The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string.
Max CVSS
6.4
EPSS Score
0.75%
Published
2012-08-13
Updated
2023-02-13
Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion."
Max CVSS
7.5
EPSS Score
1.14%
Published
2013-07-31
Updated
2022-08-16

CVE-2013-4450

Public exploit
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.
Max CVSS
5.0
EPSS Score
8.05%
Published
2013-10-21
Updated
2018-08-13
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
Max CVSS
7.5
EPSS Score
0.96%
Published
2014-03-05
Updated
2022-08-16
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag.
Max CVSS
6.1
EPSS Score
0.10%
Published
2017-01-23
Updated
2017-01-24
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI.
Max CVSS
6.1
EPSS Score
0.08%
Published
2017-01-23
Updated
2017-01-24
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.
Max CVSS
6.1
EPSS Score
0.10%
Published
2017-01-23
Updated
2017-01-24
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings.
Max CVSS
6.1
EPSS Score
0.10%
Published
2017-01-23
Updated
2017-01-24

CVE-2014-0224

Public exploit
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Max CVSS
7.4
EPSS Score
97.41%
Published
2014-06-05
Updated
2022-08-16
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
Max CVSS
7.5
EPSS Score
0.67%
Published
2017-10-23
Updated
2017-11-15
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack.
Max CVSS
5.0
EPSS Score
2.74%
Published
2014-09-05
Updated
2015-05-12
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Max CVSS
5.0
EPSS Score
5.96%
Published
2014-10-19
Updated
2017-09-08
The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.
Max CVSS
8.1
EPSS Score
0.28%
Published
2020-02-11
Updated
2022-08-12
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
Max CVSS
6.1
EPSS Score
0.21%
Published
2017-01-23
Updated
2017-03-29
libuv before 0.10.34 does not properly drop group privileges, which allows context-dependent attackers to gain privileges via unspecified vectors.
Max CVSS
10.0
EPSS Score
0.70%
Published
2015-05-18
Updated
2023-02-12
node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption).
Max CVSS
6.8
EPSS Score
0.67%
Published
2017-09-20
Updated
2019-11-25
The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
Max CVSS
7.5
EPSS Score
0.45%
Published
2015-12-06
Updated
2023-02-13
crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
Max CVSS
7.5
EPSS Score
94.00%
Published
2015-12-06
Updated
2022-12-13
The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted byte sequence.
Max CVSS
7.5
EPSS Score
0.75%
Published
2015-07-09
Updated
2016-11-28
The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome before 47.0.2526.73, improperly loads array elements, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via crafted JavaScript code.
Max CVSS
9.8
EPSS Score
2.09%
Published
2015-12-06
Updated
2022-08-16
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.
Max CVSS
7.5
EPSS Score
0.36%
Published
2017-10-10
Updated
2017-10-27
Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.
Max CVSS
7.5
EPSS Score
3.34%
Published
2016-01-02
Updated
2017-07-01
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
Max CVSS
7.8
EPSS Score
0.24%
Published
2017-01-23
Updated
2017-01-26
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
Max CVSS
7.5
EPSS Score
0.18%
Published
2017-01-23
Updated
2017-01-24
The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
Max CVSS
5.1
EPSS Score
0.15%
Published
2016-03-03
Updated
2022-12-13
168 vulnerabilities found
1 2 3 4 5 6 7
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!