Skip to main content

Node.js

1071 CVEs product

Monthly

CVE-2021-32804 npm HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Path Traversal Tar Graalvm Sinec Infrastructure Network Services
NVD GitHub
CVSS 3.1
8.1
EPSS
15.0%
CVE-2021-32803 npm HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Path Traversal Tar Graalvm Sinec Infrastructure Network Services
NVD GitHub
CVSS 3.1
8.1
EPSS
7.8%
CVE-2021-36716 npm HIGH PATCH This Week

A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package before 1.0.1 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Is Email
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-22921 HIGH POC PATCH This Week

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation Microsoft Node.js Node Js Sinec Infrastructure Network Services
NVD
CVSS 3.1
7.8
EPSS
7.4%
CVE-2021-22918 MEDIUM POC PATCH THREAT This Month

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Node.js Information Disclosure Node Js Sinec Infrastructure Network Services
NVD
CVSS 3.1
5.3
EPSS
23.1%
CVE-2021-21422 npm MEDIUM POC PATCH This Month

mongo-express is a web-based MongoDB admin interface, written with Node.js and express. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js XSS Mongo Express
NVD GitHub
CVSS 3.1
6.1
EPSS
1.6%
CVE-2021-32696 npm MEDIUM PATCH This Month

The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Node.js XSS Striptags
NVD GitHub
CVSS 3.1
5.3
EPSS
1.1%
CVE-2021-32685 npm CRITICAL PATCH Act Now

tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Jwt Attack Tenvoy
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2021-33205 HIGH This Week

Western Digital EdgeRover before 0.25 has an escalation of privileges vulnerability where a low privileged user could load malicious content into directories with higher privileges, because of how. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Node.js Edgerover
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-26707 npm CRITICAL PATCH Act Now

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Node.js Information Disclosure Merge Deep E Series Performance Analyzer
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-33587 npm HIGH PATCH This Week

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Css What E Series Performance Analyzer
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-33623 npm HIGH PATCH This Week

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Trim Newlines E Series Performance Analyzer Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
2.9%
CVE-2021-32640 npm MEDIUM POC PATCH This Month

ws is an open source WebSocket client and server library for Node.js. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Ws E Series Performance Analyzer
NVD GitHub
CVSS 3.1
5.3
EPSS
2.8%
CVE-2021-32624 npm MEDIUM This Month

Keystone 5 is an open source CMS platform to build Node.js applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Node.js Oracle Information Disclosure Keystone 5
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2021-33502 npm HIGH PATCH This Week

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data:. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Normalize Url
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-32573 MEDIUM POC This Month

The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js XSS Express Cart
NVD
CVSS 3.1
4.8
EPSS
0.5%
CVE-2021-29369 npm CRITICAL PATCH Act Now

The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Node.js Command Injection Gnuplot
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-28860 npm CRITICAL PATCH Act Now

In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Denial Of Service Node.js Mixme
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
2.0%
CVE-2021-29486 npm HIGH POC PATCH This Week

cumulative-distribution-function is an open source npm library used which calculates statistical cumulative distribution function from data array of x values. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Cumulative Distribution Function
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2021-29484 npm MEDIUM POC PATCH This Month

Ghost is a Node.js CMS. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js XSS Ghost
NVD GitHub
CVSS 3.1
6.8
EPSS
7.9%
CVE-2021-21388 npm CRITICAL PATCH Act Now

systeminformation is an open source system and OS information library for node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Command Injection Systeminformation
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-21414 npm HIGH PATCH This Week

Prisma is an open source ORM for Node.js & TypeScript. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Node.js Command Injection Prisma
NVD GitHub
CVSS 3.1
7.2
EPSS
2.1%
CVE-2021-21391 npm MEDIUM PATCH This Month

CKEditor 5 provides a WYSIWYG editing solution. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Microsoft Denial Of Service Ckeditor5 Engine Ckeditor5 Font +6
NVD GitHub
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-29469 npm HIGH PATCH This Week

Node-redis is a Node.js Redis client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Redis Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-31597 npm CRITICAL POC PATCH Act Now

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Xmlhttprequest Ssl
NVD GitHub
CVSS 3.1
9.4
EPSS
2.1%
CVE-2021-29452 npm MEDIUM PATCH This Month

a12n-server is an npm package which aims to provide a simple authentication system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Privilege Escalation A12N Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-29446 npm MEDIUM PATCH This Month

jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Oracle Information Disclosure Jose Node Cjs Runtime
NVD GitHub
CVSS 3.1
5.9
EPSS
1.2%
CVE-2021-29445 npm MEDIUM PATCH This Month

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Oracle Information Disclosure Jose Node Cjs Runtime
NVD GitHub
CVSS 3.1
5.9
EPSS
1.2%
CVE-2021-29444 npm MEDIUM PATCH This Month

jose-browser-runtime is an npm package which provides a number of cryptographic functions. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Oracle Information Disclosure Jose Node Cjs Runtime
NVD GitHub
CVSS 3.1
5.9
EPSS
1.2%
CVE-2021-29443 npm MEDIUM PATCH This Month

jose is an npm library providing a number of cryptographic operations. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Node.js Oracle Microsoft Jose
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
1.2%
CVE-2021-26073 npm HIGH PATCH This Week

Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Atlassian Authentication Bypass Connect Express
NVD
CVSS 3.1
7.7
EPSS
0.9%
CVE-2021-29438 npm MEDIUM PATCH This Month

The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Nextcloud XSS Nextcloud Dialogs
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-30246 npm CRITICAL PATCH Act Now

In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Node.js Jwt Attack Jsrsasign
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
1.0%
CVE-2021-21423 LIB HIGH PATCH This Week

`projen` is a project generation tool that synthesizes project configuration files such as `package.json`, `tsconfig.json`, `.gitignore`, GitHub Workflows, `eslint`, `jest`, and more, from a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Node.js Projen
NVD GitHub
CVSS 3.1
8.1
EPSS
1.4%
CVE-2021-28918 npm CRITICAL POC PATCH THREAT Act Now

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js SSRF Netmask
NVD GitHub
CVSS 3.1
9.1
EPSS
16.4%
CVE-2021-21412 npm HIGH PATCH This Week

Potential for arbitrary code execution in npm package @thi.ng/egf `#gpg`-tagged property values (only if `decrypt: true` option is enabled). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Node.js Command Injection Thi Ng Egf
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-29418 npm MEDIUM PATCH This Month

The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Authentication Bypass Netmask
NVD GitHub
CVSS 3.1
5.3
EPSS
1.7%
CVE-2021-21267 npm HIGH POC PATCH This Week

Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Schema Inspector E Series Performance Analyzer Oncommand Insight
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2021-26275 npm CRITICAL POC Act Now

The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Eslint Fixer
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2021-21383 MEDIUM POC PATCH This Month

Wiki.js an open-source wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js XSS Wiki Js
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-28092 npm HIGH PATCH This Week

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Is Svg
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2021-21368 npm HIGH POC PATCH This Week

msgpack5 is a msgpack v5 implementation for node.js and the browser. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Node.js Msgpack5
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-3377 npm MEDIUM POC PATCH This Month

The npm package ansi_up converts ANSI escape codes into HTML. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js XSS Ansi Up
NVD GitHub
CVSS 3.1
6.1
EPSS
8.0%
CVE-2021-22884 HIGH POC PATCH THREAT This Week

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js Authentication Bypass Node Js Fedora Active Iq Unified Manager +10
NVD
CVSS 3.1
7.5
EPSS
32.4%
CVE-2021-22883 HIGH PATCH This Week

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Node Js Fedora E Series Performance Analyzer +6
NVD
CVSS 3.1
7.5
EPSS
77.4%
CVE-2021-21353 npm CRITICAL POC PATCH Act Now

Pug is an npm package which is a high-performance template engine. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Node.js Pug Pug Code Gen
NVD GitHub
CVSS 3.1
9.0
EPSS
4.3%
CVE-2021-21322 npm CRITICAL PATCH Act Now

fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Fastify Http Proxy
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-21321 npm CRITICAL PATCH Act Now

fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Fastify Reply From
NVD GitHub
CVSS 3.1
10.0
EPSS
1.8%
CVE-2021-21320 npm MEDIUM PATCH This Month

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Matrix React Sdk
NVD GitHub
CVSS 3.1
4.3
EPSS
0.9%
CVE-2021-27884 npm MEDIUM PATCH This Month

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Yapi
NVD GitHub
CVSS 3.1
5.1
EPSS
0.3%
CVE-2021-26700 npm HIGH PATCH MAL This Week

Visual Studio Code npm-script Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Node.js npm
NVD
CVSS 3.1
7.8
EPSS
6.0%
CVE-2021-24105 HIGH PATCH This Week

<p>Depending on configuration of various package managers it is possible for an attacker to insert a malicious package into a package manager's repository which can be retrieved and used during. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity.

Python RCE Apple Microsoft Node.js +2
NVD
CVSS 3.1
8.4
EPSS
2.1%
CVE-2021-20327 npm MEDIUM PATCH This Month

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required. No vendor patch available.

