Vulnerabilities in NodeJS
114 resultsCVE-2023-32559HIGHA privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use EPSS 1.5%CVE-2023-32558—The use of the deprecated API `process.binding()` can bypass the permission model through path traversal.
This vulnerability affects all uEPSS 1.5%CVE-2023-30585—A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install NodEPSS 1.5%CVE-2023-30590—The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generEPSS 1.5%CVE-2023-32002CRITICALThe use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
TEPSS 1.4%CVE-2022-35949MEDIUM`undici.request` vulnerable to SSRF using absolute URL on `pathname`EPSS 1.4%CVE-2024-27980HIGHDue to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject aEPSS 1.4%CVE-2025-23084MEDIUMA vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.EPSS 1.4%CVE-2023-30586HIGHA privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission moEPSS 1.3%CVE-2023-39331HIGHA previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability ariEPSS 1.3%CVE-2023-24807HIGHUndici vulnerable to Regular Expression Denial of Service in HeadersEPSS 1.3%CVE-2024-22025MEDIUMA vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetEPSS 1.3%CVE-2023-46809HIGHNode.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched areEPSS 1.3%CVE-2025-23085MEDIUMA memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid hEPSS 1.3%CVE-2023-32006HIGHThe use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition foEPSS 1.3%CVE-2024-21896HIGHThe permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path isEPSS 1.3%CVE-2024-21891HIGHNode.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-dEPSS 1.2%CVE-2023-45143LOWUndici's cookie header not cleared on cross-origin redirect in fetchEPSS 1.2%CVE-2022-35948MEDIUMCRLF Injection in Nodejs ‘undici’ via Content-TypeEPSS 1.2%CVE-2023-32005MEDIUMA vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flaEPSS 1.2%