7911 matches found

Hacker One
added 2019/09/07 5:36 a.m. | 34 views

Node.js third-party modules: OS Command Injection on Jison [all-parser-ports]

I would like to report OS Command Injection vulnerability on Jison in parser ports. CSharp, PHP It allows arbitrary OS shell command execution through a crafted command-line argument. Basic Information Module: jison Version: 0.4.18 NPM Project Page: https://www.npmjs.com/package/jison Module...

CVSS 10 | AI score 0.5 | EPSS 0.05601
Exploits: 1

IBM Security Bulletins
added 2019/09/06 12:28 p.m. | 42 views

Security Bulletin: A vulnerability in Node.js affects IBM Cloud App Management V2018

Summary There is a vulnerability in Node.js used by IBM® Cloud App Management V2018. Node.js is vulnerable to a denial of service. By establishing an HTTP or HTTPS connection in keep-alive mode and sending headers very slowly to force the connection and associated resources to stay alive for a lo...

CVSS 7.5 | AI score 1.2 | EPSS 0.26351
Exploits: 0 | Affected Software: 1

Ubuntu
added 2019/09/05 12:42 p.m. | 102 views

USN-4123-1: npm/fstream vulnerability

It was discovered that npm/fstream incorrectly handled certain crafted tarballs. An attacker could use this vulnerability to write arbitrary files to the filesystem...

CVSS 7.5 | AI score 8 | EPSS 0.00406
Exploits: 0

ATTACKERKB
added 2019/09/05 12:00 a.m. | 18 views

CVE-2019-15954: Total.js CMS 12 Widget Remote Code Execution

Total.js is a Node.js Framework for building e-commerce applications, REST services, real-time apps, or apps for Internet of Things (IoT), etc. Total.js CMS is a Content Management System application that is part of the Total.js framework. A commercial version is also available, and can be seen use...

CVSS 9.9 | AI score 9 | EPSS 0.56909
Exploits: 5 | References: 2

Node JS Blog
added 2019/09/05 12:00 a.m. | 15 views

OpenSSL security releases may require Node.js security releases

Summary The Node.js project may be releasing new versions across all of its supported release lines early next week to incorporate upstream patches from OpenSSL. Please read on for full details. OpenSSL The OpenSSL project announced...

AI score 7.2
Exploits: 0

Hacker One
added 2019/09/03 10:19 p.m. | 124 views

Node.js third-party modules: Trojan:JS/CoinMiner in npm files

Hello, I am a front end developer and use Vue.js and Visual Studio Code and have had an issue recently with scripts not running in my terminal so decided to fault find. All programmes that I can think of are up to date, and today I decided to do a full windows defender scan and found the above...

AI score 7.2
Exploits: 0

Hacker One
added 2019/08/31 9:18 a.m. | 44 views

Node.js third-party modules: gitlabhook OS Command Injection

I would like to report OS Command Injection in gitlabhook. It allows execution of arbitrary code on the remote server, that waits for instructions from gitlab. Module module name: gitlabhook version: 0.0.17 npm page: https://www.npmjs.com/package/gitlabhook Module Description This is an easy to u...

CVSS 10 | AI score 0.1 | EPSS 0.49627
Exploits: 5

BDU FSTEC
added 2019/08/27 12:00 a.m. | 0 views

The vulnerability of the HTTP/2 network protocol implementation in Windows operating systems, Nginx servers, and Node.js software platforms allows an attacker to cause a service failure.

The vulnerability of the HTTP/2 network protocol implementation in Windows operating systems, Nginx servers, and Node.js software platforms is related to uncontrolled resource consumption. Exploiting this vulnerability can allow a malicious actor to cause service failures remotely...

CVSS 7.8 | AI score 7.8 | EPSS 0.13725
Exploits: 0 | References: 26 | Affected Software: 12

OpenVAS
added 2019/08/27 12:00 a.m. | 44 views

Fedora Update for nodejs FEDORA-2019-6a2980de56

The remote host is missing an update for the Copyright (C) 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

CVSS 7.8 | AI score 7.8 | EPSS 0.50822
Exploits: 1 | References: 2

BDU FSTEC
added 2019/08/27 12:00 a.m. | 0 views

The vulnerability relates to the implementation of the HTTP/2 network protocol on Windows operating systems, Apache Traffic Server web servers, H2O web servers, network programming tools such as netty, SwiftNIO, Envoy, and the Node.js software platform. This allows attackers to induce service failures.

The vulnerability of the HTTP/2 network protocol implementation in Windows operating systems, Apache Traffic Server web servers, H2O web servers, network programming tools such as netty, SwiftNIO, Envoy, and Node.js software platforms is related to uncontrolled resource consumption. Exploiting...

CVSS 7.8 | AI score 7.2 | EPSS 0.50822
Exploits: 1 | References: 15 | Affected Software: 9

Tenable Nessus
added 2019/08/26 12:00 a.m. | 63 views

Fedora 30 : 1:nodejs (2019-5a6a7bc12c) (0-Length Headers Leak) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)

Update to Node.js 10.6.13 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. (C) Tenable Network...

CVSS 7.8 | AI score 7.4 | EPSS 0.50822
Exploits: 1 | References: 8

Tenable Nessus
added 2019/08/26 12:00 a.m. | 58 views

Fedora 29 : 1:nodejs (2019-6a2980de56) (0-Length Headers Leak) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)

Update to Node.js 10.6.13 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. (C) Tenable Network...

CVSS 7.8 | AI score 7.4 | EPSS 0.50822
Exploits: 1 | References: 8

Fedora
added 2019/08/25 3:04 a.m. | 59 views

[SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

CVSS 7.8 | AI score 1.6 | EPSS 0.50822
Exploits: 1

Fedora
added 2019/08/25 12:58 a.m. | 72 views

[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

CVSS 7.8 | AI score 1.6 | EPSS 0.50822
Exploits: 1

OpenVAS
added 2019/08/25 12:00 a.m. | 77 views

Fedora Update for nodejs FEDORA-2019-5a6a7bc12c

The remote host is missing an update for the Copyright (C) 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

CVSS 7.8 | AI score 7.8 | EPSS 0.50822
Exploits: 1 | References: 2

Hacker One
added 2019/08/22 1:06 a.m. | 144 views

Node.js third-party modules: [crypto-js] Insecure entropy source - Math.random()

Module module name: crypto-js version: 3.1.9-1 npm page: https://www.npmjs.com/package/crypto-js Module Description JavaScript library of crypto standards. Module Stats Replace stats below with numbers from npm's module page: 184959 downloads in the last day 912568 downloads in the last week...

AI score 6.9
Exploits: 0

Hacker One
added 2019/08/21 12:48 p.m. | 76 views

Node.js: Hostname spoofing

Summary: I found that url.parse is vulnerable to hostsplit that causes hostname spoofing. Description: Steps To Reproduce: url.parse('http://evil.c℀.victim.test/?') returns evil.ca/c.victim.test as hostname, so this hostname matches .victim.test but will access evil.ca. Welcome to Node.js v12.9.0...

AI score 7
Exploits: 0

Tenable Nessus
added 2019/08/21 12:00 a.m. | 60 views

FreeBSD : Node.js -- multiple vulnerabilities (c97a940b-c392-11e9-bb38-000d3ab229d6) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)

Node.js reports : Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all active...

CVSS 7.8 | AI score 7.5 | EPSS 0.50822
Exploits: 1 | References: 10

Hacker One
added 2019/08/20 10:16 p.m. | 16 views

Node.js third-party modules: `indexFile` option passed as an argument to node-server can lead to arbitrary file read

Hi Guys, I would like to report Path Traversal vulnerability in indexFile parameter passed as an option to node-server. This vulnerability affects both CLI --indexFile and options.indexFile passed as an argument to Server.prototype.serveDir function in node-static.js Module module name: node-stati...

AI score 7.1
Exploits: 0

Hacker One
added 2019/08/19 4:11 p.m. | 16 views

Node.js: Http response is not ended although underlying socket is already destroyed

Summary: When node server receives http request and hooks to end, finish and error events are attached on response object to handle cases when response is closed/ended but underlying socket is abruptly terminated then none of those events is fired. This leads to state when response seems to be...

AI score 7.2
Exploits: 0