VYPR

Node.js

by Node.js

Source repositories

CVEs (170)

  • CVE-2014-3744HigOct 23, 2017
    risk 0.51cvss 7.5epss 0.34

    Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.

  • CVE-2016-0797HigMar 3, 2016
    risk 0.51cvss 7.5epss 0.27

    Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the…

  • CVE-2015-3193HigDec 6, 2015
    risk 0.51cvss 7.5epss 0.25

    The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain…

  • CVE-2025-23083HigJan 22, 2025
    risk 0.50cvss 7.7epss 0.00

    With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated…

  • CVE-2023-30584HigSep 7, 2024
    risk 0.50cvss 7.7epss 0.00

    A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission…

  • CVE-2025-27209HigJul 18, 2025
    risk 0.49cvss 7.5epss 0.01

    The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate…

  • CVE-2025-23166HigMay 19, 2025
    risk 0.49cvss 7.5epss 0.01

    The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism…

  • CVE-2023-30587HigSep 7, 2024
    risk 0.49cvss 7.5epss 0.01

    A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers…

  • CVE-2023-30583HigSep 7, 2024
    risk 0.49cvss 7.5epss 0.01

    fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the…

  • CVE-2022-3786HigNov 1, 2022
    risk 0.49cvss 7.5epss 0.91

    A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue…

  • CVE-2022-3602HigNov 1, 2022
    risk 0.49cvss 7.5epss 0.90

    A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to…

  • CVE-2018-7166HigAug 21, 2018
    risk 0.49cvss 7.5epss 0.03

    In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a…

  • CVE-2018-12115HigAug 21, 2018
    risk 0.49cvss 7.5epss 0.08

    In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that…

  • CVE-2018-7167HigJun 13, 2018
    risk 0.49cvss 7.5epss 0.07

    Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in…

  • CVE-2018-7164HigJun 13, 2018
    risk 0.49cvss 7.5epss 0.06

    Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial…

  • CVE-2018-7162HigJun 13, 2018
    risk 0.49cvss 7.5epss 0.07

    All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages…

  • CVE-2018-7161HigJun 13, 2018
    risk 0.49cvss 7.5epss 0.08

    All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that…

  • CVE-2018-7158HigMay 17, 2018
    risk 0.49cvss 7.5epss 0.03

    The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression,…

  • CVE-2017-14919HigOct 30, 2017
    risk 0.49cvss 7.5epss 0.08

    Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.

  • CVE-2015-7384HigOct 10, 2017
    risk 0.49cvss 7.5epss 0.08

    Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.

Page 2 of 9