Skip to main content

Node.js

1072 CVEs product

Monthly

CVE-2018-1002204 npm MEDIUM POC PATCH THREAT This Month

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Node.js Adm Zip
NVD GitHub
CVSS 3.1
5.5
EPSS
15.4%
CVE-2018-1002203 npm MEDIUM POC PATCH THREAT This Month

unzipper npm library before 0.8.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Node.js Unzipper
NVD GitHub
CVSS 3.0
5.5
EPSS
11.9%
CVE-2018-13797 npm CRITICAL POC PATCH Act Now

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Node Macaddress
NVD GitHub
CVSS 3.0
9.8
EPSS
6.7%
CVE-2018-3754 npm HIGH POC This Week

Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Node.js Query Mysql
NVD
CVSS 3.0
8.8
EPSS
1.2%
CVE-2018-12519 HIGH POC This Week

An issue was discovered in ShopNx through 2017-11-17. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Node.js Shopnx
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
7.9%
CVE-2018-7167 HIGH This Week

Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Node.js Node Js
NVD
CVSS 3.1
7.5
EPSS
7.2%
CVE-2018-7164 HIGH This Week

Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD
CVSS 3.1
7.5
EPSS
6.4%
CVE-2018-7162 HIGH This Week

All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD
CVSS 3.1
7.5
EPSS
7.0%
CVE-2018-7161 HIGH PATCH This Week

All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Node Js
NVD
CVSS 3.1
7.5
EPSS
7.9%
CVE-2018-3746 npm CRITICAL POC PATCH Act Now

The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Pdfinfojs
NVD
CVSS 3.1
9.8
EPSS
4.9%
CVE-2018-3745 npm CRITICAL POC PATCH Act Now

atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Buffer Overflow Node.js Atob
NVD
CVSS 3.1
9.1
EPSS
2.2%
CVE-2018-7160 HIGH This Week

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Node.js Node Js
NVD
CVSS 3.1
8.8
EPSS
9.9%
CVE-2018-7159 MEDIUM This Month

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Node Js
NVD
CVSS 3.1
5.3
EPSS
3.6%
CVE-2018-7158 HIGH This Week

The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD
CVSS 3.1
7.5
EPSS
3.4%
CVE-2018-7560 npm HIGH PATCH This Week

index.js in the Anton Myshenin aws-lambda-multipart-parser NPM package before 0.1.2 has a Regular Expression Denial of Service (ReDoS) issue via a crafted multipart/form-data boundary string. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Aws Lambda Multipart Parser
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2018-7651 npm MEDIUM PATCH This Month

index.js in the ssri module before 5.2.2 for Node.js is prone to a regular expression denial of service vulnerability in strict mode functionality via a long base64 hash string. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Ssri
NVD GitHub
CVSS 3.0
5.9
EPSS
1.8%
CVE-2018-7408 npm HIGH PATCH This Week

An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Node.js npm
NVD GitHub
CVSS 3.0
7.8
EPSS
0.3%
CVE-2016-10703 npm HIGH POC PATCH This Week

A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server by. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Ecstatic
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2017-15897 LOW Monitor

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Node.js Information Disclosure Node Js
NVD
CVSS 3.1
3.1
EPSS
0.6%
CVE-2017-15896 CRITICAL Act Now

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass OpenSSL Node Js
NVD
CVSS 3.1
9.1
EPSS
0.2%
CVE-2017-1000219 npm CRITICAL POC PATCH Act Now

npm/KyleRoss windows-cpu all versions vulnerable to command injection resulting in code execution as Node.js user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Microsoft Command Injection RCE Windows Cpu
NVD
CVSS 3.0
9.8
EPSS
3.3%
CVE-2017-14919 HIGH This Week

Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD VulDB
CVSS 3.0
7.5
EPSS
0.8%
CVE-2014-3744 npm HIGH POC PATCH THREAT Act Now

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 78.2%.

Path Traversal Node.js Node Js
NVD GitHub
CVSS 3.0
7.5
EPSS
78.2%
Threat
5.3
CVE-2014-3741 npm CRITICAL PATCH Act Now

The printDirect function in lib/printer.js in the node-printer module 0.0.1 and earlier for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Node.js Command Injection Node Printer
NVD GitHub
CVSS 3.0
9.8
EPSS
1.9%
CVE-2013-7377 npm HIGH PATCH This Week

The codem-transcode module before 0.5.0 for Node.js, when ffprobe is enabled, allows remote attackers to execute arbitrary commands via a POST request to /probe. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Node.js Command Injection Codem Transcode
NVD
CVSS 3.0
8.1
EPSS
1.3%
CVE-2015-7384 HIGH This Week

Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD GitHub
CVSS 3.0
7.5
EPSS
0.9%
CVE-2017-15010 npm HIGH PATCH This Week

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Tough Cookie
NVD GitHub
CVSS 3.0
7.5
EPSS
3.9%
CVE-2017-14849 HIGH POC PATCH THREAT Act Now

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.2%.

