Vulnerabilities > Nodejs

DATE CVE VULNERABILITY TITLE RISK
2022-11-01 CVE-2022-3602 Out-of-bounds Write vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject netapp nodejs CWE-787
7.5
2022-11-01 CVE-2022-3786 Classic Buffer Overflow vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject nodejs CWE-120
7.5
2022-08-15 CVE-2022-35948 Unspecified vulnerability in Nodejs Undici
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< [email protected]` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header.
network
low complexity
nodejs
5.3
2022-08-12 CVE-2022-35949 Unspecified vulnerability in Nodejs Undici
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`.
network
low complexity
nodejs
critical
9.8
2022-07-21 CVE-2022-31151 Unspecified vulnerability in Nodejs Undici
Authorization headers are cleared on cross-origin redirect.
network
low complexity
nodejs
6.5
2022-07-19 CVE-2022-31150 Unspecified vulnerability in Nodejs Undici
undici is an HTTP/1.1 client, written from scratch for Node.js.
network
low complexity
nodejs
6.5
2022-07-14 CVE-2022-32210 Improper Certificate Validation vulnerability in Nodejs Undici
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy.
network
high complexity
nodejs CWE-295
6.5
2022-07-14 CVE-2022-32212 OS Command Injection vulnerability in multiple products
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
network
high complexity
nodejs debian fedoraproject siemens CWE-78
8.1
2022-07-14 CVE-2022-32213 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
6.5
2022-07-14 CVE-2022-32214 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.
network
low complexity
llhttp nodejs debian stormshield CWE-444
6.5