320 matches found

SUSE CVE
added 2023/02/15 4:37 a.m.

SUSE CVE-2017-15897

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will...

CVSS 3.1 | AI score 7.9 | EPSS 0.00642
Exploits 0 | References 4
SUSE CVE
added 2023/02/15 4:01 a.m.

SUSE CVE-2020-8265

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method...

CVSS 8.1 | AI score 8 | EPSS 0.00755
Exploits 1 | References 13
SUSE CVE
added 2023/02/15 3:45 a.m.

SUSE CVE-2021-22931

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames leading to Domain Hijacking and injection...

CVSS 8.8 | AI score 7.8 | EPSS 0.00662
Exploits 1 | References 15
SUSE CVE
added 2023/02/15 3:45 a.m.

SUSE CVE-2021-22940

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior...

CVSS 9.8 | AI score 7.2 | EPSS 0.00386
Exploits 0 | References 12
RedHat Linux
added 2023/01/31 1:18 p.m.

nodejs-moment: Regular expression denial of service

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055...

CVSS 7.8 | AI score 7.3 | EPSS 0.02708
Exploits 1 | References 4
Snyk
added 2022/12/27 10:44 a.m.

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. Note: To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the...

CVSS 7.8 | AI score 7.6 | EPSS 0.00142
Exploits 0 | References 2
CNNVD
added 2022/12/14 12:00 a.m.

logrocket-oauth2-example SQL injection vulnerability

logrocket-oauth2-example is a source code implementation of OAuth 2.0 in Node.js by the individual developer Diogo Souza. logrocket-oauth2-example suffers from a SQL injection vulnerability that originates from inserting unfiltered user input into a SQL query, making it susceptible to SQL injecti...

CVSS 9.8 | AI score 8.7 | EPSS 0.00924
Exploits 1 | References 6
OSV
added 2022/12/05 10:15 p.m.

DEBIAN-CVE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource always succeeds, but it can a...

CVSS 9.1 | AI score 6.9 | EPSS 0.01213
Exploits 1 | References 1
NCSC
added 2022/11/16 12:00 a.m.

Vulnerability fixed in Node.js

A vulnerability has been fixed in nodejs. The vulnerability allows a remote malicious person to execute arbitrary code. This is caused by the inspect parameter allowing incorrect octal IP addresses, leading to DNS rebinding. Node.js has released updates to fix the vulnerability i...

CVSS 8.1 | AI score 7.3 | EPSS 0.00565
Exploits 0
CNNVD
added 2022/11/02 12:00 a.m.

Node.js operating system command injection vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js Core. An attacker exploited the vulnerability to bypass access restrictions to Node Core data via DNS Rebinding in order to read sensitive information...

CVSS 8.1 | AI score 7.3 | EPSS 0.00565
Exploits 0 | References 19
RedHat Linux
added 2022/09/13 9:59 a.m.

nodejs: HTTP request smuggling due to improper delimiting of header fields

A vulnerability was found in NodeJS due to the llhttp parser in the http module not strictly using the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling (HRS). This flaw allows an attacker to send a specially crafted HTTP request to the server and smuggle arbitra...

CVSS 6.5 | AI score 7.4 | EPSS 0.39294
Exploits 1 | References 5
OSV
added 2022/08/18 7:02 p.m.

GHSA-F772-66G8-Q5H3 Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type

Impact = [email protected] users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import request from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await...

CVSS 5.3 | AI score 6.4 | EPSS 0.00165
Exploits 1 | References 5
CNNVD
added 2022/08/01 12:00 a.m.

Node.js trust management issue vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A trust management issue vulnerability exists in fs2 on Node.js, which stems from the fact that when fs2-io is used to establish a server-mode TLSSocket on Node.js, it ignores the parameter requestCert = true, skips the...

CVSS 9.8 | AI score 8.2 | EPSS 0.00211
Exploits 1 | References 4
OSV
added 2022/07/22 12:00 a.m.

GHSA-MHXJ-85R3-2X55 file-type vulnerable to Infinite Loop via malformed MKV file

An issue was discovered in the file-type package from 13.0.0 until 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack when...

CVSS 7.5 | AI score 5.8 | EPSS 0.00171
Exploits 0 | References 11
RedHat Linux
added 2022/07/19 9:07 p.m.

nodejs-json-schema: Prototype pollution vulnerability

The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code...

CVSS 9.8 | AI score 7.6 | EPSS 0.01262
Exploits 1 | References 4
OSV
added 2022/07/14 3:15 p.m.

DEBIAN-CVE-2022-32214

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS)...

CVSS 6.5 | AI score 6.6 | EPSS 0.39294
Exploits 1 | References 1
OSV
added 2022/07/14 3:15 p.m.

UBUNTU-CVE-2022-32223

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms. This vulnerability can be exploited if the victim has the following dependencies on a Windows machine: OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf”...

CVSS 7.3 | AI score 6.7 | EPSS 0.08112
Exploits 1 | References 3
OSV
added 2022/07/14 3:15 p.m.

UBUNTU-CVE-2022-32212

An OS Command Injection vulnerability exists in Node.js versions 14.20.0, 16.20.0, 18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks...

CVSS 8.1 | AI score 6.8 | EPSS 0.00064
Exploits 0 | References 6
OSV
added 2022/07/14 3:15 p.m.

UBUNTU-CVE-2022-32215

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)...

CVSS 6.5 | AI score 6.8 | EPSS 0.86472
Exploits 1 | References 6
OSSF Malicious Packages
added 2022/07/12 9:15 p.m.

Malicious code in ugentec-framework-angular (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0a91b6a72d36e1f86952649dd1acf051dd8bc358d059c4ebe50b229b77170ece Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 | References 1