node.js vulnerabilities and exploits

(subscribe to this query)

vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows malicious users to escape the sandbox and run arbitrary code. This may result in Remote Code Execution, assuming the attacker has arbitrary code ex...

Vm2 Project Vm2

1 Github repository

vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@speci...

Vm2 Project Vm2

ssh2 is client and server modules written in pure JavaScript for node.js. In ssh2 before version 1.4.0 there is a command injection vulnerability. The issue only exists on Windows. This issue may lead to remote code execution if a client of the library calls the vulnerable method...

Ssh2 Project Ssh2

The ip package prior to 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Fedorindutny Ip Fedorindutny Ip 2.0.0

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

Sap \\@sap\\/xssec

1 Article

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004)...

Nodejs Node.js Fedoraproject Fedora 39

systeminformation is a System Information Library for Node.JS. Versions 5.0.0 up to and including 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are pass...

Systeminformation Systeminformation

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note th...

SES is a JavaScript environment that allows safe execution of arbitrary programs in Compartments. In version 0.18.0 before 0.18.7, 0.17.0 before 0.17.1, 0.16.0 before 0.16.1, 0.15.0 before 0.15.24, 0.14.0 before 0.14.5, an 0.13.0 before 0.13.5, there is a hole in the confinement ...

Agoric Ses Agoric Ses 0.17.0 Agoric Ses 0.16.0

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge b...

Matrix Matrix Irc Bridge

1 2 3 4 5 6 NEXT »

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook