Vulnerabilities > Nodejs > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-07-21 CVE-2022-31151 Unspecified vulnerability in Nodejs Undici
Authorization headers are cleared on cross-origin redirect.
network
low complexity
nodejs
6.5
2022-07-19 CVE-2022-31150 Unspecified vulnerability in Nodejs Undici
undici is an HTTP/1.1 client, written from scratch for Node.js.
network
low complexity
nodejs
6.5
2022-07-14 CVE-2022-32210 Improper Certificate Validation vulnerability in Nodejs Undici
`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request & response data to the proxy.
network
high complexity
nodejs CWE-295
6.5
2022-07-14 CVE-2022-32213 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
6.5
2022-07-14 CVE-2022-32214 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests.
network
low complexity
llhttp nodejs debian stormshield CWE-444
6.5
2022-07-14 CVE-2022-32215 HTTP Request Smuggling vulnerability in multiple products
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers.
6.5
2022-07-14 CVE-2022-32222 Uncontrolled Search Path Element vulnerability in multiple products
A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.
network
low complexity
nodejs siemens CWE-427
5.3
2022-02-24 CVE-2021-44532 Improper Certificate Validation vulnerability in multiple products
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format.
network
low complexity
nodejs oracle debian CWE-295
5.3
2022-02-24 CVE-2021-44533 Improper Certificate Validation vulnerability in multiple products
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly.
network
low complexity
nodejs oracle debian CWE-295
5.3
2021-11-23 CVE-2021-3672 Cross-site Scripting vulnerability in multiple products
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking.
5.6