nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...

nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...

nodejs: HTTP header values do not have trailing optional whitespace trimmed

A flaw was found in Node.js where the HTTPs header values were not stripped of trailing whitespace. An attacker can use this flaw to send an HTTPs request which is validated by an upstream proxy server, but not by the Node.js HTTPs server...

UBUNTU-CVE-2013-7381

libnotify before 1.0.4 for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify...

The vulnerability relates to the implementation of the HTTP/2 network protocol on Windows operating systems, Apache Traffic Server web servers, H2O web servers, network programming tools such as netty, SwiftNIO, Envoy, and the Node.js software platform. This allows attackers to induce service failures.

The vulnerability of the HTTP/2 network protocol implementation in Windows operating systems, Apache Traffic Server web servers, H2O web servers, network programming tools such as netty, SwiftNIO, Envoy, and Node.js software platforms is related to an uncontrolled resource consumption. Exploiting...

The vulnerability relates to the implementation of the HTTP/2 network protocol on Windows operating systems, nginx servers, network programming tools like netty, Envoy, SwiftNIO, and Node.js software platforms. This allows attackers to induce service failures.

The vulnerability of the HTTP/2 network protocol implementation in Windows operating systems, nginx servers, network programming tools like Netty, Envoy, SwiftNIO, and Node.js software platforms is related to an uncontrolled resource consumption. Exploiting this vulnerability can allow a maliciou...

DEBIAN-CVE-2019-14939

An issue was discovered in the mysql aka mysqljs module 2.17.1 for Node.js. The LOAD DATA LOCAL INFILE option is open by default...

PT-2019-3015

Name of the Vulnerable Software and Affected Versions HTTP/2 implementations affected versions not specified nginx affected versions not specified Node.js affected versions not specified Apache HTTP Server affected versions not specified Windows affected versions not specified Description The iss...

Jenkins 2.150.2 - Remote Command Execution (Metasploit)

Jenkins 2.150.2 - Remote Command Execution Metasploit This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Jenkins %q This module can run commands on the system using Jenkins user...

Jenkins 2.150.2 Remote Command Execution Via Node JS

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Jenkins %q This module can run commands on the system using Jenkins users who has JOB creation and BUILD privileges. The...

Jenkins 2.150.2 - Remote Command Execution Exploit

Exploit for linux platform in category web applications This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule 'Jenkins %q This module can run commands on the system using Jenkins...

libnmapp package command injection vulnerability

The libnmapp package is a package for accessing nmap from Node.js. A command injection vulnerability exists in versions of libnmapp package prior to 0.4.16. An attacker can exploit this vulnerability to inject arbitrary operating system commands via the range field...

UBUNTU-CVE-2018-12116

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to...

PT-2018-2973

Name of the Vulnerable Software and Affected Versions Node.js versions prior to 6.15.0 Node.js versions prior to 8.14.0 Description The issue is related to HTTP request splitting, where Node.js can be tricked into using unsanitized user-provided Unicode data for the path option of an HTTP request...

nodejs: Out of bounds (OOB) write via UCS-2 encoding

In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding recognized by Node.js under the names 'ucs2', 'ucs-2', 'utf16le' and 'utf-16le', Bufferwrite can be abused to write outside of the bounds of a single Buffer. Writes that start from the second-to-last...

GHSA-PGV6-JRVV-75JP Moderate severity vulnerability that affects send

Withdrawn, accidental duplicate publish. visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public"...

DEBIAN-CVE-2018-13797

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec rather than execFile call...

Forms Cross-Site Scripting Vulnerability

Forms is a tool for creating, parsing and validating forms in Node.js. A cross-site scripting vulnerability exists in Forms versions prior to 1.3.0, which stems from the program's failure to properly escape HTML and can be exploited by a remote attacker to inject arbitrary web script or HTML...

Node.js Denial of Service Vulnerability (CNVD-2018-11809)

Joyent Node.js is the United States Joyent company's set of web applications built on top of the Google V8 JavaScript engine platform. The platform is primarily used for building highly scalable applications and writing code that can handle tens of thousands of simultaneous connections to a singl...

UBUNTU-CVE-2018-7167

Calling Buffer.fill or Buffer.alloc with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc and Buffer.fill were updated so that they zero fill instead of hanging in these cases. All versions of...