Lucene search

Nodejs Node.js

17 matches found

CVE
added 2017/05/23 4:29 a.m., 858 views

CVE-2016-9843

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

CVSS 9.8, AI score 9.9, EPSS 0.09233

CVE
added 2023/10/18 4:15 a.m., 702 views

CVE-2023-39332

Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through non-Buffer ...

CVSS 9.8, AI score 8.6, EPSS 0.00375

CVE
added 2023/08/21 5:15 p.m., 619 views

CVE-2023-32002

The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this C...

CVSS 9.8, AI score 9.3, EPSS 0.00026

CVE
added 2017/05/23 4:29 a.m., 510 views

CVE-2016-9841

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVSS 9.8, AI score 9.9, EPSS 0.20848

CVE
added 2020/02/07 3:15 p.m., 455 views

CVE-2019-15605

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

CVSS 9.8, AI score 9.5, EPSS 0.32252

CVE
added 2021/08/16 7:15 p.m., 397 views

CVE-2021-22931

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection v...

CVSS 9.8, AI score 9.9, EPSS 0.00738

CVE
added 2020/07/24 10:15 p.m., 359 views

CVE-2020-8174

napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and

CVSS 9.3, AI score 8.1, EPSS 0.01274

CVE
added 2020/02/07 3:15 p.m., 274 views

CVE-2019-15606

Including trailing white space in HTTP header values in Node.js 10, 12, and 13 causes bypass of authorization based on header value comparisons

CVSS 9.8, AI score 9.4, EPSS 0.02287

CVE
added 2016/09/16 5:59 a.m., 255 views

CVE-2016-6303

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

CVSS 9.8, AI score 8.6, EPSS 0.32879

CVE
added 2022/12/05 10:15 p.m., 241 views

CVE-2022-35255

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it...

CVSS 9.1, AI score 8.9, EPSS 0.01258

CVE
added 2021/10/07 2:15 p.m., 238 views

CVE-2021-22930

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

CVSS 9.8, AI score 9.4, EPSS 0.00359

CVE
added 2016/10/03 3:59 p.m., 143 views

CVE-2016-5180

Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.

CVSS 9.8, AI score 9.8, EPSS 0.22414

CVE
added 2024/02/20 2:15 a.m., 128 views

CVE-2024-21896

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, na...

CVSS 9.8, AI score 7, EPSS 0.00757

CVE
added 2016/05/14 9:59 p.m., 98 views

CVE-2016-1669

The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impa...

CVSS 9.3, AI score 8.8, EPSS 0.05801

CVE
added 2017/12/11 9:29 p.m., 95 views

CVE-2017-15896

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption...

CVSS 9.1, AI score 6.5, EPSS 0.3822

CVE
added 2015/12/06 1:59 a.m., 78 views

CVE-2015-6764

The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome before 47.0.2526.73, improperly loads array elements, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have un...

CVSS 9.8, AI score 9.2, EPSS 0.13726

CVE
added 2024/04/10 4:15 p.m., 64 views

CVE-2024-3566

A command injection vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

CVSS 9.8, AI score 9.6, EPSS 0.0303