Vulnerabilities > Nodejs > High

DATE CVE VULNERABILITY TITLE RISK
2021-01-06 CVE-2020-8265 Use After Free vulnerability in multiple products
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation.
network
high complexity
nodejs debian fedoraproject oracle siemens CWE-416
8.1
2020-11-19 CVE-2020-8277 Resource Exhaustion vulnerability in multiple products
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses.
7.5
2020-09-18 CVE-2020-8252 Classic Buffer Overflow vulnerability in multiple products
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
local
low complexity
nodejs opensuse fedoraproject CWE-120
7.8
2020-09-18 CVE-2020-8251 Resource Exhaustion vulnerability in multiple products
Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
network
low complexity
nodejs fedoraproject CWE-400
7.5
2020-09-18 CVE-2020-8201 HTTP Request Smuggling vulnerability in multiple products
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users.
network
high complexity
nodejs opensuse fedoraproject CWE-444
7.4
2020-07-24 CVE-2020-8174 Integer Underflow (Wrap or Wraparound) vulnerability in multiple products
napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
network
high complexity
nodejs oracle netapp CWE-191
8.1
2020-06-08 CVE-2020-8172 Improper Certificate Validation vulnerability in multiple products
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
network
high complexity
nodejs oracle CWE-295
7.4
2020-06-03 CVE-2020-11080 Improper Enforcement of Message or Data Structure vulnerability in multiple products
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service.
7.5
2020-03-12 CVE-2020-10531 Integer Overflow or Wraparound vulnerability in multiple products
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1.
8.8
2020-02-11 CVE-2014-9748 Race Condition vulnerability in multiple products
The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.
network
high complexity
libuv nodejs CWE-362
8.1