Vulnerabilities > Nodejs > Node JS > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-11-28 CVE-2023-30588 Unspecified vulnerability in Nodejs Node.Js
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code.
network
low complexity
nodejs
5.3
2023-09-12 CVE-2023-32005 Incorrect Permission Assignment for Critical Resource vulnerability in Nodejs Node.Js
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API.
network
low complexity
nodejs CWE-732
5.3
2023-08-15 CVE-2023-32003 Path Traversal vulnerability in multiple products
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack.
network
low complexity
nodejs fedoraproject CWE-22
5.3
2023-02-23 CVE-2023-23920 Untrusted Search Path vulnerability in multiple products
An untrusted search path vulnerability exists in Node.js.
local
low complexity
nodejs debian CWE-426
4.2
2023-02-16 CVE-2023-23936 Injection vulnerability in Nodejs Undici
Undici is an HTTP/1.1 client for Node.js.
network
low complexity
nodejs CWE-74
5.4
2022-12-05 CVE-2022-35256 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF.
network
low complexity
nodejs llhttp siemens debian CWE-444
6.5
2022-07-14 CVE-2022-32213 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
6.5
2022-07-14 CVE-2022-32214 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.
network
low complexity
llhttp nodejs debian stormshield CWE-444
6.5
2022-07-14 CVE-2022-32215 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers.
6.5
2022-07-14 CVE-2022-32222 Uncontrolled Search Path Element vulnerability in multiple products
A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.
network
low complexity
nodejs siemens CWE-427
5.3