Exposure of Node.js

Programming languages

96

exposure score

532,066

sites use

0

exploited

4

critical

CVEs

127 results

CVE-2018-12120—Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `noEPSS 4.3%CVE-2018-12123—Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a NodEPSS 4.0%CVE-2023-30589—The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTPEPSS 3.9%CVE-2018-7159—The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 EPSS 3.6%CVE-2018-7158—The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in quEPSS 3.4%CVE-2018-7166—In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This mEPSS 3.2%CVE-2024-22019HIGHA vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resourEPSS 3.2%CVE-2021-22959—The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS)EPSS 2.9%CVE-2022-35256MEDIUMThe llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may resEPSS 2.6%CVE-2017-7474—It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypassEPSS 2.5%CVE-2017-15896—Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result wasEPSS 2.4%CVE-2017-15897—Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the EPSS 2.3%CVE-2021-22960—The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP ReqEPSS 2.3%CVE-2023-23919HIGHA cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL erroEPSS 2.2%CVE-2023-23918HIGHA privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimeEPSS 2.0%CVE-2022-35255CRITICALA weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGeEPSS 1.9%CVE-2023-39332—Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class exEPSS 1.8%CVE-2023-32004HIGHA vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improEPSS 1.8%CVE-2022-32222—A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf tEPSS 1.7%CVE-2022-32223—Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploiEPSS 1.6%

← previouspage 3 / 7next →

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →