Vulnerabilities > Nodejs > Node JS > 14.16.1

DATE CVE VULNERABILITY TITLE RISK
2023-02-23 CVE-2023-23918 Incorrect Authorization vulnerability in Nodejs Node.Js
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require().
network
low complexity
nodejs CWE-863
7.5
2023-02-23 CVE-2023-23919 Unspecified vulnerability in Nodejs Node.Js
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it.
network
low complexity
nodejs
7.5
2023-02-23 CVE-2023-23920 Untrusted Search Path vulnerability in multiple products
An untrusted search path vulnerability exists in Node.js.
local
low complexity
nodejs debian CWE-426
4.2
2022-12-05 CVE-2022-35256 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF.
network
low complexity
nodejs llhttp siemens debian CWE-444
6.5
2022-12-05 CVE-2022-43548 OS Command Injection vulnerability in multiple products
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
network
high complexity
nodejs debian CWE-78
8.1
2022-07-14 CVE-2022-32212 OS Command Injection vulnerability in multiple products
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
network
high complexity
nodejs debian fedoraproject siemens CWE-78
8.1
2022-07-14 CVE-2022-32213 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
6.5
2022-07-14 CVE-2022-32214 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.
network
low complexity
llhttp nodejs debian stormshield CWE-444
6.5
2022-07-14 CVE-2022-32215 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers.
6.5
2022-07-14 CVE-2022-32223 Uncontrolled Search Path Element vulnerability in Nodejs Node.Js
Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.
local
low complexity
nodejs CWE-427
7.3