Nodejs Node vulnerabilities
102 known vulnerabilities affecting nodejs/node.
Total CVEs: 102
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 48, MEDIUM 35, LOW 9
Vulnerabilities
Page 2 of 6
CVE-2025-55131 [HIGH] CWE-120 | P3 | CVSS 7.1 | ≥ 20.19.6, ≤ 20.19.6 | ≥ 22.21.1, ≤ 22.21.1 | +17 more | 2026-01-20
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-proc
nvd
CVE-2021-22940 [HIGH] CWE-416 | P3 | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +11 more | 2021-08-16
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
nvd
CVE-2026-48930 [CRITICAL] CWE-284 | P3 | CVSS 9.8 | ≥ 22.22.3, ≤ 22.22.3 | ≥ 24.16.0, ≤ 24.16.0 | +1 more | 2026-06-26
A flaw in Node.js TLS hostname handling means embedded-nul hostnames can lead to silent authority rebinding due to C-string truncation in resolver bindings.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
nvd
CVE-2023-32004 [HIGH] CWE-22 | P3 | CVSS 8.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +13 more | 2023-08-15
A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of Buffers in file system APIs causing a traversal path to bypass when verifying file permissions.
This vulnerability affects all users using the experimental permission model in Node.js 20.
Please n
nvd
CVE-2023-32006 [HIGH] CWE-693 | P3 | CVSS 8.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +15 more | 2023-08-15
The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x.
Please note that at the time this CVE was issued, the policy is a
nvd
CVE-2024-21891 [HIGH] CWE-22 | P3 | CVSS 8.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +15 more | 2024-02-20
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack.
This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21.
Please
nvd
CVE-2022-32213 [MEDIUM] CWE-444 | P3 | CVSS 6.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +13 more | 2022-07-14
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).
nvd
CVE-2023-32002 [CRITICAL] CWE-288 | P3 | CVSS 9.8 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +15 more | 2023-08-21
The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.
This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x.
Please note that at the time this CVE was issued, the policy is an experimental f
nvd
CVE-2020-8201 [HIGH] CWE-444 | P3 | CVSS 7.4 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +8 more | 2020-09-18
Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. The attack was possible due t
nvd
CVE-2022-35255 [CRITICAL] CWE-338 | P3 | CVSS 9.1 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +11 more | 2022-12-05
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data
nvd
CVE-2025-59465 [HIGH] CWE-400 | P3 | CVSS 7.5 | ≥ 20.19.6, ≤ 20.19.6 | ≥ 22.21.1, ≤ 22.21.1 | +17 more | 2026-01-20
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure socket
nvd
CVE-2023-32559 [HIGH] CWE-269 | P3 | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +15 more | 2023-08-24
A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` to run arbitrary code, outside of the limits de
nvd
CVE-2023-23918 [HIGH] CWE-863 | P3 | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +14 more | 2023-02-23
A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permi
nvd
CVE-2026-48933 [HIGH] CWE-190 | P3 | CVSS 7.5 | ≥ 22.22.3, ≤ 22.22.3 | ≥ 24.16.0, ≤ 24.16.0 | +1 more | 2026-06-26
A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
nvd
CVE-2023-30589 [HIGH] | P3 | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +15 more | 2023-07-01
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impa
nvd
CVE-2024-22019 [HIGH] CWE-404 | P3 | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +16 more | 2024-02-20
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network ba
nvd
CVE-2020-8287 [MEDIUM] CWE-444 | P3 | CVSS 6.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +10 more | 2021-01-06
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.
nvd
CVE-2023-30585 [HIGH] | P3 | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +15 more | 2023-11-28
A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variabl
nvd
CVE-2023-30590 [HIGH] | P3 | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +15 more | 2023-11-28
The generateKeys() API function returned from crypto.createDiffieHellman() only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey(). However, the documentation says this API call: "Generates private and pub
nvd
CVE-2023-30586 [HIGH] CWE-862 | P3 | CVSS 7.5 | ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | +13 more | 2023-07-01
A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model. The attack complexity is high. However, the crypto.setEngine() API can be used to bypass the permission model when called with a compatible Ope
nvd