Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
nodejs node.js vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv3
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process...
Nodejs Node.js
7.5
CVSSv3
CVE-2023-23919
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that...
Nodejs Node.js
7.5
CVSSv3
CVE-2023-30581
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. P...
Nodejs Node.js
1 Github repository
7.5
CVSSv3
CVE-2023-30585
A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running un...
Nodejs Node.js
7.5
CVSSv3
CVE-2023-30586
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can...
Nodejs Node.js
5.3
CVSSv3
CVE-2023-30588
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when acces...
Nodejs Node.js
7.5
CVSSv3
CVE-2023-30590
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat...
Nodejs Node.js
6.1
CVSSv3
CVE-2014-9772
The validator package prior to 2.0.0 for Node.js allows remote malicious users to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
Nodejs Node.js
7.5
CVSSv3
CVE-2015-8860
The tar package prior to 2.0.0 for Node.js allows remote malicious users to write to arbitrary files via a symlink attack in an archive.
Nodejs Node.js
6.1
CVSSv3
CVE-2013-7453
The validator module prior to 1.1.0 for Node.js allows remote malicious users to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.
Nodejs Node.js
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
deserialization
CVE-2024-4040
cross-site scripting
CVE-2023-25790
CVE-2024-2961
XML external entity
CVE-2024-26926
CVE-2024-32806
CVE-2024-32711
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
NEXT »