Node.js: insecure loading of ICU data through ICU_DATA environment variable

An untrusted search path vulnerability exists in Node.js. 19.6.1, 18.14.1, 16.19.1, and 14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges...

Node.js: insecure loading of ICU data through ICU_DATA environment variable

An untrusted search path vulnerability exists in Node.js. 19.6.1, 18.14.1, 16.19.1, and 14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges...

nodejs-minimatch: ReDoS via the braceExpand function

A vulnerability was found in the nodejs-minimatch package. This flaw allows a Regular Expression Denial of Service ReDoS when calling the braceExpand function with specific arguments, resulting in a Denial of Service...

Mageia: Security Advisory (MGASA-2023-0053)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Mageia: Security Advisory (MGASA-2023-0035)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CBL Mariner 2.0 Security Update: nodejs (CVE-2023-23918)

The version of nodejs installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-23918 advisory. - A privilege escalation vulnerability exists in Node.js 19.6.1, 18.14.1, 16.19.1 and 14.21.3 that made it...

CVE-2023-24807 affecting package nodejs for versions less than 16.19.1-1

CVE-2023-24807 affecting package nodejs for versions less than 16.19.1-1. An upgraded version of the package is available that resolves this issue...

CVE-2023-23918 affecting package nodejs for versions less than 16.19.1-1

CVE-2023-23918 affecting package nodejs for versions less than 16.19.1-1. An upgraded version of the package is available that resolves this issue...

CVE-2023-23936 affecting package nodejs for versions less than 16.19.1-1

CVE-2023-23936 affecting package nodejs for versions less than 16.19.1-1. An upgraded version of the package is available that resolves this issue...

CVE-2023-23920 affecting package nodejs for versions less than 16.19.1-1

CVE-2023-23920 affecting package nodejs for versions less than 16.19.1-1. This CVE either no longer is or was never applicable...

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

...

Important: nodejs

Issue Overview: This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. CVE-2022-25881 Affected Packages: nodejs Issue...

Important: nodejs

Issue Overview: An HTTP Request Smuggling HRS vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied such as proxy, reverse-proxy, load-balancer, an attacker can use this...

Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2023-084)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-084 advisory. An HTTP Request Smuggling HRS vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations a...

nodejs-handlebars: prototype pollution leading to remote code execution via crafted payloads

A flaw was found in nodejs-handlebars, where it is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which allows an attacker to execute arbitrary code through crafted payloads. The highest threat from this...

nodejs-handlebars: lookup helper fails to properly validate templates allowing for arbitrary JavaScript execution

A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to arbitrary code execution. The package lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript into the system. This issue is used to...

nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option

A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system e.g. browser or server when the template is compiled with the...

CBL Mariner 2.0 Security Update: nodejs (CVE-2022-32215)

The version of nodejs installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-32215 advisory. - The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly handle...

CBL Mariner 2.0 Security Update: nodejs (CVE-2022-43548)

The version of nodejs installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-43548 advisory. - A OS Command Injection vulnerability exists in Node.js versions 14.21.1, 16.18.1, 18.12.1, 19.0.1 due to an...

CBL Mariner 2.0 Security Update: nodejs (CVE-2022-32214)

The version of nodejs installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-32214 advisory. - The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not strictly use the CRL...