Vulnerabilities > Nodejs > High

DATE CVE VULNERABILITY TITLE RISK
2023-08-15 CVE-2023-32004 Path Traversal vulnerability in multiple products
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model.
network
low complexity
nodejs fedoraproject CWE-22
8.8
2023-08-15 CVE-2023-32006 The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.
network
low complexity
nodejs fedoraproject
8.8
2023-07-01 CVE-2023-30586 Missing Authorization vulnerability in Nodejs Node.Js
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.
network
low complexity
nodejs CWE-862
7.5
2023-07-01 CVE-2023-30589 The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests.
network
low complexity
nodejs fedoraproject
7.5
2023-02-23 CVE-2023-23918 Incorrect Authorization vulnerability in Nodejs Node.Js
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require().
network
low complexity
nodejs CWE-863
7.5
2023-02-23 CVE-2023-23919 Unspecified vulnerability in Nodejs Node.Js
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it.
network
low complexity
nodejs
7.5
2023-02-16 CVE-2023-24807 Unspecified vulnerability in Nodejs Undici
Undici is an HTTP/1.1 client for Node.js.
network
low complexity
nodejs
7.5
2022-12-05 CVE-2022-43548 OS Command Injection vulnerability in multiple products
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
network
high complexity
nodejs debian CWE-78
8.1
2022-11-01 CVE-2022-3602 Out-of-bounds Write vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject netapp nodejs CWE-787
7.5
2022-11-01 CVE-2022-3786 Classic Buffer Overflow vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject nodejs CWE-120
7.5