169 matches found
USN-7599-1 python-urllib3 vulnerabilities
Jacob Sandum discovered that urllib3 handled redirects even when they were explicitly disabled while using the PoolManager. An attacker could possibly use this issue to obtain sensitive information. CVE-2025-50181 Illia Volochii discovered that urllib3 incorrectly handled retry and redirect...
nodejs: Remote Crash via SignTraits::DeriveBits() in Node.js
A flaw was found in Node.js, specifically in the C++ method SignTraits::DeriveBits. This vulnerability can allow a remote attacker to crash the Node.js runtime via untrusted input, triggering an exception in a background thread...
nodejs: Memory Leak in Node.js ReadFileUtf8 Binding Leading to DoS
A flaw was found in the ReadFileUtf8 internal binding of Node.js. This vulnerability can allow an attacker to cause an application denial of service via repeated file read operations that trigger an unrecoverable memory leak due to a corrupted pointer in the underlying file system binding...
nodejs: Improper HTTP Header Termination in Node.js 20 Enables Request Smuggling
A flaw was found in the HTTP parser of Node.js. This vulnerability allows attackers to perform request smuggling and bypass proxy-based access controls via improperly terminated HTTP/1 headers using \r\n\rX instead of the standard \r\n\r\n...
Multer 安全漏洞
Multer is an expressjs open source middleware for Node.js. A security vulnerability exists in Multer versions prior to 2.0.0, which stems from improper handling of streams and could lead to resource exhaustion and memory leaks...
SUSE CVE-2025-23165
In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uvfss.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory...
OESA-2025-1274 nodejs security update
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
undici: Undici Uses Insufficiently Random Values
A flaw was found in the undici package for Node.js. Undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If an app has a mechanism that sends multipart requests t...
nodejs: Node.js Worker Thread Exposure via Diagnostics Channel
A flaw was found in the Node.js diagnosticschannel. This vulnerability allows an attacker to reinstate and misuse worker constructors, potentially bypassing the Permission Model via hooking into events when a worker thread is created...
PT-2025-7066 · Node.Js +1 · Node.Js +1
Name of the Vulnerable Software and Affected Versions: parse-duraton versions prior to 2.1.3 Description: The issue is related to an event loop delay due to the CPU-bound operation of resolving the provided string, which can range from 0.5ms to 50ms per operation, depending on the size of the inp...
useragent 安全漏洞
useragent is a high-performance user agent parser for Node.js by the individual developer Arnout Kazemier. A security vulnerability exists in useragent that stems from a regular expression denial of service vulnerability...
AZL-47430 CVE-2024-42460 affecting package reaper for versions less than 3.1.1-11
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero...
UBUNTU-CVE-2024-42460
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero...
nodejs: CONTINUATION frames DoS
A vulnerability was found in how Node.js implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated, remote attacker to send packets to vulnerable servers, which...
nodejs: HTTP Request Smuggling via Content Length Obfuscation
An HTTP Request Smuggling vulnerability was found in Node.js due to Content-Length Obfuscation in the HTTP server. Malformed headers, particularly if a space is inserted before a content-length header, can result in HTTP request smuggling. This flaw allows attackers to inject a second request...
nodejs: CONTINUATION frames DoS
A vulnerability was found in how Node.js implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated, remote attacker to send packets to vulnerable servers, which...
nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...
PT-2024-4071 · Node.Js +1 · Ip +1
Name of the Vulnerable Software and Affected Versions: ip package versions through 2.0.1 for Node.js Description: The issue is related to the improper categorization of certain IP addresses as globally routable via the isPublic function, which might allow Server-Side Request Forgery SSRF attacks...
libxmljs 安全漏洞
libxmljs is the LibXML binding for node.js. A security vulnerability exists in libxmljs2 that stems from the presence of a type confusion vulnerability...
PT-2024-2954 · Node.Js +3 · Undici +3
Name of the Vulnerable Software and Affected Versions: Undici versions prior to 5.28.4 Undici versions prior to 6.11.1 Description: The issue is related to the Undici HTTP/1.1 client for Node.js, which has a flaw in its authorization procedure. Specifically, Undici clears Authorization and...