40 matches found
MiracleLinux 8 : nodejs:20 (AXSA:2024-7668:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7668:01 advisory. nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS1 v1.5 padding Marvin CVE-2023-46809 nodejs: reading unprocessed HTTP...
EUVD-2024-19624
Malicious code in bioql PyPI...
EUVD-2023-36291
Malicious code in bioql PyPI...
EUVD-2023-36802
Malicious code in bioql PyPI...
EUVD-2023-34967
Malicious code in bioql PyPI...
CVE-2025-23167
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...
CVE-2025-23167
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...
GHSA-9M48-R3W4-X35V vulnerabilities
Vulnerabilities for packages: nodejs...
Oracle Linux 9 : nodejs:20 (ELSA-2024-5815)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-5815 advisory. nodejs 1:20.16.0-1 - Update to 20.16.0 Fixes: CVE-2024-36137 CVE-2024-22018 CVE-2024-22020 nodejs-nodemon nodejs-packaging Tenable has extracted the...
CVE-2024-22018
A flaw was found in the Node.js package. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files they do not have explicit read access to...
CVE-2024-22018
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve...
nodejs:20 security update
nodejs 1:20.12.2-2 - Backport nghttp2 patch for CVE-2024-28182 1:20.12.2-1 - Rebase to version 20.12.0 Fixes: CVE-2024-27983 CVE-2024-27982 CVE-2024-22025 node Fixes: CVE-2024-25629 c-ares nodejs-nodemon nodejs-packaging...
Rocky Linux 8 : nodejs:20 (RLSA-2024:1687)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1687 advisory. - The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For exampl...
Oracle Linux 9 : nodejs:20 (ELSA-2024-1688)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1688 advisory. - Fixes: CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 high Tenable has extracted the preceding description block directly from the Oracl...
Oracle Linux 8 : nodejs:20 (ELSA-2024-1687)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1687 advisory. - Fixes: CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 high Tenable has extracted the preceding description block directly from the Oracl...
Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2024-544)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-544 advisory. 2024-03-13: CVE-2024-22025 was added to this advisory. The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file...
Path traversal
The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from to obtain a Buffer from the result of path.resolve. By monkey-patching Buffer internals, namely...
CVE-2024-21890
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: --allow-fs-read=/home/node/.ssh/.pub will ignore pub and give access to everything after .ssh/. This misleading documentation affects all users...
CVE-2024-21896
The permission model protects itself against path traversal attacks by calling path.resolve on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from to obtain a Buffer from the result of path.resolve. By monkey-patching Buffer internals, namely...
Rocky Linux 8 : nodejs:20 (RLSA-2023:7205)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:7205 advisory. - When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return ...