nodejs node.js vulnerabilities and exploits
7.5
CVSSv3
CVE-2023-38552
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerab...
Nodejs Node.js
Fedoraproject Fedora 37
Fedoraproject Fedora 38
Fedoraproject Fedora 39
6.5
CVSSv3
CVE-2022-32214
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
Llhttp Llhttp
Nodejs Node.js
Debian Debian Linux 11.0
Stormshield Stormshield Management Center
9.1
CVSSv3
CVE-2022-35255
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() alwa...
Nodejs Node.js
Siemens Sinec Ins 1.0
Siemens Sinec Ins
Debian Debian Linux 11.0
6.5
CVSSv3
CVE-2015-2927
node 0.3.2 and URONode prior to 1.0.5r3 allows remote malicious users to cause a denial of service (bandwidth consumption).
Uronode Uro Node
Nodejs Node.js 0.3.2
Debian Debian Linux 8.0
Debian Debian Linux 9.0
9.8
CVSSv3
CVE-2021-22930
Node.js prior to 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
Nodejs Node.js
Netapp Nextgen Api -
Siemens Sinec Infrastructure Network Services
Debian Debian Linux 10.0
6.5
CVSSv3
CVE-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
Nodejs Node.js
Llhttp Llhttp
Siemens Sinec Ins 1.0
Siemens Sinec Ins
Debian Debian Linux 11.0
NA
CVE-2014-5256
Node.js 0.8 prior to 0.8.28 and 0.10 prior to 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote malicious users to cause a denial of service (memory corruption and applicat...
Nodejs Nodejs 0.8.6
Nodejs Nodejs 0.8.2
Nodejs Nodejs 0.8.3
Nodejs Nodejs 0.8.11
Nodejs Nodejs 0.8.12
Nodejs Nodejs 0.8.19
Nodejs Nodejs 0.8.20
Nodejs Nodejs 0.8.27
Nodejs Nodejs 0.10.0
Nodejs Nodejs 0.10.8
Nodejs Nodejs 0.10.9
Nodejs Nodejs 0.10.16
Nodejs Nodejs 0.10.17
Nodejs Nodejs 0.10.24
Nodejs Nodejs 0.10.25
Nodejs Nodejs 0.8.7
Nodejs Nodejs 0.8.8
Nodejs Nodejs 0.8.15
Nodejs Nodejs 0.8.16
Nodejs Nodejs 0.8.23
Nodejs Nodejs 0.8.24
Nodejs Nodejs 0.10.3
1 Github repository
NA
CVE-2012-2330
The Update method in src/node_http_parser.cc in Node.js prior to 0.6.17 and 0.7 prior to 0.7.8 does not properly check the length of a string, which allows remote malicious users to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero ...
Nodejs Nodejs
Nodejs Nodejs 0.7.6
Nodejs Nodejs 0.7.4
Nodejs Nodejs 0.7.5
Nodejs Nodejs 0.7.3
Nodejs Nodejs 0.7.0
Nodejs Nodejs 0.7.2
Nodejs Nodejs 0.7.7
Nodejs Nodejs 0.7.1
8.1
CVSSv3
CVE-2020-8265
Node.js versions prior to 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If...
Nodejs Node.js
Debian Debian Linux 10.0
Fedoraproject Fedora 32
Fedoraproject Fedora 33
Oracle Graalvm 19.3.4
Oracle Graalvm 20.3.0
Siemens Sinec Infrastructure Network Services
6.5
CVSSv3
CVE-2020-8287
Node.js versions prior to 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smug...
Nodejs Node.js
Debian Debian Linux 10.0
Fedoraproject Fedora 32
Fedoraproject Fedora 33
Oracle Graalvm 19.3.4
Oracle Graalvm 20.3.0
Siemens Sinec Infrastructure Network Services
1 Github repository