Path Traversal Node.js Node Js
NVD
CVSS 3.0
7.5
EPSS
90.2%
Threat
5.7
CVE-2014-6393 npm MEDIUM PATCH This Month

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Express
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-12581 npm HIGH POC PATCH This Week

GitHub Electron before 1.6.8 allows remote command execution because of a nodeIntegration bypass vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js Google Command Injection Electron Chrome
NVD
CVSS 3.0
8.1
EPSS
2.3%
CVE-2017-11499 HIGH PATCH This Week

Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Node Js
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2017-8914 HIGH This Week

sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js SAP Information Disclosure Hana Xs
NVD
CVSS 3.0
8.3
EPSS
0.5%
CVE-2017-7474 npm CRITICAL PATCH Act Now

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Authentication Bypass Keycloak Nodejs Auth Utils
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2017-5954 npm CRITICAL POC PATCH Act Now

An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Node.js RCE Serialize To Js
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
CVE-2017-5941 npm CRITICAL POC THREAT Emergency

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 77.9%.

Deserialization Node.js RCE Node Serialize
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
77.9%
Threat
5.8
CVE-2016-4055 npm MEDIUM POC PATCH This Month

The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Node.js Moment Nessus Primavera Unifier
NVD VulDB
CVSS 3.1
6.5
EPSS
2.7%
CVE-2015-8862 npm MEDIUM POC PATCH This Month

mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Node.js Mustache Js
NVD VulDB
CVSS 3.0
6.1
EPSS
0.1%
CVE-2015-8861 npm MEDIUM POC PATCH This Month

The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Handlebars Js
NVD VulDB GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2015-8860 npm HIGH PATCH This Week

The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Node Js
NVD VulDB
CVSS 3.0
7.5
EPSS
0.4%
CVE-2015-8859 npm MEDIUM PATCH This Month

The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Send
NVD VulDB
CVSS 3.1
5.3
EPSS
0.6%
CVE-2015-8858 npm HIGH POC PATCH This Week

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS).". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Uglifyjs
NVD VulDB
CVSS 3.0
7.5
EPSS
0.9%
CVE-2015-8857 LIB CRITICAL POC PATCH Act Now

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Uglifyjs
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2015-8856 npm MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Serve Index
NVD VulDB
CVSS 3.1
6.1
EPSS
0.4%
CVE-2015-8855 npm HIGH PATCH This Week

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS).". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Node Js
NVD VulDB
CVSS 3.0
7.5
EPSS
1.1%
CVE-2015-8854 npm HIGH PATCH This Week

The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Marked Fedora
NVD VulDB
CVSS 3.1
7.5
EPSS
0.9%
CVE-2015-8315 npm HIGH POC PATCH This Week

The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS).". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Ms Vercel
NVD VulDB
CVSS 3.1
7.5
EPSS
0.9%
CVE-2014-9772 npm MEDIUM POC PATCH This Month

The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Node.js Node Js
NVD VulDB
CVSS 3.0
6.1
EPSS
0.4%
CVE-2013-7454 npm MEDIUM POC PATCH This Month

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Node Js
NVD VulDB GitHub
CVSS 3.0
6.1
EPSS
0.5%
CVE-2013-7453 npm MEDIUM PATCH This Month

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Node Js
NVD VulDB
CVSS 3.0
6.1
EPSS
0.5%
CVE-2013-7452 npm MEDIUM PATCH This Month

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Node Js
NVD VulDB
CVSS 3.0
6.1
EPSS
0.6%
CVE-2013-7451 npm MEDIUM PATCH This Month

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Node Js
NVD VulDB
CVSS 3.0
6.1
EPSS
0.6%
CVE-2016-3012 HIGH This Week

IBM API Connect (aka APIConnect) before 5.0.3.0 with NPM before 2.2.8 includes certain internal server credentials in the software package, which might allow remote attackers to bypass intended. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Node.js Api Connect Network Path Manager
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2016-7099 MEDIUM PATCH This Month

