
4327 matches found

F5 Networks
added 2023/02/21 7:58 p.m. | 24 views

K64462543: NodeJS vulnerability CVE-2015-2927

Security Advisory Description: node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption). CVE-2015-2927. Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: F5 Product Development has evaluate...

CVSS 6.8 | AI score 6.4 | EPSS 0.00649
Exploits: 0
F5 Networks
added 2023/02/21 7:58 p.m. | 47 views

K63025104: NodeJS vulnerability CVE-2018-7160

Security Advisory Description: The Node.js inspector, in 6.x and later, is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network acces...

CVSS 8.8 | AI score 8.7 | EPSS 0.01501
Exploits: 0 | Affected Software: 12
F5 Networks
added 2023/02/21 7:58 p.m. | 26 views

K99038439: NodeJS vulnerability CVE-2012-2330

Security Advisory Description: The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero...

CVSS 6.4 | AI score 6.5 | EPSS 0.0062
Exploits: 1
F5 Networks
added 2023/02/21 7:58 p.m. | 28 views

K46337613: NodeJS vulnerability CVE-2015-8315

Security Advisory Description: The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." CVE-2015-8315. Impact: There is no impact; F5 products are not affected by this...

CVSS 7.8 | AI score 7.4 | EPSS 0.00779
Exploits: 1
F5 Networks
added 2023/02/21 7:57 p.m. | 29 views

K05052081: NodeJS vulnerability CVE-2015-8854

Security Advisory Description: The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)." CVE-2015-885...

CVSS 7.8 | AI score 6.3 | EPSS 0.01098
Exploits: 0
F5 Networks
added 2023/02/21 7:55 p.m. | 60 views

K35655050: NodeJS vulnerability CVE-2016-1669

Security Advisory Description: The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possib...

CVSS 9.3 | AI score 8.2 | EPSS 0.01626
Exploits: 0 | Affected Software: 7
F5 Networks
added 2023/02/21 7:0 p.m. | 37 views

K37111863: NodeJS vulnerability CVE-2018-12120

Security Advisory Description: Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the...

CVSS 8.1 | AI score 8 | EPSS 0.00422
Exploits: 0 | Affected Software: 14
F5 Networks
added 2023/02/21 6:53 p.m. | 63 views

K17011311: NodeJS vulnerability CVE-2022-35256

Security Advisory Description: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling. CVE-2022-35256. Impact: There is no impact; F5 products are not affected by this vulnerability...

CVSS 6.5 | AI score 7.5 | EPSS 0.03694
Exploits: 1
Microsoft CVE
added 2023/02/21 8:0 a.m. | 2 views

CRLF Injection in Nodejs ‘undici’ via host

...

CVSS 6.5 | AI score 6.7 | EPSS 0.00337
Exploits: 1
SUSE CVE
added 2023/02/21 1:59 a.m. | 1 view

SUSE CVE-2023-23919

A cryptographic vulnerability exists in Node.js 19.2.0, 18.14.1, 16.19.1, 14.21.3 that in some cases does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread...

CVSS 7.5 | AI score 6.6 | EPSS 0.00319
Exploits: 1 | References: 10
Mageia
added 2023/02/20 9:25 p.m. | 351 views

Updated nodejs-qs packages fix security vulnerability

nodejs qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query...

CVSS 7.5 | AI score 8.6 | EPSS 0.01543
Exploits: 2 | References: 3
OSV
added 2023/02/20 9:25 p.m. | 4 views

MGASA-2023-0053 Updated nodejs-qs packages fix security vulnerability

nodejs qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query...

CVSS 7.5 | AI score 8.4 | EPSS 0.01543
Exploits: 2 | References: 4
Hacker One
added 2023/02/18 2:54 p.m. | 59 views

Internet Bug Bounty: CRLF Injection in Nodejs ‘undici’ via host

A vulnerability was discovered in the fetch API of Node.js versions 16.x, 18.x, and 19.x that allowed for CRLF injection in the 'host' header, potentially leading to attacks such as HTTP response splitting and HTTP header injection. The vulnerability was fixed in security releases...

CVSS 6.5 | AI score 6.8 | EPSS 0.00337
Exploits: 1
Veracode
added 2023/02/18 5:20 a.m. | 23 views

Improper Access Control

nodejs is vulnerable to Improper Access Control. A remote attacker is able to bypass permissions and access non authorized modules by using process.mainModule.require function...

CVSS 7.5 | AI score 7.6 | EPSS 0.0002
Exploits: 0 | References: 7 | Affected Software: 3
Veracode
added 2023/02/18 5:18 a.m. | 29 views

Denial Of Service (DoS)

nodejs is vulnerable to Denial of Service (DoS) attacks. Failing to clear the OpenSSL error stack after operations may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread...

CVSS 7.5 | AI score 7.5 | EPSS 0.00319
Exploits: 1 | References: 7 | Affected Software: 1
Veracode
added 2023/02/18 4:53 a.m. | 48 views

Improper Access Control

nodejs is vulnerable to Improper Access Control. A remote authenticated attacker is able to bypass security restrictions by sending a specially-crafted request using the ICU_DATA environment variable. An attacker could exploit this vulnerability to search and potentially load ICU data...

CVSS 4.2 | AI score 6 | EPSS 0.00082
Exploits: 0 | References: 9 | Affected Software: 3
SUSE CVE
added 2023/02/18 2:21 a.m. | 1 view

SUSE CVE-2023-24807

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set and Headers.append methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normali...

CVSS 7.5 | AI score 8 | EPSS 0.00305
Exploits: 0 | References: 10
Hacker One
added 2023/02/17 7:23 p.m. | 72 views

Internet Bug Bounty: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library

Multiple OpenSSL error handling issues were found in the Node.js crypto library. In some cases, Node.js did not clear the OpenSSL error stack after operations that may have set it, which could lead to false positive errors during subsequent cryptographic operations on the same thread and...

CVSS 7.5 | AI score 7.5 | EPSS 0.00319
Exploits: 1
OSV
added 2023/02/16 8:46 p.m. | 28 views

GHSA-5R9G-QH6M-JXFF CRLF Injection in Nodejs ‘undici’ via host

Impact: undici library does not protect host HTTP header from CRLF injection vulnerabilities. Patches: This issue was patched in Undici v5.19.1. Workarounds: Sanitize the headers.host string before passing to undici. References: Reported at https://hackerone.com/reports/1820955. Credits: Thank you to...

CVSS 4.6 | AI score 6.7 | EPSS 0.00337
Exploits: 1 | References: 6
Github Security Blog
added 2023/02/16 8:46 p.m. | 30 views

CRLF Injection in Nodejs ‘undici’ via host

Impact: undici library does not protect host HTTP header from CRLF injection vulnerabilities. Patches: This issue was patched in Undici v5.19.1. Workarounds: Sanitize the headers.host string before passing to undici. References: Reported at https://hackerone.com/reports/1820955. Credits: Thank you to...

CVSS 6.5 | AI score 6.8 | EPSS 0.00337
Exploits: 1 | References: 6 | Affected Software: 1