Node.js (nodejs/node.js) vulnerabilities

162 known vulnerabilities affecting nodejs/node.js.

Total CVEs: 162
CISA KEV: 1 (actively exploited)
Public exploits: 5
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 96, MEDIUM 47, LOW 1

Vulnerabilities

Page 2 of 9
CVE-2023-39331 | HIGH | CVSS 7.5 | Affected: ≥ 20.0.0, < 20.8.1 | Published: 2023-10-18
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please note that at the time this CVE was issued, the permission mod
Source: nvd
CVE-2023-44487 | HIGH | CVSS 7.5 | CWE-400 | KEV, PoC | Affected: ≥ 18.0.0, < 18.18.2; ≥ 20.0.0, < 20.8.1 | Published: 2023-10-10
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Source: nvd
CVE-2023-32558 | HIGH | CVSS 7.5 | CWE-22 | Affected: ≥ 20.0.0, < 20.5.1 | Published: 2023-09-12
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Source: nvd
CVE-2023-32005 | MEDIUM | CVSS 5.3 | CWE-732 | Affected: ≥ 20.0.0, < 20.5.1 | Published: 2023-09-12
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files t
Source: nvd
CVE-2023-32559 | HIGH | CVSS 7.5 | CWE-269 | Affected: ≥ 16.0.0, ≤ 16.20.1; ≥ 18.0.0, ≤ 18.17.0; +1 more | Published: 2023-08-24
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code, outside of the limits de
Source: nvd
CVE-2023-32002 | CRITICAL | CVSS 9.8 | CWE-288 | Affected: ≥ 16.0.0, ≤ 16.20.1; ≥ 18.0.0, ≤ 18.17.0; +1 more | Published: 2023-08-21
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. Please note that at the time this CVE was issued, the policy is an experimental f
Source: nvd
CVE-2023-32006 | HIGH | CVSS 8.8 | CWE-693 | Affected: ≥ 16.0.0, ≤ 16.20.1; ≥ 18.0.0, ≤ 18.17.0; +1 more | Published: 2023-08-15
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note that at the time this CVE was issued, the policy is a
Source: nvd
CVE-2023-32004 | HIGH | CVSS 8.8 | CWE-22 | Affected: ≥ 20.0.0, ≤ 20.5.0 | Published: 2023-08-15
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs, causing a path traversal bypass when verifying file permissions. This vulnerability affects all users using the experimental permission model in Node.js 20. Please n
Source: nvd
CVE-2023-32003 | MEDIUM | CVSS 5.3 | CWE-22 | Affected: ≥ 20.0.0, ≤ 20.5.0 | Published: 2023-08-15
`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API, and the impact is that a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please
Source: nvd
CVE-2023-30586 | HIGH | CVSS 7.5 | CWE-862 | Affected: ≥ 20.0.0, < 20.3.1 | Published: 2023-07-01
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible Ope
Source: nvd
CVE-2023-30589 | HIGH | CVSS 7.5 | Affected: ≥ 16.0.0, < 16.20.1; ≥ 18.0.0, < 18.16.1; +1 more | Published: 2023-07-01
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impa
Source: nvd
CVE-2023-23918 | HIGH | CVSS 7.5 | CWE-863 | Affected: ≥ 14.0.0, ≤ 14.14.0; ≥ 14.0.0, < 14.21.3; +5 more | Published: 2023-02-23
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permi
Source: nvd
CVE-2023-23919 | HIGH | CVSS 7.5 | CWE-310 | Affected: ≥ 14.0.0, ≤ 14.14.0; ≥ 14.0.0, < 14.21.3; +5 more | Published: 2023-02-23
A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of ser
Source: nvd
CVE-2023-23920 | MEDIUM | CVSS 4.2 | CWE-426 | Affected: ≥ 14.0.0, ≤ 14.14.0; ≥ 14.0.0, < 14.21.3; +5 more | Published: 2023-02-23
An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
Source: nvd
CVE-2023-23936 | MEDIUM | CVSS 5.4 | CWE-93 | Affected: ≥ 16.0.0, < 16.19.1; ≥ 18.0.0, < 18.14.1; +1 more | Published: 2023-02-16
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing it to undici.
Source: nvd
CVE-2022-35255 | CRITICAL | CVSS 9.1 | CWE-338 | Affected: ≥ 15.0.0, ≤ 15.14.0; ≥ 16.0.0, ≤ 16.12.0; +2 more | Published: 2022-12-05
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data
Source: nvd
CVE-2022-43548 | HIGH | CVSS 8.1 | Affected: ≥ 14.0.0, ≤ 14.14.0; ≥ 14.15.0, < 14.21.1; +5 more | Published: 2022-12-05
An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in https://cve.mitre.org/cgi-bin/cvenam
Source: nvd
CVE-2022-35256 | MEDIUM | CVSS 6.5 | CWE-444 | Affected: ≥ 14.0.0, ≤ 14.14.0; ≥ 14.15.0, < 14.20.1; +3 more | Published: 2022-12-05
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling.
Source: nvd
CVE-2022-3602 | HIGH | CVSS 7.5 | CWE-787 | Affected: ≥ 18.0.0, < 18.11.0; v18.12.0; +1 more | Published: 2022-11-01
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted
Source: nvd
CVE-2022-3786 | HIGH | CVSS 7.5 | CWE-120 | Affected: ≥ 18.0.0, < 18.11.0; v18.12.0; +1 more | Published: 2022-11-01
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted iss
Source: nvd