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Node.js Node Js Linux Enterprise
NVD GitHub
CVSS 3.0
5.9
EPSS
0.7%
CVE-2016-5325 MEDIUM PATCH This Month

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Node.js Node Js Linux Enterprise
NVD GitHub
CVSS 3.0
6.1
EPSS
1.0%
CVE-2016-7191 npm HIGH PATCH This Week

The Microsoft Azure Active Directory Passport (aka Passport-Azure-AD) library 1.x before 1.4.6 and 2.x before 2.0.1 for Node.js does not recognize the validateIssuer setting, which allows remote. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Microsoft Node.js Authentication Bypass Azure Active Directory Passport
NVD GitHub
CVSS 3.0
8.1
EPSS
3.8%
CVE-2016-3956 npm HIGH PATCH This Week

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Node.js Sdk Node Js npm
NVD GitHub
CVSS 3.1
7.5
EPSS
3.2%
CVE-2016-1202 npm HIGH PATCH This Week

Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure Node.js Electron
NVD GitHub
CVSS 3.0
7.8
EPSS
0.1%
CVE-2016-2216 HIGH PATCH This Week

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Authentication Bypass Node Js Fedora
NVD
CVSS 3.0
7.5
EPSS
1.8%
CVE-2016-2086 HIGH PATCH This Week

Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Node.js Node Js Fedora
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2016-2537 npm HIGH PATCH This Week

The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Is My Json Valid
NVD GitHub
CVSS 3.0
7.5
EPSS
0.5%
CVE-2015-8027 HIGH This Week

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD
CVSS 3.0
7.5
EPSS
1.4%
CVE-2015-5688 npm MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.1%.

Path Traversal Node.js Geddy
NVD GitHub
CVSS 2.0
5.0
EPSS
81.1%
Threat
4.9
CVE-2015-5380 HIGH PATCH This Week

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Denial Of Service Google Buffer Overflow Node.js V8 +2
NVD GitHub
CVSS 2.0
7.5
EPSS
0.6%
CVE-2014-9566 HIGH POC THREAT Act Now

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 77.5%.

SQLi Node.js Orion Ip Address Manager Orion Netflow Traffic Analyzer Orion Network Configuration Manager +5
NVD Exploit-DB GitHub
CVSS 2.0
7.5
EPSS
77.5%
Threat
5.3
CVE-2014-9682 npm CRITICAL PATCH Act Now

The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Node.js Dns Sync
NVD GitHub
CVSS 2.0
10.0
EPSS
1.0%
CVE-2015-1370 npm MEDIUM POC PATCH This Month

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS Node.js Marked
NVD GitHub
CVSS 2.0
4.3
EPSS
0.3%
CVE-2015-1369 npm HIGH POC PATCH This Week

SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Node.js Sequelize
NVD GitHub
CVSS 2.0
7.5
EPSS
0.4%
CVE-2015-1164 npm MEDIUM POC PATCH This Month

Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Open Redirect Node.js Serve Static
NVD GitHub
CVSS 2.0
4.3
EPSS
0.3%
CVE-2014-7193 npm MEDIUM PATCH This Month

The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Node.js Authentication Bypass Hapi Crumb
NVD GitHub
CVSS 2.0
5.8
EPSS
0.2%
CVE-2014-7192 npm CRITICAL POC PATCH THREAT Act Now

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 43.9%.

IBM RCE Node.js Code Injection Node Js
NVD GitHub Exploit-DB
CVSS 2.0
10.0
EPSS
43.9%
Threat
4.8
CVE-2014-7191 npm MEDIUM PATCH This Month

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Node.js Node Js
NVD GitHub
CVSS 2.0
5.0
EPSS
0.7%
CVE-2014-7205 npm CRITICAL POC PATCH THREAT Act Now

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 84.2%.

