Node.js@4.2.1 Security Vulnerabilities and Issues — Node.js@4.2.1 CVE List

Lucene search

NodejsNode.js4.2.1

7 matches found

CVE•added 2016/04/07 9:59 p.m.•73 views

CVE-2016-2216

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstr...

7.5CVSS7.5AI score0.02105EPSS

CVE•added 2016/04/07 9:59 p.m.•71 views

CVE-2016-2086

Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

7.5CVSS7.2AI score0.00451EPSS

CVE•added 2016/10/10 4:59 p.m.•59 views

CVE-2016-5325

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.

6.1CVSS6.7AI score0.00327EPSS

CVE•added 2016/07/02 2:59 p.m.•58 views

CVE-2016-3956

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

7.5CVSS7.2AI score0.02387EPSS

CVE•added 2016/01/02 9:59 p.m.•54 views

CVE-2015-8027

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.

7.5CVSS8AI score0.015EPSS

CVE•added 2016/10/10 4:59 p.m.•53 views

CVE-2016-7099

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

5.9CVSS6AI score0.00703EPSS

CVE•added 2017/07/25 1:29 p.m.•51 views

CVE-2017-11499

Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots e...

7.5CVSS7.3AI score0.00605EPSS