Vulnerabilities in NodeJS
114 results

CVE-2025-22150 | MEDIUM | EPSS 0.7%
Undici Uses Insufficiently Random Values

CVE-2024-30260 | LOW | EPSS 0.7%
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline

CVE-2023-30583 | HIGH | EPSS 0.7%
fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in

CVE-2020-8252 | — | EPSS 0.7%
The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which

CVE-2024-24750 | MEDIUM | EPSS 0.7%
Backpressure request ignored in fetch() in Undici

CVE-2026-21636 | MEDIUM | EPSS 0.7%
A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabl

CVE-2025-59466 | MEDIUM | EPSS 0.6%
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.crea

CVE-2023-30582 | MEDIUM | EPSS 0.6%
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read fla

CVE-2022-31151 | LOW | EPSS 0.6%
Uncleared cookies on cross-host/cross-origin redirect in undici

CVE-2024-21892 | HIGH | EPSS 0.6%
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with

CVE-2025-55130 | HIGH | EPSS 0.5%
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relativ

CVE-2025-23165 | LOW | EPSS 0.5%
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated

CVE-2023-23920 | MEDIUM | EPSS 0.5%
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search a

CVE-2024-38372 | LOW | EPSS 0.5%
Undici vulnerable to data leak when using response.arrayBuffer()

CVE-2025-23167 | MEDIUM | EPSS 0.5%
A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This in

CVE-2024-22018 | LOW | EPSS 0.5%
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used.

CVE-2026-21714 | MEDIUM | EPSS 0.5%
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow c

CVE-2024-37372 | LOW | EPSS 0.4%
The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not alw

CVE-2026-22036 | MEDIUM | EPSS 0.4%
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

CVE-2025-23083 | HIGH | EPSS 0.4%
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only t