CVE-2025-57353
CVE-2025-57353 affects the Runtime components of the Node.js messageformat package (versions before 3.0.2). The issue is a prototype pollution vulnerability caused by insufficient validation of nested message keys during processing, allowing an attacker to modify Object.prototype and inject arbit...
CVE-2025-59364
The express-xss-sanitizer aka Express XSS Sanitizer package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body...
CVE-2025-58754 Axios is vulnerable to DoS attack through lack of data size check
Axios is a promise-based HTTP client for the browser and Node.js. When Axios, starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0, runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory...
IBM WebSphere Application Server Liberty 17.0.0.3 < 25.0.0.10 (7244573)
The version of IBM WebSphere Application Server Liberty running on the remote host is affected by a vulnerability as referenced in the 7244573 advisory. - The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output...
PT-2025-37272
Name of the Vulnerable Software and Affected Versions: Axios versions prior to 1.11.0. Description: Axios, a promise-based HTTP client for browsers and Node.js, is susceptible to a denial-of-service (DoS) attack when running on Node.js and processing URLs with the data: scheme. The Node http adapter...
GHSA-RRJV-57MM-J6CM vulnerabilities
Vulnerabilities for packages: nodejs...
CVE-2025-23166 vulnerabilities
Vulnerabilities for packages: nodejs...
Malicious code in duckdb (npm)
The DuckDB Node.js package duckdb version 1.3.3 was compromised with malware through a sophisticated phishing attack targeting the DuckDB maintainers. An attacker created a pixel-perfect copy of the npmjs.com website at npmjs.help domain and tricked a maintainer into logging in and resetting 2FA...
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.
...
Linux Distros Unpatched Vulnerability : CVE-2025-23167
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables...
Payload code issue vulnerability
Payload is a Headless CMS and application framework built using TypeScript, Node.js, React, and MongoDB. Payload has a code issue vulnerability that stems from JWT not being invalidated after logout, which could lead to token reuse...
Security Bulletin: Vulnerabilities in Node.js, Angular.js, Golang Go, Java, MongoDB, Linux kernel may affect IBM Spectrum Protect Plus
Summary: IBM Spectrum Protect Plus can be affected by vulnerabilities in Node.js, Angular.js, Golang Go, Java, MongoDB, Linux. Vulnerabilities include obtaining sensitive information, causing a denial of service condition, remote execution of arbitrary code on the system, and bypassing security...
Linux Distros Unpatched Vulnerability : CVE-2017-20165
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The...
Linux Distros Unpatched Vulnerability : CVE-2015-8854
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a catastrophic...
Linux Distros Unpatched Vulnerability : CVE-2015-1370
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript ta...
Linux Distros Unpatched Vulnerability : CVE-2019-5737
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by...
Linux Distros Unpatched Vulnerability : CVE-2018-12123
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is...
Linux Distros Unpatched Vulnerability : CVE-2018-12121
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests wi...
Linux Distros Unpatched Vulnerability : CVE-2018-13797
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec rather than execFil...
NodeShield: Runtime Enforcement of Security-Enhanced SBOMs for Node.js
The software supply chain is an increasingly common attack vector for malicious actors. The Node.js ecosystem has been subject to a wide array of attacks, likely due to its size and prevalence. To counter such attacks, the research community and practitioners have proposed a range of static and...