Node.js Exposure
Programming languages
Exposure score: 96
Sites using it: 532,066
Under exploitation: 0
Critical: 4
CVEs
127 results

CVE-2023-32559 | HIGH | EPSS 1.5%
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use

CVE-2023-32558 | — | EPSS 1.5%
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all u

CVE-2023-30585 | — | EPSS 1.5%
A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Nod

CVE-2023-30590 | — | EPSS 1.5%
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only gener

CVE-2023-32002 | CRITICAL | EPSS 1.4%
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. T

CVE-2024-27980 | HIGH | EPSS 1.4%
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject a

CVE-2025-23084 | MEDIUM | EPSS 1.4%
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.

CVE-2023-30586 | HIGH | EPSS 1.3%
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission mo

CVE-2023-39331 | HIGH | EPSS 1.3%
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability ari

CVE-2024-22025 | MEDIUM | EPSS 1.3%
A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fet

CVE-2023-46809 | HIGH | EPSS 1.3%
Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are

CVE-2025-23085 | MEDIUM | EPSS 1.3%
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid h

CVE-2023-32006 | HIGH | EPSS 1.3%
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition fo

CVE-2024-21896 | HIGH | EPSS 1.3%
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is

CVE-2024-21891 | HIGH | EPSS 1.2%
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-d

CVE-2023-32005 | MEDIUM | EPSS 1.2%
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read fla

CVE-2023-30588 | — | EPSS 1.2%
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs maki

CVE-2024-27982 | MEDIUM | EPSS 1.2%
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to

CVE-2023-38552 | — | EPSS 1.1%
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation a

CVE-2024-22020 | MEDIUM | EPSS 1.1%
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can e