RCE Node.js Code Injection Bassmaster
NVD GitHub Exploit-DB
CVSS 2.0
10.0
EPSS
84.2%
Threat
6.0
CVE-2014-6394 npm HIGH POC PATCH This Week

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Node.js Fedora Xcode Node Js
NVD GitHub
CVSS 2.0
7.5
EPSS
4.8%
CVE-2014-5256 MEDIUM POC PATCH This Month

Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Buffer Overflow Node.js
NVD GitHub
CVSS 2.0
5.0
EPSS
1.3%
CVE-2014-3742 npm MEDIUM PATCH This Month

The hapi server framework 2.0.x and 2.1.x before 2.2.0 for Node.js allows remote attackers to cause a denial of service (file descriptor consumption and process crash) via unspecified vectors. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Node.js Hapi Server Framework
NVD GitHub
CVSS 2.0
5.0
EPSS
0.7%
CVE-2013-7379 npm MEDIUM POC PATCH This Month

The admin API in the tomato module before 0.0.6 for Node.js does not properly check the access key when it is set to a string, which allows remote attackers to bypass authentication via a string in. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

Node.js Authentication Bypass Tomato
NVD GitHub
CVSS 2.0
6.8
EPSS
0.4%
CVE-2013-4116 npm LOW PATCH Monitor

lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking. Rated low severity (CVSS 3.3).

Information Disclosure Node.js Node Packaged Modules
NVD GitHub VulDB
CVSS 2.0
3.3
EPSS
0.1%
CVE-2013-4450 MEDIUM POC PATCH THREAT This Month

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 68.7%.

Denial Of Service Node.js
NVD GitHub
CVSS 2.0
5.0
EPSS
68.7%
Threat
4.6
CVE-2013-4660 npm MEDIUM POC PATCH THREAT This Month

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 64.5%.

Node.js RCE Js Yaml
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
64.5%
Threat
4.8
CVE-2012-2330 MEDIUM POC PATCH This Month

The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Information Disclosure
NVD GitHub
CVSS 2.0
6.4
EPSS
0.6%
CVE-2012-2602 MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in SolarWinds Orion Network Performance Monitor (NPM) before 10.3.1 allow remote attackers to hijack the authentication of administrators. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Node.js Orion Network Performance Monitor
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
8.7%
CVE-2012-2577 MEDIUM POC THREAT This Month

Multiple cross-site scripting (XSS) vulnerabilities in SolarWinds Orion Network Performance Monitor (NPM) before 10.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 18.7%.

Node.js XSS Orion Network Performance Monitor
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
18.7%
EPSS 15% CVSS 5.5
MEDIUM POC PATCH THREAT This Month

adm-zip npm library before 0.4.9 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Node.js Adm Zip
NVD GitHub
EPSS 12% CVSS 5.5
MEDIUM POC PATCH THREAT This Month

unzipper npm library before 0.8.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Node.js Unzipper
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Command Injection Node Macaddress
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Node.js Query Mysql
NVD
EPSS 8% CVSS 8.8
HIGH POC This Week

An issue was discovered in ShopNx through 2017-11-17. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Node.js Shopnx
NVD Exploit-DB
EPSS 7% CVSS 7.5
HIGH This Week

Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Node.js +1
NVD
EPSS 6% CVSS 7.5
HIGH This Week

Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD
EPSS 7% CVSS 7.5
HIGH This Week

All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD
EPSS 8% CVSS 7.5
HIGH PATCH This Week

All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Node Js
NVD
EPSS 5% CVSS 9.8
CRITICAL POC PATCH Act Now

The pdfinfojs NPM module versions <= 0.3.6 has a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Pdfinfojs
NVD
EPSS 2% CVSS 9.1
CRITICAL POC PATCH Act Now

atob 2.0.3 and earlier allocates uninitialized Buffers when number is passed in input on Node.js 4.x and below. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Buffer Overflow Node.js +1
NVD
EPSS 10% CVSS 8.8
HIGH This Week

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Node.js Node Js
NVD
EPSS 4% CVSS 5.3
MEDIUM This Month

The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Node Js
NVD
EPSS 3% CVSS 7.5
HIGH This Week

The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

index.js in the Anton Myshenin aws-lambda-multipart-parser NPM package before 0.1.2 has a Regular Expression Denial of Service (ReDoS) issue via a crafted multipart/form-data boundary string. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Aws Lambda Multipart Parser
NVD GitHub
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

index.js in the ssri module before 5.2.2 for Node.js is prone to a regular expression denial of service vulnerability in strict mode functionality via a long base64 hash string. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Ssri
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Node.js npm
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server by. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Ecstatic
NVD GitHub
EPSS 1% CVSS 3.1
LOW Monitor

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Node.js Information Disclosure Node Js
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass OpenSSL +1
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

npm/KyleRoss windows-cpu all versions vulnerable to command injection resulting in code execution as Node.js user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Microsoft Command Injection +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD VulDB
EPSS 78% 5.3 CVSS 7.5
HIGH POC PATCH THREAT Act Now

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 78.2%.

