
4346 matches found

Tenable Nessus
added 2024/04/22 12:0 a.m. · 39 views

RHEL 9 : nodejs:18 (RHSA-2024:1932)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1932 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

7.8 CVSS · 7.2 AI score · 0.01239 EPSS
Exploits 0 · References 8

Positive Technologies
added 2024/04/19 12:0 a.m. · 2 views

PT-2024-5124 · Node.Js +5

Name of the Vulnerable Software and Affected Versions: Node.js versions 20 through 21 Description: A flaw in the experimental permission model of Node.js allows malicious actors to retrieve stats from files they do not have explicit read access to when the --allow-fs-read flag is used. This issue...

8.1 CVSS · 5.7 AI score · 0.00663 EPSS
Exploits 1 · References 118

OpenVAS
added 2024/04/17 12:0 a.m. · 24 views

Ubuntu: Security Advisory (USN-6735-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.5 CVSS · 7.9 AI score · 0.01916 EPSS
Exploits 1 · References 2

OSV
added 2024/04/16 9:32 a.m. · 7 views

SUSE-SU-2024:1309-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to 18.20.1 Security fixes: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash bsc1222244 - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscatio...

8.2 CVSS · 7.8 AI score · 0.75933 EPSS
Exploits 3 · References 11

OSV
added 2024/04/16 9:32 a.m. · 10 views

SUSE-SU-2024:1307-1 Security update for nodejs18

This update for nodejs18 fixes the following issues: Update to 18.20.1 Security fixes: - CVE-2024-27983: Fixed failed assertion in node::http2::Http2Session::Http2Session that could lead to HTTP/2 server crash bsc1222244 - CVE-2024-27982: Fixed HTTP Request Smuggling via Content Length Obfuscatio...

8.2 CVSS · 7.8 AI score · 0.75933 EPSS
Exploits 3 · References 11

GithubExploit
added 2024/04/14 11:34 a.m. · 86 views

Exploit for CVE-2024-27983

This repository builds up a vulnerable HTTP2 Node.js server se...

8.2 CVSS · 7.2 AI score · 0.75933 EPSS
Exploits 1

OSV
added 2024/04/12 11:7 a.m. · 1 views

OESA-2024-1400 nodejs-qs security update

This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior and twice as fast. Used by express, connect and others. Security Fixes: qs before 6.10.3, as used in Express before 4.17.3 a...

7.5 CVSS · 7 AI score · 0.01543 EPSS
Exploits 2 · References 2

OSV
added 2024/04/12 11:7 a.m. · 1 views

OESA-2024-1403 nodejs-qs security update

This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior and twice as fast. Used by express, connect and others. Security Fixes: qs before 6.10.3, as used in Express before 4.17.3 a...

7.5 CVSS · 7 AI score · 0.01543 EPSS
Exploits 2 · References 2

OSV
added 2024/04/12 11:7 a.m. · 2 views

OESA-2024-1402 nodejs-qs security update

This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior and twice as fast. Used by express, connect and others. Security Fixes: qs before 6.10.3, as used in Express before 4.17.3 a...

7.5 CVSS · 7 AI score · 0.01543 EPSS
Exploits 2 · References 2

Tenable Nessus
added 2024/04/12 12:0 a.m. · 27 views

Fedora 38 : nodejs-undici (2024-6d9c1da54f)

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-6d9c1da54f advisory. Update to version 6.11.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

4.3 CVSS · 6.6 AI score · 0.00198 EPSS
Exploits 1 · References 3

Tenable Nessus
added 2024/04/12 12:0 a.m. · 26 views

Fedora 39 : nodejs-undici (2024-ad51aa23c3)

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-ad51aa23c3 advisory. Update to version 6.11.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

4.3 CVSS · 6.6 AI score · 0.00198 EPSS
Exploits 1 · References 3

Photon
added 2024/04/11 12:0 a.m. · 22 views

Important Photon OS Security Update - PHSA-2024-5.0-0243

Updates of 'nodejs', 'openssl' packages of Photon OS have been released...

8.2 CVSS · 6.8 AI score · 0.75933 EPSS
Exploits 1

BDU FSTEC
added 2024/04/10 12:0 a.m. · 0 views

The vulnerability of the PrivateDecrypt() function in the cryptographic library of the Node.js software platform, which allows an attacker to execute the Bleichenbacher attack or the Marvin attack.

The vulnerability of the PrivateDecrypt function in the Node.js software library is related to a timing side channel: valid and invalid ciphertexts under the PKCS#1 v1.5 cryptographic standard take different amounts of time to decrypt. Exploiting this vulnerability allo...

5.9 CVSS · 0.01239 EPSS
Exploits 0 · References 10 · Affected Software 6

CNNVD
added 2024/04/10 12:0 a.m. · 2 views

MySQL2 security vulnerability

MySQL2 is a MySQL client for Node.js by the individual developer Andrey Sidorov. A security vulnerability exists in MySQL2 versions prior to 3.9.4 that stems from improper sanitization of user input...

6.5 CVSS · 6.3 AI score · 0.00765 EPSS
Exploits 1 · References 8

CBLMariner
added 2024/04/09 8:48 p.m. · 13 views

CVE-2024-22025 affecting package nodejs for versions less than 16.20.2-4

CVE-2024-22025 affecting package nodejs for versions less than 16.20.2-4. A patched version of the package is available...

6.5 CVSS · 7.1 AI score · 0.00636 EPSS
Exploits 0

OSV
added 2024/04/09 1:15 a.m. · 1 views

ALPINE-CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

8.2 CVSS · 6.7 AI score · 0.75933 EPSS
Exploits 1 · References 1

OSV
added 2024/04/09 1:15 a.m. · 4 views

AZL-39584 CVE-2024-27983 affecting package nodejs for versions less than 20.14.0-1

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

8.2 CVSS · 6.9 AI score · 0.75933 EPSS
Exploits 1 · References 1

OSV
added 2024/04/09 1:15 a.m. · 3 views

AZL-39587 CVE-2024-27983 affecting package nodejs18 for versions less than 18.18.2-7

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

8.2 CVSS · 6.9 AI score · 0.75933 EPSS
Exploits 1 · References 1

OpenVAS
added 2024/04/09 12:0 a.m. · 21 views

Mageia: Security Advisory (MGASA-2024-0110)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

8.2 CVSS · 8.3 AI score · 0.75933 EPSS
Exploits 1 · References 4

RedHat Linux
added 2024/04/08 9:13 a.m. · 1 views

nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization

A flaw was found in Node.js. Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack...

8.8 CVSS · 7.2 AI score · 0.00235 EPSS
Exploits 0 · References 4