176 matches found
Important: nodejs:20 security update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: undici: Undici Uses Insufficiently Random Values CVE-2025-22150 nodejs: Node.js Worker Thread Exposure via Diagnostics Channel CVE-2025-23083...
CVE-2024-39943
rejetto HFS aka HTTP File Server 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users if they have Upload permissions. This occurs because a shell is used to execute df i.e., with execSync instead of spawnSync in childprocess in Node.js...
CVE-2025-23088
Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities...
CVE-2025-23089
...
Tuesday, January 21, 2025 Security Releases
Tuesday, January 21, 2025 Security Releases Security releases available Updates are now available for the 23.x, 22.x, 20.x, 18.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: undici v7.2.3, v6.21....
BIT-NODE-MIN-2021-44531
Accepting arbitrary Subject Alternative Name SAN types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js 12.22.9, 14.18.3, 16.13.2, and 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use...
BIT-NODE-MIN-2023-39332
Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings see CVE-2023-30584 and Buffer objects see CVE-2023-32004, but not through non-Buffer...
BIT-NODE-MIN-2024-21891
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experiment...
BIT-NODE-MIN-2024-21892
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAPNETBINDSERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this...
BIT-NODE-MIN-2024-22020
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports...
SUSE SLES15 / openSUSE 15 Security Update : nodejs20 (SUSE-SU-2024:4300-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:4300-1 advisory. - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency bsc1233856 Other fixes: - Updated to...
[SECURITY] [DLA 3886-1] nodejs security update
------------------------------------------------------------------------- Debian LTS Advisory DLA-3886-1 [email protected] https://www.debian.org/lts/security/ Bastien Roucariès September 14, 2024 https://wiki.debian.org/LTS -...
EUVD-2024-1373
xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional...
Important: Red Hat Security Advisory: nodejs:18 security update
An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...
SUSE-SU-2024:1305-1 Security update for nodejs16
This update for nodejs16 fixes the following issues: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash bsc1222244 - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscation bsc1222384...
Internet Bug Bounty: Path traversal by monkey-patching Buffer internals
In Node.js 20 and 21, a path traversal vulnerability was introduced due to the ability to monkey-patch Buffer internals. By overwriting Buffer.prototype.utf8Write, an attacker could bypass the path resolution logic and access restricted file system paths. The vulnerability was caused by the...
CVE-2024-29042
CVE-2024-29042 affects the Translate package (Node.js and browser) prior to 3.0.0. An attacker who controls the second variable of the translate function can cause a cache poisoning attack by overwriting the cache key via the opt.id parameter, enabling them to influence subsequent users’ translat...
MGASA-2024-0046 Updated nodejs yarnpkg packages fix security vulnerabilities
This is a security release. The following CVEs are fixed in this release: CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- High CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- High CVE-2023-46809 -...
Node.js 安全漏洞
Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js that stems from the presence of an elevation of privilege vulnerability that can be exploited by an attacker to run arbitrary code...
SUSE-SU-2023:2655-1 Security update for nodejs16
This update for nodejs16 fixes the following issues: Update to version 16.20.1: - CVE-2023-30581: Fixed mainModule.proto Bypass Experimental Policy Mechanism bsc1212574. - CVE-2023-30585: Fixed privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process...