apk package
wolfi/nodejs-16-doc
pkg:apk/wolfi/nodejs-16-doc
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-23167 | Med | 6.5 | < 16.20.2-r15 | 16.20.2-r15 | May 19, 2025 | A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue | |
| CVE-2025-23166 | Hig | 7.5 | < 16.20.2-r15 | 16.20.2-r15 | May 19, 2025 | The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall | |
| CVE-2025-23165 | Low | 3.7 | < 16.20.2-r15 | 16.20.2-r15 | May 19, 2025 | In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can | |
| CVE-2025-23084 | — | < 16.20.2-r16 | 16.20.2-r16 | Jan 28, 2025 | A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to th | ||
| CVE-2024-27980 | Hig | 8.1 | < 16.20.2-r16 | 16.20.2-r16 | Jan 9, 2025 | Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. | |
| CVE-2024-36138 | Hig | 8.1 | < 16.20.2-r16 | 16.20.2-r16 | Sep 7, 2024 | Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if | |
| CVE-2023-46809 | Hig | 7.4 | < 16.20.2-r15 | 16.20.2-r15 | Sep 7, 2024 | Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryp | |
| CVE-2023-39333 | Med | 5.3 | < 16.20.2-r15 | 16.20.2-r15 | Sep 7, 2024 | Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. | |
| CVE-2024-27982 | Med | 6.5 | < 16.20.2-r15 | 16.20.2-r15 | May 7, 2024 | The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke | |
| CVE-2024-27983 | Hig | 8.2 | < 16.20.2-r15 | 16.20.2-r15 | Apr 9, 2024 | An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se | |
| CVE-2024-22025 | Med | 6.5 | < 16.20.2-r15 | 16.20.2-r15 | Mar 19, 2024 | A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always d | |
| CVE-2024-21890 | — | < 16.20.2-r11 | 16.20.2-r11 | Feb 20, 2024 | The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading | ||
| CVE-2024-22019 | — | < 16.20.2-r15 | 16.20.2-r15 | Feb 20, 2024 | A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of li | ||
| CVE-2024-21892 | — | < 16.20.2-r15 | 16.20.2-r15 | Feb 20, 2024 | On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrec | ||
| CVE-2024-24806 | — | < 16.20.2-r4 | 16.20.2-r4 | Feb 7, 2024 | libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be ex | ||
| CVE-2023-30590 | — | < 16.20.1-r0 | 16.20.1-r0 | Nov 28, 2023 | The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat | ||
| CVE-2023-30588 | — | < 16.20.1-r0 | 16.20.1-r0 | Nov 28, 2023 | When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when acces | ||
| CVE-2023-30585 | — | < 16.20.1-r0 | 16.20.1-r0 | Nov 28, 2023 | A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT | ||
| CVE-2023-30581 | — | < 16.20.1-r0 | 16.20.1-r0 | Nov 22, 2023 | The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. | ||
| CVE-2023-39331 | — | < 0 | 0 | Oct 18, 2023 | A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined impl |
- affected < 16.20.2-r15fixed 16.20.2-r15
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue
- affected < 16.20.2-r15fixed 16.20.2-r15
The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentiall
- affected < 16.20.2-r15fixed 16.20.2-r15
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can
- CVE-2025-23084Jan 28, 2025affected < 16.20.2-r16fixed 16.20.2-r16
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to th
- affected < 16.20.2-r16fixed 16.20.2-r16
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
- affected < 16.20.2-r16fixed 16.20.2-r16
Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if
- affected < 16.20.2-r15fixed 16.20.2-r15
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryp
- affected < 16.20.2-r15fixed 16.20.2-r15
Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module.
- affected < 16.20.2-r15fixed 16.20.2-r15
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attacke
- affected < 16.20.2-r15fixed 16.20.2-r15
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the se
- affected < 16.20.2-r15fixed 16.20.2-r15
A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always d
- CVE-2024-21890Feb 20, 2024affected < 16.20.2-r11fixed 16.20.2-r11
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading
- CVE-2024-22019Feb 20, 2024affected < 16.20.2-r15fixed 16.20.2-r15
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of li
- CVE-2024-21892Feb 20, 2024affected < 16.20.2-r15fixed 16.20.2-r15
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrec
- CVE-2024-24806Feb 7, 2024affected < 16.20.2-r4fixed 16.20.2-r4
libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be ex
- CVE-2023-30590Nov 28, 2023affected < 16.20.1-r0fixed 16.20.1-r0
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivat
- CVE-2023-30588Nov 28, 2023affected < 16.20.1-r0fixed 16.20.1-r0
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when acces
- CVE-2023-30585Nov 28, 2023affected < 16.20.1-r0fixed 16.20.1-r0
A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT
- CVE-2023-30581Nov 22, 2023affected < 16.20.1-r0fixed 16.20.1-r0
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20.
- CVE-2023-39331Oct 18, 2023affected < 0fixed 0
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined impl
Page 1 of 2