Nodejs Node vulnerabilities
102 known vulnerabilities affecting nodejs/node.
Total CVEs
102
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL10HIGH48MEDIUM35LOW9
Vulnerabilities
Page 5 of 6
CVE-2026-21714P4MEDIUMCVSS 5.3≥ 20.20.1, ≤ 20.20.1≥ 22.22.1, ≤ 22.22.1+2 more2026-03-30
CVE-2026-21714 [MEDIUM] CWE-401 CVE-2026-21714: A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.
This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25
nvd
CVE-2026-48937P4MEDIUMCVSS 5.3≥ 22.22.3, ≤ 22.22.3≥ 24.16.0, ≤ 24.16.02026-06-18
CVE-2026-48937 [MEDIUM] CWE-400 CVE-2026-48937: A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `G
A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js 24**.
nvd
CVE-2025-55132P4MEDIUMCVSS 5.3≥ 20.19.6, ≤ 20.19.6≥ 22.21.1, ≤ 22.21.1+2 more2026-01-20
CVE-2025-55132 [MEDIUM] CWE-276 CVE-2025-55132: A flaw in Node.js's permission model allows a file's access and modification timestamps to be change
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to a
nvd
CVE-2026-21712P4MEDIUMCVSS 5.7≥ 24.14.0, ≤ 24.14.0≥ 25.8.1, ≤ 25.8.12026-03-30
CVE-2026-21712 [MEDIUM] CWE-20 CVE-2026-21712: A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is c
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
nvd
CVE-2023-32005P4MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+13 more2023-09-12
CVE-2023-32005 [MEDIUM] CWE-732 CVE-2023-32005: A vulnerability has been identified in Node.js version 20, affecting users of the experimental permi
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument.
This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files t
nvd
CVE-2023-30588P4MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+15 more2023-11-28
CVE-2023-30588 [MEDIUM] CVE-2023-30588: When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate()
When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could force interruptions of application processing, as the process terminates when accessing public key info of provided certificates from user code. The current contex
nvd
CVE-2023-30582P4MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+13 more2024-09-07
CVE-2023-30582 [MEDIUM] CWE-284 CVE-2023-30582: A vulnerability has been identified in Node.js version 20, affecting users of the experimental permi
A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they
nvd
CVE-2026-48928P4MEDIUMCVSS 5.4≥ 22.22.3, ≤ 22.22.3≥ 24.16.0, ≤ 24.16.0+1 more2026-06-26
CVE-2026-48928 [MEDIUM] CWE-284 CVE-2026-48928: A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS s
A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
nvd
CVE-2026-21711P4MEDIUMCVSS 5.3≥ 25.8.1, ≤ 25.8.1≥ 4.0, < 4.*+15 more2026-03-30
CVE-2026-21711 [MEDIUM] CWE-284 CVE-2026-21711: A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operat
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.
As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other
nvd
CVE-2025-23084P4MEDIUMCVSS 5.5≥ 20.0.0, < 20.19.4≥ 22.0.0, < 22.17.1+1 more2025-01-28
CVE-2025-23084 [MEDIUM] CWE-22 CVE-2025-23084: A vulnerability has been identified in Node.js, specifically affecting the handling of drive names i
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.
On Windows, a path that does not start with the file
nvd
CVE-2025-23085P4MEDIUMCVSS 5.3≥ 4.0, < 4.*≥ 5.0, < 5.*+18 more2025-02-07
CVE-2025-23085 [MEDIUM] CWE-401 CVE-2025-23085: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY not
A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain
nvd
CVE-2026-48934P4MEDIUMCVSS 4.3≥ 22.22.3, ≤ 22.22.3≥ 24.16.0, ≤ 24.16.0+1 more2026-06-26
CVE-2026-48934 [MEDIUM] CWE-295 CVE-2026-48934: A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.
A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
nvd
CVE-2023-23920P4MEDIUMCVSS 4.2≥ 4.0, < 4.*≥ 5.0, < 5.*+14 more2023-02-23
CVE-2023-23920 [MEDIUM] CWE-426 CVE-2023-23920: An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3
An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
nvd
CVE-2026-48931P4LOWCVSS 3.7≥ 22.22.3, ≤ 22.22.3≥ 24.16.0, ≤ 24.16.0+1 more2026-06-22
CVE-2026-48931 [LOW] CWE-367 CVE-2026-48931: A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before th
A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
nvd
CVE-2026-21715P4LOWCVSS 3.3≥ 20.20.1, ≤ 20.20.1≥ 22.22.1, ≤ 22.22.1+18 more2026-03-30
CVE-2026-21715 [LOW] CWE-732 CVE-2026-21715: A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.
As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, reso
nvd
CVE-2025-23165P4LOWCVSS 3.7≥ 4.0, < 4.*≥ 5.0, < 5.*+17 more2025-05-19
CVE-2025-23165 [LOW] CWE-401 CVE-2025-23165: In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service.
Impact:
*
nvd
CVE-2024-37372P4LOWCVSS 3.6≥ 4.0, < 4.*≥ 5.0, < 5.*+16 more2025-01-09
CVE-2024-37372 [LOW] CWE-22 CVE-2024-37372: The Permission Model assumes that any path starting with two backslashes \ has a four-character pref
The Permission Model assumes that any path starting with two backslashes \ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.
nvd
CVE-2026-48936P4LOWCVSS 3.3≥ 26.3.0, ≤ 26.3.02026-06-26
CVE-2026-48936 [LOW] CWE-284 CVE-2026-48936: A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket),
A flaw in Node.js Permission API can cause a local server to be started (via a Unix domain socket), even without the `--allow-net` permission.
This vulnerability affects one supported release line: **Node.js 26**.
nvd
CVE-2026-48935P4LOWCVSS 3.3≥ 22.22.3, ≤ 22.22.3≥ 24.16.0, ≤ 24.16.0+1 more2026-06-26
CVE-2026-48935 [LOW] CWE-276 CVE-2026-48935: A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was se
A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. `--allow-fs-read`.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
nvd
CVE-2024-36137P4LOWCVSS 3.3≥ 20.20.1, ≤ 20.20.1≥ 22.22.1, ≤ 22.22.1+2 more2024-09-07
CVE-2024-36137 [LOW] CVE-2024-36137: A vulnerability has been identified in Node.js, affecting users of the experimental permission model
A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.
Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
nvd