Vulnerabilidades en NodeJS

114 resultados
CVE-2025-27210HIGHAn incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. EPSS 9.8%CVE-2021-44533Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craEPSS 9.4%CVE-2020-8265Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to EPSS 9.0%CVE-2020-8251Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unablEPSS 8.8%CVE-2021-44531Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bEPSS 8.4%CVE-2021-22921Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platformEPSS 7.4%CVE-2022-32212A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that EPSS 5.6%CVE-2020-8201Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The paylEPSS 5.1%CVE-2023-30589The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTPEPSS 3.9%CVE-2024-22019HIGHA vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resourEPSS 3.2%CVE-2021-22959The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS)EPSS 2.9%CVE-2022-35256MEDIUMThe llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may resEPSS 2.6%CVE-2021-22960The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP ReqEPSS 2.3%CVE-2023-23919HIGHA cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL erroEPSS 2.2%CVE-2023-23918HIGHA privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimeEPSS 2.0%CVE-2022-35255CRITICALA weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGeEPSS 1.9%CVE-2023-39332Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class exEPSS 1.8%CVE-2023-32004HIGHA vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improEPSS 1.8%CVE-2022-32222A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf tEPSS 1.7%CVE-2022-32223Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploiEPSS 1.6%