176 matches found
Medium: nodejs
Issue Overview: In some cases Node.js does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service...
Tuesday June 20 2023 Security Releases
(Update 20-June-2023) Security releases available. Updates are now available for all supported Node.js release lines for the following issues. OpenSSL Security updates: This security release includes the following OpenSSL security updates OpenSSL security adviso...
18 security update
nodejs 1:18.14.2-3 - Update bundled c-ares to 1.19.1 Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067...
Directory traversal
The n8n package 0.218.0 for Node.js allows Directory Traversal...
MGASA-2023-0078 Updated nodejs packages fix security vulnerability
The following CVEs are fixed in this release: CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High). CVE-2023-23920: Node.js insecure loading of ICU data through ICUDATA environment variable (Low). More detailed information on each of the vulnerabilities can be foun...
CVE-2023-23920
An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges...
nodejs and nodejs-nodemon security, bug fix, and enhancement update
An update is available for nodejs-nodemon, nodejs. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Node.js is a software development platform for building fast a...
Internet Bug Bounty: Node.js - DLL Hijacking on Windows
Full Node.js Security Releases - summarizing the issue is here: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/ The original Node.js HackerOne report is here: https://hackerone.com/bugs?reportid=1447455 ----- Node.js versions earlier than 16.16.0 LTS and 14.20.0 are vulnerabl...
MGASA-2022-0077 Updated nodejs packages fix security vulnerability
Improper handling of URI Subject Alternative Names (Medium). Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often n...
CVE-2022-21824
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has...
OPENSUSE-SU-2021:3294-1 Security update for nodejs8
nodejs8 was updated to fix the following security issues: - CVE-2021-22930: http2: fixes use after free on close in stream canceling bsc1188917...
Elastic Kibana Node.js Security Vulnerabilities (ESA-2021-24)
Elastic Kibana is prone to multiple vulnerabilities in Node.js. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:elastic:kibana";...
OPENSUSE-SU-2021:1061-1 Security update for nodejs10
This update for nodejs10 fixes the following issues: Update nodejs10 to 10.24.1. Including fixes for - CVE-2021-22918: libuv upgrade - Out of bounds read bsc1187973 - CVE-2021-27290: ssri Regular Expression Denial of Service bsc1187976 - CVE-2021-23362: hosted-git-info Regular Expression Denial o...
Important: Red Hat Security Advisory: rh-nodejs10-nodejs security update
An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
nodejs:12 security update
nodejs 1:12.20.1-1 - Security rebase for January security release - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ - Resolves: RHBZ1916460, RHBZ1914786 - Resolves: RHBZ1914784, RHBZ1916396 nodejs-nodemon 2.0.3-1 - Resolves: RHBZ1921841, RHBZ1921843, RHBZ1921842 - Rebase ...
OPENSUSE-SU-2021:0082-1 Security update for nodejs10
This update for nodejs10 fixes the following issues: - New upstream LTS version 10.23.1: CVE-2020-8265: use-after-free in TLSWrap (High): bug in TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as...
CVE-2020-8174
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0...
Important: http-parser
Issue Overview: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed (CVE-2019-15605). Affected Packages: http-parser. Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference...
Code Injection in sidorares/node-wrk
Description The wrk module is vulnerable against RCE since a command is crafted using user inputs not validated and then executed, leading to arbitrary command injection POC 1. Create the following PoC file: js // poc.js var wrk = require'wrk'; wrk threads: 1, connections: 's','aaa', duration:...
node-mpv command injection vulnerability
node-mpv is a wrapper to use the mpv player for node.js. A command injection vulnerability exists in node-mpv 1.4.3 and earlier. An attacker can exploit this vulnerability to execute arbitrary commands via the options parameter...