Vulnerabilities > Nodejs > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-04-04 CVE-2024-30260 Incorrect Authorization vulnerability in multiple products
Undici is an HTTP/1.1 client, written from scratch for Node.js.
network
low complexity
nodejs fedoraproject CWE-863
4.3
2024-02-16 CVE-2024-24750 Memory Leak vulnerability in Nodejs Undici
Undici is an HTTP/1.1 client, written from scratch for Node.js.
network
low complexity
nodejs CWE-401
6.5
2024-02-16 CVE-2024-24758 Unspecified vulnerability in Nodejs Undici
Undici is an HTTP/1.1 client, written from scratch for Node.js.
network
low complexity
nodejs
4.5
2023-11-28 CVE-2023-30588 Unspecified vulnerability in Nodejs Node.Js
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code.
network
low complexity
nodejs
5.3
2023-09-12 CVE-2023-32005 Incorrect Permission Assignment for Critical Resource vulnerability in Nodejs Node.Js
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API.
network
low complexity
nodejs CWE-732
5.3
2023-08-15 CVE-2023-32003 Path Traversal vulnerability in multiple products
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack.
network
low complexity
nodejs fedoraproject CWE-22
5.3
2023-02-23 CVE-2023-23920 Untrusted Search Path vulnerability in multiple products
An untrusted search path vulnerability exists in Node.js.
local
low complexity
nodejs debian CWE-426
4.2
2023-02-16 CVE-2023-23936 Injection vulnerability in Nodejs Undici
Undici is an HTTP/1.1 client for Node.js.
network
low complexity
nodejs CWE-74
5.4
2022-12-05 CVE-2022-35256 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF.
network
low complexity
nodejs llhttp siemens debian CWE-444
6.5
2022-08-15 CVE-2022-35948 Unspecified vulnerability in Nodejs Undici
undici is an HTTP/1.1 client, written from scratch for Node.js.`=< [email protected]` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header.
network
low complexity
nodejs
5.3