Nodejs : Security Vulnerabilities, CVEs,
The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string.
Max CVSS
6.4
EPSS Score
0.75%
Published
2012-08-13
Updated
2023-02-13
Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion."
Max CVSS
7.5
EPSS Score
1.14%
Published
2013-07-31
Updated
2022-08-16
CVE-2013-4450
Public exploit
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.
Max CVSS
5.0
EPSS Score
8.05%
Published
2013-10-21
Updated
2018-08-13
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Max CVSS
7.5
EPSS Score
0.96%
Published
2014-03-05
Updated
2022-08-16
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag.
Max CVSS
6.1
EPSS Score
0.10%
Published
2017-01-23
Updated
2017-01-24
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI.
Max CVSS
6.1
EPSS Score
0.08%
Published
2017-01-23
Updated
2017-01-24
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.
Max CVSS
6.1
EPSS Score
0.10%
Published
2017-01-23
Updated
2017-01-24
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings.
Max CVSS
6.1
EPSS Score
0.10%
Published
2017-01-23
Updated
2017-01-24
CVE-2014-0224
Public exploit
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Max CVSS
7.4
EPSS Score
97.41%
Published
2014-06-05
Updated
2022-08-16
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
Max CVSS
7.5
EPSS Score
0.67%
Published
2017-10-23
Updated
2017-11-15
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
Max CVSS
5.0
EPSS Score
2.74%
Published
2014-09-05
Updated
2015-05-12
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Max CVSS
5.0
EPSS Score
5.96%
Published
2014-10-19
Updated
2017-09-08
The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.
Max CVSS
8.1
EPSS Score
0.28%
Published
2020-02-11
Updated
2022-08-12
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
Max CVSS
6.1
EPSS Score
0.21%
Published
2017-01-23
Updated
2017-03-29
libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors.
Max CVSS
10.0
EPSS Score
0.70%
Published
2015-05-18
Updated
2023-02-12
node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption).
Max CVSS
6.8
EPSS Score
0.67%
Published
2017-09-20
Updated
2019-11-25
The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
Max CVSS
7.5
EPSS Score
0.45%
Published
2015-12-06
Updated
2023-02-13
crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
Max CVSS
7.5
EPSS Score
94.00%
Published
2015-12-06
Updated
2022-12-13
The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.
Max CVSS
7.5
EPSS Score
0.75%
Published
2015-07-09
Updated
2016-11-28
The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome before 47.0.2526.73, improperly loads array elements, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via crafted JavaScript code.
Max CVSS
9.8
EPSS Score
2.09%
Published
2015-12-06
Updated
2022-08-16
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.
Max CVSS
7.5
EPSS Score
0.36%
Published
2017-10-10
Updated
2017-10-27
Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.
Max CVSS
7.5
EPSS Score
3.34%
Published
2016-01-02
Updated
2017-07-01
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
Max CVSS
7.8
EPSS Score
0.24%
Published
2017-01-23
Updated
2017-01-26
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
Max CVSS
7.5
EPSS Score
0.18%
Published
2017-01-23
Updated
2017-01-24
The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
Max CVSS
5.1
EPSS Score
0.15%
Published
2016-03-03
Updated
2022-12-13