Microsoft Node.js Information Disclosure Libmongocrypt
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2021-3189 npm MEDIUM POC This Month

The slashify package 1.0.0 for Node.js allows open-redirect attacks, as demonstrated by a localhost:3000///example.com/ substring. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Node.js Slashify
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2021-27405 npm HIGH PATCH This Week

A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Scrapbox Parser
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2021-21317 npm MEDIUM PATCH This Month

uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Python Denial Of Service Uap Core
NVD GitHub
CVSS 3.1
5.3
EPSS
2.5%
CVE-2021-21316 npm HIGH PATCH This Week

less-openui5 is an npm package which enables building OpenUI5 themes with Less.js. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Node.js Information Disclosure Less Openui5
NVD GitHub
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-21315 npm HIGH POC KEV PATCH THREAT This Week

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Systeminformation Cordova
NVD GitHub
CVSS 3.1
7.8
EPSS
90.2%
CVE-2021-27191 npm HIGH POC PATCH This Week

The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Get Ip Range
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2021-27185 npm CRITICAL POC PATCH Act Now

The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Samba Client
NVD GitHub
CVSS 3.1
9.8
EPSS
4.8%
CVE-2021-21306 npm HIGH PATCH This Week

Marked is an open-source markdown parser and compiler (npm package "marked"). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Marked
NVD GitHub
CVSS 3.1
7.5
EPSS
2.5%
CVE-2021-26276 npm MEDIUM POC PATCH This Month

scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Node Config Shield
NVD GitHub
CVSS 3.1
5.3
EPSS
1.2%
CVE-2021-3190 npm CRITICAL POC PATCH Act Now

The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Async Git
NVD GitHub
CVSS 3.1
9.8
EPSS
5.3%
CVE-2021-21252 LIB HIGH PATCH This Week

The jQuery Validation Plugin provides drop-in validation for your existing forms. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Jquery Validation Snapcenter
NVD GitHub
CVSS 3.1
7.5
EPSS
3.5%
CVE-2020-26291 npm MEDIUM PATCH This Month

URI.js is a javascript URL mutation library (npm package urijs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Node.js SSRF Uri Js
NVD GitHub
CVSS 3.1
6.5
EPSS
1.7%
CVE-2020-26296 npm HIGH PATCH This Week

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Node.js Vega
NVD GitHub
CVSS 3.1
8.7
EPSS
1.4%
CVE-2020-26288 npm MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-26289 npm HIGH PATCH This Week

date-and-time is an npm package for manipulating date and time. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Date And Time
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2020-26274 npm HIGH PATCH This Week

In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Systeminformation
NVD GitHub
CVSS 3.1
8.8
EPSS
2.7%
CVE-2020-26256 npm MEDIUM POC PATCH This Month

Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Denial Of Service Fast Csv
NVD GitHub
CVSS 3.1
6.5
EPSS
1.5%
CVE-2020-26245 npm CRITICAL PATCH Act Now

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Systeminformation
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2020-28360 npm CRITICAL PATCH Act Now

Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE SSRF Private Ip
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-8277 HIGH PATCH This Week

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Node Js Fedora Blockchain Platform +5
NVD
CVSS 3.1
7.5
EPSS
54.2%
CVE-2020-26226 npm HIGH PATCH This Week

In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Semantic Release
NVD GitHub
CVSS 3.1
8.1
EPSS
1.4%
CVE-2020-8268 npm HIGH POC PATCH This Week

Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Code Injection Json8 Merge Patch
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2020-28168 npm MEDIUM POC PATCH MAL This Month

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js SSRF Axios Sinec Ins
NVD GitHub
CVSS 3.1
5.9
EPSS
2.3%
CVE-2020-13537 HIGH POC This Week

An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Node.js Privilege Escalation Mxview
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2020-13536 HIGH POC This Week

An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Node.js Privilege Escalation Mxview
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2020-7754 npm HIGH POC PATCH This Week

This affects the package npm-user-validate before 1.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Npm User Validate
NVD GitHub
CVSS 3.1
7.5
EPSS
3.4%
CVE-2020-15270 npm MEDIUM PATCH This Month

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
4.3
EPSS
1.2%
CVE-2020-24807 npm HIGH This Week

The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Socket Io File
NVD GitHub
CVSS 3.1
7.8
EPSS
2.1%
CVE-2020-15228 npm MEDIUM POC PATCH This Month

In the `@actions/core` npm module before version 1.2.6,`addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Toolkit
NVD GitHub
CVSS 3.1
5.0
EPSS
1.5%
CVE-2020-8252 HIGH This Week

The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Node.js Node Js Leap Fedora
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2020-8251 HIGH This Week

Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Node Js Fedora
NVD
CVSS 3.1
7.5
EPSS
8.8%
CVE-2020-8237 npm HIGH POC PATCH This Week

Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Denial Of Service Json Bigint
NVD
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-8201 HIGH This Week

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Request Smuggling Information Disclosure Node Js Leap +1
NVD
CVSS 3.1
7.4
EPSS
5.1%
CVE-2020-24660 npm CRITICAL POC PATCH Act Now

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Authentication Bypass Nginx Lemonldap Debian Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2020-15152 npm CRITICAL PATCH Act Now

ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Node.js SSRF Ftp Srv
NVD GitHub
CVSS 3.1
9.1
EPSS
1.9%
CVE-2020-15135 npm HIGH POC PATCH This Week

save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js CSRF Save Server
NVD GitHub
CVSS 3.1
7.6
EPSS
0.7%
CVE-2020-15131 npm HIGH PATCH This Week

In SLP Validate (npm package slp-validate) before version 1.2.2, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Slp Validate
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
EPSS 15% CVSS 8.1
HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Path Traversal Tar +2
NVD GitHub
EPSS 8% CVSS 8.1
HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Path Traversal Tar +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package before 1.0.1 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Is Email
NVD GitHub
EPSS 7% CVSS 7.8
HIGH POC PATCH This Week

Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation Microsoft Node.js +2
NVD
EPSS 23% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Node.js Information Disclosure +2
NVD
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

mongo-express is a web-based MongoDB admin interface, written with Node.js and express. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js XSS Mongo Express
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Node.js XSS Striptags
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Jwt Attack +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Western Digital EdgeRover before 0.25 has an escalation of privileges vulnerability where a low privileged user could load malicious content into directories with higher privileges, because of how. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Node.js Edgerover
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Node.js Information Disclosure +2
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Css What +1
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Trim Newlines +2
NVD GitHub
EPSS 3% CVSS 5.3
MEDIUM POC PATCH This Month

ws is an open source WebSocket client and server library for Node.js. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Ws +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

Keystone 5 is an open source CMS platform to build Node.js applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Node.js Oracle Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data:. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Normalize Url
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

The express-cart package through 1.1.10 for Node.js allows Reflected XSS (for an admin) via a user input field for product options. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js XSS Express Cart
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The gnuplot package prior to version 0.1.0 for Node.js allows code execution via shell metacharacters in Gnuplot commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Node.js Command Injection +1
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate() and merge() functions. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Prototype Pollution Denial Of Service Node.js +1
NVD GitHub VulDB
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

cumulative-distribution-function is an open source npm library used which calculates statistical cumulative distribution function from data array of x values. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Cumulative Distribution Function
NVD GitHub
EPSS 8% CVSS 6.8
MEDIUM POC PATCH This Month

Ghost is a Node.js CMS. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js XSS Ghost
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

systeminformation is an open source system and OS information library for node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Command Injection Systeminformation
NVD GitHub
EPSS 2% CVSS 7.2
HIGH PATCH This Week

Prisma is an open source ORM for Node.js & TypeScript. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Node.js Command Injection +1
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

CKEditor 5 provides a WYSIWYG editing solution. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Microsoft Denial Of Service +8
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Node-redis is a Node.js Redis client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Redis Denial Of Service
NVD GitHub
EPSS 2% CVSS 9.4
CRITICAL POC PATCH Act Now

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Xmlhttprequest Ssl
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

a12n-server is an npm package which aims to provide a simple authentication system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Privilege Escalation A12N Server
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Oracle Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Oracle Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

jose-browser-runtime is an npm package which provides a number of cryptographic functions. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Oracle Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

jose is an npm library providing a number of cryptographic operations. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Node.js Oracle +2
NVD GitHub VulDB
EPSS 1% CVSS 7.7
HIGH PATCH This Week

Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Atlassian Authentication Bypass +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Nextcloud XSS +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Node.js Jwt Attack +1
NVD GitHub VulDB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

`projen` is a project generation tool that synthesizes project configuration files such as `package.json`, `tsconfig.json`, `.gitignore`, GitHub Workflows, `eslint`, `jest`, and more, from a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Node.js Projen
NVD GitHub
EPSS 16% CVSS 9.1
CRITICAL POC PATCH THREAT Act Now

Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js SSRF Netmask
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Potential for arbitrary code execution in npm package @thi.ng/egf `#gpg`-tagged property values (only if `decrypt: true` option is enabled). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Node.js Command Injection +1
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Authentication Bypass Netmask
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Schema Inspector +2
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

