Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
nodejs node.js vulnerabilities and exploits
(subscribe to this query)
5.8
CVSSv2
CVE-2020-8201
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an malicious user to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attac...
Nodejs Node.js
Opensuse Leap 15.2
Fedoraproject Fedora 33
1 Github repository
4.6
CVSSv2
CVE-2020-8252
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
Nodejs Node.js
Opensuse Leap 15.2
Fedoraproject Fedora 33
10
CVSSv2
CVE-2015-0278
libuv prior to 0.10.34 does not properly drop group privileges, which allows context-dependent malicious users to gain privileges via unspecified vectors.
Fedoraproject Fedora 21
Libuv Project Libuv
Nodejs Node.js
5
CVSSv2
CVE-2018-1000168
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerabil...
Nghttp2 Nghttp2
Nodejs Node.js
Debian Debian Linux 9.0
NA
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC72...
Nodejs Node.js
Fedoraproject Fedora 37
Fedoraproject Fedora 38
NA
CVE-2023-32003
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects ...
Nodejs Node.js
Fedoraproject Fedora 37
Fedoraproject Fedora 38
NA
CVE-2023-32004
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects a...
Nodejs Node.js
Fedoraproject Fedora 37
Fedoraproject Fedora 38
NA
CVE-2023-32006
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and,...
Nodejs Node.js
Fedoraproject Fedora 37
Fedoraproject Fedora 38
NA
CVE-2022-32222
A cryptographic vulnerability exists on Node.js on linux in versions of 18.x before 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to O...
Nodejs Node.js
Siemens Sinec Ins 1.0
Siemens Sinec Ins
1 Github repository
7.8
CVSSv2
CVE-2019-9512
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consum...
Apple Swiftnio
Apache Traffic Server
Debian Debian Linux 10.0
Nodejs Node.js
2 Github repositories
1 Article
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-33228
CVE-2024-20361
log injection
bypass
CVE-2024-4985
CVE-2024-35223
CVE-2024-29849
CVE-2024-31893
IMAP
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
10
NEXT »