Vulnerabilities > Nodejs > Node JS > High

DATE CVE VULNERABILITY TITLE RISK
2017-05-23 CVE-2016-9840 inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. 8.8
2017-05-04 CVE-2017-3731 Out-of-bounds Read vulnerability in multiple products
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash.
network
low complexity
openssl nodejs CWE-125
7.5
2017-01-23 CVE-2015-8860 Link Following vulnerability in Nodejs Node.Js
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
network
low complexity
nodejs CWE-59
7.5
2017-01-23 CVE-2015-8855 Resource Management Errors vulnerability in Nodejs Node.Js
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
network
low complexity
nodejs CWE-399
7.5
2016-09-26 CVE-2016-7052 NULL Pointer Dereference vulnerability in multiple products
crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
network
low complexity
novell openssl nodejs CWE-476
7.5
2016-09-26 CVE-2016-6304 Memory Leak vulnerability in multiple products
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
network
low complexity
openssl nodejs novell CWE-401
7.5
2016-09-01 CVE-2016-2183 Information Exposure vulnerability in multiple products
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
network
low complexity
redhat python cisco openssl oracle nodejs CWE-200
7.5
2016-07-02 CVE-2016-3956 Information Exposure vulnerability in multiple products
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
network
low complexity
ibm nodejs npmjs CWE-200
7.5
2016-05-14 CVE-2016-1669 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code.
network
low complexity
debian google opensuse nodejs canonical CWE-119
8.8
2016-05-05 CVE-2016-2105 Integer Overflow or Wraparound vulnerability in multiple products
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
7.5