
Debian Nodejs vulnerabilities

134 known vulnerabilities affecting debian/nodejs.

Total CVEs: 134
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 33, MEDIUM 19, LOW 76

Vulnerabilities

CVE-2021-22959 | MEDIUM | CVSS 6.5 | fixed in nodejs 12.22.7~dfsg-1 (bookworm) | 2021
[MEDIUM] CVE-2021-22959: nodejs - The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
Scope: local
bookworm: resolved (fixed in 12.22.7~dfsg-1); bullseye: resolved (fixed in 12.22.12~dfsg-1~deb11u1); forky: resolved (fixed in 12.22.7~dfsg-1); sid: resolved (fixed in 12.22.7~dfsg-1)
debian
CVE-2021-22960 | MEDIUM | CVSS 6.5 | fixed in nodejs 12.22.7~dfsg-1 (bookworm) | 2021
[MEDIUM] CVE-2021-22960: nodejs - The parse function in llhttp < 2.1.4 and < 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
Scope: local
bookworm: resolved (fixed in 12.22.7~dfsg-1); bullseye: resolved (fixed in 12.22.12~dfsg-1~deb11u1); forky: resolved (fixed in 12.22.7~dfsg-1); sid: resolved (fixed in 12
debian
CVE-2021-22939 | MEDIUM | CVSS 5.3 | fixed in nodejs 12.22.5~dfsg-1 (bookworm) | 2021
[MEDIUM] CVE-2021-22939: nodejs - If the Node.js https API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
Scope: local
bookworm: resolved (fixed in 12.22.5~dfsg-1); bullseye: resolved (fixed in 12.22.5~dfsg-2~11u1); forky: resolved (fixed in 12.22.5~dfsg-1
debian
CVE-2021-44532 | MEDIUM | CVSS 5.3 | fixed in nodejs 12.22.9~dfsg-1 (bookworm) | 2021
[MEDIUM] CVE-2021-44532: nodejs - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name con
debian
CVE-2021-44533 | MEDIUM | CVSS 5.3 | fixed in nodejs 12.22.9~dfsg-1 (bookworm) | 2021
[MEDIUM] CVE-2021-44533: nodejs - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the
debian
CVE-2021-22921 | LOW | CVSS 7.8 | 2021
[HIGH] CVE-2021-22921: nodejs - Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
Scope: local
bookworm: resolved; bullseye: resolved
debian
CVE-2021-22931 | LOW | CVSS 9.8 | 2021
[CRITICAL] CVE-2021-22931: nodejs - Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
Scope: local
boo
debian
CVE-2020-8174 | HIGH | CVSS 8.1 | fixed in nodejs 10.21.0~dfsg-1 (bookworm) | 2020
[HIGH] CVE-2020-8174: nodejs - napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
Scope: local
bookworm: resolved (fixed in 10.21.0~dfsg-1); bullseye: resolved (fixed in 10.21.0~dfsg-1); forky: resolved (fixed in 10.21.0~dfsg-1); sid: resolved (fixed in 10.21.0~dfsg-1); trixie: resolved (fixed in 10.21.0~dfsg-1)
debian
CVE-2020-8265 | HIGH | CVSS 8.1 | fixed in nodejs 12.20.1~dfsg-1 (bookworm) | 2020
[HIGH] CVE-2020-8265: nodejs - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as par
debian
CVE-2020-8201 | HIGH | CVSS 7.4 | fixed in nodejs 12.18.4~dfsg-1 (bookworm) | 2020
[HIGH] CVE-2020-8201: nodejs - Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due to a bug in proc
debian
CVE-2020-8287 | MEDIUM | CVSS 6.5 | fixed in http-parser 2.9.4-5 (bookworm) | 2020
[MEDIUM] CVE-2020-8287: http-parser - Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
Scope: local
bookworm: resolved (fixed in 2.9.4-5); bullseye: resolved (fixed in
debian
CVE-2020-11080 | LOW | CVSS 3.7 | fixed in nghttp2 1.41.0-1 (bookworm) | 2020
[LOW] CVE-2020-11080: nghttp2 - In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. Ther
debian
CVE-2020-8251 | LOW | CVSS 7.5 | 2020
[HIGH] CVE-2020-8251: nodejs - Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
Scope: local
bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
debian
CVE-2020-8172 | LOW | CVSS 7.4 | 2020
[HIGH] CVE-2020-8172: nodejs - TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0.
Scope: local
bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
debian
CVE-2019-15605 | CRITICAL | CVSS 9.8 | fixed in http-parser 2.9.4-2 (bookworm) | 2019
[CRITICAL] CVE-2019-15605: http-parser - HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed.
Scope: local
bookworm: resolved (fixed in 2.9.4-2); bullseye: resolved (fixed in 2.9.4-2); forky: resolved (fixed in 2.9.4-2); sid: resolved (fixed in 2.9.4-2); trixie: resolved (fixed in 2.9.4-2)
debian
CVE-2019-15606 | CRITICAL | CVSS 9.8 | fixed in nodejs 10.19.0~dfsg-1 (bookworm) | 2019
[CRITICAL] CVE-2019-15606: nodejs - Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons.
Scope: local
bookworm: resolved (fixed in 10.19.0~dfsg-1); bullseye: resolved (fixed in 10.19.0~dfsg-1); forky: resolved (fixed in 10.19.0~dfsg-1); sid: resolved (fixed in 10.19.0~dfsg-1); trixie: resolved (fixed in 10.19.0~df
debian
CVE-2019-9514 | HIGH | CVSS 7.5 | fixed in h2o 2.2.5+dfsg2-3 (bookworm) | 2019
[HIGH] CVE-2019-9514: h2o - Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
Scope: local
book
debian
CVE-2019-9511 | HIGH | CVSS 7.5 | fixed in nghttp2 1.39.2-1 (bookworm) | 2019
[HIGH] CVE-2019-9511: nghttp2 - Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how
debian
CVE-2019-9513 | HIGH | CVSS 7.5 | fixed in nghttp2 1.39.2-1 (bookworm) | 2019
[HIGH] CVE-2019-9513: nghttp2 - Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
Scope: local
bookworm: resolved (fixed in 1.39.2-1); bullseye: resolved (fix
debian
CVE-2019-15604 | HIGH | CVSS 7.5 | fixed in nodejs 10.19.0~dfsg-1 (bookworm) | 2019
[HIGH] CVE-2019-15604: nodejs - Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate.
Scope: local
bookworm: resolved (fixed in 10.19.0~dfsg-1); bullseye: resolved (fixed in 10.19.0~dfsg-1); forky: resolved (fixed in 10.19.0~dfsg-1); sid: resolved (fixed in 10.19.0~dfsg-1); trixie: resolved (fixed in 10.19.0~dfsg-1)
debian