Vulnerabilities in nodejs
114 results (first 20 shown below). Columns: CVE | severity | EPSS | description. Descriptions are truncated as on the original listing; an ellipsis marks where the text was cut off.

CVE-2022-31150 | MEDIUM | EPSS 1.2% | CRLF injection in request headers
CVE-2023-30588 | unrated | EPSS 1.2% | When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs maki…
CVE-2024-27982 | MEDIUM | EPSS 1.2% | The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to…
CVE-2023-23936 | MEDIUM | EPSS 1.1% | CRLF Injection in Nodejs 'undici' via host
CVE-2023-38552 | unrated | EPSS 1.1% | When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation a…
CVE-2024-22020 | MEDIUM | EPSS 1.1% | A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can e…
CVE-2024-36138 | HIGH | EPSS 1.1% | Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child…
CVE-2026-21637 | MEDIUM | EPSS 1.1% | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallba…`
CVE-2023-30581 | HIGH | EPSS 1.1% | The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.jso…
CVE-2023-32003 | MEDIUM | EPSS 1.0% | `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from…
CVE-2025-55131 | HIGH | EPSS 1.0% | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module wit…
CVE-2024-21890 | MEDIUM | EPSS 0.9% | The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path.
CVE-2023-39333 | MEDIUM | EPSS 0.9% | Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data…
CVE-2025-59465 | HIGH | EPSS 0.9% | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` er…
CVE-2024-22017 | HIGH | EPSS 0.9% | setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform…
CVE-2024-30261 | LOW | EPSS 0.8% | Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect…
CVE-2025-27209 | HIGH | EPSS 0.8% | The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the Has…
CVE-2024-24758 | LOW | EPSS 0.8% | Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
CVE-2025-23166 | HIGH | EPSS 0.8% | The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background t…
CVE-2023-30587 | HIGH | EPSS 0.7% | A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspect…