Vulnerabilities (CVE)

Filtered by vendor Nodejs Subscribe
Total 172 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-9840 9 Apple, Boost, Canonical and 6 more 20 Iphone Os, Mac Os X, Tvos and 17 more 2025-04-20 6.8 MEDIUM 8.8 HIGH
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
CVE-2017-3731 2 Nodejs, Openssl 2 Node.js, Openssl 2025-04-20 5.0 MEDIUM 7.5 HIGH
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
CVE-2016-6304 3 Nodejs, Novell, Openssl 3 Node.js, Suse Linux Enterprise Module For Web Scripting, Openssl 2025-04-12 7.8 HIGH 7.5 HIGH
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
CVE-2015-3193 3 Canonical, Nodejs, Openssl 3 Ubuntu Linux, Node.js, Openssl 2025-04-12 5.0 MEDIUM 7.5 HIGH
The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
CVE-2016-2178 6 Canonical, Debian, Nodejs and 3 more 7 Ubuntu Linux, Debian Linux, Node.js and 4 more 2025-04-12 2.1 LOW 5.5 MEDIUM
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
CVE-2016-2105 8 Apple, Canonical, Debian and 5 more 15 Mac Os X, Ubuntu Linux, Debian Linux and 12 more 2025-04-12 5.0 MEDIUM 7.5 HIGH
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
CVE-2014-7191 1 Nodejs 1 Node.js 2025-04-12 5.0 MEDIUM N/A
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
CVE-2013-6668 3 Debian, Google, Nodejs 4 Debian Linux, Chrome, V8 and 1 more 2025-04-12 7.5 HIGH N/A
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
CVE-2016-2107 8 Canonical, Debian, Google and 5 more 15 Ubuntu Linux, Debian Linux, Android and 12 more 2025-04-12 2.6 LOW 5.9 MEDIUM
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
CVE-2016-0797 4 Canonical, Debian, Nodejs and 1 more 4 Ubuntu Linux, Debian Linux, Node.js and 1 more 2025-04-12 5.0 MEDIUM 7.5 HIGH
Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.
CVE-2015-0278 3 Fedoraproject, Libuv Project, Nodejs 3 Fedora, Libuv, Node.js 2025-04-12 10.0 HIGH N/A
libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors.
CVE-2015-6764 3 Debian, Google, Nodejs 3 Debian Linux, Chrome, Node.js 2025-04-12 7.5 HIGH 9.8 CRITICAL
The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome before 47.0.2526.73, improperly loads array elements, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via crafted JavaScript code.
CVE-2016-2216 2 Fedoraproject, Nodejs 2 Fedora, Node.js 2025-04-12 4.3 MEDIUM 7.5 HIGH
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
CVE-2014-5256 1 Nodejs 1 Nodejs 2025-04-12 5.0 MEDIUM N/A
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
CVE-2016-0702 4 Canonical, Debian, Nodejs and 1 more 4 Ubuntu Linux, Debian Linux, Node.js and 1 more 2025-04-12 1.9 LOW 5.1 MEDIUM
The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
CVE-2014-0224 9 Fedoraproject, Filezilla-project, Mariadb and 6 more 20 Fedora, Filezilla Server, Mariadb and 17 more 2025-04-12 5.8 MEDIUM 7.4 HIGH
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVE-2016-2086 2 Fedoraproject, Nodejs 2 Fedora, Node.js 2025-04-12 5.0 MEDIUM 7.5 HIGH
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
CVE-2016-6306 6 Canonical, Debian, Hp and 3 more 9 Ubuntu Linux, Debian Linux, Icewall Federation Agent and 6 more 2025-04-12 4.3 MEDIUM 5.9 MEDIUM
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
CVE-2016-7099 2 Nodejs, Suse 2 Node.js, Linux Enterprise 2025-04-12 4.3 MEDIUM 5.9 MEDIUM
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
CVE-2016-6303 2 Nodejs, Openssl 2 Node.js, Openssl 2025-04-12 7.5 HIGH 9.8 CRITICAL
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.