Vulnerabilities > Nodejs

DATE CVE VULNERABILITY TITLE RISK
2023-10-18 CVE-2023-39332 Path Traversal vulnerability in multiple products
Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects.
network
low complexity
nodejs fedoraproject CWE-22
critical
9.8
2023-10-12 CVE-2023-45143 Undici is an HTTP/1.1 client written from scratch for Node.js.
network
low complexity
nodejs fedoraproject
3.5
2023-10-10 CVE-2023-44487 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. 7.5
2023-09-12 CVE-2023-32005 Incorrect Permission Assignment for Critical Resource vulnerability in Nodejs Node.Js
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API.
network
low complexity
nodejs CWE-732
5.3
2023-09-12 CVE-2023-32558 Path Traversal vulnerability in Nodejs Node.Js
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal.
network
low complexity
nodejs CWE-22
7.5
2023-08-24 CVE-2023-32559 Unspecified vulnerability in Nodejs Node.Js
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
network
high complexity
nodejs
7.5
2023-08-21 CVE-2023-32002 Unspecified vulnerability in Nodejs Node.Js
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
network
low complexity
nodejs
critical
9.8
2023-08-15 CVE-2023-32003 Path Traversal vulnerability in multiple products
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack.
network
low complexity
nodejs fedoraproject CWE-22
5.3
2023-08-15 CVE-2023-32004 Path Traversal vulnerability in multiple products
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model.
network
low complexity
nodejs fedoraproject CWE-22
8.8
2023-08-15 CVE-2023-32006 The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
network
low complexity
nodejs fedoraproject
8.8