VYPR

apk package

chainguard/nodejs-18-doc

pkg:apk/chainguard/nodejs-18-doc

Vulnerabilities (19)

  • CVE-2025-23167MedMay 19, 2025
    affected < 0fixed 0

    A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue

  • CVE-2025-23165LowMay 19, 2025
    affected < 0fixed 0

    In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can

  • CVE-2024-27980HigJan 9, 2025
    affected < 18.20.2-r0fixed 18.20.2-r0

    Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.

  • CVE-2024-7592Aug 19, 2024
    affected < 18.20.8-r4fixed 18.20.8-r4

    There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in

  • CVE-2024-6923MedAug 1, 2024
    affected < 18.20.8-r4fixed 18.20.8-r4

    There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

  • CVE-2024-21890Feb 20, 2024
    affected < 0fixed 0

    The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading

  • CVE-2024-24806Feb 7, 2024
    affected < 18.19.0-r2fixed 18.19.0-r2

    libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be ex

  • CVE-2023-30590Nov 28, 2023
    affected < 18.16.1-r0fixed 18.16.1-r0

    The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat

  • CVE-2023-30588Nov 28, 2023
    affected < 18.16.1-r0fixed 18.16.1-r0

    When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when acces

  • CVE-2023-30585Nov 28, 2023
    affected < 18.16.1-r0fixed 18.16.1-r0

    A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT

  • CVE-2023-30581Nov 22, 2023
    affected < 18.16.1-r0fixed 18.16.1-r0

    The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.

  • CVE-2023-39331Oct 18, 2023
    affected < 0fixed 0

    A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined impl

  • CVE-2023-39332Oct 18, 2023
    affected < 0fixed 0

    Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004)

  • CVE-2023-32559Aug 24, 2023
    affected < 18.17.1-r0fixed 18.17.1-r0

    A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `pr

  • CVE-2023-32002Aug 21, 2023
    affected < 18.17.1-r0fixed 18.17.1-r0

    The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note

  • CVE-2023-32003Aug 15, 2023
    affected < 0fixed 0

    `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects

  • CVE-2023-32004Aug 15, 2023
    affected < 0fixed 0

    A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions. This vulnerability affects

  • CVE-2023-32006Aug 15, 2023
    affected < 18.17.1-r0fixed 18.17.1-r0

    The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and

  • CVE-2023-30589Jun 30, 2023
    affected < 18.16.1-r0fixed 18.16.1-r0

    The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RF