4327 matches found
CVE-2021-21421
node-etsy-client is a NodeJs Etsy ReST API Client. Applications that are using node-etsy-client and reporting client error to the end user will offer api key value too This is fixed in node-etsy-client v0.3.0 and later...
CVE-2021-3777
nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity...
CVE-2019-4001
Improper input validation in Druva inSync Client 6.5.0 allows a local, authenticated attacker to execute arbitrary NodeJS code...
Oracle Linux 9 : nodejs:20 (ELSA-2025-7426)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2025-7426 advisory. nodejs 1:20.19.1-1 - Update to version 20.19.1 Resolves: RHEL-78764 1:20.18.2-3 - Update c-ares to 1.34.5 to address CVE-2025-31498 nodejs-nodemon...
AlmaLinux 9 : nodejs:22 (ALSA-2025:7433)
The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:7433 advisory. c-ares: c-ares has a use-after-free in readanswers CVE-2025-31498 SQLite: integer overflow in SQLite CVE-2025-3277 Tenable has extracted the preceding...
Photon OS 4.0: Nodejs PHSA-2025-4.0-0801
An update of the nodejs package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2025-4.0-0801. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...
Critical Photon OS Security Update - PHSA-2025-4.0-0801
Updates of 'nodejs', 'linux' packages of Photon OS have been released...
ALPINE-CVE-2025-23166
The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...
AZL-61914 CVE-2025-23167 affecting package nodejs 20.14.0-13
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...
DEBIAN-CVE-2025-23165
In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uvfss.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory...
DEBIAN-CVE-2025-23167
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...
AZL-61913 CVE-2025-23165 affecting package nodejs for versions less than 20.14.0-9
In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uvfss.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory...
AZL-65063 CVE-2025-23167 affecting package nodejs18 18.20.3-11
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using \r\n\rX instead of the required \r\n\r\n. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by...
UBUNTU-CVE-2025-23166
The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...
[ASA-202505-8] nodejs-lts-iron: multiple issues
Arch Linux Security Advisory ASA-202505-8 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23165 CVE-2025-23166 CVE-2025-23167 Package : nodejs-lts-iron Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2873 Summary ======= T...
[ASA-202505-6] nodejs: denial of service
Arch Linux Security Advisory ASA-202505-6 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23166 Package : nodejs Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2871 Summary ======= The package nodejs before version...
[ASA-202505-7] nodejs-lts-jod: denial of service
Arch Linux Security Advisory ASA-202505-7 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23165 CVE-2025-23166 Package : nodejs-lts-jod Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2872 Summary ======= The package...
MAL-2025-3910 Malicious code in nodejs-fetch-proxy (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 80749ffba9365d62c589ea0137cde9db701626ae4ba97fc9f9149b61809ac107 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in nodejs-fetch-proxy (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 80749ffba9365d62c589ea0137cde9db701626ae4ba97fc9f9149b61809ac107 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2025-23166
The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...