Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
nodejs vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv3
CVE-2023-30589
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC72...
Nodejs Node.js
Fedoraproject Fedora 37
Fedoraproject Fedora 38
7.5
CVSSv3
CVE-2022-25883
Versions of the package semver prior to 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Npmjs Semver
3 Github repositories
7.5
CVSSv3
CVE-2023-34109
zxcvbn-ts is an open source password strength estimator written in typescript. This vulnerability affects users running on the nodeJS platform which are using the second argument of the zxcvbn function. It can result in an unbounded resource consumption as the user inputs array i...
Zxcvbn-ts Project Zxcvbn-ts
7.5
CVSSv3
CVE-2023-32067
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 lengt...
C-ares Project C-ares
Fedoraproject Fedora 37
Fedoraproject Fedora 38
Debian Debian Linux 10.0
Debian Debian Linux 11.0
7.5
CVSSv3
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process...
Nodejs Node.js
7.5
CVSSv3
CVE-2023-23919
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that...
Nodejs Node.js
7.5
CVSSv3
CVE-2023-24807
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular...
Nodejs Undici
7.5
CVSSv3
CVE-2022-25881
This affects versions of the package http-cache-semantics prior to 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Http-cache-semantics Project Http-cache-semantics
1 Github repository
7.5
CVSSv3
CVE-2021-35065
The glob-parent package prior to 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.
Gulpjs Glob-parent
7.5
CVSSv3
CVE-2022-38900
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Decode-uri-component Project Decode-uri-component 0.2.0
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2020-4463
CVE-2024-3400
deserialization
CVE-2024-21788
CVE-2023-42433
CVE-2024-21841
CVE-2024-22095
local file inclusion
memory leak
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
4
5
6
7
8
9
10
NEXT »