Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
nodejs vulnerabilities and exploits
(subscribe to this query)
8.1
CVSSv3
CVE-2022-43548
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS reque...
Nodejs Node.js
Nodejs Node.js 19.0.0
Nodejs Node.js 18.12.0
Debian Debian Linux 10.0
Debian Debian Linux 11.0
1 Github repository
7.5
CVSSv3
CVE-2018-7158
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expressio...
Nodejs Node.js
6.5
CVSSv3
CVE-2018-21270
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
Nodejs Node.js
6.5
CVSSv3
CVE-2022-31151
Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a ...
Nodejs Undici
7.5
CVSSv3
CVE-2014-3744
Directory traversal vulnerability in the st module prior to 0.2.5 for Node.js allows remote malicious users to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
Nodejs Node.js
7.5
CVSSv3
CVE-2023-39331
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined impl...
Nodejs Node.js
NA
CVE-2014-7191
The qs module prior to 1.0.0 in Node.js does not call the compact function for array data, which allows remote malicious users to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Nodejs Node.js
8.1
CVSSv3
CVE-2018-12120
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug po...
Nodejs Node.js
5.3
CVSSv3
CVE-2022-35948
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from '...
Nodejs Undici
7.5
CVSSv3
CVE-2015-8855
The semver package prior to 4.3.2 for Node.js allows malicious users to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
Nodejs Node.js
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
encryption
CVE-2024-4331
CVE-2024-26925
arbitrary code
CVE-2006-4304
CVE-2024-25458
CVE-2024-27077
reflected XSS
CVE-2024-4059
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
NEXT »