
77 matches found

NVD
added 2025/04/18 4:15 p.m. · 20 views

CVE-2025-32442

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a slightly altered content type such as...

CVSS 7.5 · EPSS 0.00635
Exploits: 1 · References: 4
OSV
added 2025/04/18 3:59 p.m. · 15 views

CVE-2025-32442 Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a slightly altered content type such as...

CVSS 7.5 · AI score 7.3 · EPSS 0.00635
Exploits: 1 · References: 6
OSV
added 2025/02/11 7:15 a.m. · 13 views

BIT-NODE-MIN-2025-23085

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory...

CVSS 5.3 · AI score 6 · EPSS 0.01282
Exploits: 0 · References: 4
Vulnrichment
added 2025/01/22 1:11 a.m. · 5 views

CVE-2025-23088

...

AI score 8.7
Exploits: 0
Cvelist
added 2025/01/22 1:11 a.m. · 14 views

CVE-2025-23087

...

Exploits: 0
OSV
added 2024/12/16 2:7 p.m. · 18 views

BIT-NODE-MIN-2020-8201

Node.js 12.18.4 and 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture ...

CVSS 7.4 · AI score 7.2 · EPSS 0.05093
Exploits: 0 · References: 7
OSV
added 2024/12/16 2:6 p.m. · 11 views

BIT-NODE-MIN-2020-8265

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method...

CVSS 8.1 · AI score 7.8 · EPSS 0.09009
Exploits: 1 · References: 10
OSV
added 2024/12/16 2:6 p.m. · 18 views

BIT-NODE-MIN-2020-8287

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling...

CVSS 6.5 · AI score 7.2 · EPSS 0.16296
Exploits: 2 · References: 11
OSV
added 2024/12/16 2:3 p.m. · 11 views

BIT-NODE-MIN-2022-21824

Due to the formatting logic of the `console.table()` function it was not safe to allow user controlled input to be passed to the `properties` parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. The prototype pollution has...

CVSS 8.2 · AI score 8.4 · EPSS 0.21514
Exploits: 0 · References: 9
OSV
added 2024/12/16 1:58 p.m. · 7 views

BIT-NODE-MIN-2023-30588

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate API, an unexpected termination occurs, making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key inf...

CVSS 5.3 · AI score 6.3 · EPSS 0.01157
Exploits: 0 · References: 4
OSV
added 2024/12/16 1:58 p.m. · 22 views

BIT-NODE-MIN-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...

CVSS 7.5 · AI score 7.2 · EPSS 0.03906
Exploits: 1 · References: 11
OSV
added 2024/12/16 1:56 p.m. · 46 views

BIT-NODE-MIN-2023-46809

Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/hkario/marvin/, if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a privat...

CVSS 7.4 · AI score 6.6 · EPSS 0.01302
Exploits: 0 · References: 4
CNNVD
added 2024/09/07 12:0 a.m. · 3 views

Node.js security vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js versions 22.x, 20.x, and 18.x that stems from improper handling of batch files with all possible extensions, which can lead to arbitrary command injection as well as code execution...

CVSS 8.1 · AI score 8.6 · EPSS 0.01098
Exploits: 0 · References: 4
OSV
added 2024/03/19 5:15 a.m. · 4 views

UBUNTU-CVE-2024-22017

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or...

CVSS 7.3 · AI score 6.9 · EPSS 0.00893
Exploits: 0 · References: 6
OSV
added 2024/02/20 2:15 a.m. · 2 views

UBUNTU-CVE-2024-21890

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: `--allow-fs-read=/home/node/.ssh/*.pub` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users...

CVSS 6.5 · AI score 6.9 · EPSS 0.00945
Exploits: 0 · References: 4
OSV
added 2023/08/21 5:15 p.m. · 3 views

DEBIAN-CVE-2023-32002

The use of Module.load can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CV...

CVSS 9.8 · AI score 7 · EPSS 0.0143
Exploits: 0 · References: 1
SUSE CVE
added 2023/08/11 2:13 a.m. · 5 views

SUSE CVE-2023-32006

The use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note th...

CVSS 5.6 · AI score 8.2 · EPSS 0.01273
Exploits: 0 · References: 14
Positive Technologies
added 2023/08/09 12:0 a.m. · 12 views

PT-2023-4548 · Node.Js +10

Name of the Vulnerable Software and Affected Versions: Node.js versions 16.x through 20.x Description: The issue is related to the use of module.constructor.createRequire, which can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This...

CVSS 9.8 · AI score 7.4 · EPSS 0.87211
Exploits: 7 · References: 181
Positive Technologies
added 2023/08/09 12:0 a.m. · 5 views

PT-2023-4549 · Node.Js +9

Name of the Vulnerable Software and Affected Versions: Node.js versions 16.x through 20.x Description: A privilege escalation issue exists in the experimental policy mechanism due to inadequate access controls. This can be exploited by a remote attacker to bypass existing security restrictions. T...

CVSS 9.8 · AI score 7.9 · EPSS 0.87211
Exploits: 7 · References: 184
Positive Technologies
added 2023/07/28 12:0 a.m. · 14 views

PT-2023-7025 · Node.Js +6

Name of the Vulnerable Software and Affected Versions: Node.js versions prior to the fixed version Description: Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module...

CVSS 9.8 · AI score 6.5 · EPSS 0.99999
Exploits: 22 · References: 158