Filtered by vendor Nodejs
Subscriptions
Filtered by product Node.js
Subscriptions
Total
157 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-9841 | 9 Apple, Canonical, Debian and 6 more | 42 Iphone Os, Mac Os X, Tvos and 39 more | 2025-04-20 | 9.8 Critical |
| inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. | ||||
| CVE-2014-3744 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path. | ||||
| CVE-2015-7384 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service. | ||||
| CVE-2013-7451 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. | ||||
| CVE-2015-8855 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | ||||
| CVE-2015-8860 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. | ||||
| CVE-2016-9843 | 10 Apple, Canonical, Debian and 7 more | 27 Iphone Os, Mac Os X, Tvos and 24 more | 2025-04-20 | 9.8 Critical |
| The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. | ||||
| CVE-2014-9772 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. | ||||
| CVE-2013-7452 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. | ||||
| CVE-2015-2927 | 3 Debian, Nodejs, Uronode | 3 Debian Linux, Node.js, Uro Node | 2025-04-20 | N/A |
| node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption). | ||||
| CVE-2013-7453 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing. | ||||
| CVE-2013-7454 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. | ||||
| CVE-2016-9842 | 8 Apple, Canonical, Debian and 5 more | 22 Iphone Os, Mac Os X, Tvos and 19 more | 2025-04-20 | 8.8 High |
| The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. | ||||
| CVE-2017-1000381 | 4 C-ares, C-ares Project, Nodejs and 1 more | 4 C-ares, C-ares, Node.js and 1 more | 2025-04-20 | 7.5 High |
| The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. | ||||
| CVE-2017-11499 | 2 Nodejs, Redhat | 2 Node.js, Rhel Software Collections | 2025-04-20 | N/A |
| Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup. | ||||
| CVE-2017-15896 | 1 Nodejs | 1 Node.js | 2025-04-20 | 9.1 Critical |
| Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption. | ||||
| CVE-2017-15897 | 1 Nodejs | 1 Node.js | 2025-04-20 | 3.1 Low |
| Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases. | ||||
| CVE-2017-3731 | 3 Nodejs, Openssl, Redhat | 4 Node.js, Openssl, Enterprise Linux and 1 more | 2025-04-20 | 7.5 High |
| If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. | ||||
| CVE-2017-14919 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter. | ||||
| CVE-2017-3738 | 4 Debian, Nodejs, Openssl and 1 more | 5 Debian Linux, Node.js, Openssl and 2 more | 2025-04-20 | 5.9 Medium |
| There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository. | ||||