Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:nodejs:node.js:*
  • Search Type: Search All
There are 70 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2021-22940

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Published: August 16, 2021; 3:15:13 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-22939

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

Published: August 16, 2021; 3:15:13 PM -0400
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2021-22931

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Published: August 16, 2021; 3:15:13 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2021-22921

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

Published: July 12, 2021; 7:15:08 AM -0400
V3.1: 7.8 HIGH
V2.0: 4.4 MEDIUM
CVE-2021-22918

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Published: July 12, 2021; 7:15:07 AM -0400
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2021-22884

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

Published: March 03, 2021; 1:15:14 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.1 MEDIUM
CVE-2021-22883

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

Published: March 03, 2021; 1:15:14 PM -0500
V3.1: 7.5 HIGH
V2.0: 7.8 HIGH
CVE-2020-8287

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Published: January 06, 2021; 4:15:14 PM -0500
V3.1: 6.5 MEDIUM
V2.0: 6.4 MEDIUM
CVE-2020-8265

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

Published: January 06, 2021; 4:15:14 PM -0500
V3.1: 8.1 HIGH
V2.0: 6.8 MEDIUM
CVE-2018-21270

Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).

Published: December 03, 2020; 4:15:11 PM -0500
V3.1: 6.5 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2020-8277

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.

Published: November 18, 2020; 8:15:12 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-8252

The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

Published: September 18, 2020; 5:15:13 PM -0400
V3.1: 7.8 HIGH
V2.0: 4.6 MEDIUM
CVE-2020-8251

Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.

Published: September 18, 2020; 5:15:13 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-8201

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in processing of carrier-return symbols in the HTTP header names.

Published: September 18, 2020; 5:15:12 PM -0400
V3.1: 7.4 HIGH
V2.0: 5.8 MEDIUM
CVE-2020-8174

napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.

Published: July 24, 2020; 6:15:12 PM -0400
V3.1: 8.1 HIGH
V2.0: 9.3 HIGH
CVE-2020-8172

TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.

Published: June 08, 2020; 10:15:13 AM -0400
V3.1: 7.4 HIGH
V2.0: 5.8 MEDIUM
CVE-2019-15606

Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons

Published: February 07, 2020; 10:15:11 AM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2019-15605

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Published: February 07, 2020; 10:15:11 AM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2019-15604

Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate

Published: February 07, 2020; 10:15:11 AM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2019-5739

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

Published: March 28, 2019; 1:29:01 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM