cbcvebase.

Nodejs Node vulnerabilities

102 known vulnerabilities affecting nodejs/node.

Total CVEs
102
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL10HIGH48MEDIUM35LOW9

Vulnerabilities

Page 3 of 6
CVE-2026-48618P3MEDIUMCVSS 6.5≥ 22.22.3, ≤ 22.22.3≥ 24.16.0, ≤ 24.16.0+1 more2026-06-26
CVE-2026-48618 [MEDIUM] CWE-176 CVE-2026-48618: A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all s
nvd
CVE-2020-8251P3HIGHCVSS 7.5≥ 4.0, < 4.*≥ 5.0, < 5.*+7 more2020-09-18
CVE-2020-8251 [HIGH] CWE-400 CVE-2020-8251: Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests su Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections.
nvd
CVE-2021-22921P3HIGHCVSS 7.8≥ 4.0, < 4.*≥ 5.0, < 5.*+11 more2021-07-12
CVE-2021-22921 [HIGH] CWE-732 CVE-2021-22921: Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks unde Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.
nvd
CVE-2026-21637P3HIGHCVSS 7.5≥ 20.19.6, ≤ 20.19.6≥ 22.21.1, ≤ 22.21.1+17 more2026-01-20
CVE-2026-21637 [HIGH] CWE-400 CVE-2026-21637: A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks
nvd
CVE-2026-48619P3HIGHCVSS 7.5≥ 22.22.3, ≤ 22.22.3≥ 24.16.0, ≤ 24.16.0+1 more2026-06-26
CVE-2026-48619 [HIGH] CWE-400 CVE-2026-48619: A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
nvd
CVE-2026-48615P3HIGHCVSS 7.5≥ 22.22.3, ≤ 22.22.3≥ 24.16.0, ≤ 24.16.0+1 more2026-06-26
CVE-2026-48615 [HIGH] CWE-359 CVE-2026-48615: A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` e A flaw in Node.js proxy tunnel error handling could expose proxy credentials in `ERR_PROXY_TUNNEL` error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability affects all supported release lines: **Node.js 22**,
nvd
CVE-2023-32558P3HIGHCVSS 7.5≥ 4.0, < 4.*≥ 5.0, < 5.*+13 more2023-09-12
CVE-2023-32558 [HIGH] CWE-22 CVE-2023-32558: The use of the deprecated API `process.binding()` can bypass the permission model through path trave The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
nvd
CVE-2023-46809P3HIGHCVSS 7.4≥ 4.0, < 4.*≥ 5.0, < 5.*+16 more2024-09-07
CVE-2023-46809 [HIGH] CWE-385 CVE-2023-46809: Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked ve Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.
nvd
CVE-2025-27209P3HIGHCVSS 7.5≥ 24.0.0, < 24.4.12025-07-18
CVE-2025-27209 [HIGH] CWE-407 CVE-2025-27209: The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. T The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects
nvd
CVE-2023-30587P3HIGHCVSS 7.5≥ 4.0, < 4.*≥ 5.0, < 5.*+13 more2024-09-07
CVE-2023-30587 [HIGH] CWE-284 CVE-2023-30587: A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-pe A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the
nvd
CVE-2021-22918P3MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+11 more2021-07-12
CVE-2021-22918 [MEDIUM] CWE-125 CVE-2021-22918: Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be
nvd
CVE-2024-21892P3HIGHCVSS 7.8≥ 4.0, < 4.*≥ 5.0, < 5.*+16 more2024-02-20
CVE-2024-21892 [HIGH] CWE-94 CVE-2024-21892: On Linux, Node.js ignores certain environment variables if those may have been set by an unprivilege On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been
nvd
CVE-2023-30581P3HIGHCVSS 7.5≥ 4.0, < 4.*≥ 5.0, < 5.*+15 more2023-11-23
CVE-2023-30581 [HIGH] CWE-862 CVE-2023-30581: The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and r The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and, v20. Please note that at the time this CVE was issued, the policy is an experi
nvd
CVE-2025-59466P3HIGHCVSS 7.5≥ 20.19.6, ≤ 20.19.6≥ 22.21.1, ≤ 22.21.1+13 more2026-01-20
CVE-2025-59466 [HIGH] CWE-248 CVE-2025-59466: We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors b We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createH
nvd
CVE-2023-30583P3HIGHCVSS 7.5≥ 4.0, < 4.*≥ 5.0, < 5.*+13 more2024-09-07
CVE-2023-30583 [HIGH] CWE-284 CVE-2023-30583: fs.openAsBlob() can bypass the experimental permission model when using the file system read restric fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
nvd
CVE-2023-23919P3HIGHCVSS 7.5≥ 4.0, < 4.*≥ 5.0, < 5.*+14 more2023-02-23
CVE-2023-23919 [HIGH] CWE-310 CVE-2023-23919: A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some c A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of ser
nvd
CVE-2023-38552P3HIGHCVSS 7.5≥ 4.0, < 4.*≥ 5.0, < 5.*+15 more2023-10-18
CVE-2023-38552 [HIGH] CWE-345 CVE-2023-38552: When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the a When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active
nvd
CVE-2025-23083P3HIGHCVSS 7.7≥ 4.0, < 4.*≥ 5.0, < 5.*+17 more2025-01-22
CVE-2025-23083 [HIGH] CWE-284 CVE-2025-23083: With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker threa With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--p
nvd
CVE-2025-23166P3HIGHCVSS 7.5≥ 4.0, < 4.*≥ 5.0, < 5.*+19 more2025-05-19
CVE-2025-23166 [HIGH] CWE-248 CVE-2025-23166: The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime.
nvd
CVE-2025-59464P3HIGHCVSS 7.5≥ 24.12.0, < 24.12.02026-01-20
CVE-2025-59464 [HIGH] CWE-400 CVE-2025-59464: A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead t
nvd
Nodejs Node vulnerabilities | cvebase