7911 matches found
High severity vulnerability that affects qs
Withdrawn, accidental duplicate publish. The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array...
GHSA-CRVJ-3GJ9-GM2P High severity vulnerability that affects qs
Withdrawn, accidental duplicate publish. The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array...
High severity vulnerability that affects uglify-js
Withdrawn, accidental duplicate publish. The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperl...
Moderate severity vulnerability that affects mustache
Withdrawn, accidental duplicate publish. mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted...
Moderate severity vulnerability that affects send
Withdrawn, accidental duplicate publish. visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public"...
NodeXP - Detection and Exploitation Tool for Node.js Services
NodeXP is an integrated tool, written in Python 2.7, capable of detecting possible vulnerabilities on Node.js services as well as exploiting them in an automated way, based on the Server-Side JavaScript Injection attack! Getting Started - Installation & Usage Download NodeXP by cloning the Git...
Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private and IBM Cloud Private Cloud Foundry (CVE-2018-7167, CVE-2018-7164, CVE-2018-7162, CVE-2018-1000168, CVE-2018-7161)
Summary: IBM Cloud Private and IBM Cloud Private Cloud Foundry are vulnerable to multiple security vulnerabilities. Vulnerability Details: CVEID: CVE-2018-7167 DESCRIPTION: Node.js is vulnerable to a denial of service. By invoking Buffer.fill or Buffer.alloc, a remote attacker could exploit this...
Security update for nodejs8 (moderate)
This update for nodejs8 to version 8.11.4 fixes the following issues: Security issues fixed: - CVE-2018-12115: Fixed an out-of-bounds memory write in Buffer that could be used to write to memory outside of a Buffer's memory space buffer (bsc#1105019) - Upgrade to OpenSSL 1.0.2p, which fixed: -...
Response Splitting
node.js is vulnerable to response splitting. The library does not handle unicode characters properly, allowing a malicious user to conduct a response splitting attack...
Man-in-the-Middle (MitM)
node.js is vulnerable to a man-in-the-middle (MitM) attack. The library does not properly handle the wildcard character in the X.509 Certificate name fields. This can allow a malicious user to spoof servers and cause a MitM attack...
HTTP Response Splitting
nodejs is vulnerable to HTTP response splitting. This is due to a lack of validation for permitted characters in the reason argument in the ServerResponse#writeHead function. An attacker is able to inject arbitrary HTTP headers into the server response via the affected argument and perform HTTP respon...
Node.js third-party modules: [http-live-simulator] Path traversal vulnerability
Module: module name: http-live-simulator; version: 1.0.6; npm page: https://www.npmjs.com/package/http-live-simulator. Description: this vulnerability is a bypass for the one found in this report in version 1.0.5. Steps To Reproduce: 1- Install the module: npm install -g http-live-simulator 2- Run the...
Node.js: Http request splitting
Hi, I came upon the following tweet today: https://twitter.com/YShahinzadeh/status/1039396394195451904 which details an HTTP request splitting vulnerability in NodeJS. You can confirm it with the following repro script: const http = require('http') const server = http.createServer((req, res) =...
Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private and IBM Cloud Private Cloud Foundry (CVE-2018-7158, CVE-2018-7159, CVE-2018-7160)
Summary: IBM Cloud Private and IBM Cloud Private Cloud Foundry are vulnerable to multiple security vulnerabilities. Vulnerability Details: CVEID: CVE-2018-7158 DESCRIPTION: Node.js path module is vulnerable to a denial of service. By sending a specially crafted file path, an attacker could exploit...
Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud
Summary: OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js for IBM Cloud. IBM SDK for Node.js for IBM Cloud has addressed the applicable CVEs. Security vulnerabilities have been reported in Node.js that affect IBM® SDK for Node.js™ in IBM Cloud...
Joyent Node.js ps package command injection vulnerability
Joyent Node.js is a platform from the US company Joyent for building web applications on top of the Google V8 JavaScript engine. The ps package is one of its modules, used to view the running state of processes. A command injection vulnerability exists in Joyent Node.js ps package versions...
CVE-2018-16460
Summary: CVE-2018-16460 describes a command injection in the Node.js ps package when using versions before 1.0.0. The vulnerability arises because an attacker can control the PID, allowing arbitrary commands to be executed on the affected system. Affected software: ps package (Node.js ecosystem),...
CVE-2018-16460
A command injection in ps package versions before 1.0.0 for Node.js allowed arbitrary commands to be executed when an attacker controls the PID...