Vulnerabilities > Nodejs

DATE CVE VULNERABILITY TITLE RISK
2022-12-05 CVE-2022-35255 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Nodejs Node.Js
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc.
network
low complexity
nodejs CWE-338
critical
9.1
2022-12-05 CVE-2022-35256 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF.
network
low complexity
nodejs llhttp CWE-444
6.5
2022-12-05 CVE-2022-43548 OS Command Injection vulnerability in Nodejs Node.Js
An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
network
high complexity
nodejs CWE-78
8.1
2022-11-01 CVE-2022-3602 Classic Buffer Overflow vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject netapp nodejs CWE-120
7.5
2022-11-01 CVE-2022-3786 Classic Buffer Overflow vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject nodejs CWE-120
7.5
2022-08-15 CVE-2022-35948 CRLF Injection vulnerability in Nodejs Undici
undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header.
network
low complexity
nodejs CWE-93
5.3
2022-08-12 CVE-2022-35949 Server-Side Request Forgery (SSRF) vulnerability in Nodejs Undici
undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`.
network
low complexity
nodejs CWE-918
critical
9.8
2022-07-21 CVE-2022-31151 Open Redirect vulnerability in Nodejs Undici
Authorization headers are cleared on cross-origin redirect.
network
low complexity
nodejs CWE-601
6.5
2022-07-19 CVE-2022-31150 CRLF Injection vulnerability in Nodejs Undici
undici is an HTTP/1.1 client, written from scratch for Node.js.
network
low complexity
nodejs CWE-93
6.5
2022-07-14 CVE-2022-32212 OS Command Injection vulnerability in multiple products
An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks.
network
high complexity
nodejs debian CWE-78
8.1