Vulnerabilities (CVE)

Filtered by vendor Nodejs Subscribe
Total 75 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-2216 2 Fedoraproject, Nodejs 2 Fedora, Node.js 2017-07-01 4.3 MEDIUM 7.5 HIGH
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
CVE-2016-2086 2 Fedoraproject, Nodejs 2 Fedora, Node.js 2017-07-01 5.0 MEDIUM 7.5 HIGH
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
CVE-2015-8027 1 Nodejs 1 Node.js 2017-07-01 5.0 MEDIUM 7.5 HIGH
Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.
CVE-2014-9772 1 Nodejs 1 Node.js 2017-03-29 4.3 MEDIUM 6.1 MEDIUM
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
CVE-2015-8859 1 Nodejs 1 Node.js 2017-03-02 5.0 MEDIUM 5.3 MEDIUM
The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
CVE-2015-8315 1 Nodejs 1 Node.js 2017-03-02 7.8 HIGH 7.5 HIGH
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
CVE-2015-8856 1 Nodejs 1 Node.js 2017-03-02 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name.
CVE-2015-8855 1 Nodejs 1 Node.js 2017-01-26 7.8 HIGH 7.5 HIGH
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
CVE-2015-8860 1 Nodejs 1 Node.js 2017-01-24 5.0 MEDIUM 7.5 HIGH
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
CVE-2013-7453 1 Nodejs 1 Node.js 2017-01-24 4.3 MEDIUM 6.1 MEDIUM
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.
CVE-2013-7454 1 Nodejs 1 Node.js 2017-01-24 4.3 MEDIUM 6.1 MEDIUM
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings.
CVE-2013-7452 1 Nodejs 1 Node.js 2017-01-24 4.3 MEDIUM 6.1 MEDIUM
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI.
CVE-2013-7451 1 Nodejs 1 Node.js 2017-01-24 4.3 MEDIUM 6.1 MEDIUM
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag.
CVE-2015-5380 3 Google, Iojs, Nodejs 3 V8, Io.js, Node.js 2016-11-28 7.5 HIGH N/A
The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.
CVE-2014-5256 1 Nodejs 1 Nodejs 2015-05-12 5.0 MEDIUM N/A
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.