Skip to main content

Node.js

1071 CVEs product

Monthly

CVE-2020-15130 npm HIGH PATCH This Week

In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Slpjs
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2020-15125 npm HIGH PATCH This Week

In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Auth0 Js
NVD GitHub
CVSS 3.1
7.7
EPSS
1.5%
CVE-2020-15123 npm CRITICAL POC PATCH Act Now

In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Codecov
NVD GitHub
CVSS 3.1
9.3
EPSS
3.8%
CVE-2020-8205 npm HIGH POC PATCH This Week

The uppy npm package < 1.13.2 and < 2.0.0-alpha.5 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js SSRF Uppy
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-15779 npm HIGH POC This Week

A Path Traversal issue was discovered in the socket.io-file package through 2.0.31 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Socket Io File
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2020-8178 CRITICAL POC Act Now

Insufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Jison
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2020-15095 npm MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. Rated medium severity (CVSS 4.4).

Node.js Information Disclosure npm Leap Fedora
NVD GitHub
CVSS 3.1
4.4
EPSS
0.4%
CVE-2020-15084 npm CRITICAL PATCH Act Now

In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Authentication Bypass Express Jwt
NVD GitHub
CVSS 3.1
9.1
EPSS
1.1%
CVE-2020-14007 MEDIUM POC This Month

Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a name of an alert definition. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Node.js Orion Network Performance Monitor Orion Web Performance Monitor
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2020-14006 MEDIUM POC This Month

Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a Responsible Team. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Node.js Orion Network Performance Monitor Orion Web Performance Monitor
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2020-14005 HIGH This Week

Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js RCE Orion Network Performance Monitor Orion Web Performance Monitor
NVD GitHub
CVSS 3.1
8.8
EPSS
14.3%
CVE-2020-14968 npm CRITICAL POC PATCH Act Now

An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Buffer Overflow Jsrsasign Max Data
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-14967 npm CRITICAL POC PATCH Act Now

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Buffer Overflow Jsrsasign Max Data
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
2.6%
CVE-2020-14966 npm HIGH POC PATCH This Week

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Buffer Overflow Jwt Attack Canonical Jsrsasign +1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-4059 npm HIGH PATCH This Week

In mversion before 2.0.0, there is a command injection vulnerability. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js RCE Command Injection Mversion
NVD GitHub
CVSS 3.1
7.3
EPSS
2.6%
CVE-2020-4038 npm HIGH PATCH This Week

GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Graphql Playground Html Graphql Playground Middleware Express Graphql Playground Middleware Hapi +2
NVD GitHub
CVSS 3.1
7.4
EPSS
7.2%
CVE-2020-13822 npm HIGH POC PATCH This Week

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Canonical Buffer Overflow Integer Overflow Elliptic
NVD GitHub
CVSS 3.1
7.7
EPSS
2.6%
CVE-2020-4035 npm MEDIUM PATCH This Month

In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable.

Node.js SQLi Apple Watermelondb
NVD GitHub
CVSS 3.1
5.9
EPSS
0.8%
CVE-2020-7662 npm HIGH POC PATCH This Week

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Websocket Extensions
NVD GitHub
CVSS 3.1
7.5
EPSS
3.0%
CVE-2020-11079 npm CRITICAL PATCH Act Now

node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Node.js RCE Code Injection Node Dns Sync
NVD GitHub
CVSS 3.1
9.8
EPSS
2.6%
CVE-2020-11059 npm HIGH PATCH This Week

In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Aegir
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2020-13110 npm HIGH POC PATCH This Week

The kerberos package before 1.0.0 for Node.js allows arbitrary code execution and privilege escalation via injection of malicious DLLs through use of the kerberos_sspi LoadLibrary() method, because. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Privilege Escalation Kerberos
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2020-8149 npm CRITICAL POC PATCH Act Now

Lack of output sanitization allowed an attack to execute arbitrary shell commands via the logkitty npm package before version 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Code Injection Logkitty
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2020-11072 npm HIGH PATCH This Week

