Vulnerabilities > Nodejs
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-24 | CVE-2022-21824 | Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". | 8.2 |
| 2021-12-14 | CVE-2021-4044 | Infinite Loop vulnerability in multiple products Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. | 7.5 |
| 2021-11-23 | CVE-2021-3672 | Cross-site Scripting vulnerability in multiple products A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. | 5.6 |
| 2021-10-07 | CVE-2021-22930 | Use After Free vulnerability in multiple products Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. | 9.8 |
| 2021-08-16 | CVE-2021-22931 | Improper Input Validation vulnerability in multiple products Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. | 9.8 |
| 2021-08-16 | CVE-2021-22939 | Improper Certificate Validation vulnerability in multiple products If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. | 5.3 |
| 2021-08-16 | CVE-2021-22940 | Use After Free vulnerability in multiple products Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. | 7.5 |
| 2021-07-12 | CVE-2021-22918 | Out-of-bounds Read vulnerability in multiple products Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. | 5.3 |
| 2021-07-12 | CVE-2021-22921 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. | 7.8 |
| 2021-03-25 | CVE-2021-3450 | Improper Certificate Validation vulnerability in multiple products The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. | 7.4 |