43 matches found
SUSE CVE-2021-22884
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DN...
Important: nodejs20
Issue Overview: A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called ...
BIT-NODE-2026-21717
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...
CVE-2026-21717
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...
Node.js 安全漏洞
Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Security vulnerabilities exist in Node.js versions 20.x, 22.x, 24.x, and 25.x. These vulnerabilities stem from issues with the V8 string hashing mechanism, which may lead to predictable ha...
nodejs: Nodejs file permissions bypass
A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files...
Unity Linux 20.1070e Security Update: nodejs (UTSA-2025-680626)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-680626 advisory. Due to the formatting logic of the console.table function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneousl...
Linux Distros Unpatched Vulnerability : CVE-2021-22930
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change...
PT-2025-30345 · Unknown · Haxcms-Nodejs
Name of the Vulnerable Software and Affected Versions: HAX CMS NodeJs versions 11.0.7 and below Description: HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. The NodeJS version of HAX CMS has a disabled Content Security Policy CSP in versions 11.0.7 and below...
GHSA-V62P-RQ8G-8H59 pbkdf2 silently disregards Uint8Array input, returning static keys
Summary On historic but declared as supported Node.js versions 0.12-2.x, pbkdf2 silently disregards Uint8Array input This only affects Node.js = 0.12 and there seems to be ongoing effort in this repo to maintain that Support Uint8Array input input is typechecked against Uint8Array, and the error...
AZL-69692 CVE-2025-5222 affecting package nodejs for versions less than 20.14.0-10
A stack buffer overflow was found in Internationl components for unicode ICU . While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution...
DEBIAN-CVE-2025-23085
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory...
Node.js 安全漏洞
Node.js is an open source, cross-platform JavaScript runtime environment from the Node.js open source. A security vulnerability exists in Node.js versions v18.x, v20.x, v22.x, and v23.x. The vulnerability stems from a memory leak that may occur when a remote peer suddenly closes a socket without...
AZL-55922 CVE-2025-23083 affecting package nodejs for versions less than 20.14.0-4
With the aid of the diagnosticschannel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage...
AZL-55950 CVE-2025-22150 affecting package nodejs for versions less than 20.14.0-5
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If...
CBL Mariner 2.0 Security Update: nodejs / nodejs18 / reaper (CVE-2024-21538)
The version of nodejs / nodejs18 / reaper installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-21538 advisory. - Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are...
PT-2024-5124 · Node.Js +5 · Node.Js +5
Name of the Vulnerable Software and Affected Versions: Node.js versions 20 through 21 Description: A flaw in the experimental permission model of Node.js allows malicious actors to retrieve stats from files they do not have explicit read access to when the --allow-fs-read flag is used. This issue...
PT-2024-5241 · Node.Js +1 · Node.Js +1
Name of the Vulnerable Software and Affected Versions: Node.js versions 18.x, 20.x, and 21.x Description: The issue is related to the improper handling of batch files in child process.spawn and child process.spawnSync on Windows platforms. This allows a malicious command line argument to inject...
AZL-35044 CVE-2023-6129 affecting package nodejs for versions less than 20.14.0-1
Issue summary: The POLY1305 MAC message authentication code implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC...
DEBIAN-CVE-2023-30588
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key inf...