EUVD-2026-17174

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

Astra Linux – Vulnerability in Node.js

A security flaw in Node.js allows for bypassing network import restrictions. By embedding non-network-related imports within data URLs, attackers can execute arbitrary code, compromising system security. This vulnerability has been confirmed on various platforms. It can be mitigated by prohibitin...

EUVD-2018-18908

Malware in sbrugna...

EUVD-2023-34964

Malicious code in bioql PyPI...

BIT-NODE-MIN-2025-23167

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...

PT-2025-21254 · Node.Js +5 · Llhttp +6

Name of the Vulnerable Software and Affected Versions: Node.js versions prior to the llhttp v9 upgrade node-undici in Debian Linux affected versions not specified Description: A flaw in the HTTP parser of Node.js allows improper termination of HTTP/1 headers using r rX instead of the required r r...

nodejs: Bypass network import restriction via data URL

A flaw was found in the Node.js package. By embedding non-network imports in data URLs, this flaw allows an attacker to execute arbitrary code, compromising system security...

nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service

A flaw was found in Node.js that allows a denial of service attack through resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The vulnerability stems from the fetch function in Node.js that always decodes Brotli, making it possible for an attacker to caus...

nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization

A flaw was found in Node.js. Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack...

nodejs: Improper handling of URI Subject Alternative Names

A flaw was found in node.js where it accepted a certificate's Subject Alternative Names SAN entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host...

nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets

A flaw was found in the got package for node.js. Requested URLs are not verified and allow open redirection to a local UNIX socket...

nodejs: HTTP request smuggling due to CR-to-Hyphen conversion

A flaw was found in Node.js, where affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This flaw leads to HTTP Request Smuggling as it is a non-standard interpretation of the header. The highest threat from this vulnerability is to...

nodejs: memory corruption in napi_get_value_string_* functions

A flaw was found in nodejs. Calling napigetvaluestringlatin1, napigetvaluestringutf8, or napigetvaluestringutf16 with a non-NULL buf, and a bufsize of 0 will cause the entire string value to be written to buf, probably overrunning the length of the buffer...

nodejs: HTTP request smuggling using malformed Transfer-Encoding header

A flaw was found in the Node.js code where a specially crafted HTTPs request sent to a Node.js server failed to properly process the HTTPs headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is...