Vulnerabilities > Nodejs > High

DATE CVE VULNERABILITY TITLE RISK
2023-07-01 CVE-2023-30586 Missing Authorization vulnerability in Nodejs Node.Js
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.
network
low complexity
nodejs CWE-862
7.5
2023-07-01 CVE-2023-30589 The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests.
network
low complexity
nodejs fedoraproject
7.5
2023-02-23 CVE-2023-23918 Incorrect Authorization vulnerability in Nodejs Node.Js
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require().
network
low complexity
nodejs CWE-863
7.5
2023-02-23 CVE-2023-23919 Unspecified vulnerability in Nodejs Node.Js
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it.
network
low complexity
nodejs
7.5
2023-02-16 CVE-2023-24807 Unspecified vulnerability in Nodejs Undici
Undici is an HTTP/1.1 client for Node.js.
network
low complexity
nodejs
7.5
2022-12-05 CVE-2022-43548 OS Command Injection vulnerability in multiple products
A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix.
network
high complexity
nodejs debian CWE-78
8.1
2022-11-01 CVE-2022-3602 Out-of-bounds Write vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject netapp nodejs CWE-787
7.5
2022-11-01 CVE-2022-3786 Classic Buffer Overflow vulnerability in multiple products
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
network
low complexity
openssl fedoraproject nodejs CWE-120
7.5
2022-07-14 CVE-2022-32212 OS Command Injection vulnerability in multiple products
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
network
high complexity
nodejs debian fedoraproject siemens CWE-78
8.1
2022-07-14 CVE-2022-32223 Uncontrolled Search Path Element vulnerability in Nodejs Node.Js
Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.
local
low complexity
nodejs CWE-427
7.3