Filtered by vendor Nodejs
Subscriptions
Filtered by product Nodejs
Subscriptions
Total
9 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-30587 | 1 Nodejs | 1 Nodejs | 2024-09-09 | 7.5 High |
| A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | ||||
| CVE-2023-30584 | 1 Nodejs | 1 Nodejs | 2024-09-09 | 7.7 High |
| A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | ||||
| CVE-2023-30583 | 1 Nodejs | 1 Nodejs | 2024-09-09 | 7.5 High |
| fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | ||||
| CVE-2023-30582 | 1 Nodejs | 1 Nodejs | 2024-09-09 | 5.3 Medium |
| A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | ||||
| CVE-2024-36138 | 1 Nodejs | 1 Nodejs | 2024-09-09 | N/A |
| Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. | ||||
| CVE-2023-46809 | 2 Nodejs, Redhat | 3 Nodejs, Enterprise Linux, Rhel Eus | 2024-09-09 | 7.4 High |
| Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key. | ||||
| CVE-2012-2330 | 1 Nodejs | 1 Nodejs | 2024-08-06 | N/A |
| The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string. | ||||
| CVE-2013-4450 | 2 Nodejs, Redhat | 2 Nodejs, Rhel Software Collections | 2024-08-06 | N/A |
| The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response. | ||||
| CVE-2014-5256 | 2 Nodejs, Redhat | 2 Nodejs, Rhel Software Collections | 2024-08-06 | N/A |
| Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program stack. | ||||
Page 1 of 1.