In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Slp Validate
NVD GitHub
CVSS 3.1
8.6
EPSS
1.0%
CVE-2020-11071 npm HIGH PATCH This Week

SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Slpjs
NVD GitHub
CVSS 3.1
8.6
EPSS
0.9%
CVE-2020-11021 npm HIGH PATCH This Week

Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Http Client
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-11020 Ruby CRITICAL POC PATCH Act Now

Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Faye
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-12265 npm CRITICAL POC PATCH Act Now

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal Decompress
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2020-11883 npm MEDIUM POC PATCH THREAT This Month

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Storefront Api Vue Storefront Api
NVD GitHub
CVSS 3.1
5.3
EPSS
15.2%
CVE-2020-5263 npm MEDIUM PATCH This Month

auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Node.js Information Disclosure Auth0 Js
NVD GitHub
CVSS 3.1
4.9
EPSS
0.9%
CVE-2020-7614 npm CRITICAL POC PATCH Act Now

npm-programmatic through 0.0.12 is vulnerable to Command Injection.The packages and option properties are concatenated together without any validation and are used by the 'exec' function directly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Npm Programmatic
NVD GitHub
CVSS 3.1
9.8
EPSS
3.5%
CVE-2020-8147 npm CRITICAL POC Act Now

Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Denial Of Service Utils Extend
NVD
CVSS 3.1
9.8
EPSS
3.1%
CVE-2020-10953 HIGH This Week

In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Gitlab Path Traversal
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-5282 CRITICAL PATCH Act Now

In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Nick Chan Bot
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2020-8135 npm CRITICAL POC PATCH Act Now

The uppy npm package < 1.9.3 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external network or otherwise interact with internal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js SSRF Uppy
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2020-5259 npm HIGH POC PATCH This Week

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js RCE Code Injection Dojox
NVD GitHub
CVSS 3.1
8.6
EPSS
2.0%
CVE-2020-5258 npm HIGH POC PATCH This Week

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. Public exploit code available.

Node.js RCE Code Injection Dojo Debian Linux +8
NVD GitHub
CVSS 3.1
7.7
EPSS
4.0%
CVE-2020-8132 npm CRITICAL POC Act Now

Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Code Injection Pdf Image
NVD
CVSS 3.1
9.8
EPSS
2.0%
CVE-2020-7597 npm HIGH POC PATCH This Week

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Command Injection Codecov
NVD GitHub
CVSS 3.1
8.8
EPSS
2.9%
CVE-2020-8129 npm CRITICAL POC PATCH Act Now

An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Code Injection Script Manager
NVD
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-8125 npm CRITICAL POC PATCH Act Now

Flaw in input validation in npm package klona version 1.1.0 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Denial Of Service Klona
NVD
CVSS 3.1
9.8
EPSS
4.1%
CVE-2020-8124 npm MEDIUM POC PATCH This Month

Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Authentication Bypass Url Parse
NVD
CVSS 3.1
5.3
EPSS
1.7%
CVE-2020-8116 npm HIGH POC PATCH This Week

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Dot Prop
NVD GitHub
CVSS 3.1
7.3
EPSS
3.1%
CVE-2020-7596 npm HIGH POC PATCH This Week

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Nodejs Uploader
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2020-6836 npm CRITICAL PATCH Act Now

grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js RCE Code Injection Hot Formula Parser
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2019-16777 npm MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal npm Leap Graalvm +3
NVD GitHub
CVSS 3.1
6.5
EPSS
2.0%
CVE-2019-16776 npm HIGH PATCH This Week

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal npm Leap Graalvm +3
NVD GitHub
CVSS 3.1
8.1
EPSS
3.3%
CVE-2019-16775 npm MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Node.js Enterprise Linux Enterprise Linux Eus npm +3
NVD GitHub
CVSS 3.1
6.5
EPSS
3.3%
CVE-2019-19771 npm HIGH MAL This Week

The lodahs package 0.0.1 for Node.js is a Trojan horse, and may have been installed by persons who mistyped the lodash package name. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Lodahs
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2019-19729 npm HIGH POC This Week

An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Node.js Bson Objectid
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2019-16772 npm MEDIUM PATCH This Month

The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Serialize To Js
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2019-10769 npm CRITICAL POC Act Now

safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Node.js RCE Safer Eval
NVD GitHub
CVSS 3.1
9.8
EPSS
2.6%
CVE-2019-16769 npm MEDIUM PATCH This Month

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Node.js Serialize Javascript
NVD GitHub
CVSS 3.1
5.4
EPSS
1.0%
CVE-2019-16762 npm MEDIUM POC PATCH This Month

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Information Disclosure Slpjs
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2019-16761 npm MEDIUM PATCH This Month

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Slp Validate
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2019-17606 npm MEDIUM PATCH This Month

The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Hexo Admin
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2019-17625 npm CRITICAL POC MAL Act Now

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Node.js XSS Command Injection Rambox
NVD GitHub
CVSS 3.1
9.0
EPSS
3.0%
CVE-2019-17592 npm HIGH PATCH This Week

The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Csv Parse Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2019-15138 npm HIGH POC PATCH This Week

The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Html Pdf
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2019-5485 npm CRITICAL POC THREAT MAL Act Now

NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Gitlabhook
NVD Exploit-DB
CVSS 3.1
10.0
EPSS
59.8%
CVE-2019-5480 npm MEDIUM POC This Month

A path traversal vulnerability in <= v0.9.7 of statichttpserver npm module allows attackers to list files in arbitrary folders. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Statichttpserver
NVD
CVSS 3.0
5.3
EPSS
1.6%
CVE-2019-13030 HIGH POC This Week

eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Neo Server
NVD GitHub
CVSS 3.1
8.2
EPSS
1.9%
CVE-2019-14939 npm MEDIUM PATCH This Month

An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Node.js Information Disclosure MySQL
NVD GitHub
CVSS 3.0
5.5
EPSS
0.4%
CVE-2019-5447 npm MEDIUM POC This Month

A path traversal vulnerability in <= v0.2.6 of http-file-server npm module allows attackers to list files in arbitrary folders. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Http File Server
NVD
CVSS 3.1
5.3
EPSS
1.5%
CVE-2019-5444 npm MEDIUM POC PATCH This Month

Path traversal vulnerability in version up to v1.1.3 in serve-here.js npm module allows attackers to list any file in arbitrary folder. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Serve Here Js
NVD
CVSS 3.1
5.3
EPSS
1.5%
CVE-2019-10157 npm MEDIUM PATCH This Month

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Node.js Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.0
5.5
EPSS
0.2%
CVE-2019-5438 npm MEDIUM POC PATCH This Month

Path traversal using symlink in npm harp module versions <= 0.29.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Harp
NVD
CVSS 3.1
5.3
EPSS
1.5%
CVE-2019-5437 npm MEDIUM POC PATCH This Month

Information exposure through the directory listing in npm's harp module allows to access files that are supposed to be ignored according to the harp server rules.Vulnerable versions are <= 0.29.0 and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Harp
NVD
CVSS 3.0
5.3
EPSS
1.3%
CVE-2019-5423 npm HIGH PATCH This Week

Path traversal vulnerability in http-live-simulator npm package version 1.0.5 allows arbitrary path to be accessed on the file system by a remote attacker. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Path Traversal Http Live Simulator
NVD
CVSS 3.0
7.5
EPSS
2.8%
CVE-2019-5422 npm MEDIUM This Month

XSS in buttle npm package version 0.2.0 causes execution of attacker-provided code in the victim's browser when an attacker creates an arbitrary file on the server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Node.js Buttle
NVD
CVSS 3.0
6.1
EPSS
1.2%
CVE-2019-5739 HIGH This Week

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js Leap
NVD
CVSS 3.1
7.5
EPSS
5.1%
CVE-2019-5737 HIGH This Week

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js Leap
NVD
CVSS 3.1
7.5
EPSS
16.2%
CVE-2019-10061 npm CRITICAL PATCH Act Now

utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Node Opencv
NVD GitHub
CVSS 3.0
9.8
EPSS
4.2%
CVE-2019-5417 npm HIGH POC PATCH This Week

