GHSA-V62P-RQ8G-8H59 pbkdf2 silently disregards Uint8Array input, returning static keys

Summary On historic but declared as supported Node.js versions 0.12-2.x, pbkdf2 silently disregards Uint8Array input This only affects Node.js = 0.12 and there seems to be ongoing effort in this repo to maintain that Support Uint8Array input input is typechecked against Uint8Array, and the error...

AZL-69692 CVE-2025-5222 affecting package nodejs for versions less than 20.14.0-10

A stack buffer overflow was found in Internationl components for unicode ICU . While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution...

SUSE CVE-2022-32212

A OS Command Injection vulnerability exists in Node.js versions 14.20.0, 16.20.0, 18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks...

AZL-10150 CVE-2022-32213 affecting package nodejs for versions less than 16.20.2-4

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling HRS...