
OSV
added 2024/02/09 12:00 a.m. · 2 views

UBUNTU-CVE-2023-42282

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses such as 0x7f.1 are improperly categorized as globally routable via isPublic...

CVSS 9.8 · AI score 6.8 · EPSS 0.00652
Exploits 1 · References 5
CNNVD
added 2024/01/30 12:00 a.m. · 1 views

Network Utilities for Node.js Command Injection Vulnerability

Network Utilities for Node.js is an application by Tomás Pollak, an individual developer. A command injection vulnerability exists in Network Utilities for Node.js prior to version 0.7.0, which stems from the use of the `child_process.exec` function without input sanitization, and could be exploited by an...

CVSS 9.8 · AI score 8.1 · EPSS 0.02197
Exploits 1 · References 6
OSV
added 2023/12/12 2:15 a.m. · 2 views

CVE-2023-49583

SAP BTP Security Services Integration Library Node.js @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...

CVSS 9.8 · AI score 5.9
Exploits 0 · References 6
BDU FSTEC
added 2023/11/01 12:00 a.m. · 2 views

Vulnerability in the HTTP/1.1 client and the Node.js software platform, allowing an attacker to disclose protected information

The vulnerability in the HTTP/1.1 client and the Node.js software platform is related to insufficient protection of sensitive data. Exploiting this vulnerability can allow a remote attacker to disclose sensitive information...

CVSS 4 · AI score 6.4 · EPSS 0.00116
Exploits 0 · References 11 · Affected Software 5
SUSE CVE
added 2023/10/31 2:25 a.m. · 1 views

SUSE CVE-2021-35065

The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression...

CVSS 7.5 · AI score 6.7 · EPSS 0.00416
Exploits 1 · References 2
vulnersOsv
added 2023/10/25 6:32 p.m. · 0 views

node-js-1408 (=1.0.0), node-js-1409 (=1.0.0) potentially affected by CVE-2023-39619 via node-email-check (=1.0.4)

node-email-check NPM version =1.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on node-email-check and may be impacted: node-js-1408 =1.0.0, node-js-1409 =1.0.0. Source CVEs: CVE-2023-39619. Source advisory: OSV:GHSA-9242-6P36-6256...

CVSS 7.5 · AI score 7.1 · EPSS 0.00167
Exploits 1
SUSE CVE
added 2023/10/17 12:59 a.m. · 1 views

SUSE CVE-2023-39333

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, as if the WebAssembly module were a JavaScript module. This vulnerability...

CVSS 5.3 · AI score 7.9 · EPSS 0.00094
Exploits 0 · References 10
SUSE CVE
added 2023/10/17 12:59 a.m. · 2 views

SUSE CVE-2023-39331

A previously disclosed vulnerability CVE-2023-30584 was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please...

CVSS 7.5 · AI score 7.9 · EPSS 0.00657
Exploits 0 · References 3
RedHat Linux
added 2023/09/26 2:56 p.m. · 6 views

nodejs: HTTP Request Smuggling via Empty headers separated by CR

A vulnerability has been identified in Node.js, where the llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS)...

CVSS 7.5 · AI score 7.1 · EPSS 0.01916
Exploits 1 · References 4
BDU FSTEC
added 2023/08/29 12:00 a.m. · 2 views

Vulnerability in the crypto.X509Certificate() function of the Node.js software platform, allowing an attacker to cause a denial of service

The vulnerability in the crypto.X509Certificate() function of the Node.js software platform is related to insufficient validation of input data. Exploiting this vulnerability could allow a remote attacker to cause a denial of service...

CVSS 5.3 · AI score 6.7 · EPSS 0.0003
Exploits 0 · References 7 · Affected Software 3
Microsoft CVE
added 2023/08/22 12:00 a.m. · 2 views

`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued the permission model is an experimental feature of Node.js.

CVSS 5.3 · AI score 6.8 · EPSS 0.00063
Exploits 0
Positive Technologies
added 2023/08/16 12:00 a.m. · 2 views

PT-2023-7240 · Adobe · @Adobe/Css-Tools

Name of the Vulnerable Software and Affected Versions: @adobe/css-tools versions 4.3.0 and earlier
Description: The issue is related to an Improper Input Validation vulnerability in the CSS parser for Node.js css-tools. This vulnerability could result in a denial of service while attempting to...

CVSS 5.3 · AI score 8.5 · EPSS 0.00277
Exploits 0 · References 15
SUSE CVE
added 2023/08/11 2:13 a.m. · 2 views

SUSE CVE-2023-32004

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs, allowing a path traversal to bypass file permission checks. This vulnerability affects all users using th...

CVSS 7.1 · AI score 8.8 · EPSS 0.00118
Exploits 0 · References 4
SUSE CVE
added 2023/08/11 2:13 a.m. · 1 views

SUSE CVE-2023-32005

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result...

CVSS 3.7 · AI score 9.1 · EPSS 0.00978
Exploits 1 · References 3
SUSE CVE
added 2023/08/11 2:13 a.m. · 3 views

SUSE CVE-2023-32558

The use of the deprecated API process.binding can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of...

CVSS 7.5 · AI score 9.1 · EPSS 0.00193
Exploits 1 · References 3
CNNVD
added 2023/08/09 12:00 a.m. · 3 views

Node.js path traversal vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js version 20 that allows an attacker to bypass the permission model via path traversal using the process.binding API...

CVSS 7.5 · AI score 6.9 · EPSS 0.00193
Exploits 1 · References 3
Positive Technologies
added 2023/07/27 12:00 a.m. · 5 views

PT-2023-26484 · Node.Js · Sails

Name of the Vulnerable Software and Affected Versions: Sails versions prior to 1.5.7
Description: Sails is a realtime MVC Framework for Node.js. An attacker can send a virtual request that will cause the node process to crash.
Recommendations: For versions prior to 1.5.7, update to version 1.5.7 ...

CVSS 7.5 · AI score 7.4 · EPSS 0.003
Exploits 0 · References 12