Lucene search
4327 matches found

CVE · added 2023/06/07 5:11 p.m. · 49 views

CVE-2023-34109

CVE-2023-34109 — zxcvbn-ts (core) resource exhaustion: Affects zxcvbn-ts on Node.js when using the second argument of the zxcvbn function, where the inputs array can grow unbounded with each call, leading to potential DoS. Public advisories indicate the issue impacts both Node.js and browsers, a...

CVSS 7.5 · AI score 6.9 · EPSS 0.00214
Exploits 0 · References 2 · Affected Software 1
Cvelist · added 2023/06/07 5:11 p.m. · 12 views

CVE-2023-34109 User input results in Unbounded resource consumption in @zxcvbn-ts/core

zxcvbn-ts is an open source password strength estimator written in TypeScript. This vulnerability affects users running on the Node.js platform that are using the second argument of the zxcvbn function. It can result in unbounded resource consumption as the user inputs array is extended with...

CVSS 6.5 · AI score 7.7 · EPSS 0.00214
Exploits 0 · References 2
Vulnrichment · added 2023/06/07 5:11 p.m. · 8 views

CVE-2023-34109 User input results in Unbounded resource consumption in @zxcvbn-ts/core

zxcvbn-ts is an open source password strength estimator written in TypeScript. This vulnerability affects users running on the Node.js platform that are using the second argument of the zxcvbn function. It can result in unbounded resource consumption as the user inputs array is extended with...

CVSS 6.5 · AI score 7.5 · EPSS 0.00214
Exploits 0 · References 2
SUSE CVE · added 2023/05/30 2:22 a.m. · 0 views

SUSE CVE-2023-26129

All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. Note: To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within t...

CVSS 8.4 · AI score 7.6 · EPSS 0.00206
Exploits 1 · References 3
OSV · added 2023/05/27 4:15 p.m. · 1 view

UBUNTU-CVE-2023-32695

socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3...

CVSS 7.5 · AI score 7.2 · EPSS 0.00302
Exploits 0 · References 5
Positive Technologies · added 2023/05/27 12:00 a.m. · 2 views

PT-2023-20508 · Unknown · Keep-Module-Latest

Name of the Vulnerable Software and Affected Versions: keep-module-latest, all versions. Description: The issue arises because no input sanitization, other checks, or sandboxing is applied to the installModule function, leading to Command Injection. To potentially exploit this, an attacker...

CVSS 8.4 · AI score 7.4 · EPSS 0.00182
Exploits 1 · References 7
OSV · added 2023/05/25 11:15 p.m. · 3 views

AZL-26939 CVE-2023-32067 affecting package nodejs18 for versions less than 18.17.1-2

c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns it to the target resolver. The target resolver erroneously interprets the 0 length as a graceful...

CVSS 7.5 · AI score 6.6 · EPSS 0.00343
Exploits 0 · References 1
OSV · added 2023/05/25 10:15 p.m. · 4 views

AZL-26874 CVE-2023-31147 affecting package nodejs for versions less than 16.20.1-2

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand so will generate predictable output. Input from the random number generator i...

CVSS 6.5 · AI score 6.7 · EPSS 0.00103
Exploits 0 · References 1
OSV · added 2023/05/25 10:15 p.m. · 3 views

AZL-26875 CVE-2023-31147 affecting package nodejs18 for versions less than 18.17.1-2

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom are unavailable, c-ares uses rand to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand so will generate predictable output. Input from the random number generator i...

CVSS 6.5 · AI score 6.7 · EPSS 0.00103
Exploits 0 · References 1
OSV · added 2023/05/25 10:15 p.m. · 1 view

AZL-26940 CVE-2023-31130 affecting package nodejs18 for versions less than 18.17.1-2

c-ares is an asynchronous resolver library. ares_inet_net_pton is vulnerable to a buffer underflow for certain IPv6 addresses; in particular, "0::00:00:00/2" was found to cause an issue. c-ares only uses this function internally for configuration purposes, which would require an administrator to...

