VYPR

Vendor CVEs

Node.js

All CVEs

198 total · sorted by risk
  • CVE-2022-43548Dec 5, 2022
    risk 0.00cvss epss 0.14

    A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests…

  • CVE-2022-35255Dec 5, 2022
    risk 0.00cvss epss 0.02

    A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource()…

  • CVE-2022-35256Dec 5, 2022
    risk 0.00cvss epss 0.03

    The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

  • CVE-2022-39300Oct 13, 2022
    risk 0.00cvss epss 0.01

    node SAML is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML…

  • CVE-2022-39299Oct 12, 2022
    risk 0.00cvss epss 0.03

    Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP…

  • CVE-2022-35948Aug 13, 2022
    risk 0.00cvss epss 0.01

    undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from…

  • CVE-2022-35949Aug 12, 2022
    risk 0.00cvss epss 0.01

    undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or…

  • CVE-2022-31151Jul 20, 2022
    risk 0.00cvss epss 0.01

    Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a…

  • CVE-2022-31150Jul 19, 2022
    risk 0.00cvss epss 0.01

    undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a…

  • CVE-2022-32210Jul 14, 2022
    risk 0.00cvss epss 0.00

    `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are…

  • CVE-2022-32214Jul 14, 2022
    risk 0.00cvss epss 0.77

    The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

  • CVE-2022-32213Jul 14, 2022
    risk 0.00cvss epss 0.35

    The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).

  • CVE-2022-32222Jul 14, 2022
    risk 0.00cvss epss 0.02

    A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade…

  • CVE-2022-32212Jul 14, 2022
    risk 0.00cvss epss 0.06

    A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing…

  • CVE-2021-44533Feb 24, 2022
    risk 0.00cvss epss 0.09

    Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative…

  • CVE-2021-44532Feb 24, 2022
    risk 0.00cvss epss 0.10

    Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name…

  • CVE-2021-44531Feb 24, 2022
    risk 0.00cvss epss 0.08

    Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are…

  • CVE-2022-21824Feb 24, 2022
    risk 0.00cvss epss 0.22

    Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The…

  • CVE-2021-22959Nov 15, 2021
    risk 0.00cvss epss 0.03

    The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.

  • CVE-2021-22960Nov 3, 2021
    risk 0.00cvss epss 0.02

    The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

  • CVE-2021-22930Oct 7, 2021
    risk 0.00cvss epss 0.37

    Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

  • CVE-2021-39171Aug 27, 2021
    risk 0.00cvss epss 0.01

    Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. Prior to version 3.1.0, a malicious SAML payload can require transforms that consume significant system resources to process, thereby resulting in reduced or denied service.…

  • CVE-2021-22931Aug 16, 2021
    risk 0.00cvss epss 0.22

    Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain…

  • CVE-2021-22939Aug 16, 2021
    risk 0.00cvss epss 0.15

    If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

  • CVE-2021-22940Aug 16, 2021
    risk 0.00cvss epss 0.14

    Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

  • CVE-2021-22921Jul 12, 2021
    risk 0.00cvss epss 0.07

    Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different…

  • CVE-2021-22918Jul 12, 2021
    risk 0.00cvss epss 0.23

    Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer.…

  • CVE-2021-22884Mar 3, 2021
    risk 0.00cvss epss 0.32

    Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the…

  • CVE-2020-8265Jan 6, 2021
    risk 0.00cvss epss 0.09

    Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If…

  • CVE-2020-8201Sep 18, 2020
    risk 0.00cvss epss 0.05

    Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks…

  • CVE-2020-8252Sep 18, 2020
    risk 0.00cvss epss 0.01

    The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

  • CVE-2020-8251Sep 18, 2020
    risk 0.00cvss epss 0.09

    Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.

  • CVE-2019-15606Feb 7, 2020
    risk 0.00cvss epss 0.20

    Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons

  • CVE-2019-15604Feb 7, 2020
    risk 0.00cvss epss 0.20

    Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate

  • CVE-2019-5739Mar 28, 2019
    risk 0.00cvss epss 0.05

    Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of…

  • CVE-2018-12123Nov 28, 2018
    risk 0.00cvss epss 0.04

    Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g.…

  • CVE-2018-12116Nov 28, 2018
    risk 0.00cvss epss 0.05

    Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and…

  • CVE-2018-12120Nov 28, 2018
    risk 0.00cvss epss 0.04

    Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug…

  • CVE-2018-12121Nov 28, 2018
    risk 0.00cvss epss 0.10

    Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible…

  • CVE-2018-12122Nov 28, 2018
    risk 0.00cvss epss 0.41

    Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.

  • CVE-2015-5380Jul 9, 2015
    risk 0.00cvss epss 0.03

    The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote…

  • CVE-2015-0278May 18, 2015
    risk 0.00cvss epss 0.03

    libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors.

  • CVE-2014-7191Oct 19, 2014
    risk 0.00cvss epss 0.08

    The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.

  • CVE-2014-5256Sep 5, 2014
    risk 0.00cvss epss 0.03

    Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application…

  • CVE-2013-6668Mar 5, 2014
    risk 0.00cvss epss 0.05

    Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

  • CVE-2013-4450Oct 21, 2013
    risk 0.00cvss epss 0.37

    The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.

  • CVE-2013-2882Jul 31, 2013
    risk 0.00cvss epss 0.02

    Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion."

  • CVE-2012-2330Aug 13, 2012
    risk 0.00cvss epss 0.03

    The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length…

Page 4 of 4