Vulnerabilities > Nodejs > Node JS > High

DATE CVE VULNERABILITY TITLE RISK
2018-05-17 CVE-2018-7160 Authentication Bypass by Spoofing vulnerability in Nodejs Node.Js
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.
network
low complexity
nodejs CWE-290
8.8
2018-05-17 CVE-2018-7158 Unspecified vulnerability in Nodejs Node.Js
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector.
network
low complexity
nodejs
7.5
2018-05-08 CVE-2018-1000168 NULL Pointer Dereference vulnerability in multiple products
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service.
network
low complexity
nghttp2 nodejs debian CWE-476
7.5
2017-10-30 CVE-2017-14919 Improper Input Validation vulnerability in Nodejs Node.Js
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.
network
low complexity
nodejs CWE-20
7.5
2017-10-23 CVE-2014-3744 Path Traversal vulnerability in Nodejs Node.Js
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
network
low complexity
nodejs CWE-22
7.5
2017-10-10 CVE-2015-7384 Resource Exhaustion vulnerability in Nodejs Node.Js 4.0.0/4.1.0/4.1.1
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.
network
low complexity
nodejs CWE-400
7.5
2017-09-28 CVE-2017-14849 Path Traversal vulnerability in Nodejs Node.Js 8.5.0
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
network
low complexity
nodejs CWE-22
7.5
2017-07-25 CVE-2017-11499 Improper Input Validation vulnerability in Nodejs Node.Js
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js.
network
low complexity
nodejs CWE-20
7.5
2017-07-07 CVE-2017-1000381 Information Exposure vulnerability in multiple products
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
network
low complexity
c-ares-project c-ares nodejs CWE-200
7.5
2017-05-23 CVE-2016-9842 The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. 8.8