apk package
chainguard/nodejs-14
pkg:apk/chainguard/nodejs-14
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-28863 | — | | | < 14.21.3-r1 | 14.21.3-r1 | Mar 21, 2024 | node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js cl |
| CVE-2023-42282 | — | | | < 14.21.3-r1 | 14.21.3-r1 | Feb 8, 2024 | The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. |
| CVE-2023-26136 | — | | | < 14.21.3-r1 | 14.21.3-r1 | Jul 1, 2023 | Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized. |
| CVE-2022-25883 | — | | | < 14.21.3-r1 | 14.21.3-r1 | Jun 21, 2023 | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. |
| CVE-2023-28155 | — | | | < 14.21.3-r1 | 14.21.3-r1 | Mar 16, 2023 | The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintaine |
| CVE-2022-25881 | — | | | < 14.21.3-r1 | 14.21.3-r1 | Jan 31, 2023 | This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. |
| CVE-2022-33987 | — | | | < 14.21.3-r1 | 14.21.3-r1 | Jun 18, 2022 | The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket. |
| CVE-2021-3807 | — | | | < 14.21.3-r1 | 14.21.3-r1 | Sep 17, 2021 | ansi-regex is vulnerable to Inefficient Regular Expression Complexity |