Vulnerabilities > Nodejs

DATE CVE VULNERABILITY TITLE RISK
2023-09-12 CVE-2023-32558 Path Traversal vulnerability in Nodejs Node.Js
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal.
network
low complexity
nodejs CWE-22
7.5
2023-08-24 CVE-2023-32559 Unspecified vulnerability in Nodejs Node.Js
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.
network
high complexity
nodejs
7.5
2023-08-21 CVE-2023-32002 Unspecified vulnerability in Nodejs Node.Js
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
network
low complexity
nodejs
critical
9.8
2023-08-15 CVE-2023-32003 Path Traversal vulnerability in multiple products
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack.
network
low complexity
nodejs fedoraproject CWE-22
5.3
2023-08-15 CVE-2023-32004 Path Traversal vulnerability in multiple products
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model.
network
low complexity
nodejs fedoraproject CWE-22
8.8
2023-08-15 CVE-2023-32006 The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
network
low complexity
nodejs fedoraproject
8.8
2023-07-01 CVE-2023-30586 Missing Authorization vulnerability in Nodejs Node.Js 20.1.0/20.3.0
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.
network
low complexity
nodejs CWE-862
7.5
2023-07-01 CVE-2023-30589 The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests.
network
low complexity
nodejs fedoraproject
7.5
2023-02-23 CVE-2023-23918 Incorrect Authorization vulnerability in Nodejs Node.Js
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require().
network
low complexity
nodejs CWE-863
7.5
2023-02-23 CVE-2023-23919 Unspecified vulnerability in Nodejs Node.Js
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it.
network
low complexity
nodejs
7.5