4304 matches found
Denial Of Service (DoS)
nodejs is vulnerable to denial of service. An attacker is able to crash the application by requesting a large response, which causes the server to consume excessive memory and leads to a denial of service condition...
Denial Of Service (DoS)
nodejs is vulnerable to denial of service. A remote attacker is able to crash the application by flooding the server with empty frames which results in excessive resource consumption...
RHEL 8 : nodejs:10 (RHSA-2019:2925)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2925 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...
nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of...
Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host
Update 09/27/2019: Additional information regarding the malware interaction with various online advertisements has been included to highlight the click-fraud related network communications associated with Divergent. Executive summary Cisco Talos recently discovered a new malware loader being used...
nodejs:10 security update
nodejs-packaging 17-3 - Change Requires to Recommends on nodejs dependency, so it is usable for building nodejs...
Node.js third-party modules: [treekill] RCE via insecure command concatenation (only Windows)
I would like to report an RCE issue in the treekill module. It allows executing arbitrary commands remotely inside the victim's PC Module module name: treekill version: 1.0.0 npm page: https://www.npmjs.com/package/treekill Module Description treekill a process and all its children and child...
MGASA-2019-0277 Updated nodejs packages fix security vulnerabilities
This update provides nodejs v6.17.1 fixing at least the following security issues: The c-ares function ares_parse_naptr_reply, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer CVE-2017-1000381 Fix for 'path' module regular expression deni...
Updated nodejs packages fix security vulnerabilities
This update provides nodejs v6.17.1 fixing at least the following security issues: The c-ares function ares_parse_naptr_reply, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer CVE-2017-1000381 Fix for 'path' module regular expression deni...
Node.js third-party modules: [expressjs-ip-control] Whitelist IP bypass leads to authorization bypass and sensitive info disclosure
I would like to report an unauthenticated access/authorization bypass issue in the expressjs-ip-control module. It allows bypassing the whitelist IP check in order to bypass the authorization check and possibly expose sensitive data. Module module name: MODULE NAME version: MODULE VERSION npm pag...
OPENSUSE-SU-2019:2114-1 Security update for nodejs10
This update for nodejs10 to version 10.16.3 fixes the following issues: Security issues fixed: - CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146091). -...
CVE-2019-6644
Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the...
CVE-2019-6644
CVE-2019-6644 describes a vulnerability in F5 BIG-IP iRulesLX: when configured with a workspace that includes the --debug flag, the system binds a debug NodeJS process to all interfaces. This can expose the debug port to unauthorized users and allow remote JavaScript execution. Affected versions ...
Status Board Cross-Site Scripting Vulnerability
Status Board is a Nodejs-based dashboard framework. A cross-site scripting vulnerability exists in Status Board version 1.1.81, which can be exploited by an attacker to execute client-side code...
Status Board Cross-Site Scripting Vulnerability
Status Board is a dashboard framework written in nodejs. A cross-site scripting vulnerability exists in Status Board 1.1.81. An attacker can exploit this vulnerability via dashboard.ts to conduct cross-site scripting attacks...
Fedora Update for nodejs FEDORA-2019-5a6a7bc12c
The remote host is missing an update for the Copyright (C) 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Security update for neovim (important)
openSUSE Security Update: Security update for neovim Announcement ID: openSUSE-SU-2019:1997-1 Rating: important References: 1137443 Cross-References: CVE-2019-12735 Affected Products: openSUSE Backports SLE-15-SP1 An update that fixes one vulnerability is now available. Description: This update f...
CVE-2019-9511
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority ...