Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
node.js vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2019-1234567
HelloWeb 🚀本文档面向初次踏入 The Web World 的新生,希望为你们提供一个可供参考的学习路线。 ✨该文档最早公开于 ma5hr00m/HelloWeb,计划用于 Vidar-Team2024 届招新。 0x00 前言 Web 安全与 Web 开发往往是绑定在一起的,所以本文档会同时介绍 安全&开发,还会有一些零零散散的其他想要告诉新生的东西,所以内容会略多,希望多点耐心看完。 在开始之前,你们需要准备一些东西,要求不高,相信大家都有: 🧠能独立思考的大脑 💻可以使用的电脑 🔮流畅的网络 ❤️积极好学的心 此...
1 Github repository
NA
CVE-2024-34347
@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. before 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because...
NA
CVE-2024-32962
xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, with...
NA
CVE-2024-33883
The ejs (aka Embedded JavaScript templates) package prior to 3.1.10 for Node.js lacks certain pollution protection.
NA
CVE-2024-32652
The adapter @hono/node-server allows you to run your Hono application on Node.js. before 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostn...
NA
CVE-2023-40000
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a up to and including 5.7.
5 Github repositories
1 Article
NA
CVE-2024-32000
matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. matrix-appservice-irc before version 2.0.0 can be exploited to leak the truncated body of a message if a malicious user sends a Matrix reply to an event ID they don't have access to. As a precon...
NA
CVE-2024-27980
Description<!---->A command injection flaw was found in Node.js exclusive to Windows environments. This flaw allows an attacker to perform command injection via the args parameter of child_process.spawn without the shell option enabled on Windows. This behavior is caused by...
NA
CVE-2024-27983
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se...
1 Github repository
1 Article
NA
CVE-2024-30260
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
man-in-the-middle
CVE-2024-34558
CVE-2024-32674
CVE-2024-34351
XPath injection
CVE-2023-45866
CVE-2024-25528
CVE-2024-25517
path traversal
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
6
NEXT »