A path traversal vulnerability in serve npm package version 7.0.1 allows the attackers to read content of arbitrary files on the remote server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Serve
NVD
CVSS 3.0
7.5
EPSS
2.2%
CVE-2019-5416 npm HIGH POC This Week

A path traversal vulnerability in localhost-now npm package version 1.0.2 allows the attackers to read content of arbitrary files on the remote server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Localhost Now
NVD
CVSS 3.0
7.5
EPSS
2.2%
CVE-2019-5413 npm CRITICAL POC PATCH Act Now

An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Node.js RCE Morgan
NVD
CVSS 3.0
9.8
EPSS
3.4%
CVE-2019-8917 CRITICAL Act Now

SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Orion Network Performance Monitor
NVD GitHub
CVSS 3.0
9.8
EPSS
36.4%
CVE-2018-12123 MEDIUM PATCH This Month

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Node.js Node Js
NVD
CVSS 3.1
4.3
EPSS
4.0%
CVE-2018-12122 HIGH PATCH This Week

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Node Js Suse Enterprise Storage Suse Linux Enterprise Server +1
NVD
CVSS 3.1
7.5
EPSS
41.3%
CVE-2018-12121 HIGH PATCH This Week

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Node Js Enterprise Linux Enterprise Linux Desktop +5
NVD
CVSS 3.1
7.5
EPSS
10.2%
CVE-2018-12120 HIGH PATCH This Week

Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Node.js Node Js
NVD
CVSS 3.1
8.1
EPSS
4.3%
CVE-2018-12116 HIGH PATCH This Week

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Node.js Node Js Suse Enterprise Storage Suse Linux Enterprise Server +1
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2018-16462 npm CRITICAL POC PATCH Act Now

A command injection vulnerability in the apex-publish-static-files npm module version <2.0.1 which allows arbitrary shell command execution through a maliciously crafted argument. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Apex Publish Static Files
NVD
CVSS 3.1
10.0
EPSS
7.0%
CVE-2018-16460 npm CRITICAL POC PATCH Act Now

A command Injection in ps package versions <1.0.0 for Node.js allowed arbitrary commands to be executed when attacker controls the PID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Ps
NVD GitHub
CVSS 3.0
9.8
EPSS
2.9%
CVE-2018-11615 npm HIGH PATCH This Week

This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca 2.8.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Mosca
NVD
CVSS 3.0
7.5
EPSS
3.3%
CVE-2018-7166 HIGH This Week

In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Node Js
NVD
CVSS 3.1
7.5
EPSS
3.2%
CVE-2018-12115 HIGH This Week

In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Node.js Node Js Openshift Container Platform
NVD
CVSS 3.0
7.5
EPSS
8.0%
CVE-2018-3773 npm MEDIUM POC PATCH This Month

There is a stored Cross-Site Scripting vulnerability in Open Graph meta properties read by the `metascrape` npm module <= 3.9.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Node.js Metascraper
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2018-3772 npm CRITICAL POC PATCH Act Now

Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Whereis
NVD
CVSS 3.0
9.8
EPSS
2.8%
CVE-2018-1002204 npm MEDIUM POC PATCH THREAT This Month

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Node.js Adm Zip
NVD GitHub
CVSS 3.1
5.5
EPSS
15.4%
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Slpjs
NVD GitHub
EPSS 2% CVSS 7.7
HIGH PATCH This Week

In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Auth0 Js
NVD GitHub
EPSS 4% CVSS 9.3
CRITICAL POC PATCH Act Now

In codecov (npm package) before version 3.7.1 the upload method has a command injection vulnerability. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Codecov
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The uppy npm package < 1.13.2 and < 2.0.0-alpha.5 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js SSRF Uppy
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

A Path Traversal issue was discovered in the socket.io-file package through 2.0.31 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Socket Io File
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL POC Act Now

Insufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Jison
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. Rated medium severity (CVSS 4.4).

