Design/Logic Flaw
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as...
CVE-2016-2216
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as...
CVE-2016-2086
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header...
CVE-2016-2216
CVE-2016-2216 affects Node.js HTTP header parsing in several branches (0.10.x, 0.11.x, 0.12.x, 4.x, 5.x). Root cause: header parsing inadequately validates UTF-8/Unicode characters, enabling HTTP response-splitting protection bypass. Demonstrated by crafted encoded input like %c4%8d%c4%8a. Impact...
CVE-2016-2086
CVE-2016-2086 affects Node.js HTTP request parsing via Content-Length mishandling, enabling remote HTTP request smuggling. Public docs identify Node.js versions affected (0.10.x up to 0.10.42, 0.12.x up to 0.12.10, 4.x up to 4.3.0, 5.x up to 5.6.0) and describe impact as potential for cache poiso...
Fedora 24 : nodejs-5.10.0-1.fc24 / nodejs-bl-1.1.2-1.fc24 / nodejs-buffertools-2.1.3-12.fc24 / etc (2016-6ab2d29fba)
Update Node.js to the 5.x stable branch. This update also includes a fix for a man-in-the-middle vulnerability in npm. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and forma...
[SECURITY] Fedora 24 Update: nodejs-sqlite3-3.1.2-3.fc24
Asynchronous, non-blocking SQLite3 bindings for Node.js...
[SECURITY] Fedora 24 Update: nodejs-buffertools-2.1.3-12.fc24
Working with node.js buffers made easy...
[SECURITY] Fedora 24 Update: nodejs-gdal-0.9.0-1.fc24
Read and write raster and vector geospatial datasets straight from Node.js with this native GDAL binding...
[SECURITY] Fedora 24 Update: nodejs-fs-ext-0.5.0-9.fc24
Extensions to core 'fs' module for Node.js...
[SECURITY] Fedora 24 Update: nodejs-5.10.0-1.fc24
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
[SECURITY] Fedora 24 Update: nodejs-zipfile-0.5.9-7.fc24
Bindings to libzip for handling zipfile archives in Node.js...
[SECURITY] Fedora 24 Update: nodejs-node-expat-2.3.11-8.fc24
Fast libexpat XML SAX parser binding for Node.js...
[SECURITY] Fedora 24 Update: nodejs-i2c-0.2.1-6.fc24
Node.js native bindings for i2c-dev. Plays well with Raspberry Pi and Beaglebone...
Bitcoin/Altcoin Stratum Pool Mass Duplicate Shares
Bitcoin/Altcoin Stratum Pool Mass Duplicate Shares Exploit. This particular vulnerability makes it possible to force a Stratum Mining Pool to accept "invalid" shares by the thousands for each mining pool round. It is possible to make pure money from this vulnerability. The exploit is real but...
Insecure Defaults Allow MITM Over TLS
Overview: Affected versions of engine.io-client do not verify certificates by default, and as such may be vulnerable to Man-in-the-Middle attacks. The vulnerability is related to the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates to false, such as...
npm security updates v2.15.1 and v3.8.3
npm security updates v2.15.1 and v3.8.3. This announcement is also covered on the npm blog: http://blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability. The primary npm registry has, since late 2014, used HTTP bearer tokens to authenticate requests from the npm command-line interfac...