CVE-2026-21715

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use...

CVE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

CVE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...

UBUNTU-CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

Mageia: Security Advisory (MGASA-2026-0071)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Node.js 安全漏洞

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Security vulnerabilities exist in Node.js versions 20.x, 22.x, 24.x, and 25.x. These vulnerabilities stem from improper handling of HTTP requests. When the request header contains the name...

Node.js 安全漏洞

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Version 25.x of Node.js contains a security vulnerability. This vulnerability stems from the lack of permission checks for Unix-domain socket servers during network execution, which may...

Node.js 安全漏洞

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Security vulnerabilities exist in Node.js versions 20.x, 22.x, 24.x, and 25.x. These vulnerabilities stem from issues with the V8 string hashing mechanism, which may lead to predictable ha...

Debian: Security Advisory (DSA-6183-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1483)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1483 advisory. node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that...

PT-2026-29099

Name of the Vulnerable Software and Affected Versions Node.js versions 25.x Description A flaw in the Node.js Permission Model’s network enforcement allows Unix Domain Socket UDS server operations to proceed without the necessary permission checks. All other network paths correctly enforce these...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1484)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1484 advisory. A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js...

Node.js 安全漏洞

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. There is a security vulnerability in Node.js, which stems from improper handling of URLs. When the url.format function is called with an internationalized domain name containing invalid...

[SECURITY] [DSA 6183-1] nodejs security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6183-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 29, 2026 https://www.debian.org/security/faq -...

Debian dsa-6183 : libnode-dev - security update

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6183 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6183-1 [email protected] https://www.debian.org/securit...

MGASA-2026-0071 Updated nodejs packages fix security vulnerabilities

Incomplete fix for CVE-2026-21637: loadSNI in tlswrap.js lacks try/catch leading to Remote DoS. CVE-2026-21637 Denial of Service via proto header name in req.headersDistinct Uncaught TypeError crashes Node.js process. CVE-2026-21710 Timing side-channel in HMAC verification via memcmp in...

Updated nodejs packages fix security vulnerabilities

Incomplete fix for CVE-2026-21637: loadSNI in tlswrap.js lacks try/catch leading to Remote DoS. CVE-2026-21637 Denial of Service via proto header name in req.headersDistinct Uncaught TypeError crashes Node.js process. CVE-2026-21710 Timing side-channel in HMAC verification via memcmp in...

Linux Distros Unpatched Vulnerability : CVE-2026-21711

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all...

CVE-2026-33872

elixir-nodejs provides an Elixir API for calling Node.js functions. A vulnerability in versions prior to 3.1.4 results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response"...

CVE-2026-33872

elixir-nodejs provides an Elixir API for calling Node.js functions. A vulnerability in versions prior to 3.1.4 results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response"...