Node.js Information Disclosure npm +2
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Authentication Bypass Express Jwt
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a name of an alert definition. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Node.js Orion Network Performance Monitor +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a Responsible Team. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Node.js Orion Network Performance Monitor +1
NVD GitHub
EPSS 14% CVSS 8.8
HIGH This Week

Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js RCE Orion Network Performance Monitor +1
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue was discovered in the jsrsasign package before 8.0.17 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Buffer Overflow Jsrsasign +1
NVD GitHub VulDB
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue was discovered in the jsrsasign package before 8.0.18 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Buffer Overflow Jsrsasign +1
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Buffer Overflow Jwt Attack +3
NVD GitHub VulDB
EPSS 3% CVSS 7.3
HIGH PATCH This Week

In mversion before 2.0.0, there is a command injection vulnerability. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js RCE Command Injection +1
NVD GitHub
EPSS 7% CVSS 7.4
HIGH PATCH This Week

GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Graphql Playground Html +4
NVD GitHub
EPSS 3% CVSS 7.7
HIGH POC PATCH This Week

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Canonical Buffer Overflow +2
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable.

Node.js SQLi Apple +1
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

websocket-extensions npm module prior to 0.1.4 allows Denial of Service (DoS) via Regex Backtracking. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Websocket Extensions
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Node.js RCE Code Injection +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In AEgir greater than or equal to 21.7.0 and less than 21.10.1, aegir publish and aegir build may leak secrets from environment variables in the browser bundle published to npm. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Aegir
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

The kerberos package before 1.0.0 for Node.js allows arbitrary code execution and privilege escalation via injection of malicious DLLs through use of the kerberos_sspi LoadLibrary() method, because. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Privilege Escalation +1
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Lack of output sanitization allowed an attack to execute arbitrary shell commands via the logkitty npm package before version 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Code Injection +1
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

In SLP Validate (npm package slp-validate) before version 1.2.1, users could experience false-negative validation outcomes for MINT transaction operations. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Slp Validate
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Slpjs
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to incorrect domain in certain redirect scenarios. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Http Client
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1.3 and 1.2.5, has the potential for authentication bypass in the extension system. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Faye
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal Decompress
NVD GitHub
EPSS 15% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

In Divante vue-storefront-api through 1.11.1 and storefront-api through 1.0-rc.1, as used in VueStorefront PWA, unexpected HTTP requests lead to an exception that discloses the error stack trace,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Storefront Api +1
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Node.js Information Disclosure Auth0 Js
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

npm-programmatic through 0.0.12 is vulnerable to Command Injection.The packages and option properties are concatenated together without any validation and are used by the 'exec' function directly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Npm Programmatic
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Denial Of Service +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Gitlab Path Traversal
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Nick Chan Bot
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

The uppy npm package < 1.9.3 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external network or otherwise interact with internal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js SSRF Uppy
NVD
EPSS 2% CVSS 8.6
HIGH POC PATCH This Week

In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js RCE Code Injection +1
NVD GitHub
EPSS 4% CVSS 7.7
HIGH POC PATCH This Week

In affected versions of dojo (NPM package), the deepCopy method is vulnerable to Prototype Pollution. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. Public exploit code available.

Node.js RCE Code Injection +10
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Code Injection +1
NVD
EPSS 3% CVSS 8.8
HIGH POC PATCH This Week

codecov-node npm module before 3.6.5 allows remote attackers to execute arbitrary commands.The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Command Injection Codecov
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Code Injection +1
NVD
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

Flaw in input validation in npm package klona version 1.1.0 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Denial Of Service +1
NVD
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Authentication Bypass Url Parse
NVD
EPSS 3% CVSS 7.3
HIGH POC PATCH This Week

Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Dot Prop
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Nodejs Uploader
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js RCE Code Injection +1
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal npm +5
NVD GitHub
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal npm +5
NVD GitHub
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Node.js Enterprise Linux +5
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

The lodahs package 0.0.1 for Node.js is a Trojan horse, and may have been installed by persons who mistyped the lodash package name. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Lodahs
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Node.js Bson Objectid
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Serialize To Js
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Node.js RCE +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Node.js Serialize Javascript
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Information Disclosure Slpjs
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Slp Validate
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The Post editor functionality in the hexo-admin plugin versions 2.3.0 and earlier for Node.js is vulnerable to stored XSS via the content of a post. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Hexo Admin
NVD GitHub
EPSS 3% CVSS 9.0
CRITICAL POC Act Now

