
4309 matches found

RedHat Linux
added 2021/02/15 6:28 p.m. | 0 views

nodejs-dot-prop: prototype pollution

A prototype pollution flaw was found in nodejs-dot-prop. The function set could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or proto paths. The highest threat from this vulnerability is to data confidentiality and integrity as well a...

7.5 CVSS | 7.2 AI score | 0.00764 EPSS
Exploits 1 | References 5

RedHat Linux
added 2021/02/11 1:37 p.m. | 4 views

nodejs-deep-extend: Prototype pollution can allow attackers to modify object properties

The utilities function in all versions = 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all object...

9.8 CVSS | 7.3 AI score | 0.00293 EPSS
Exploits 1 | References 6

RedHat Linux
added 2021/02/11 1:37 p.m. | 4 views

nodejs: use-after-free in the TLS implementation

A flaw was found in nodejs. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResu...

8.1 CVSS | 7.2 AI score | 0.00755 EPSS
Exploits 1 | References 5

RedHat Linux
added 2021/02/11 1:37 p.m. | 4 views

nodejs-set-value: prototype pollution in function set-value

A flaw was found in nodejs-set-value. The function mixin-deep can be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype, or proto payloads. The highest threat from this vulnerability is to data confidentiality and integrity...

9.8 CVSS | 7.2 AI score | 0.00503 EPSS
Exploits 1 | References 4

RedHat Linux
added 2021/02/11 1:37 p.m. | 3 views

nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS

This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters...

7.5 CVSS | 7.4 AI score | 0.01798 EPSS
Exploits 1 | References 5

RedHat Linux
added 2021/02/11 1:37 p.m. | 2 views

nodejs-ini: Prototype pollution via malicious INI file

A flaw was found in nodejs-ini. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context...

9.8 CVSS | 7.3 AI score | 0.00291 EPSS
Exploits 1 | References 4

RedhatCVE
added 2021/02/10 9:43 p.m. | 23 views

CVE-2020-26296

A flaw was found in nodejs-vega. An attacker, using a specially crafted Vega expression, could execute a cross-site scripting attack on a victim's machine allowing them to execute arbitrary JavaScript. The highest threat from this vulnerability is to data confidentiality and integrity. Mitigation...

8.7 CVSS | 3.1 AI score | 0.00407 EPSS
Exploits 0 | References 5

CNNVD
added 2021/02/10 12:0 a.m. | 5 views

Node.js samba-client Command Injection Vulnerability

Node.js is an open source, cross-platform JavaScript runtime environment. A command injection vulnerability exists in samba-client for Node.js before version 4.0.0, which stems from the use of process.exec...

9.8 CVSS | 7.3 AI score | 0.19337 EPSS
Exploits 1 | References 6

vulnersOsv
added 2021/02/05 1:48 p.m. | 0 views

@glossgenius/eslint-config (>=1.0.2 <=1.0.7), @halonext/nestjs-express-cassandra (>=7.0.0 <=7.1.0) +7 more potentially affected by CVE-2021-26707 via merge-deep (>=3.0.0 <=3.0.2)

merge-deep NPM version =3.0.0, =1.0.2, =7.0.0, =5.2.0, =6.0.1, =0.0.1, =0.1.0, =0.0.11, =1.0.0, =1.2.4 Source cves: CVE-2021-26707 Source advisory: SNYK:JS-MERGEDEEP-1070277...

9.8 CVSS | 7.2 AI score | 0.0109 EPSS
Exploits 0

Mageia
added 2021/02/05 11:54 a.m. | 46 views

Updated nodejs-ini package fixes a security vulnerability

It was discovered that there was an issue in nodejs-ini, where an application could be exploited by a malicious input file. This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on th...

9.8 CVSS | 4 AI score | 0.00291 EPSS
Exploits 1 | References 2

OSV
added 2021/02/05 11:54 a.m. | 9 views

MGASA-2021-0068 Updated nodejs-ini package fixes a security vulnerability

It was discovered that there was an issue in nodejs-ini, where an application could be exploited by a malicious input file. This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on th...

9.8 CVSS | 8.3 AI score | 0.00291 EPSS
Exploits 1 | References 3

ALT Linux
added 2021/02/05 12:0 a.m. | 41 views

Security fix for the ALT Linux 10 package node version 14.15.4-alt1

Feb. 5, 2021 Vitaly Lipatov 14.15.4-alt1 - new version 14.15.4 with rpmrb script - CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference High - CVE-2020-8265: use-after-free in TLSWrap High - CVE-2020-8287: HTTP Request Smuggling in nodejs Low...

6.8 CVSS | 7.4 AI score | 0.11865 EPSS
Exploits 6

RedHat Linux
added 2021/02/04 5:20 p.m. | 1 views

nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function

A flaw was found in nodejs-ajv. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code...

6.8 CVSS | 7.5 AI score | 0.00331 EPSS
Exploits 0 | References 5

RedHat Linux
added 2021/02/04 1:36 p.m. | 1 views

nodejs-angular: XSS due to regex-based HTML replacement

An XSS flaw was found in nodejs-angular. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping "" elements in "" ones changes parsing behavior, leading to possibly unsanitizing code...

5.4 CVSS | 7.1 AI score | 0.00563 EPSS
Exploits 0 | References 5

OSV
added 2021/02/01 8:15 p.m. | 3 views

AZL-75813 CVE-2020-28493 affecting package nodejs24 for versions less than 24.13.0-1

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the punctuationre regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to...

5.3 CVSS | 6.7 AI score | 0.00207 EPSS
Exploits 1 | References 1

OSV
added 2021/02/01 8:15 p.m. | 1 views

AZL-40857 CVE-2020-28493 affecting package nodejs for versions less than 20.14.0-1

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the punctuationre regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to...

5.3 CVSS | 6.7 AI score | 0.00207 EPSS
Exploits 1 | References 1

Tenable Nessus
added 2021/02/01 12:0 a.m. | 36 views

CentOS 8 : nodejs:12 (CESA-2020:1293)

The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2020:1293 advisory. - ICU: Integer overflow in UnicodeString::doAppend CVE-2020-10531 Note that Nessus has not tested for this issue but has instead relied only on the application'...

8.8 CVSS | 7.6 AI score | 0.0079 EPSS
Exploits 0 | References 2

Tenable Nessus
added 2021/02/01 12:0 a.m. | 246 views

CentOS 8 : nodejs:10 (CESA-2020:2848)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:2848 advisory. - nghttp2: overly large SETTINGS frames can lead to DoS CVE-2020-11080 - nodejs-minimist: prototype pollution allows adding or modifying properties of...

9.3 CVSS | 7.5 AI score | 0.01491 EPSS
Exploits 3 | References 4

Tenable Nessus
added 2021/02/01 12:0 a.m. | 38 views

CentOS 8 : nodejs:12 (CESA-2020:4272)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:4272 advisory. - npm: sensitive information exposure through logs CVE-2020-15095 - nodejs-dot-prop: prototype pollution CVE-2020-8116 - nodejs: HTTP request smuggling...

7.8 CVSS | 7.4 AI score | 0.00764 EPSS
Exploits 1 | References 5

Tenable Nessus
added 2021/02/01 12:0 a.m. | 68 views

CentOS 8 : nodejs:10 (CESA-2020:0579)

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:0579 advisory. - nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string CVE-2019-15604 - nodejs: HTTP request smuggling using...

9.8 CVSS | 7.2 AI score | 0.32252 EPSS
Exploits 2 | References 7