Vulnerabilities > Nodejs
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-05 | CVE-2022-35255 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Nodejs Node.Js A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. | 9.1 |
| 2022-12-05 | CVE-2022-35256 | HTTP Request Smuggling vulnerability in multiple products The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. | 6.5 |
| 2022-12-05 | CVE-2022-43548 | OS Command Injection vulnerability in Nodejs Node.Js A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix. | 8.1 |
| 2022-11-01 | CVE-2022-3602 | Classic Buffer Overflow vulnerability in multiple products A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. | 7.5 |
| 2022-11-01 | CVE-2022-3786 | Classic Buffer Overflow vulnerability in multiple products A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. | 7.5 |
| 2022-08-15 | CVE-2022-35948 | CRLF Injection vulnerability in Nodejs Undici undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. | 5.3 |
| 2022-08-12 | CVE-2022-35949 | Server-Side Request Forgery (SSRF) vulnerability in Nodejs Undici undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. | 9.8 |
| 2022-07-21 | CVE-2022-31151 | Open Redirect vulnerability in Nodejs Undici Authorization headers are cleared on cross-origin redirect. | 6.5 |
| 2022-07-19 | CVE-2022-31150 | CRLF Injection vulnerability in Nodejs Undici undici is an HTTP/1.1 client, written from scratch for Node.js. | 6.5 |
| 2022-07-14 | CVE-2022-32212 | OS Command Injection vulnerability in multiple products A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. | 8.1 |