Vulnerabilities > Nodejs
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-12 | CVE-2023-32005 | Incorrect Permission Assignment for Critical Resource vulnerability in Nodejs Node.Js A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. | 5.3 |
| 2023-09-12 | CVE-2023-32558 | Path Traversal vulnerability in Nodejs Node.Js The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. | 7.5 |
| 2023-08-24 | CVE-2023-32559 | Improper Privilege Management vulnerability in Nodejs Node.Js A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. | 7.5 |
| 2023-08-21 | CVE-2023-32002 | Unspecified vulnerability in Nodejs Node.Js The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. | 9.8 |
| 2023-08-15 | CVE-2023-32003 | Path Traversal vulnerability in multiple products `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. | 5.3 |
| 2023-08-15 | CVE-2023-32004 | Path Traversal vulnerability in multiple products A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. | 8.8 |
| 2023-08-15 | CVE-2023-32006 | The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. | 8.8 |
| 2023-07-01 | CVE-2023-30586 | Missing Authorization vulnerability in Nodejs Node.Js 20.0.0 A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. | 7.5 |
| 2023-07-01 | CVE-2023-30589 | The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. | 7.5 |
| 2023-02-23 | CVE-2023-23918 | Incorrect Authorization vulnerability in Nodejs Node.Js A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). | 7.5 |