Node.js@14.0.0 Security Vulnerabilities and Issues — Node.js@14.0.0 CVE List

Lucene search

NodejsNode.js14.0.0

35 matches found

CVE•added 2020/12/08 4:15 p.m.•1069 views

CVE-2020-1971

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrec...

5.9CVSS5.7AI score0.0031EPSS

CVE•added 2021/03/25 3:15 p.m.•756 views

CVE-2021-3449

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a...

5.9CVSS6.7AI score0.09906EPSS

CVE•added 2021/02/16 5:15 p.m.•742 views

CVE-2021-23840

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating succ...

7.5CVSS8AI score0.00891EPSS

CVE•added 2020/06/03 11:15 p.m.•696 views

CVE-2020-11080

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes th...

7.5CVSS6.5AI score0.00566EPSS

CVE•added 2021/03/25 3:15 p.m.•523 views

CVE-2021-3450

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an...

7.4CVSS7.6AI score0.00547EPSS

CVE•added 2022/12/05 10:15 p.m.•486 views

CVE-2022-43548

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1,

8.1CVSS8.4AI score0.00639EPSS

CVE•added 2021/11/23 7:15 p.m.•480 views

CVE-2021-3672

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as we...

6.8CVSS5.9AI score0.00113EPSS

CVE•added 2021/08/16 7:15 p.m.•412 views

CVE-2021-22931

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection v...

9.8CVSS9.9AI score0.00738EPSS

CVE•added 2022/12/05 10:15 p.m.•387 views

CVE-2022-35256

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

6.5CVSS7.9AI score0.04594EPSS

CVE•added 2021/07/12 11:15 a.m.•382 views

CVE-2021-22918

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to info...

5.3CVSS6.3AI score0.00718EPSS

CVE•added 2020/07/24 10:15 p.m.•370 views

CVE-2020-8174

napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and

9.3CVSS8.1AI score0.01491EPSS

CVE•added 2021/01/06 9:15 p.m.•362 views

CVE-2020-8287

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

6.5CVSS7.1AI score0.11163EPSS

CVE•added 2023/02/23 8:15 p.m.•350 views

CVE-2023-23920

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and

4.2CVSS6.1AI score0.00121EPSS

CVE•added 2023/02/23 8:15 p.m.•349 views

CVE-2023-23918

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and

7.5CVSS8AI score0.00023EPSS

CVE•added 2023/02/23 8:15 p.m.•329 views

CVE-2023-23919

A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1,

7.5CVSS7AI score0.00746EPSS

CVE•added 2021/03/03 6:15 p.m.•315 views

CVE-2021-22884

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS ...

7.5CVSS7.5AI score0.01471EPSS

CVE•added 2021/03/03 6:15 p.m.•312 views

CVE-2021-22883

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable ...

7.8CVSS7.4AI score0.87361EPSS

CVE•added 2021/01/06 9:15 p.m.•300 views

CVE-2020-8265

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method d...

8.1CVSS8AI score0.00803EPSS

CVE•added 2021/08/16 7:15 p.m.•294 views

CVE-2021-22939

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

5.3CVSS7.4AI score0.00138EPSS

CVE•added 2021/08/16 7:15 p.m.•290 views

CVE-2021-22940

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

7.5CVSS8.4AI score0.00349EPSS

CVE•added 2022/07/14 3:15 p.m.•288 views

CVE-2022-32212

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0,

8.1CVSS8.3AI score0.00082EPSS

CVE•added 2022/02/24 7:15 p.m.•287 views

CVE-2022-21824

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "proto ". The prototype pollution has...

8.2CVSS8.1AI score0.00335EPSS

CVE•added 2020/09/18 9:15 p.m.•278 views

CVE-2020-8252

The implementation of realpath in libuv < 10.22.1, < 12.18.4, and

7.8CVSS7.9AI score0.00161EPSS

CVE•added 2022/02/24 7:15 p.m.•257 views

CVE-2021-44531

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and

7.4CVSS7.5AI score0.00076EPSS

CVE•added 2021/10/07 2:15 p.m.•254 views

CVE-2021-22930

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

9.8CVSS9.4AI score0.00359EPSS

CVE•added 2022/02/24 7:15 p.m.•248 views

CVE-2021-44533

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and

5.3CVSS6.3AI score0.00364EPSS

CVE•added 2022/02/24 7:15 p.m.•238 views

CVE-2021-44532

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and

5.3CVSS6.6AI score0.00132EPSS

CVE•added 2020/09/18 9:15 p.m.•236 views

CVE-2020-8201

Node.js < 12.18.4 and

7.4CVSS7.1AI score0.00643EPSS

CVE•added 2022/07/14 3:15 p.m.•229 views

CVE-2022-32215

The llhttp parser <v14.20.1, <v16.17.1 and

6.5CVSS7.1AI score0.88045EPSS

CVE•added 2022/07/14 3:15 p.m.•222 views

CVE-2022-32213

The llhttp parser <v14.20.1, <v16.17.1 and

6.5CVSS7.2AI score0.89015EPSS

CVE•added 2022/07/14 3:15 p.m.•199 views

CVE-2022-32214

The llhttp parser <v14.20.1, <v16.17.1 and

6.5CVSS7AI score0.64855EPSS

CVE•added 2020/06/08 2:15 p.m.•176 views

CVE-2020-8172

TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and

7.4CVSS7.4AI score0.01183EPSS

CVE•added 2022/07/14 3:15 p.m.•117 views

CVE-2022-32223

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.W...

7.3CVSS7AI score0.1041EPSS

CVE•added 2020/09/18 9:15 p.m.•111 views

CVE-2020-8251

Node.js

7.5CVSS7.1AI score0.03055EPSS

CVE•added 2021/07/12 11:15 a.m.•105 views

CVE-2021-22921

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH ...

7.8CVSS7.6AI score0.0052EPSS