Nim Security Vulnerabilities and Issues — Nim CVE List

Lucene search

Nim-langNim

9 matches found

CVE•added 2021/03/26 10:15 p.m.•189 views

CVE-2021-21374

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS without full verification of the SSL/TLS certificate due to the default setting of httpClient. An attacker able to pe...

8.1CVSS8.4AI score0.00274EPSS

CVE•added 2021/03/26 10:15 p.m.•175 views

CVE-2021-21372

Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger co...

8.8CVSS8.8AI score0.01119EPSS

CVE•added 2021/03/26 10:15 p.m.•167 views

CVE-2021-21373

Nimble is a package manager for the Nim programming language. In Nim release versions before versions 1.2.10 and 1.4.4, "nimble refresh" fetches a list of Nimble packages over HTTPS by default. In case of error it falls back to a non-TLS URL http://irclogs.nim-lang.org/packages.json. An attacker ab...

7.5CVSS7.2AI score0.0016EPSS

CVE•added 2021/01/30 6:15 a.m.•99 views

CVE-2020-15690

In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character.

9.8CVSS9.3AI score0.00905EPSS

CVE•added 2020/08/14 7:15 p.m.•65 views

CVE-2020-15692

In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system command...

10CVSS9.3AI score0.01048EPSS

CVE•added 2020/08/14 7:15 p.m.•59 views

CVE-2020-15693

In Nim 1.2.4, the standard library httpClient is vulnerable to a CR-LF injection in the target URL. An injection is possible if the attacker controls any part of the URL provided in a call (such as httpClient.get or httpClient.post), the User-Agent header value, or custom HTTP header names or value...

6.5CVSS6.6AI score0.00891EPSS

CVE•added 2020/08/14 7:15 p.m.•50 views

CVE-2020-15694

In Nim 1.2.4, the standard library httpClient fails to properly validate the server response. For example, httpClient.get().contentLength() does not raise any error if a malicious server provides a negative Content-Length.

7.5CVSS7.8AI score0.00664EPSS

CVE•added 2021/05/07 4:15 p.m.•42 views

CVE-2021-29495

Nim is a statically typed compiled systems programming language. In Nim standard library before 1.4.2, httpClient SSL/TLS certificate verification was disabled by default. Users can upgrade to version 1.4.2 to receive a patch or, as a workaround, set "verifyMode = CVerifyPeer" as documented.

7.5CVSS6.4AI score0.00066EPSS

CVE•added 2023/01/13 6:15 a.m.•27 views

CVE-2021-46872

An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlie...

6.1CVSS5.9AI score0.00505EPSS