Vulnerabilities > Nodejs > Node JS > High

DATE CVE VULNERABILITY TITLE RISK
2023-11-28 CVE-2023-30590 Unspecified vulnerability in Nodejs Node.Js
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey().
network
low complexity
nodejs
7.5
2023-11-28 CVE-2023-30585 Unspecified vulnerability in Nodejs Node.Js
A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer.
network
low complexity
nodejs
7.5
2023-11-23 CVE-2023-30581 Unspecified vulnerability in Nodejs Node.Js
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition.
network
low complexity
nodejs
7.5
2023-10-18 CVE-2023-38552 Insufficient Verification of Data Authenticity vulnerability in multiple products
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.
network
low complexity
nodejs fedoraproject CWE-345
7.5
2023-10-18 CVE-2023-39331 Path Traversal vulnerability in Nodejs Node.Js
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6.
network
low complexity
nodejs CWE-22
7.5
2023-10-10 CVE-2023-44487 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. 7.5
2023-09-12 CVE-2023-32558 Path Traversal vulnerability in Nodejs Node.Js
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal.
network
low complexity
nodejs CWE-22
7.5
2023-08-24 CVE-2023-32559 Unspecified vulnerability in Nodejs Node.Js
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
network
high complexity
nodejs
7.5
2023-08-15 CVE-2023-32004 Path Traversal vulnerability in multiple products
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model.
network
low complexity
nodejs fedoraproject CWE-22
8.8
2023-08-15 CVE-2023-32006 The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
network
low complexity
nodejs fedoraproject
8.8