Vulnerabilities > Nodejs

DATE CVE VULNERABILITY TITLE RISK
2021-01-06 CVE-2020-8287 HTTP Request Smuggling vulnerability in multiple products
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields).
network
low complexity
nodejs debian fedoraproject CWE-444
6.4
2021-01-06 CVE-2020-8265 Use After Free vulnerability in multiple products
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation.
6.8
2020-12-03 CVE-2018-21270 Out-Of-Bounds Read vulnerability in Nodejs Node.js
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
network
low complexity
nodejs CWE-125
6.4
2020-11-19 CVE-2020-8277 Resource Exhaustion vulnerability in multiple products
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses.
network
low complexity
nodejs fedoraproject CWE-400
5.0
2020-09-18 CVE-2020-8252 Classic Buffer Overflow vulnerability in multiple products
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
local
low complexity
nodejs opensuse CWE-120
4.6
2020-09-18 CVE-2020-8251 Resource Exhaustion vulnerability in Nodejs Node.js
Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
network
low complexity
nodejs CWE-400
5.0
2020-09-18 CVE-2020-8201 HTTP Request Smuggling vulnerability in multiple products
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users.
5.8
2020-07-24 CVE-2020-8174 Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Nodejs Node.js
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
network
nodejs CWE-119
critical
9.3
2020-06-08 CVE-2020-8172 Improper Certificate Validation vulnerability in Nodejs Node.js
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
network
nodejs CWE-295
5.8
2020-02-07 CVE-2019-15606 Incorrect Authorization vulnerability in Nodejs Node.js
Including trailing white space in HTTP header values in Node.js 10, 12, and 13 causes bypass of authorization based on header value comparisons.
network
low complexity
nodejs CWE-863
7.5