Vulnerabilities (CVE)

Filtered by vendor Nodejs Subscribe
Filtered by product Node.js
Total 111 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-22921 3 Microsoft, Nodejs, Siemens 3 Windows, Node.js, Sinec Infrastructure Network Services 2022-04-06 4.4 MEDIUM 7.8 HIGH
Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
CVE-2021-22930 3 Netapp, Nodejs, Siemens 3 Nextgen Api, Node.js, Sinec Infrastructure Network Services 2022-04-06 7.5 HIGH 9.8 CRITICAL
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-43803 2 Nodejs, Vercel 2 Node.js, Next.js 2022-02-17 4.3 MEDIUM 7.5 HIGH
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.
CVE-2016-6306 4 Hp, Nodejs, Novell and 1 more 7 Icewall Federation Agent, Icewall Mcrp, Icewall Sso and 4 more 2021-11-17 4.3 MEDIUM 5.9 MEDIUM
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
CVE-2019-15605 1 Nodejs 1 Node.js 2021-07-20 7.5 HIGH 9.8 CRITICAL
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
CVE-2019-15604 1 Nodejs 1 Node.js 2021-07-20 5.0 MEDIUM 7.5 HIGH
Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
CVE-2019-15606 5 Debian, Nodejs, Opensuse and 2 more 6 Debian Linux, Node.js, Leap and 3 more 2021-07-20 7.5 HIGH 9.8 CRITICAL
Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
CVE-2016-3956 3 Ibm, Nodejs, Npmjs 3 Sdk, Node.js, Npm 2021-06-15 5.0 MEDIUM 7.5 HIGH
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
CVE-2018-21270 1 Nodejs 1 Node.js 2021-02-16 5.8 MEDIUM 6.5 MEDIUM
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
CVE-2019-5737 2 Nodejs, Opensuse 2 Node.js, Leap 2020-10-16 5.0 MEDIUM 7.5 HIGH
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
CVE-2019-5739 2 Nodejs, Opensuse 2 Node.js, Leap 2020-10-16 5.0 MEDIUM 7.5 HIGH
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.
CVE-2018-7166 1 Nodejs 1 Node.js 2020-09-22 5.0 MEDIUM 7.5 HIGH
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number, this is misinterpreted by `Buffer's` internal "fill" method as the `start` to a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information.
CVE-2018-5407 7 Canonical, Debian, Nodejs and 4 more 20 Ubuntu Linux, Debian Linux, Node.js and 17 more 2020-09-18 1.9 LOW 4.7 MEDIUM
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVE-2018-0734 6 Canonical, Debian, Netapp and 3 more 20 Ubuntu Linux, Debian Linux, Cloud Backup and 17 more 2020-08-24 4.3 MEDIUM 5.9 MEDIUM
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVE-2018-0735 6 Canonical, Debian, Netapp and 3 more 23 Ubuntu Linux, Debian Linux, Cloud Backup and 20 more 2020-08-24 4.3 MEDIUM 5.9 MEDIUM
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
CVE-2015-8854 1 Nodejs 1 Node.js 2020-05-31 7.8 HIGH 7.5 HIGH
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."
CVE-2018-12115 2 Nodejs, Redhat 2 Node.js, Openshift Container Platform 2020-03-20 5.0 MEDIUM 7.5 HIGH
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written.
CVE-2018-7164 1 Nodejs 1 Node.js 2020-03-20 5.0 MEDIUM 7.5 HIGH
Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour.
CVE-2018-12116 3 Joyent, Nodejs, Suse 5 Node.js, Node.js, Suse Enterprise Storage and 2 more 2020-03-20 5.0 MEDIUM 7.5 HIGH
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.
CVE-2018-12123 1 Nodejs 1 Node.js 2020-03-20 4.3 MEDIUM 4.3 MEDIUM
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.