Vulnerabilities (CVE)

Filtered by vendor Nodejs Subscribe
Filtered by product Node.js
Total 72 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-7162 1 Nodejs 1 Node.js 2020-03-20 7.8 HIGH 7.5 HIGH
All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation.
CVE-2018-7164 1 Nodejs 1 Node.js 2020-03-20 5.0 MEDIUM 7.5 HIGH
Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour.
CVE-2018-7158 1 Nodejs 1 Node.js 2020-02-13 5.0 MEDIUM 7.5 HIGH
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.
CVE-2018-7159 1 Nodejs 1 Node.js 2020-02-13 5.0 MEDIUM 5.3 MEDIUM
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.
CVE-2015-2927 3 Debian, Nodejs, Uronode 3 Debian Linux, Node.js, Uro Node 2019-11-25 6.8 MEDIUM 6.5 MEDIUM
node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption).
CVE-2018-12120 1 Nodejs 1 Node.js 2019-10-09 6.8 MEDIUM 8.1 HIGH
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as `node --debug=localhost`. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.
CVE-2017-16024 2 Nodejs, Sync-exec Project 2 Node.js, Sync-exec 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file, while it exists.
CVE-2017-15896 1 Nodejs 1 Node.js 2019-10-03 6.4 MEDIUM 9.1 CRITICAL
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
CVE-2017-14849 1 Nodejs 1 Node.js 2019-10-03 5.0 MEDIUM 7.5 HIGH
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
CVE-2016-6303 2 Nodejs, Openssl 2 Node.js, Openssl 2018-04-20 7.5 HIGH 9.8 CRITICAL
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVE-2016-5325 2 Nodejs, Suse 2 Node.js, Linux Enterprise 2018-01-05 4.3 MEDIUM 6.1 MEDIUM
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
CVE-2016-7099 2 Nodejs, Suse 2 Node.js, Linux Enterprise 2018-01-05 4.3 MEDIUM 5.9 MEDIUM
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
CVE-2017-15897 1 Nodejs 1 Node.js 2017-12-29 4.3 MEDIUM 3.1 LOW
Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.
CVE-2017-11499 1 Nodejs 1 Node.js 2017-12-07 5.0 MEDIUM 7.5 HIGH
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.
CVE-2017-14919 1 Nodejs 1 Node.js 2017-11-21 5.0 MEDIUM 7.5 HIGH
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.
CVE-2014-3744 1 Nodejs 1 Node.js 2017-11-15 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
CVE-2015-7384 1 Nodejs 1 Node.js 2017-10-27 5.0 MEDIUM 7.5 HIGH
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.
CVE-2014-7191 1 Nodejs 1 Node.js 2017-09-08 5.0 MEDIUM N/A
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
CVE-2015-8027 1 Nodejs 1 Node.js 2017-07-01 5.0 MEDIUM 7.5 HIGH
Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.
CVE-2016-2216 2 Fedoraproject, Nodejs 2 Fedora, Node.js 2017-07-01 4.3 MEDIUM 7.5 HIGH
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.