4323 matches found
nodejs: HTTP request smuggling due to incorrect parsing of multi-line Transfer-Encoding
A vulnerability was found in NodeJS: the llhttp parser in the HTTP module incorrectly handles multi-line Transfer-Encoding headers. This issue can lead to HTTP Request Smuggling (HRS). The flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle...
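The framing disagreement behind this class of bug, as an added illustration (this is not Node's llhttp code and does not reproduce the specific parser defect): a Transfer-Encoding value continued on an obs-fold line (a line starting with SP or HTAB) is seen by a parser that folds continuations but dropped by a lenient one, so a front end and a back end can disagree on whether the body is chunked. parseHeaders, framing, hasObsFold and compareParsers are hypothetical helpers and the request bytes are constructed for the example.

```javascript
// Added example: two HTTP/1.1 head parsers that treat obs-fold differently end up
// disagreeing on message framing. Not Node's llhttp code; request is constructed.

// Parse the head of an HTTP/1.1 request (request line + headers) into a map.
// foldContinuations=true joins continuation lines onto the previous header value
// as RFC 7230 s3.2.4 allows; false silently drops them, as a lenient parser might.
function parseHeaders(rawHead, { foldContinuations }) {
  const headers = {};
  let last = null;
  const lines = rawHead.split('\r\n').slice(1); // slice(1): skip the request line
  for (const line of lines) {
    if (line === '') break;                      // end of the header block
    if (line[0] === ' ' || line[0] === '\t') {   // obs-fold continuation line
      if (foldContinuations && last !== null) {
        headers[last] = (headers[last] + ' ' + line.trim()).trim();
      }
      continue;
    }
    const colon = line.indexOf(':');
    if (colon === -1) continue;                  // malformed line, ignored
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
    last = name;
  }
  return headers;
}

// Message framing per RFC 7230 s3.3.3: a Transfer-Encoding whose final coding is
// "chunked" takes precedence over Content-Length.
function framing(headers) {
  const te = headers['transfer-encoding'];
  if (te !== undefined) {
    const codings = te.split(',').map(c => c.trim().toLowerCase()).filter(Boolean);
    if (codings.length && codings[codings.length - 1] === 'chunked') return 'chunked';
  }
  return 'content-length' in headers ? 'content-length' : 'none';
}

// The safe option RFC 7230 gives a server: reject any obs-fold outright.
function hasObsFold(rawHead) {
  return /\r\n[ \t]/.test(rawHead);
}

// Constructed request: the Transfer-Encoding value sits on a continuation line,
// so only a folding parser sees "chunked"; a lenient one falls back to Content-Length.
const SMUGGLE_HEAD =
  'POST / HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Content-Length: 4\r\n' +
  'Transfer-Encoding:\r\n' +
  ' chunked\r\n' +
  '\r\n';

// Returns what each parser decides, plus whether a strict server would reject.
function compareParsers(rawHead) {
  return {
    folding: framing(parseHeaders(rawHead, { foldContinuations: true })),
    lenient: framing(parseHeaders(rawHead, { foldContinuations: false })),
    rejected: hasObsFold(rawHead),
  };
}

console.log(compareParsers(SMUGGLE_HEAD));
```

When the two hops disagree, the four bytes the front end counted as a body are parsed as chunked data by the back end (or vice versa), and the remainder of the attacker's payload is read as the start of the next request on the shared connection. The practical defence is the one hasObsFold implements: refuse obs-fold rather than guess.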
nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets
A flaw was found in the got package for node.js. Requested URLs are not verified and allow open redirection to a local UNIX socket...
nodejs: DNS rebinding in --inspect via invalid IP addresses
A vulnerability was found in NodeJS, where the IsAllowedHost check can be easily bypassed because IsIPAddress does not properly check whether an IP address is invalid. When an invalid IPv4 address is provided (for instance, 10.0.2.555), browsers such as Firefox will make DNS requests ...
RHEL 7 : rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2022:6389)
The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6389 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...
Important Photon OS Security Update - PHSA-2022-0515
Updates of 'nodejs' packages of Photon OS have been released...
MAL-2022-3411 Malicious code in google-auth-library-nodejs (npm)
Source: ghsa-malware cba35f5d5ad2abbe0f380ecedf252a58857f3f01eb94ccd979f4ebcb752adef7. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in google-auth-library-nodejs (npm)
Source: ghsa-malware cba35f5d5ad2abbe0f380ecedf252a58857f3f01eb94ccd979f4ebcb752adef7. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2022-32214 affecting package nodejs for versions less than 16.16.0-1
CVE-2022-32214 affecting package nodejs for versions less than 16.16.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2022-32215 affecting package nodejs for versions less than 16.16.0-1
CVE-2022-32215 affecting package nodejs for versions less than 16.16.0-1. An upgraded version of the package is available that resolves this issue...
CVE-2022-32213 affecting package nodejs for versions less than 16.20.2-4
CVE-2022-32213 affecting package nodejs for versions less than 16.20.2-4. An upgraded version of the package is available that resolves this issue...
CVE-2022-32212 affecting package nodejs for versions less than 16.20.2-4
CVE-2022-32212 affecting package nodejs for versions less than 16.20.2-4. An upgraded version of the package is available that resolves this issue...
@abramltd/jwt-oauth2-middleware (=0.1.0), @aerocorp/cli (=7.0.5) +172 more potentially affected by CVE-2020-26938 via oauth2-server (>=2.2.2 <=3.1.1)
oauth2-server npm versions =2.2.2, =1.0.0, =0.0.1, =2.1.0, =3.0.0, =0.4.1, =0.1.0, =3.5.8 and more. Source CVEs: CVE-2020-26938. Source advisory: OSV:GHSA-4RG6-FM25-GC34...
Mageia: Security Advisory (MGASA-2022-0294)
The remote host is missing an update for the ... (SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only) ...
MGASA-2022-0294 Updated nodejs packages fix security vulnerability
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have bee...
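A manifest-versus-lockfile consistency check of the kind npm ci should perform before installing anything, as an added example (not npm's code): lockfileMismatches is a hypothetical helper that compares the dependency fields of package.json with the root entry packages[""] of a lockfileVersion 2/3 package-lock.json, and the manifest and lockfile objects are constructed inline, one clean and one tampered with.

```javascript
// Added example, not npm's code: a consistency check between package.json and a
// lockfileVersion 2/3 package-lock.json, where packages[""] mirrors the root manifest.
// Both objects below are constructed for the example.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Returns a list of human-readable discrepancies; an empty list means the lockfile
// agrees with the manifest and an install can proceed from it.
function lockfileMismatches(manifest, lock) {
  const problems = [];
  const packages = lock.packages || {};
  const root = packages[''] || {};
  for (const field of DEP_FIELDS) {
    const declared = manifest[field] || {};
    const locked = root[field] || {};
    for (const [name, spec] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${field}/${name}: declared in package.json, absent from lockfile root`);
      } else if (locked[name] !== spec) {
        problems.push(`${field}/${name}: package.json wants ${spec}, lockfile root has ${locked[name]}`);
      }
      if (!(`node_modules/${name}` in packages)) {
        problems.push(`${field}/${name}: no node_modules/${name} entry in lockfile`);
      }
    }
    // Anything pinned at the root that package.json never asked for is how a
    // planted package gets installed by "npm ci" without a diff to package.json.
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${field}/${name}: in lockfile root, not declared in package.json`);
      }
    }
  }
  return problems;
}

const manifest = {
  name: 'demo-app', version: '1.0.0',
  dependencies: { express: '^4.18.2' },
  devDependencies: { mocha: '^10.2.0' },
};

// Lockfile that agrees with the manifest (resolved/integrity fields omitted).
const cleanLock = {
  name: 'demo-app', version: '1.0.0', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0', dependencies: { express: '^4.18.2' }, devDependencies: { mocha: '^10.2.0' } },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/mocha': { version: '10.2.0', dev: true },
  },
};

// Tampered lockfile: the express range was loosened and an undeclared package added.
const tamperedLock = {
  ...cleanLock,
  packages: {
    ...cleanLock.packages,
    '': { name: 'demo-app', version: '1.0.0', dependencies: { express: '^4.17.0', 'extra-pkg': '^1.0.0' }, devDependencies: { mocha: '^10.2.0' } },
    'node_modules/extra-pkg': { version: '1.0.0' },
  },
};

console.log(lockfileMismatches(manifest, tamperedLock));
```

Run this as a pre-install gate in CI with the checked-in lockfile and manifest; it catches exactly the case the advisory describes, a package-lock.json that drifted from (or was edited independently of) package.json, which the affected npm versions installed without complaint.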
Malicious code in babelpluginmodulexresjzlver (npm)
Source: ghsa-malware 4b6fa027913105f15b5180aa2048fa3afa2a352f60500efb766c709ff16d9362. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type
Impact: undici 5.8.0 and earlier users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import request from 'undici'; const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'; await...
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Impact: undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1: const undici = require("undici"); undici.request({ origin: "http://example.com", ...
CVE-2022-35948 CRLF Injection in Nodejs ‘undici’ via Content-Type
undici is an HTTP/1.1 client, written from scratch for Node.js. undici 5.8.0 and earlier users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header. Example: import request from 'undici'; const unsanitizedContentTypeInp...
DEBIAN-CVE-2022-35949
undici is an HTTP/1.1 client, written from scratch for Node.js. undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1: const undici =...
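Input validation for both undici issues listed above (CRLF in a header value, and an absolute or protocol-relative URL in the path option), as an added example that is not undici's code: checkHeaderValue, checkRequestPath, serialiseNaive and countRequestLines are hypothetical helpers, the injected content-type is the one quoted in the advisory, and the other inputs are constructed. The path check generalises slightly beyond the two URL forms in the advisory by also catching the backslash variant that the WHATWG URL parser treats as a slash.

```javascript
// Added example, not undici's code: validators an application should apply before
// forwarding untrusted input into undici.request options (headers, path).

// Header values must not contain CR, LF or NUL; otherwise they can terminate the
// header block and start a second request inside the same connection.
function checkHeaderValue(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (/[\r\n\0]/.test(value)) return { ok: false, reason: 'contains CR, LF or NUL' };
  return { ok: true };
}

// What a client that writes header values verbatim would put on the wire.
function serialiseNaive(method, path, headers) {
  let out = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) out += `${name}: ${value}\r\n`;
  return out + '\r\n';
}

// Count request lines in a raw head: more than one means a smuggled request.
function countRequestLines(raw) {
  return raw.split('\r\n').filter(l => /^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(l)).length;
}

// A path option must stay on the intended origin. Resolving it against that origin
// with the WHATWG URL parser catches "http://127.0.0.1", "//127.0.0.1" and the
// backslash variant "/\127.0.0.1" alike, since "\" is a slash for http(s) URLs.
function checkRequestPath(origin, path) {
  if (typeof path !== 'string' || !path.startsWith('/')) {
    return { ok: false, reason: 'path must be origin-relative and start with "/"' };
  }
  const resolved = new URL(path, origin);
  if (resolved.origin !== new URL(origin).origin) {
    return { ok: false, reason: `path resolves to ${resolved.origin}, not ${origin}` };
  }
  return { ok: true, path: resolved.pathname + resolved.search };
}

// The content-type value from the advisory: ends the header block and starts a
// second request line.
const INJECTED_CONTENT_TYPE = 'application/json\r\n\r\nGET /foo2 HTTP/1.1';

// Constructed inputs run through both checks.
function demo() {
  const raw = serialiseNaive('POST', '/api', { host: 'example.com', 'content-type': INJECTED_CONTENT_TYPE });
  const candidates = ['/api/v1', 'http://127.0.0.1', '//127.0.0.1', '/\\127.0.0.1'];
  return {
    headerCheck: checkHeaderValue(INJECTED_CONTENT_TYPE),
    requestLinesOnWire: countRequestLines(raw),
    pathChecks: candidates.map(p => checkRequestPath('http://example.com', p).ok),
  };
}

console.log(demo());
```

Apply checkHeaderValue to every header the application builds from user input (not only content-type, which is just the field the advisory used), and pass only the path returned by checkRequestPath to undici.request so the request cannot be redirected to localhost or an internal host.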
CVE-2022-32215 affecting package nodejs 14.18.3-1
CVE-2022-32215 affecting package nodejs 14.18.3-1. An upgraded version of the package is available that resolves this issue...