CVSS 6.4 · AI score 6.7 · EPSS 0.00012
Exploits 0 · References 1
Photon · added 2023/05/24 12:00 a.m. · 32 views

Critical Photon OS Security Update - PHSA-2023-5.0-0011

Updates of 'gnupg', 'nodejs' packages of Photon OS have been released...

CVSS 9.8 · AI score 6.5 · EPSS 0.015
Exploits 2
The Hacker News · added 2023/05/19 10:40 a.m. · 3 views

Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware

Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called TurkoRat. The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were availabl...

AI score 7
Exploits 0
vulnersOsv · added 2023/05/17 3:49 a.m. · 2 views

2broke2wait (=0.1.0), 2ch-fetcher-with-proxy (>=1.0.0 <=1.0.1) +4078 more potentially affected by CVE-2023-32313 via vm2 (>=1.0.1 <=3.9.17)

vm2 NPM versions: =1.0.1, =1.0.0, =15.0.0, =5.1.3, =1.0.2, =1.0.1, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.2.48, =0.12.5-20190619040852, =0.24.1-20230627140514 and more. Source CVEs: CVE-2023-32313. Source advisory: OSV:GHSA-P5GC-C584-JJ6V...

CVSS 5.3 · AI score 6 · EPSS 0.00712
Exploits 0
Oracle Linux · added 2023/05/17 12:00 a.m. · 39 views

nodejs and nodejs-nodemon security, bug fix, and enhancement update

nodejs 1:16.19.1-1
- Rebase to 16.19.1
- Resolves: rhbz2153714
- Resolves: CVE-2023-23918 CVE-2023-23919 CVE-2023-23936 CVE-2023-24807 CVE-2023-23920
- Resolves: CVE-2022-25881 CVE-2022-4904
nodejs-nodemon 2.0.20-3
- Patch bundled glob-parent
- Resolves: CVE-2021-35065...

CVSS 8.6 · AI score 7 · EPSS 0.00416
Exploits 5
Tenable Nessus · added 2023/05/13 12:00 a.m. · 39 views

RHEL 9 : nodejs:18 (RHSA-2023:2654)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:2654 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

CVSS 8.6 · AI score 7.2 · EPSS 0.00416
Exploits 5 · References 20
RedHat Linux · added 2023/05/09 11:51 a.m. · 1 view

Node.js: insecure loading of ICU data through ICU_DATA environment variable

An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges...

CVSS 4.2 · AI score 7.2 · EPSS 0.00082
Exploits 0 · References 4
OSV · added 2023/05/09 12:00 a.m. · 37 views

ALSA-2023:2655 Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16.19.1, nodejs-nodemon 2.0.20. Security Fixes: c-ares: buffer overflow in...

CVSS 8.6 · AI score 8.3 · EPSS 0.00337
Exploits 3 · References 14
AlmaLinux · added 2023/05/09 12:00 a.m. · 58 views

Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 16.19.1, nodejs-nodemon 2.0.20. Security Fixes: c-ares: buffer overflow in...

CVSS 8.6 · AI score 7.8 · EPSS 0.00337
Exploits 3 · References 14
vulnersOsv · added 2023/05/08 6:30 p.m. · 5 views

@karmalicious/nodejs-drivers (>=2.0.0 <=8.0.0), azupck (>=1.1.72 <=1.4.4) +13 more potentially affected by CVE-2023-2583 via jsreport (>=1.10.0 <=2.11.0)

jsreport NPM versions: =1.10.0, =2.0.0, =1.1.72, =1.0.28, =1.8.1, =1.0.1, =0.0.1, =1.0.0, =1.0.80, =1.1.36, =2.14.0, =2.30.0. Source CVEs: CVE-2023-2583. Source advisory: OSV:GHSA-G7RJ-Q722-245G...

CVSS 10 · AI score 7.2 · EPSS 0.00486
Exploits 1
OpenVAS · added 2023/05/03 12:00 a.m. · 22 views

Debian: Security Advisory (DSA-5395-1)

The remote host is missing an update for the Debian... SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...

CVSS 4.2 · AI score 6.5 · EPSS 0.00082
Exploits 0 · References 4