nodejs · threatengine.sh

CVE-2026-2581

>= 7.17.0 and < 7.24.0

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undi

5.9MEDIUM

CVE-2026-2229

< 6.24.0

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window

7.5HIGH

CVE-2026-1528

< 6.24.0

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser ov

7.5HIGH

CVE-2026-1527

< 6.24.0

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF s

4.6MEDIUM

CVE-2026-1526

< 6.24.0

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate

7.5HIGH

CVE-2026-1525

< 6.24.0

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-L

6.5MEDIUM

CVE-2026-21637

>= 4.0.0 and < 20.20.0

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or `

7.5HIGH

CVE-2026-21636

>= 25.0.0 and < 25.3.0

A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission

10.0CRITICAL

CVE-2025-59466

>= 20.0.0 and < 20.20.0

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_

7.5HIGH

CVE-2025-59465

>= 20.0.0 and < 20.20.0

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled `TLS

7.5HIGH

CVE-2025-59464

>= 24.0.0 and < 24.12.0

A memory leak in Node.js’s OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the al

7.5HIGH

CVE-2025-55132

>= 20.0.0 and < 20.20.0

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when th

5.3MEDIUM

CVE-2025-55130

>= 20.0.0 and < 20.20.0

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using cra

9.1CRITICAL

CVE-2026-22036

< 6.23.0

Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded

5.9MEDIUM

CVE-2025-23084

>= 18.0 and < 18.20.6

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Cer

5.5MEDIUM

CVE-2024-3566

< 18.20.2

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on t

9.8CRITICAL

CVE-2024-30260

< 5.28.4

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `

3.9LOW

CVE-2024-30261

< 5.28.4

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(),

2.6LOW

CVE-2024-22019

>= 20.0.0 and < 20.11.1

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading

7.5HIGH

CVE-2024-21896

>= 20.0.0 and < 20.11.1

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If t

9.8CRITICAL

CVE-2024-21892

>= 18.0.0 and < 18.19.1

On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is ru

7.8HIGH

CVE-2024-21891

>= 20.0.0 and < 20.11.1

Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten w

8.8HIGH

CVE-2024-21890

>= 20.0.0 and < 20.11.1

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a f

6.5MEDIUM

CVE-2024-24758

< 5.28.3

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redir

3.9LOW

CVE-2024-24750

>= 6.0.0 and < 6.6.1

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the in

6.5MEDIUM

CVE-2023-30590

>= 16.0.0 and < 16.20.1

The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it

7.5HIGH

CVE-2023-30588

>= 16.0.0 and < 16.20.1

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination o

5.3MEDIUM

CVE-2023-30585

>= 16.0.0 and < 16.20.1

A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who i

7.5HIGH

CVE-2023-30581

>= 16.0.0 and < 16.20.1

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the

7.5HIGH

CVE-2023-39332

>= 20.0.0 and < 20.8.0

Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the `Buffer

9.8CRITICAL

CVE-2023-39331

>= 20.0.0 and < 20.8.1

A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnera

7.5HIGH

CVE-2023-38552

>= 18.0.0 and <= 18.18.1

When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the o

7.5HIGH

CVE-2023-45143

< 5.26.2

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization heade

3.9LOW

CVE-2023-44487

>= 18.0.0 and < 18.18.2

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q

7.5HIGH

CVE-2023-32558

>= 20.0.0 and < 20.5.1

The use of the deprecated API process.binding() can bypass the permission model through path traversal. This vulnerability aff

7.5HIGH

CVE-2023-32005

>= 20.0.0 and < 20.5.1

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-f

5.3MEDIUM

CVE-2021-32050

>= 3.6 and < 3.6.10

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an

4.2MEDIUM

CVE-2023-32559

>= 16.0.0 and <= 16.20.1

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x

7.5HIGH

CVE-2023-32002

>= 16.0.0 and <= 16.20.1

The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given

9.8CRITICAL

CVE-2023-40340

<= 1.6.0

Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm con

7.5HIGH

CVE-2023-32006

>= 16.0.0 and <= 16.20.1

The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json def

8.8HIGH

CVE-2023-32004

>= 20.0.0 and <= 20.5.0

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relate

8.8HIGH

CVE-2023-32003

>= 20.0.0 and <= 20.5.0

fs.mkdtemp() and fs.mkdtempSync() can be used to bypass the permission model check using a path traversal attack. This flaw ar

5.3MEDIUM

CVE-2023-30589

>= 16.0.0 and < 16.20.1

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can le

7.5HIGH

CVE-2023-30586

>= 20.0.0 and < 20.3.1

A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental per

7.5HIGH

CVE-2023-23920

>= 14.0.0 and <= 14.14.0

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker t

4.2MEDIUM

CVE-2023-23919

>= 14.0.0 and <= 14.14.0

A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the Op

7.5HIGH

CVE-2023-23918

>= 14.0.0 and <= 14.14.0

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass th

7.5HIGH

CVE-2023-24807

< 5.19.1

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerab

7.5HIGH

CVE-2023-23936

>= 19.0.0 and < 19.6.1

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not pro

6.5MEDIUM

CVE-2022-43548

>= 14.0.0 and <= 14.14.0

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAll

8.1HIGH

CVE-2022-35256

>= 14.0.0 and <= 14.14.0

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. Th

6.5MEDIUM

CVE-2022-35255

>= 15.0.0 and <= 15.14.0

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTrait

9.1CRITICAL

CVE-2022-3786

>= 18.0.0 and < 18.11.0

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occu

7.5HIGH

CVE-2022-3602

>= 18.0.0 and < 18.11.0

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occu

7.5HIGH

CVE-2022-35948

< 5.8.2

undici is an HTTP/1.1 client, written from scratch for Node.js.=< undici@5.8.0 users are vulnerable to _CRLF Injection_ on heade

5.3MEDIUM

CVE-2022-35949

<= 5.8.1

undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF (Server-side Request Forgery) when a

5.3MEDIUM

CVE-2022-31151

< 5.7.1

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official h

3.7LOW

CVE-2022-31150

< 5.8.0

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in un

5.3MEDIUM

CVE-2022-32223

>= 14.0.0 and <= 14.14.0

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can

7.3HIGH

CVE-2022-32222

>= 18.0.0 and < 18.5.0

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for ope

5.3MEDIUM

CVE-2022-32215

>= 14.0.0 and <= 14.14.0

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-En

6.5MEDIUM

CVE-2022-32214

>= 14.0.0 and <= 14.14.0

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delim

6.5MEDIUM

CVE-2022-32213

>= 14.0.0 and <= 14.14.0

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-E

6.5MEDIUM

CVE-2022-32212

>= 14.0.0 and <= 14.14.0

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost c

8.1HIGH

CVE-2022-32210

>= 4.8.2 and < 5.5.1

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. T

6.5MEDIUM

CVE-2022-0778

>= 12.0.0 and <= 12.12.0

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime m

7.5HIGH

CVE-2022-21824

>= 17.0.0 and < 17.3.1

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "

8.2HIGH

CVE-2021-44533

< 12.22.9

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers

5.3MEDIUM

CVE-2021-44532

< 12.22.9

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this s

5.3MEDIUM

CVE-2021-44531

< 12.22.9

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can r

7.4HIGH

CVE-2021-4044

>= 17.0.0 and < 17.3.0

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That functi

7.5HIGH

CVE-2021-3672

>= 12.0.0 and <= 12.12.0

A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can

5.6MEDIUM

CVE-2021-22930

>= 16.0.0 and < 16.6.0

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit th

9.8CRITICAL

CVE-2021-22940

>= 16.0.0 and < 16.6.2

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit th

7.5HIGH

CVE-2021-22939

>= 16.0.0 and < 16.6.2

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was r

5.3MEDIUM

CVE-2021-22931

>= 12.0.0 and <= 12.12.0

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input

9.8CRITICAL

CVE-2021-22921

>= 12.0.0 and < 12.22.2

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Window

7.8HIGH

CVE-2021-22918

>= 12.0.0 and < 12.22.2

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings

5.3MEDIUM

CVE-2021-3450

>= 10.0.0 and < 10.24.1

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not

7.4HIGH

CVE-2021-3449

>= 10.0.0 and <= 10.12.0

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renego

5.9MEDIUM

CVE-2021-22884

>= 15.0.0 and < 15.10.0

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhos

7.5HIGH

CVE-2021-22883

>= 15.0.0 and < 15.10.0

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempt

7.5HIGH

CVE-2021-23840

>= 10.0.0 and <= 10.12.0

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the

7.5HIGH

CVE-2020-8287

>= 15.0.0 and < 15.5.1

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two

6.5MEDIUM

CVE-2020-8265

>= 15.0.0 and < 15.5.1

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When w

8.1HIGH

CVE-2020-1971

>= 10.0.0 and <= 10.12.0

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPar

5.9MEDIUM

CVE-2018-21270

< 0.0.6

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of unini

6.5MEDIUM

CVE-2020-8277

>= 15.0.0 and < 15.2.1

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Servic

7.5HIGH

CVE-2020-8252

>= 14.0.0 and < 14.9.0

The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer s

7.8HIGH

CVE-2020-8251

>= 14.0.0 and < 14.11.0

Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the se

7.5HIGH

CVE-2020-8201

>= 14.0.0 and < 14.11.0

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users

7.4HIGH

CVE-2020-8174

< 10.21.0

napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.

8.1HIGH

CVE-2020-8172

>= 12.0.0 and < 12.18.0

TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.

7.4HIGH

CVE-2020-11080

>= 10.0.0 and <= 10.12.0

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept at

3.7LOW

CVE-2020-10531

>= 10.0.0 and <= 10.12.0

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a he

8.8HIGH

CVE-2014-9748

>= 0.10.0 and < 0.10.46

The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads fro

8.1HIGH

CVE-2019-15606

>= 13.0.0 and < 13.8.0

Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value

9.8CRITICAL

CVE-2019-15605

>= 13.0.0 and < 13.8.0

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

9.8CRITICAL

CVE-2019-15604

>= 13.0.0 and < 13.8.0

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate

7.5HIGH

CVE-2019-9518

>= 8.0.0 and <= 8.8.1

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker se

7.5HIGH

CVE-2019-9517

>= 8.0.0 and <= 8.8.1

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. Th

7.5HIGH

CVE-2019-9516

>= 12.0.0 and < 12.8.1

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stre

6.5MEDIUM

CVE-2019-9515

>= 8.0.0 and <= 8.8.1

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a s

7.5HIGH

CVE-2019-9514

>= 8.0.0 and <= 8.8.1

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a numb

7.5HIGH

CVE-2019-9513

>= 8.0.0 and <= 8.8.1

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates mul

7.5HIGH

CVE-2019-9512

>= 8.0.0 and <= 8.8.1

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continua

7.5HIGH

CVE-2019-9511

>= 8.0.0 and <= 8.8.1

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading

7.5HIGH

CVE-2019-5739

<= 6.16.0

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.

7.5HIGH

CVE-2019-5737

>= 11.0.0 and < 11.10.1

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a D

7.5HIGH

CVE-2019-1559

>= 6.0.0 and <= 6.8.1

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to

5.9MEDIUM

CVE-2018-12123

>= 11.0.0 and < 11.3.0

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol

4.3MEDIUM

CVE-2018-12122

>= 11.0.0 and < 11.3.0

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause

7.5HIGH

CVE-2018-12121

>= 11.0.0 and < 11.3.0

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a c

7.5HIGH

CVE-2018-12120

>= 6.0.0 and < 6.15.0

Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enable

8.1HIGH

CVE-2018-12116

>= 6.0.0 and <= 6.8.1

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized u

7.5HIGH

CVE-2018-5407

< 6.14.4

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a sid

4.7MEDIUM

CVE-2018-0734

>= 6.0.0 and <= 6.8.1

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variati

5.9MEDIUM

CVE-2018-0735

>= 10.0.0 and < 10.12.0

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use varia

5.9MEDIUM

CVE-2018-7166

>= 10.0.0 and < 10.9.0

In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause Buffer.alloc() to return uninitialized memo

7.5HIGH

CVE-2018-12115

< 6.14.4

In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names

7.5HIGH

CVE-2018-7167

>= 9.0.0 and < 9.11.2

Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In orde

7.5HIGH

CVE-2018-7164

>= 9.7.0 and < 9.11.2

Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memor

7.5HIGH

CVE-2018-7162

>= 9.0.0 and < 9.11.2

All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by c

7.5HIGH

CVE-2018-7161

>= 8.0.0 and <= 8.8.1

All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS

7.5HIGH

CVE-2018-0732

>= 6.0.0 and < 6.8.1

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to th

7.5HIGH

CVE-2017-16024

< 0.11.9

The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buff

6.5MEDIUM

CVE-2018-7160

>= 6.0.0 and <= 6.8.1

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code ex

8.8HIGH

CVE-2018-7159

>= 4.0.0 and <= 4.1.2

The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as `Content-

5.3MEDIUM

CVE-2018-7158

>= 4.0.0 and <= 4.1.2

The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The

7.5HIGH

CVE-2018-1000168

>= 9.0.0 and <= 9.11.2

nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handli

7.5HIGH

CVE-2017-15897

>= 8.0.0 and <= 8.8.1

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not

3.1LOW

CVE-2017-15896

>= 4.0.0 and <= 4.1.2

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The

9.1CRITICAL

CVE-2017-3738

>= 4.0.0 and <= 4.1.2

There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algori

5.9MEDIUM

CVE-2017-14919

all versions

Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught excep

7.5HIGH

CVE-2014-3744

<= 0.2.4

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a

7.5HIGH

CVE-2015-7384

all versions

Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.

