Vulnerabilities > Nodejs > High

DATE CVE VULNERABILITY TITLE RISK
2016-09-01 CVE-2016-2183 Information Exposure vulnerability in multiple products
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
network
low complexity
redhat python cisco openssl oracle nodejs CWE-200
7.5
2016-07-02 CVE-2016-3956 Information Exposure vulnerability in multiple products
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.
network
low complexity
ibm nodejs npmjs CWE-200
7.5
2016-05-14 CVE-2016-1669 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code.
network
low complexity
debian google opensuse nodejs canonical CWE-119
8.8
2016-05-05 CVE-2016-2105 Integer Overflow or Wraparound vulnerability in multiple products
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
7.5
2016-04-07 CVE-2016-2216 Improper Input Validation vulnerability in multiple products
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
network
low complexity
nodejs fedoraproject CWE-20
7.5
2016-04-07 CVE-2016-2086 Improper Input Validation vulnerability in multiple products
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
network
low complexity
nodejs fedoraproject CWE-20
7.5
2016-03-03 CVE-2016-0797 Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.
network
low complexity
openssl nodejs canonical debian
7.5
2016-01-02 CVE-2015-8027 Code vulnerability in Nodejs Node.Js
Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.
network
low complexity
nodejs CWE-17
7.5
2015-12-06 CVE-2015-3194 NULL Pointer Dereference vulnerability in multiple products
crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
network
low complexity
openssl canonical debian nodejs CWE-476
7.5
2015-12-06 CVE-2015-3193 Information Exposure vulnerability in multiple products
The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
network
low complexity
openssl nodejs canonical CWE-200
7.5