cvebase

Nodejs Node vulnerabilities

102 known vulnerabilities affecting nodejs/node.

Total CVEs: 102
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 48, MEDIUM 35, LOW 9

Vulnerabilities

Page 1 of 6
CVE-2024-27983 | P2 | HIGH | CVSS 8.2 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +16 more | 2024-04-09
CWE-362: An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggerin
nvd
CVE-2019-15605 | P2 | CRITICAL | CVSS 9.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +8 more | 2020-02-07
CWE-444: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
nvd
CVE-2021-22883 | P2 | HIGH | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +10 more | 2021-03-03
CWE-400: Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also
nvd
CVE-2021-22931 | P2 | CRITICAL | CVSS 9.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +11 more | 2021-08-16
CWE-170: Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
nvd
CVE-2021-22930 | P2 | CRITICAL | CVSS 9.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +11 more | 2021-10-07
CWE-416: Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
nvd
CVE-2019-15606 | P2 | CRITICAL | CVSS 9.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +8 more | 2020-02-07
CWE-20: Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons
nvd
CVE-2026-21636 | P2 | CRITICAL | CVSS 10.0 | ≥ 25.2.1, ≤ 25.2.1 | 2026-01-20
CWE-284: A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary
nvd
CVE-2022-32214 | P3 | MEDIUM | CVSS 6.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +13 more | 2022-07-14
CWE-444: The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
nvd
CVE-2020-8277 | P3 | HIGH | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +9 more | 2020-11-19
CWE-400: A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
nvd
CVE-2025-55130 | P2 | CRITICAL | CVSS 9.1 | ≥ 20.19.6, ≤ 20.19.6 | ≥ 22.21.1, ≤ 22.21.1 | +2 more | 2026-01-20
CWE-289: A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees
nvd
CVE-2026-21710 | P3 | HIGH | CVSS 7.5 | ≥ 20.20.1, ≤ 20.20.1 | ≥ 22.22.1, ≤ 22.22.1 | +18 more | 2026-03-30
CWE-770: A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown sync
nvd
CVE-2022-32215 | P3 | MEDIUM | CVSS 6.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +13 more | 2022-07-14
CWE-444: The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
nvd
CVE-2022-21824 | P3 | HIGH | CVSS 8.2 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +12 more | 2022-02-24
CWE-471: Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an em
nvd
CVE-2018-7160 | P3 | HIGH | CVSS 8.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +10 more | 2018-05-17
CWE-350: The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebin
nvd
CVE-2024-21896 | P3 | CRITICAL | CVSS 9.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +15 more | 2024-02-20
CWE-27: The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application c
nvd
CVE-2020-8265 | P3 | HIGH | CVSS 8.1 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +10 more | 2021-01-06
CWE-416: Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to th
nvd
CVE-2019-15604 | P3 | HIGH | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +8 more | 2020-02-07
CWE-295: Improper Certificate Validation in Node.js 10, 12, and 13 causes the process to abort when sending a crafted X.509 certificate
nvd
CVE-2021-44531 | P3 | HIGH | CVSS 7.4 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +12 more | 2022-02-24
CWE-295: Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, N
nvd
CVE-2022-32212 | P3 | HIGH | CVSS 8.1 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +14 more | 2022-07-14
CWE-284: An OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests allowing rebinding attacks.
nvd
CVE-2024-27980 | P3 | HIGH | CVSS 8.1 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +17 more | 2025-01-09
CWE-77: Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
nvd