Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Nodejs Subscribe
Filtered by product Node.js
Total 137 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-23920 2 Debian, Nodejs 2 Debian Linux, Node.js 2023-03-16 N/A 4.2 MEDIUM
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
CVE-2023-23919 1 Nodejs 1 Node.js 2023-03-16 N/A 7.5 HIGH
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
CVE-2023-23918 1 Nodejs 1 Node.js 2023-03-16 N/A 7.5 HIGH
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.
CVE-2022-43548 2 Debian, Nodejs 2 Debian Linux, Node.js 2023-03-01 N/A 8.1 HIGH
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
CVE-2022-35256 4 Debian, Llhttp, Nodejs and 1 more 4 Debian Linux, Llhttp, Node.js and 1 more 2023-03-01 N/A 6.5 MEDIUM
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
CVE-2022-35255 3 Debian, Nodejs, Siemens 3 Debian Linux, Node.js, Sinec Ins 2023-03-01 N/A 9.1 CRITICAL
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.
CVE-2023-23936 1 Nodejs 2 Node.js, Undici 2023-02-24 N/A 5.4 MEDIUM
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
CVE-2022-32222 2 Nodejs, Siemens 2 Node.js, Sinec Ins 2023-02-23 N/A 5.3 MEDIUM
A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.
CVE-2022-32212 4 Debian, Fedoraproject, Nodejs and 1 more 4 Debian Linux, Fedora, Node.js and 1 more 2023-02-23 N/A 8.1 HIGH
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
CVE-2022-32213 5 Debian, Fedoraproject, Llhttp and 2 more 5 Debian Linux, Fedora, Llhttp and 2 more 2023-02-23 N/A 6.5 MEDIUM
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
CVE-2022-32214 3 Debian, Llhttp, Nodejs 3 Debian Linux, Llhttp, Node.js 2023-02-23 N/A 6.5 MEDIUM
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
CVE-2022-32215 5 Debian, Fedoraproject, Llhttp and 2 more 5 Debian Linux, Fedora, Llhttp and 2 more 2023-02-23 N/A 6.5 MEDIUM
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
CVE-2015-3193 3 Canonical, Nodejs, Openssl 3 Ubuntu Linux, Node.js, Openssl 2023-02-12 5.0 MEDIUM 7.5 HIGH
The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
CVE-2016-6303 2 Nodejs, Openssl 2 Node.js, Openssl 2023-02-12 7.5 HIGH 9.8 CRITICAL
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVE-2016-2183 6 Cisco, Nodejs, Openssl and 3 more 9 Content Security Management Appliance, Node.js, Openssl and 6 more 2023-02-12 5.0 MEDIUM 7.5 HIGH
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
CVE-2015-0278 3 Fedoraproject, Libuv Project, Nodejs 3 Fedora, Libuv, Node.js 2023-02-12 10.0 HIGH N/A
libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors.
CVE-2020-8287 5 Debian, Fedoraproject, Nodejs and 2 more 5 Debian Linux, Fedora, Node.js and 2 more 2023-02-03 6.4 MEDIUM 6.5 MEDIUM
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
CVE-2019-9517 12 Apache, Apple, Canonical and 9 more 25 Http Server, Traffic Server, Mac Os X and 22 more 2023-01-19 7.8 HIGH 7.5 HIGH
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
CVE-2016-1669 5 Canonical, Debian, Google and 2 more 6 Ubuntu Linux, Debian Linux, Chrome and 3 more 2023-01-19 9.3 HIGH 8.8 HIGH
The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code.
CVE-2022-3602 4 Fedoraproject, Netapp, Nodejs and 1 more 4 Fedora, Clustered Data Ontap, Node.js and 1 more 2023-01-19 N/A 7.5 HIGH
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6).