Vulnerabilities (CVE)

Filtered by vendor Nodejs Subscribe
Total 172 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-8027 1 Nodejs 1 Node.js 2025-04-12 5.0 MEDIUM 7.5 HIGH
Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.
CVE-2016-1669 5 Canonical, Debian, Google and 2 more 6 Ubuntu Linux, Debian Linux, Chrome and 3 more 2025-04-12 9.3 HIGH 8.8 HIGH
The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code.
CVE-2016-5180 5 C-ares, C-ares Project, Canonical and 2 more 5 C-ares, C-ares, Ubuntu Linux and 2 more 2025-04-12 7.5 HIGH 9.8 CRITICAL
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
CVE-2016-2183 6 Cisco, Nodejs, Openssl and 3 more 9 Content Security Management Appliance, Node.js, Openssl and 6 more 2025-04-12 5.0 MEDIUM 7.5 HIGH
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
CVE-2016-5325 2 Nodejs, Suse 2 Node.js, Linux Enterprise 2025-04-12 4.3 MEDIUM 6.1 MEDIUM
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
CVE-2016-7052 3 Nodejs, Novell, Openssl 3 Node.js, Suse Linux Enterprise Module For Web Scripting, Openssl 2025-04-12 5.0 MEDIUM 7.5 HIGH
crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
CVE-2015-5380 3 Google, Iojs, Nodejs 3 V8, Io.js, Node.js 2025-04-12 7.5 HIGH N/A
The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.
CVE-2015-3194 4 Canonical, Debian, Nodejs and 1 more 4 Ubuntu Linux, Debian Linux, Node.js and 1 more 2025-04-12 5.0 MEDIUM 7.5 HIGH
crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
CVE-2016-3956 3 Ibm, Nodejs, Npmjs 3 Sdk, Node.js, Npm 2025-04-12 5.0 MEDIUM 7.5 HIGH
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
CVE-2016-5172 3 Debian, Google, Nodejs 3 Debian Linux, Chrome, Node.js 2025-04-12 4.3 MEDIUM 6.5 MEDIUM
The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code.
CVE-2013-4450 1 Nodejs 1 Nodejs 2025-04-11 5.0 MEDIUM N/A
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.
CVE-2012-2330 1 Nodejs 1 Nodejs 2025-04-11 6.4 MEDIUM N/A
The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string.
CVE-2013-2882 4 Debian, Google, Nodejs and 1 more 4 Debian Linux, Chrome, Node.js and 1 more 2025-04-11 7.5 HIGH N/A
Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion."
CVE-2024-22019 2 Netapp, Nodejs 2 Astra Control Center, Node.js 2025-04-02 N/A 7.5 HIGH
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
CVE-2024-21896 1 Nodejs 1 Node.js 2025-04-02 N/A 9.8 CRITICAL
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-21891 1 Nodejs 1 Node.js 2025-03-28 N/A 8.8 HIGH
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2023-23920 2 Debian, Nodejs 2 Debian Linux, Node.js 2025-03-17 N/A 4.2 MEDIUM
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
CVE-2024-21892 2 Linux, Nodejs 2 Linux Kernel, Node.js 2025-03-13 N/A 7.8 HIGH
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
CVE-2023-23919 1 Nodejs 1 Node.js 2025-03-12 N/A 7.5 HIGH
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.
CVE-2024-30260 2 Fedoraproject, Nodejs 2 Fedora, Undici 2025-02-13 N/A 3.9 LOW
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.