Vulnerabilities > Nodejs > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-07-01 | CVE-2023-30586 | Missing Authorization vulnerability in Nodejs Node.Js 20.1.0/20.3.0 A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. | 7.5 |
2023-07-01 | CVE-2023-30589 | The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. | 7.5 |
2023-02-23 | CVE-2023-23918 | Incorrect Authorization vulnerability in Nodejs Node.Js A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). | 7.5 |
2023-02-23 | CVE-2023-23919 | Unspecified vulnerability in Nodejs Node.Js A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. | 7.5 |
2023-02-16 | CVE-2023-24807 | Unspecified vulnerability in Nodejs Undici Undici is an HTTP/1.1 client for Node.js. | 7.5 |
2022-12-05 | CVE-2022-43548 | OS Command Injection vulnerability in multiple products A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix. | 8.1 |
2022-11-01 | CVE-2022-3602 | Out-of-bounds Write vulnerability in multiple products A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. | 7.5 |
2022-11-01 | CVE-2022-3786 | Classic Buffer Overflow vulnerability in multiple products A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. | 7.5 |
2022-07-14 | CVE-2022-32212 | OS Command Injection vulnerability in multiple products A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. | 8.1 |
2022-07-14 | CVE-2022-32223 | Uncontrolled Search Path Element vulnerability in Nodejs Node.Js Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability. | 7.3 |