RLSA-2026:7675 Important: nodejs24 security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

Tesseract 安全漏洞

Tesseract is an OCR image text recognition library developed by Nazim Gafarov for a Node.js platform. Versions of Tesseract 2.2.1 and earlier contained security vulnerabilities, which were caused by unvalidated file path parameters, potentially leading to OS command injection attacks...

MAL-2025-158114 Malicious code in lina-poke31 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector af3c2cfa15f3eec0d017b74b0ba31111eceef7f6f32da78b94956d0961f6f20d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

ROS-20251006-10

A vulnerability in the permissions model of the Node.js software platform is related to flaws in the processing of HTTP requests. Exploitation of the vulnerability could allow a remote attacker to bypass existing security restrictions and send unauthorized requests. existing security restrictions...

Linux Distros Unpatched Vulnerability : CVE-2024-36137

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission...

SUSE CVE-2024-21534

All versions of the package jsonpath-plus are vulnerable to Remote Code Execution RCE due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. Note: There were several attempts to fix it in versions 10.0.0-10.1...

UBUNTU-CVE-2023-39333

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability...

DEBIAN-CVE-2023-32559

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsyn...

SUSE CVE-2015-8855

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service CPU consumption via a long version string, aka a "regular expression denial of service ReDoS."...

Eta 跨站脚本漏洞

Eta is Eta open source a lightweight , fast embedded JS template engine . Can run in Node, Deno and browser . A cross-site scripting vulnerability exists in Eta. An attacker could exploit this vulnerability to perform cross-site scripting attacks...

nodejs-json-schema: Prototype pollution vulnerability

The json-schema Node.JS library was vulnerable to prototype pollution during the validation of a JSON object. An attacker, able to provide a specially crafted JSON file for validation, could use this flaw to modify the behavior of the node program, to, for example, execute arbitrary code...

GHSA-CV76-RV4H-4MQC OS Command Injection in proctree

OS Command Injection vulnerability in allenhwkim proctree through 0.1.1 and commit 0ac10ae575459457838f14e21d5996f2fa5c7593 for Node.js, allows attackers to execute arbitrary commands via the fix function...

nodejs-normalize-url: ReDoS for data URLs

A flaw was found in normalize-url. Node.js has a ReDoS regular expression denial of service issue because it has exponential performance for data...

OESA-2021-1291 nodejs security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

Fedora: Security Advisory for libuv (FEDORA-2020-bc0050aa3d)

The remote host is missing an update for the SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

nodejs: HTTP request splitting

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the path option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to...

GHSA-G6F4-J6C2-W3P3 High severity vulnerability that affects uglify-js

Withdrawn, accidental duplicate publish. The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperl...

UBUNTU-CVE-2013-7453

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting XSS filter via vectors related to UI redressing...