Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
nodejs nodejs vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv3
CVE-2014-3744
Directory traversal vulnerability in the st module prior to 0.2.5 for Node.js allows remote malicious users to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
Nodejs Node.js
6.1
CVSSv3
CVE-2014-9772
The validator package prior to 2.0.0 for Node.js allows remote malicious users to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
Nodejs Node.js
7.5
CVSSv3
CVE-2023-23919
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that...
Nodejs Node.js
4.3
CVSSv3
CVE-2018-12123
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:&qu...
Nodejs Node.js
NA
CVE-2014-7191
The qs module prior to 1.0.0 in Node.js does not call the compact function for array data, which allows remote malicious users to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Nodejs Node.js
6.5
CVSSv3
CVE-2018-21270
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
Nodejs Node.js
5.3
CVSSv3
CVE-2022-35948
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from '...
Nodejs Undici
9.8
CVSSv3
CVE-2022-35949
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//...
Nodejs Undici
7.5
CVSSv3
CVE-2023-39331
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined impl...
Nodejs Node.js
6.5
CVSSv3
CVE-2022-31150
undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a wor...
Nodejs Undici
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-5248
CVE-2024-3110
CVE-2024-5552
CVE-2024-29415
HTML injection
CVE-2024-3095
TCP
type confusion
CVE-2024-1800
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
NEXT »