There is a stored XSS in Rambox 0.6.9 that can lead to code execution. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Node.js XSS +2
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Csv Parse +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Html Pdf
NVD
EPSS 60% CVSS 10.0
CRITICAL POC THREAT Act Now

NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Gitlabhook
NVD Exploit-DB
EPSS 2% CVSS 5.3
MEDIUM POC This Month

A path traversal vulnerability in <= v0.9.7 of statichttpserver npm module allows attackers to list files in arbitrary folders. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Statichttpserver
NVD
EPSS 2% CVSS 8.2
HIGH POC This Week

eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prior to 2.4.5 allows uncontrolled admin access to start or stop the Node.js process, resulting in the ability to obtain mediola. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Neo Server
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for Node.js. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Node.js Information Disclosure MySQL
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM POC This Month

A path traversal vulnerability in <= v0.2.6 of http-file-server npm module allows attackers to list files in arbitrary folders. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Http File Server
NVD
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

Path traversal vulnerability in version up to v1.1.3 in serve-here.js npm module allows attackers to list any file in arbitrary folder. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Serve Here Js
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Node.js Information Disclosure Keycloak +1
NVD
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Path traversal using symlink in npm harp module versions <= 0.29.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Harp
NVD
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Information exposure through the directory listing in npm's harp module allows to access files that are supposed to be ignored according to the harp server rules.Vulnerable versions are <= 0.29.0 and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Harp
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Path traversal vulnerability in http-live-simulator npm package version 1.0.5 allows arbitrary path to be accessed on the file system by a remote attacker. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Path Traversal Http Live Simulator
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

XSS in buttle npm package version 0.2.0 causes execution of attacker-provided code in the victim's browser when an attacker creates an arbitrary file on the server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Node.js Buttle
NVD
EPSS 5% CVSS 7.5
HIGH This Week

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js +1
NVD
EPSS 16% CVSS 7.5
HIGH This Week

In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js +1
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) prior to 6.1.0 is vulnerable to Command Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Node Opencv
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

A path traversal vulnerability in serve npm package version 7.0.1 allows the attackers to read content of arbitrary files on the remote server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Serve
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

A path traversal vulnerability in localhost-now npm package version 1.0.2 allows the attackers to read content of arbitrary files on the remote server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Localhost Now
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Node.js RCE +1
NVD
EPSS 36% CVSS 9.8
CRITICAL Act Now

SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Orion Network Performance Monitor
NVD GitHub
EPSS 4% CVSS 4.3
MEDIUM PATCH This Month

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Node.js Node Js
NVD
EPSS 41% CVSS 7.5
HIGH PATCH This Week

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Node Js +3
NVD
EPSS 10% CVSS 7.5
HIGH PATCH This Week

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Node Js +7
NVD
EPSS 4% CVSS 8.1
HIGH PATCH This Week

Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Node.js Node Js
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Node.js Node Js +3
NVD
EPSS 7% CVSS 10.0
CRITICAL POC PATCH Act Now

A command injection vulnerability in the apex-publish-static-files npm module version <2.0.1 which allows arbitrary shell command execution through a maliciously crafted argument. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Apex Publish Static Files
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

A command Injection in ps package versions <1.0.0 for Node.js allowed arbitrary commands to be executed when attacker controls the PID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Ps
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca 2.8.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Mosca
NVD
EPSS 3% CVSS 7.5
HIGH This Week

In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Node Js
NVD
EPSS 8% CVSS 7.5
HIGH This Week

In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Node.js +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

There is a stored Cross-Site Scripting vulnerability in Open Graph meta properties read by the `metascrape` npm module <= 3.9.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Node.js Metascraper
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Whereis
NVD
EPSS 15% CVSS 5.5
MEDIUM POC PATCH THREAT This Month

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Node.js Adm Zip
NVD GitHub
Prev Page 11 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy