CVE-2013-7454
The CVE-2013-7454 entry concerns the Node.js validator module before 1.1.0, where the XSS filter can be bypassed by nested forbidden strings. Affected component: validator module (Node.js). Root cause: bypass of the blacklist-based XSS filter; exploitability is remote without authentication and c...
CVE-2016-4055
Moment.js (Node.js) is affected by CVE-2016-4055 due to a vulnerability in its regular expression handling that can enable a DoS (high CPU usage) via crafted input. Public details show the issue as a ReDoS against the moment package prior to 2.11.2, with remediation requiring upgrading to a patch...
CVE-2015-8856
CVE-2015-8856 affects the serve-index package for Node.js prior to 1.6.3, where file or directory names could be crafted to trigger cross-site scripting. The vulnerability allows remote injection of arbitrary scripts/HTML via such names. A fix is available in version 1.6.3 and later. The availabl...
CVE-2015-8858
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."...
CVE-2015-8860
CVE-2015-8860 affects the tar module used with Node.js, where a symlink attack in an archive could allow a local attacker to overwrite arbitrary files. The vulnerability exists in tar package versions before 2.0.0; successful exploitation requires handling of symbolic links during extraction. Rem...
CVE-2013-7453
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing...
CVE-2015-8861
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted...
CVE-2015-8859
CVE-2015-8859 concerns the Node.js send package prior to 0.11.1, where an information leakage/root path disclosure vulnerability exists via unspecified vectors. Connected sources (GHSA-... and OSV entries) confirm this vulnerability, with remediation advised to upgrade to 0.11.1 or later. Affecte...
CVE-2015-8315
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."...
CVE-2014-9772
The CVE-2014-9772 entry concerns the validator package for Node.js. Affected versions are prior to 2.0.0, where the built-in XSS filter can be bypassed using hex-encoded characters. This can allow bypass of the filter and may enable script execution in contexts that rely on the validator’s XSS pr...
CVE-2015-8857
The CVE-2015-8857 entry concerns the uglify-js package for Node.js. It describes that uglify-js before 2.4.24 fails to properly account for non-boolean values when rewriting boolean expressions, which could let an attacker bypass security mechanisms or cause unspecified other impacts via rewritte...
CVE-2015-8854
CVE-2015-8854 affects the Node.js marked module prior to 0.3.4. It enables a denial of service (CPU exhaustion) via unspecified vectors that trigger catastrophic backtracking in the Em inline rule, i.e., a ReDoS. Affected products in public docs inclu...
CVE-2015-8861
CVE-2015-8861 affects the Handlebars package for Node.js, with a vulnerability in templates that contain unquoted attributes, enabling remote XSS. The issue is tied to Handlebars pre-4.0.0 versions. Impact is cross-site scripting in contexts that render untrusted templates; no exploit details are...
CVE-2014-9772
Removed by vendor...
CVE-2015-8857
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten JavaScript...
CVE-2015-8862
The CVE-2015-8862 entry concerns the mustache package for Node.js. Affected software is mustache prior to version 2.2.1; the root cause is an XSS flaw introduced by an attribute in a mustache template that is not quoted. Impact is remote XSS where an attacker can leverage unquoted attributes to e...
CVE-2015-8858
CVE-2015-8858: The vulnerability affects the uglify-js package before 2.6.0 used in Node.js, where a crafted input to parse() can trigger a regular expression denial of service (ReDoS) and cause high CPU usage. Root cause is a flaw in the regular expression handling within the parser. Impact is ...
CVE-2016-4055
The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."...
CVE-2015-8315
The Node.js ms module is vulnerable to a regular expression denial of service (ReDoS) when parsing extremely long version strings. This affects versions before 0.7.1 and can cause CPU exhaustion, potentially degrading availability. Multiple sources (NVD entry CVE-2015-8315 and OSS/NVD mirrors, np...
CVE-2015-8856
Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name...