
7910 matches found

Debian CVE
added 2018/05/31 8:0 p.m. | 29 views

CVE-2016-10539

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier, is vulnerable to Regular Expression Denial of Service via a specially crafted string...

CVSS 7.5 | AI score 7.4 | EPSS 0.00328
Exploits: 0
CVE
added 2018/05/31 8:0 p.m. | 70 views

CVE-2016-10539

The CVE-2016-10539 issue affects the negotiator npm package (Node.js) ≤0.6.0, where parsing the Accept-Language header can trigger a Regular Expression Denial of Service via a specially crafted input. The vulnerability impacts modules/frameworks using negotiator (e.g., Express, Koa). Remediation:...

CVSS 7.5 | AI score 7.3 | EPSS 0.00328
Exploits: 0 | References: 1 | Affected Software: 1
CNVD
added 2018/05/31 12:0 a.m. | 1 view

unicode code execution vulnerability

unicode is a tool that provides data from unicode for nodejs. A security vulnerability exists in unicode versions prior to 9.0.0, which originates from a program that insecurely downloads resources over the HTTP protocol. An attacker can exploit the vulnerability to alter or read resources and...

CVSS 8.1 | AI score 6.9 | EPSS 0.00163
Exploits: 0 | References: 1
Fedora
added 2018/05/30 2:11 p.m. | 15 views

[SECURITY] Fedora 28 Update: nodejs-base64-url-2.2.0-1.fc28

Base64 encode, decode, escape and unescape for URL applications...

AI score 1.5
Exploits: 0
NVD
added 2018/05/29 8:29 p.m. | 14 views

CVE-2016-10698

mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru. mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled...

CVSS 9.3 | AI score 8.3 | EPSS 0.00735
Exploits: 0 | References: 1
NVD
added 2018/05/29 8:29 p.m. | 6 views

CVE-2018-3745

atob 2.0.3 and earlier allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and below...

CVSS 9.1 | AI score 9.3 | EPSS 0.00964
Exploits: 1 | References: 2
OSV
added 2018/05/29 8:29 p.m. | 16 views

CVE-2016-10577

ibmdb is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibmdb before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker...

CVSS 8.1 | AI score 8.5
Exploits: 0 | References: 2
NVD
added 2018/05/29 8:29 p.m. | 17 views

CVE-2016-10577

ibmdb is an asynchronous/synchronous interface for node.js to IBM DB2 and IBM Informix. ibmdb before 1.0.2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker...

CVSS 8.1 | AI score 8.3 | EPSS 0.01076
Exploits: 0 | References: 2
NVD
added 2018/05/29 8:29 p.m. | 17 views

CVE-2016-10586

macaca-chromedriver is a Node.js wrapper for the selenium chromedriver. macaca-chromedriver before 1.0.29 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker...

CVSS 9.3 | AI score 8.3 | EPSS 0.00735
Exploits: 0 | References: 1
Prion
added 2018/05/29 8:29 p.m. | 19 views

Input validation

atob 2.0.3 and earlier allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and below...

CVSS 6.4 | AI score 9.1 | EPSS 0.00964
Exploits: 1 | References: 2 | Affected Software: 1
NVD
added 2018/05/29 8:29 p.m. | 15 views

CVE-2016-10558

aerospike is an Aerospike add-on module for Node.js. aerospike versions below 2.4.2 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binar...

CVSS 9.3 | AI score 8.4 | EPSS 0.00735
Exploits: 0 | References: 1
Prion
added 2018/05/29 8:29 p.m. | 9 views

Remote code execution

aerospike is an Aerospike add-on module for Node.js. aerospike versions below 2.4.2 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binar...

CVSS 9.3 | AI score 8.1 | EPSS 0.00735
Exploits: 0 | References: 1 | Affected Software: 1
Prion
added 2018/05/29 8:29 p.m. | 9 views

Remote code execution

macaca-chromedriver is a Node.js wrapper for the selenium chromedriver. macaca-chromedriver before 1.0.29 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker...

CVSS 9.3 | AI score 8 | EPSS 0.00735
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2018/05/29 8:29 p.m. | 9 views

CVE-2016-10558

aerospike is an Aerospike add-on module for Node.js. aerospike versions below 2.4.2 download binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binar...

CVSS 8.1 | AI score 8.6
Exploits: 0 | References: 1
Cvelist
added 2018/05/29 8:0 p.m. | 12 views

CVE-2015-9244

Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with mysql.escape which could lead to SQL Injection...

AI score 9.7 | EPSS 0.00941
Exploits: 1 | References: 2
CVE
added 2018/05/29 8:0 p.m. | 46 views

CVE-2016-10590

CVE-2016-10590 affects the Node.js wrapper cue-sdk-node, which downloads zipped resources over HTTP. The underlying issue is insecure HTTP transfers that enable a MITM attacker to swap the requested zip with a malicious one, potentially enabling remote code execution on the host. The public advis...

CVSS 9.3 | AI score 8.3 | EPSS 0.00735
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2018/05/29 8:0 p.m. | 43 views

CVE-2016-10698

Summary: The connected advisories confirm that mystem-fix downloads binaries over HTTP, creating a MITM risk that could allow remote code execution if an attacker intercepts the binary. The GHSA entry explicitly states that affected versions insecurely download executables over HTTP, enabling pot...

CVSS 9.3 | AI score 8.3 | EPSS 0.00735
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2018/05/29 8:0 p.m. | 48 views

CVE-2015-9241

Affected software: hapi node module (Node.js) prior to version 11.1.3. Root cause: certain inputs in If-Modified-Since or Last-Modified headers cause an 'illegal access' exception, leading hapi to keep the socket open instead of returning HTTP 500, effectively a denial of service. Impact: potenti...

CVSS 7.5 | AI score 7.5 | EPSS 0.00346
Exploits: 1 | References: 3 | Affected Software: 1
CVE
added 2018/05/29 8:0 p.m. | 71 views

CVE-2018-3745

CVE-2018-3745 describes an information disclosure/DoS risk in the atob Node.js module (versions 2.0.3 and earlier) caused by allocating uninitialized Buffers when a number is provided as input on Node.js 4.x and earlier. The vulnerability affects the atob module itself and is due to uninitialized...

CVSS 9.1 | AI score 9.1 | EPSS 0.00964
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2018/05/29 8:0 p.m. | 71 views

CVE-2016-10577

CVE-2016-10577 concerns the ibm_db Node.js interface to IBM DB2/Informix. The affected library (ibm_db before 1.0.2) downloads binary resources over HTTP, exposing users to MITM modification or interception of binaries. The documentation states that a remote attacker positioned on the network cou...

CVSS 8.1 | AI score 8.2 | EPSS 0.01076
Exploits: 0 | References: 2 | Affected Software: 1