Vulnerabilities > Nodejs
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-23 | CVE-2023-30581 | Unspecified vulnerability in Nodejs Node.Js The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. | 7.5 |
| 2023-10-18 | CVE-2023-38552 | Insufficient Verification of Data Authenticity vulnerability in multiple products When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. | 7.5 |
| 2023-10-18 | CVE-2023-39331 | Path Traversal vulnerability in Nodejs Node.Js A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. | 7.5 |
| 2023-10-18 | CVE-2023-39332 | Path Traversal vulnerability in multiple products Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. | 9.8 |
| 2023-10-12 | CVE-2023-45143 | Undici is an HTTP/1.1 client written from scratch for Node.js. | 3.5 |
| 2023-10-10 | CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | 7.5 |
| 2023-09-12 | CVE-2023-32005 | Incorrect Permission Assignment for Critical Resource vulnerability in Nodejs Node.Js A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. | 5.3 |
| 2023-09-12 | CVE-2023-32558 | Path Traversal vulnerability in Nodejs Node.Js The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. | 7.5 |
| 2023-08-24 | CVE-2023-32559 | Unspecified vulnerability in Nodejs Node.Js A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. | 7.5 |
| 2023-08-21 | CVE-2023-32002 | Unspecified vulnerability in Nodejs Node.Js The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. | 9.8 |