EUVD-2026-5014
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path, though it was sanitized in the curl code path. An attacke...
Node Version Manager security vulnerability
Node Version Manager is an open-source Node.js version manager developed by nvm.sh. Versions of Node Version Manager prior to 0.40.3 contain security vulnerabilities. These vulnerabilities stem from the nvm_download function using eval to execute the wget command, and the NVM_AUTH_HEADER environment...
PT-2026-5371
Name of the Vulnerable Software and Affected Versions: nvm versions 0.40.3 and below. Description: A command injection issue exists in nvm (Node Version Manager). The nvm_download function uses eval to execute wget commands. The NVM_AUTH_HEADER environment variable was not properly sanitized when...
Exploit for CVE-2025-55182
Affected Versions |Component|Recommended version for reproduction|Vulnerable version range| |--|--|--| |Node.js...
Malicious code in node-nvm-ssh (npm)
The package node-nvm-ssh was found to contain malicious code.
MAL-2025-41394 Malicious code in msal-node2 (npm)
The package communicates with a domain associated with malicious activity...
UBUNTU-CVE-2024-21891
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack. This vulnerability affects all users using the experiment...
UBUNTU-CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC 7230 section 3, only th...
vm2 vulnerable to sandbox escape
vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. - vm2 version: 3.9.14 - Node version: 18.15.0, 19.8.1, 17.9.1 Impact A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the...
Security fix for the ALT Linux 10 package node version 16.18.1-alt1
16.18.1-alt1 built March 18, 2023 Andrey Cherepanov in task 310327 Nov. 23, 2022 Vitaly Lipatov - new version 16.18.1 with rpmrb script - CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address Medium...
SUSE CVE-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling...
DEBIAN-CVE-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling...
AZL-31039 CVE-2022-35256 affecting package rust for versions less than 1.68.0-1
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling...
AZL-35235 CVE-2022-35256 affecting package rust for versions less than 1.75.0-1
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling...
UBUNTU-CVE-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling...
Security fix for the ALT Linux 10 package node version 16.17.1-alt1
Sept. 30, 2022 Vitaly Lipatov 16.17.1-alt1 - new version 16.17.1 with rpmrb script - set npm = 8.15.0 - CVE-2022-32212: DNS rebinding in --inspect on macOS High - CVE-2022-32213: bypass via obs-fold mechanic Medium - CVE-2022-35255: Weak randomness in WebCrypto keygen - CVE-2022-35256: HTTP Reque...
PT-2022-22662 · Node.Js +6
Name of the Vulnerable Software and Affected Versions: Node.js version 18. Description: A weak randomness issue exists in the WebCrypto keygen due to a change to EntropySource in SecretKeyGenTraits::DoKeyGen in src/crypto/crypto_keygen.cc. There are two main problems: 1. The return value of...
PT-2022-6180 · Node.Js +8 · Node +8
Name of the Vulnerable Software and Affected Versions: Node version 18.7.0. Description: The issue is related to the llhttp parser in the http module, which does not correctly handle header fields that are not terminated with CRLF, potentially resulting in HTTP Request Smuggling. There is also a...
GHSA-WFF4-FPWG-QQV3 Unexpected server crash in Next.js
Impact: When specific requests are made to the Next.js server, they can cause an unhandledRejection in the server, which can cause the process to exit in specific Node.js versions with strict unhandledRejection handling. - Affected: All of the following must be true to be affected by this CVE - Node.j...