7.5HIGH

CVE-2017-14849

all versions

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible

7.5HIGH

CVE-2015-2927

all versions

node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption).

6.5MEDIUM

CVE-2017-11499

all versions

Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was suscept

7.5HIGH

CVE-2017-1000381

>= 4.0.0 and <= 4.1.2

The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outsi

7.5HIGH

CVE-2016-9843

>= 4.0.0 and <= 4.1.2

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors inv

9.8CRITICAL

CVE-2016-9842

>= 4.0.0 and <= 4.1.2

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors

8.8HIGH

CVE-2016-9841

>= 4.0.0 and <= 4.1.2

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmet

9.8CRITICAL

CVE-2016-9840

>= 4.0.0 and <= 4.1.2

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithme

8.8HIGH

CVE-2016-7055

>= 4.0.0 and <= 4.1.2

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1

5.9MEDIUM

CVE-2017-3732

>= 4.0.0 and <= 4.1.2

There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0

5.9MEDIUM

CVE-2017-3731

>= 4.0.0 and <= 4.1.2

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause

7.5HIGH

CVE-2015-8860

<= 1.8.4

The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.

7.5HIGH

CVE-2015-8855

<= 4.3.1

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version str

7.5HIGH

CVE-2014-9772

<= 1.8.4

The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-enc

6.1MEDIUM

CVE-2013-7454

<= 1.0.4

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested f

6.1MEDIUM

CVE-2013-7453

<= 1.0.4

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors

6.1MEDIUM

CVE-2013-7452

<= 1.0.4

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafte

6.1MEDIUM

CVE-2013-7451

all versions

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag.

6.1MEDIUM

CVE-2016-7099

all versions

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7

5.9MEDIUM

CVE-2016-5325

all versions

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x

6.1MEDIUM

CVE-2016-5180

>= 0.10.0 and < 0.10.48

Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial

9.8CRITICAL

CVE-2016-7052

>= 4.0.0 and <= 4.1.2

crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and applic

7.5HIGH

CVE-2016-6306

>= 0.10.0 and < 0.10.47

The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service

5.9MEDIUM

CVE-2016-6304

>= 0.10.0 and < 0.10.47

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to

7.5HIGH

CVE-2016-5172

>= 6.0.0 and <= 6.8.1

The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain

6.5MEDIUM

CVE-2016-6303

< 0.12.16

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a

9.8CRITICAL

CVE-2016-2183

>= 0.10.0 and < 0.10.47

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bou

7.5HIGH

CVE-2016-3956

all versions

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, an

7.5HIGH

CVE-2016-2178

>= 0.10.0 and < 0.10.47

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time o

5.5MEDIUM

CVE-2016-1669

>= 0.10.0 and < 0.10.46

The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly

8.8HIGH

CVE-2016-2107

>= 0.10.0 and < 0.10.45

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain pa

5.9MEDIUM

CVE-2016-2105

>= 0.10.0 and < 0.10.45

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows r

7.5HIGH

CVE-2016-2216

all versions

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, an

7.5HIGH

CVE-2016-2086

all versions

Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTT

7.5HIGH

CVE-2016-0797

>= 5.0.0 and < 5.7.1

Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of serv

7.5HIGH

CVE-2016-0702

>= 4.0.0 and <= 4.1.2

The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not

5.1MEDIUM

CVE-2015-8027

all versions

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP so

7.5HIGH

CVE-2015-3194

>= 0.10.0 and < 0.10.41

crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service

7.5HIGH

CVE-2015-3193

>= 4.0.0 and <= 4.1.2

The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as

7.5HIGH

CVE-2015-6764

>= 4.0.0 and <= 4.1.2

The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google

9.8CRITICAL

CVE-2015-5380

<= 0.12.5

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.

CVE-2015-0278

< 0.10.37

libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unsp

CVE-2014-7192

<= 0.10.32

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Appl

CVE-2014-7191

<= 0.10.18

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a

CVE-2014-6394

<= 0.8.3

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root,

CVE-2014-5256

all versions

Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garba

CVE-2014-0224

< 0.10.29

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec mes

7.4HIGH

CVE-2013-6668

>= 0.10.0 and < 0.10.31

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attacker

CVE-2013-4450

all versions

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (mem

CVE-2013-2882

>= 0.10.0 and < 0.10.16

Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have uns

CVE-2012-2330

<= 0.6.16

The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a

nodejs node.js