cbcvebase.

Nodejs Node vulnerabilities

102 known vulnerabilities affecting nodejs/node.

Total CVEs
102
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL10HIGH48MEDIUM35LOW9

Vulnerabilities

Page 4 of 6
CVE-2020-8252P3HIGHCVSS 7.8≥ 4.0, < 4.*≥ 5.0, < 5.*+9 more2020-09-18
CVE-2020-8252 [HIGH] CWE-120 CVE-2020-8252: The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incor The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
nvd
CVE-2023-30584P3HIGHCVSS 7.7≥ 4.0, < 4.*≥ 5.0, < 5.*+14 more2024-09-07
CVE-2023-30584 [HIGH] CWE-22 CVE-2023-30584: A vulnerability has been discovered in Node.js version 20, specifically within the experimental perm A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
nvd
CVE-2021-44532P3MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+12 more2022-02-24
CVE-2021-44532 [MEDIUM] CWE-296 CVE-2021-44532: Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass o
nvd
CVE-2025-23167P3MEDIUMCVSS 6.5≥ 4.0, < 4.*≥ 5.0, < 5.*+15 more2025-05-19
CVE-2025-23167 [MEDIUM] CWE-444 CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` ins A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correc
nvd
CVE-2024-22017P3HIGHCVSS 7.3≥ 4.0, < 4.*≥ 5.0, < 5.*+15 more2024-03-19
CVE-2024-22017 [HIGH] CWE-250 CVE-2024-22017: setuid() does not affect libuv's internal io_uring operations if initialized before the call to setu setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Nod
nvd
CVE-2021-22960P3MEDIUMCVSS 6.5≥ 4.0, < 4.*≥ 5.0, < 5.*+11 more2021-11-03
CVE-2021-22960 [MEDIUM] CWE-444 CVE-2021-22960: The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
nvd
CVE-2021-22939P4MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+11 more2021-08-16
CVE-2021-22939 [MEDIUM] CWE-295 CVE-2021-22939: If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthori If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
nvd
CVE-2022-32223P3HIGHCVSS 7.3≥ 4.0, < 4.*≥ 5.0, < 5.*+13 more2022-07-14
CVE-2022-32223 [HIGH] CWE-427 CVE-2022-32223: Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows pl Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` w
nvd
CVE-2024-27982P3MEDIUMCVSS 6.5≥ 4.0, < 4.*≥ 5.0, < 5.*+16 more2024-05-07
CVE-2024-27982 [MEDIUM] CWE-444 CVE-2024-27982: The team has identified a critical vulnerability in the http server of the most recent version of No The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
nvd
CVE-2021-44533P4MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+12 more2022-02-24
CVE-2021-44533 [MEDIUM] CWE-295 CVE-2021-44533: Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguis Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allo
nvd
CVE-2022-35256P3MEDIUMCVSS 6.5≥ 4.0, < 4.*≥ 5.0, < 5.*+13 more2022-12-05
CVE-2022-35256 [MEDIUM] CWE-444 CVE-2022-35256: The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that ar The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
nvd
CVE-2024-22020P4MEDIUMCVSS 6.5≥ 4.0, < 4.*≥ 5.0, < 5.*+17 more2024-07-09
CVE-2024-22020 [MEDIUM] CWE-94 CVE-2024-22020: A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import securit
nvd
CVE-2024-21890P3MEDIUMCVSS 6.5≥ 4.0, < 4.*≥ 5.0, < 5.*+15 more2024-02-20
CVE-2024-21890 [MEDIUM] CVE-2024-21890: The Node.js Permission Model does not clarify in the documentation that wildcards should be only use The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node
nvd
CVE-2021-22959P4MEDIUMCVSS 6.5≥ 4.0, < 4.*≥ 5.0, < 5.*+11 more2021-11-15
CVE-2021-22959 [MEDIUM] CWE-444 CVE-2021-22959: The parser in accepts requests with a space (SP) right after the header name before the colon. This The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6.
nvd
CVE-2026-21713P4MEDIUMCVSS 5.9≥ 20.20.1, ≤ 20.20.1≥ 22.22.1, ≤ 22.22.1+18 more2026-03-30
CVE-2026-21713 [MEDIUM] CWE-208 CVE-2026-21713: A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provide A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC va
nvd
CVE-2024-22025P4MEDIUMCVSS 6.5≥ 4.0, < 4.*≥ 5.0, < 5.*+16 more2024-03-19
CVE-2024-22025 [MEDIUM] CWE-404 CVE-2024-22025: A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack throug A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exh
nvd
CVE-2026-21717P4MEDIUMCVSS 5.9≥ 20.20.1, ≤ 20.20.1≥ 22.22.1, ≤ 22.22.1+18 more2026-03-30
CVE-2026-21717 [MEDIUM] CWE-328 CVE-2026-21717: A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric va A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint
nvd
CVE-2023-32003P4MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+13 more2023-08-15
CVE-2023-32003 [MEDIUM] CWE-22 CVE-2023-32003: `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. This flaw arises from a missing check in the fs.mkdtemp() API and the impact is a malicious actor could create an arbitrary directory. This vulnerability affects all users using the experimental permission model in Node.js 20. Please
nvd
CVE-2022-32222P4MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+13 more2022-07-14
CVE-2022-32222 [MEDIUM] CWE-310 CVE-2022-32222: A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.
nvd
CVE-2023-39333P4MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+15 more2024-09-07
CVE-2023-39333 [MEDIUM] CWE-94 CVE-2023-39333: Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The i Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js.
nvd
Nodejs Node vulnerabilities | cvebase