Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
node.js vulnerabilities and exploits
(subscribe to this query)
7.8
CVSSv2
CVE-2015-8858
The uglify-js package prior to 2.6.0 for Node.js allows malicious users to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Uglifyjs Project Uglifyjs
1 Github repository
7.8
CVSSv2
CVE-2016-4055
The duration function in the moment package prior to 2.11.2 for Node.js allows remote malicious users to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."
Momentjs Moment
Tenable Nessus
Oracle Primavera Unifier
2 Github repositories
7.8
CVSSv2
CVE-2015-8854
The marked package prior to 0.3.4 for Node.js allows malicious users to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)....
Marked Project Marked
Fedoraproject Fedora 31
Fedoraproject Fedora 32
7.8
CVSSv2
CVE-2015-8855
The semver package prior to 4.3.2 for Node.js allows malicious users to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
Nodejs Node.js
7.8
CVSSv2
CVE-2015-8315
The ms package prior to 0.7.1 for Node.js allows malicious users to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
Vercel Ms
1 Github repository
7.5
CVSSv2
CVE-2022-29078
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is exe...
Ejs Ejs 3.1.6
7 Github repositories
7.5
CVSSv2
CVE-2022-29080
The npm-dependency-versions package up to and including 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a value.
Npm-dependency-versions Project Npm-dependency-versions
7.5
CVSSv2
CVE-2021-45459
lib/cmd.js in the node-windows package prior to 1.0.0-beta.6 for Node.js allows command injection via the PID parameter.
Node-windows Project Node-windows
Node-windows Project Node-windows 1.0.0
7.5
CVSSv2
CVE-2021-43571
The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) 1.1.2 fails to check that the signature is non-zero, which allows malicious users to forge signatures on arbitrary messages.
Starkbank Ecdsa-node 1.1.2
7.5
CVSSv2
CVE-2021-42740
The shell-quote package prior to 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command ...
Shell-quote Project Shell-quote
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2020-4463
CVE-2024-3400
deserialization
CVE-2024-21788
CVE-2023-42433
CVE-2024-21841
CVE-2024-22095
local file inclusion
memory leak
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
10
NEXT »