9 matches found
CVE-2022-0778
CVE-2022-0778 describes an infinite loop in BN_mod_sqrt() when parsing certain ASN.1 elliptic-curve parameters, enabling DoS during certificate or key processing. Affected OpenSSL versions include 1.0.2, 1.1.1, and 3.0 (specific ranges: 1.0.2 (1.0.2–1.0.2zc), 1.1.1 (1.1.1–1.1.1m), 3.0 (3.0.0–3.0....
CVE-2022-43548
CVE-2022-43548 affects Node.js and is caused by an insufficient IsAllowedHost check, allowing rebinding attacks via invalid IP addresses (notably octal formats) when using --inspect. Impact is DNS rebinding leading to potential code execution in affected environments. Affected versions include No...
CVE-2022-35256
CVE-2022-35256 concerns the llhttp parser used by Node.js (http module) where header fields not terminated with CRLF can enable HTTP Request Smuggling. The issue is present in Node.js builds that include the llhttp version affected and has been addressed by package updates in multiple distributio...
CVE-2022-32212
CVE-2022-32212 is a Node.js OS Command Injection due to an insufficient IsAllowedHost validation, enabling rebinding attacks. Affected versions are Node.js <14.20.0, <16.20.0, and
CVE-2022-35255
CVE-2022-35255 describes a weakness in Node.js 18 WebCrypto key generation where EntropySource() is invoked but its return value is not checked, and the data returned may not be cryptographically strong. The underlying issue occurs in SecretKeyGenTraits::DoKeyGen() and can lead to weaker key mate...
CVE-2022-32215
CVE-2022-32215 concerns the llhttp parser used by Node.js. The http module can mishandle multi-line Transfer-Encoding headers in vulnerable builds, enabling HTTP Request Smuggling (HRS). Affected are Node.js releases shipping with llhttp < v14.20.1, < v16.17.1, and
CVE-2022-32213
CVE-2022-32213 concerns the llhttp parser in Node.js’ http module, where the parser may incorrectly parse and validate Transfer-Encoding headers, enabling HTTP Request Smuggling (HRS). The vulnerability is cited in multiple advisories (Debian, Red Hat, and Amazon Linux family) as part of a set in...
CVE-2022-32214
CVE-2022-32214 affects the Node.js http module via the llhttp parser, where versions <14.20.1, <16.17.1, and =14.20.1, >=16.17.1, >=18.9.1 or newer Node.js releases that bundle these llhttp versions). If exploitation details or CVSS changes are needed, refer to the linked advisories i...
CVE-2022-32223
CVE-2022-32223 is a Node.js DLL hijacking issue on Windows. When the system has OpenSSL and an openssl.cnf at C:\Program Files\Common Files\SSL\openssl.cnf, node.exe may search for providers.dll in the user directory and via the Windows DLL search order, enabling a local attacker to place a malic...