Vulnerabilities > Nodejs
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-07-21 | CVE-2022-31151 | Open Redirect vulnerability in Nodejs Undici Authorization headers are cleared on cross-origin redirect. | 6.5 |
| 2022-07-19 | CVE-2022-31150 | CRLF Injection vulnerability in Nodejs Undici undici is an HTTP/1.1 client, written from scratch for Node.js. | 6.5 |
| 2022-07-14 | CVE-2022-32210 | Improper Certificate Validation vulnerability in Nodejs Undici `Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy. | 6.5 |
| 2022-07-14 | CVE-2022-32212 | OS Command Injection vulnerability in multiple products A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. | 8.1 |
| 2022-07-14 | CVE-2022-32213 | HTTP Request Smuggling vulnerability in multiple products The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). | 6.5 |
| 2022-07-14 | CVE-2022-32214 | HTTP Request Smuggling vulnerability in multiple products The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. | 6.5 |
| 2022-07-14 | CVE-2022-32215 | HTTP Request Smuggling vulnerability in multiple products The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. | 6.5 |
| 2022-07-14 | CVE-2022-32222 | Uncontrolled Search Path Element vulnerability in multiple products A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3. | 5.3 |
| 2022-07-14 | CVE-2022-32223 | Uncontrolled Search Path Element vulnerability in Nodejs Node.Js Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability. | 7.3 |
| 2022-03-15 | CVE-2022-0778 | Infinite Loop vulnerability in multiple products The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. | 7.5 |