Command injection
A command Injection in ps package versions 1.0.0 for Node.js allowed arbitrary commands to be executed when attacker controls the PID...
Node.js third-party modules: [buttle] Unsafe rendering of Markdown files
I would like to report Cross Site Scripting vulnerability in buttle module. It allows to execute arbitrary javascript due to unsafe rendering of markdown files. Module module name: buttle version: 0.2.0 npm page: https://www.npmjs.com/package/buttle Module Description Another static file server? Why...
Node.js third-party modules: [takeapeek] Path traversal allow to expose directory and files
I would like to report Path Traversal in takeapeek. It allows attacker to list directory and files. Module module name: takeapeek version: 0.2.2 npm page: https://www.npmjs.com/package/takeapeek Module Description A simple static webserver with only one command. Heavily inspired by glance, this is...
Node.js third-party modules: [knightjs] Path Traversal allows to read content of arbitrary files
I would like to report Path Traversal in Knightjs. It allows attacker to read content of arbitrary file on remote server. Module module name: Knightjs version: 0.0.1 npm page: https://www.npmjs.com/package/knightjs Module Description knight is a simple static server without configuration on the top...
Node.js third-party modules: List any file in the folder by using path traversal
I would like to report Path Traversal in simplehttpserver. It allows to list any file in another folder of web root. Module module name: simplehttpserver version: v0.2.1 npm page: https://www.npmjs.com/package/simplehttpserver Module Description 'simpehttpserver' is a simple imitation of python'...
Node.js third-party modules: [tianma-static] Stored xss on filename
I would like to report stored xss in tianma-static. It allows anyone to execute arbitrary javascript for doing anything. Module module name: tianma-static version: 1.0.4 npm page: https://www.npmjs.com/package/tianma-static Module Description Provide a static file service. Vulnerability Vulnerabili...
[SECURITY] Fedora 27 Update: nodejs-8.11.4-1.fc27
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
FreeBSD : node.js -- multiple vulnerabilities (0904e81f-a89d-11e8-afbb-bc5ff4f77b71)
Node.js reports : OpenSSL: Client DoS due to large DH parameter This fixes a potential denial of service DoS attack against client connections by a malicious server. During a TLS communication handshake, where both client and server agree to use a cipher-suite using DH or DHE Diffie-Hellman, in...
Node.js < 10.9.0, < 8.11.4, < 6.14.4 OOB Write Vulnerability - Windows
Node.js is prone to an out-of-bounds write vulnerability. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:nodejs:node.js";...
Node.js 10.x < 10.9.0 Unintentional Exposure of Uninitialized Memory Vulnerability - Windows
Node.js is prone to an unintentional exposure of uninitialized memory. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
Node.js 10.x < 10.9.0 Unintentional Exposure of Uninitialized Memory Vulnerability - Mac OS X
Node.js is prone to an unintentional exposure of uninitialized memory. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
Node.js < 10.9.0, < 8.11.4, < 6.14.4 OOB Write Vulnerability - Mac OS X
Node.js is prone to an out-of-bounds write vulnerability. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:nodejs:node.js";...
Syhunt Community Hybrid Scanner v6.2
Syhunt Community is a hybrid static and dynamic web application security scanner. Syhunt is able to scan any kind of application source code for potential security vulnerabilities, pinpointing the exact lines of the code that need to be patched. Or you can simply enter a start URL and get detaile...
[SECURITY] Fedora 28 Update: nodejs-8.11.4-1.fc28
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
Unspecified vulnerability in Joyent Node.js (CNVD-2019-42560)
Joyent Node.js is the United States Joyent company's set of web applications built on top of the Google V8 JavaScript engine platform. The platform is primarily used for building highly scalable applications and writing code that can handle tens of thousands of simultaneous connections to a singl...
Moderate: Red Hat Security Advisory: Red Hat OpenShift Application Runtimes Node.js 10.9.0 security update
An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from th...
nodejs: Unintentional exposure of uninitialized memory
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause Buffer.alloc to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying encoding can be passed as a number, this is...
Moderate: Red Hat Security Advisory: Red Hat OpenShift Application Runtimes Node.js 8.11.4 security update
An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from th...
Node.js third-party modules: [serve] XSS via HTML tag injection in directory listing page
I would like to report HTML injection in serve module. It allows malicious HTML tags injection and execution of arbitrary JS code. Module module name: serve version: 9.6.0 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site, single page...
CVE-2018-7166
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause Buffer.alloc to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying encoding can be passed as a number, this is...