Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
node.js vulnerabilities and exploits
(subscribe to this query)
10
CVSSv3
CVE-2023-37903
vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows malicious users to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code ex...
Vm2 Project Vm2
1 Github repository
10
CVSSv3
CVE-2023-37466
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@speci...
Vm2 Project Vm2
10
CVSSv3
CVE-2020-26301
ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method...
Ssh2 Project Ssh2
9.8
CVSSv3
CVE-2023-42282
The ip package prior to 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
Fedorindutny Ip
Fedorindutny Ip 2.0.0
9.8
CVSSv3
CVE-2023-49583
SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Sap \\@sap\\/xssec
1 Article
9.8
CVSSv3
CVE-2023-39332
Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004)...
Nodejs Node.js
Fedoraproject Fedora 39
9.8
CVSSv3
CVE-2023-42810
systeminformation is a System Information Library for Node.JS. Versions 5.0.0 up to and including 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are pass...
Systeminformation Systeminformation
9.8
CVSSv3
CVE-2023-32002
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note th...
Nodejs Node.js
9.8
CVSSv3
CVE-2023-39532
SES is a JavaScript environment that allows safe execution of arbitrary programs in Compartments. In version 0.18.0 before 0.18.7, 0.17.0 before 0.17.1, 0.16.0 before 0.16.1, 0.15.0 before 0.15.24, 0.14.0 before 0.14.5, an 0.13.0 before 0.13.5, there is a hole in the confinement ...
Agoric Ses
Agoric Ses 0.17.0
Agoric Ses 0.16.0
9.8
CVSSv3
CVE-2023-38690
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge b...
Matrix Matrix Irc Bridge
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-3675
CVE-2024-3400
CVE-2024-23557
mass assignment
CVE-2023-1389
local file inclusion
CVE-2024-32596
file upload
CVE-2024-32593
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
6
NEXT »