The eslint-fixer package through 0.1.5 for Node.js allows command injection via shell metacharacters to the fix function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Eslint Fixer
NVD
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Wiki.js an open-source wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js XSS Wiki Js
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Is Svg
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

msgpack5 is a msgpack v5 implementation for node.js and the browser. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Node.js Msgpack5
NVD GitHub
EPSS 8% CVSS 6.1
MEDIUM POC PATCH This Month

The npm package ansi_up converts ANSI escape codes into HTML. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js XSS Ansi Up
NVD GitHub
EPSS 32% CVSS 7.5
HIGH POC PATCH THREAT This Week

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js Authentication Bypass Node Js +12
NVD
EPSS 77% CVSS 7.5
HIGH PATCH This Week

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Node Js +8
NVD
EPSS 4% CVSS 9.0
CRITICAL POC PATCH Act Now

Pug is an npm package which is a high-performance template engine. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Node.js Pug +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Fastify Http Proxy
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL PATCH Act Now

fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Fastify Reply From
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Matrix React Sdk
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Yapi
NVD GitHub
EPSS 6% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code npm-script Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Node.js npm
NVD
EPSS 2% CVSS 8.4
HIGH PATCH This Week

<p>Depending on configuration of various package managers it is possible for an attacker to insert a malicious package into a package manager's repository which can be retrieved and used during. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity.

Python RCE Apple +4
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

A specific version of the Node.js mongodb-client-encryption module does not perform correct validation of the KMS server’s certificate. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required. No vendor patch available.

Microsoft Node.js Information Disclosure +1
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The slashify package 1.0.0 for Node.js allows open-redirect attacks, as demonstrated by a localhost:3000///example.com/ substring. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Node.js Slashify
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Scrapbox Parser
NVD GitHub
EPSS 3% CVSS 5.3
MEDIUM PATCH This Month

uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Python Denial Of Service +1
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

less-openui5 is an npm package which enables building OpenUI5 themes with Less.js. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Node.js Information Disclosure Less Openui5
NVD GitHub
EPSS 90% CVSS 7.8
HIGH POC KEV PATCH THREAT This Week

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Systeminformation +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

The get-ip-range package before 4.0.0 for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Get Ip Range
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL POC PATCH Act Now

The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Samba Client
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Marked is an open-source markdown parser and compiler (npm package "marked"). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Marked
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Node Config Shield
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL POC PATCH Act Now

The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Async Git
NVD GitHub
EPSS 4% CVSS 7.5
HIGH PATCH This Week

The jQuery Validation Plugin provides drop-in validation for your existing forms. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Jquery Validation +1
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

URI.js is a javascript URL mutation library (npm package urijs). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Node.js SSRF Uri Js
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Node.js Vega
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Parse Server
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

date-and-time is an npm package for manipulating date and time. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Date And Time
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Systeminformation
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Denial Of Service Fast Csv
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Systeminformation
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE SSRF +1
NVD GitHub
EPSS 54% CVSS 7.5
HIGH PATCH This Week

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Node Js +7
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Semantic Release
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Code Injection Json8 Merge Patch
NVD
EPSS 2% CVSS 5.9
MEDIUM POC PATCH This Month

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js SSRF Axios +1
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC This Week

An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Node.js Privilege Escalation Mxview
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

An exploitable local privilege elevation vulnerability exists in the file system permissions of Moxa MXView series 3.1.8 installation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Node.js Privilege Escalation Mxview
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

This affects the package npm-user-validate before 1.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Npm User Validate
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Parse Server
NVD GitHub
EPSS 2% CVSS 7.8
HIGH This Week

The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Socket Io File
NVD GitHub
EPSS 2% CVSS 5.0
MEDIUM POC PATCH This Month

In the `@actions/core` npm module before version 1.2.6,`addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Toolkit
NVD GitHub
EPSS 1% CVSS 7.8
HIGH This Week

The implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Node.js Node Js +2
NVD
EPSS 9% CVSS 7.5
HIGH This Week

Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attacks based on delayed requests submission which can make the server unable to accept new connections. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Node Js +1
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Denial Of Service Json Bigint
NVD
EPSS 5% CVSS 7.4
HIGH This Week

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Request Smuggling Information Disclosure +3
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Authentication Bypass Nginx +2
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

ftp-srv is an npm package which is a modern and extensible FTP server designed to be simple yet configurable. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Node.js SSRF Ftp Srv
NVD GitHub
EPSS 1% CVSS 7.6
HIGH POC PATCH This Week

save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js CSRF Save Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In SLP Validate (npm package slp-validate) before version 1.2.2, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Slp Validate
NVD GitHub
Prev Page 10 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy