Lucene search
+L

82 matches found

OSV
OSV
added 2026/06/29 5:48 a.m.7 views

BIT-NODE-MIN-2026-48933

A flaw in Node.js WebCrypto implementation can crash the process if the input of subtle.encrypt is a multiple of 2GiB. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

7.5CVSS7.1AI score0.02806EPSS
Exploits0References15
OSV
OSV
added 2026/06/29 5:48 a.m.5 views

BIT-NODE-2026-48930

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

9.8CVSS7.1AI score0.00405EPSS
Exploits0References2
NVD
NVD
added 2026/06/26 2:16 a.m.13 views

CVE-2026-48615

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERRPROXYTUNNEL error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability...

7.5CVSS0.00437EPSS
Exploits0References1
OSV
OSV
added 2026/06/26 2:16 a.m.4 views

ALPINE-CVE-2026-48928

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

5.4CVSS6.1AI score0.00256EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/26 1:14 a.m.8 views

CVE-2026-48933

A flaw in Node.js WebCrypto implementation can crash the process if the input of subtle.encrypt is a multiple of 2GiB. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

7.5CVSS6.6AI score0.02806EPSS
Exploits0
CVE
CVE
added 2026/06/26 1:14 a.m.54 views

CVE-2026-48619

CVE-2026-48619 describes a flaw in Node.js HTTP/2 client where a server can send an unlimited number of ORIGIN frames, potentially causing an Out of Memory (OOM) on the client. Affected releases are Node.js 22, 24, and 26. The June 2026 security releases provide fixes in updated versions: 22.23.0...

7.5CVSS6.7AI score0.00656EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/26 1:14 a.m.3 views

CVE-2026-48928

A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

4.2CVSS7.1AI score0.00256EPSS
Exploits0References3
NVD
NVD
added 2026/06/22 8:16 p.m.12 views

CVE-2026-48931

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.7CVSS0.00371EPSS
Exploits1References4
OSV
OSV
added 2026/06/22 8:16 p.m.3 views

ALPINE-CVE-2026-48931

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.7CVSS5.8AI score0.00371EPSS
Exploits1References1
Debian CVE
Debian CVE
added 2026/06/22 6:59 p.m.15 views

CVE-2026-48931

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.7CVSS5.8AI score0.00371EPSS
Exploits1
AlpineLinux
AlpineLinux
added 2026/06/18 4:21 p.m.6 views

CVE-2026-48617

A flaw in Node.js Permission Model enforcement allows Bypass via process.report.writeReport Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22,...

1.8CVSS5.8AI score0.00208EPSS
Exploits0
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in http-parser

Node.js versions before 10.23.1, 12.20.1, 14.15.4, and 15.5.1 allow for two copies of a header field in an HTTP request for example, two Transfer-Encoding header fields. In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling...

6.5CVSS6.9AI score0.16296EPSS
Exploits2References2
OSV
OSV
added 2026/04/22 8:25 p.m.10 views

GHSA-C3H8-G69V-PJRG i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...

8.6CVSS5.9AI score0.00327EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/04/13 2:27 a.m.6 views

nodejs: Nodejs denial of service

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

7.5CVSS7AI score0.01056EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.10 views

PT-2026-32033

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc url parameter during document upload...

5.3CVSS5.9AI score0.00222EPSS
Exploits0References4
OSV
OSV
added 2026/04/06 7:58 a.m.4 views

BIT-NODE-MIN-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

5.9CVSS6.5AI score0.00385EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/30 7:7 p.m.3 views

CVE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...

5.3CVSS6.4AI score0.00454EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/03/30 7:7 p.m.3 views

CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

5.9CVSS6.5AI score0.00385EPSS
Exploits0
CNNVD
CNNVD
added 2026/03/30 12:0 a.m.11 views

Node.js 安全漏洞

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Versions 20.x, 22.x, 24.x, and 25.x of Node.js have security vulnerabilities. These vulnerabilities stem from HMAC verification using a comparison that does not maintain constant time, whi...

5.9CVSS6.8AI score0.00385EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/02/25 10:33 p.m.11 views

@chocolatey-software/astro (>=2.0.0 <=2.5.0), choco-astro (>=0.3.1 <=0.4.0) potentially affected by CVE-2026-27729 via @astrojs/node (>=9.2.2 <=9.5.2)

@astrojs/node NPM version =9.2.2, =2.0.0, =0.3.1, =0.4.0 Source cves: CVE-2026-27729 Source advisory: OSV:GHSA-JM64-8M5Q-4QH8...

7.5CVSS5.8AI score0.00415EPSS
Exploits1
Rows per page
Query Builder