Path Traversal Node.js Node Js
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

The printDirect function in lib/printer.js in the node-printer module 0.0.1 and earlier for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Node.js Command Injection Node Printer
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

The codem-transcode module before 0.5.0 for Node.js, when ffprobe is enabled, allows remote attackers to execute arbitrary commands via a POST request to /probe. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Node.js Command Injection Codem Transcode
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD GitHub
EPSS 4% CVSS 7.5
HIGH PATCH This Week

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Node.js Tough Cookie
NVD GitHub
EPSS 90% 5.7 CVSS 7.5
HIGH POC PATCH THREAT Act Now

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.2%.

Path Traversal Node.js Node Js
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Express
NVD
EPSS 2% CVSS 8.1
HIGH POC PATCH This Week

GitHub Electron before 1.6.8 allows remote command execution because of a nodeIntegration bypass vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js Google Command Injection +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Node Js
NVD
EPSS 0% CVSS 8.3
HIGH This Week

sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers to hijack npm packages or host arbitrary files by leveraging an insecure user creation policy, aka SAP Security Note 2407694. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js SAP Information Disclosure +1
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Authentication Bypass Keycloak Nodejs Auth Utils
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Node.js RCE +1
NVD GitHub
EPSS 78% 5.8 CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 77.9%.

Deserialization Node.js RCE +1
NVD Exploit-DB
EPSS 3% CVSS 6.5
MEDIUM POC PATCH This Month

The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Node.js Moment +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Node.js Mustache Js
NVD VulDB
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Handlebars Js
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Node Js
NVD VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Send
NVD VulDB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS).". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Uglifyjs
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Uglifyjs
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Serve Index
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS).". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Node Js
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Marked +1
NVD VulDB
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS).". Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Ms +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Node.js Node Js
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Node Js
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Node Js
NVD VulDB
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Node.js Node Js
NVD VulDB
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Node Js
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

IBM API Connect (aka APIConnect) before 5.0.3.0 with NPM before 2.2.8 includes certain internal server credentials in the software package, which might allow remote attackers to bypass intended. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Node.js +2
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Node.js Node Js +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Node.js Node Js +1
NVD GitHub
EPSS 4% CVSS 8.1
HIGH PATCH This Week

The Microsoft Azure Active Directory Passport (aka Passport-Azure-AD) library 1.x before 1.4.6 and 2.x before 2.0.1 for Node.js does not recognize the validateIssuer setting, which allows remote. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Microsoft Node.js Authentication Bypass +1
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Node.js Sdk +2
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Information Disclosure Node.js Electron
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Authentication Bypass Node Js +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Node.js Node Js +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Is My Json Valid
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Node Js
NVD
EPSS 81% 4.9 CVSS 5.0
MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.1%.

Path Traversal Node.js Geddy
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Denial Of Service Google Buffer Overflow +4
NVD GitHub
EPSS 78% 5.3 CVSS 7.5
HIGH POC THREAT Act Now

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 77.5%.

SQLi Node.js Orion Ip Address Manager +7
NVD Exploit-DB GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Node.js Dns Sync
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS Node.js Marked
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Node.js Sequelize
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Open Redirect Node.js Serve Static
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Node.js Authentication Bypass Hapi Crumb
NVD GitHub
EPSS 44% 4.8 CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application Developer and other products, allows remote attackers to. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 43.9%.

IBM RCE Node.js +2
NVD GitHub Exploit-DB
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Node.js Node Js
NVD GitHub
EPSS 84% 6.0 CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 84.2%.

RCE Node.js Code Injection +1
NVD GitHub Exploit-DB
EPSS 5% CVSS 7.5
HIGH POC PATCH This Week

visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal Node.js Fedora +2
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM POC PATCH This Month

Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Buffer Overflow Node.js
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

The hapi server framework 2.0.x and 2.1.x before 2.2.0 for Node.js allows remote attackers to cause a denial of service (file descriptor consumption and process crash) via unspecified vectors. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Node.js Hapi Server Framework
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

The admin API in the tomato module before 0.0.6 for Node.js does not properly check the access key when it is set to a string, which allows remote attackers to bypass authentication via a string in. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

Node.js Authentication Bypass Tomato
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking. Rated low severity (CVSS 3.3).

Information Disclosure Node.js Node Packaged Modules
NVD GitHub VulDB
EPSS 69% 4.6 CVSS 5.0
MEDIUM POC PATCH THREAT This Month

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 68.7%.

Denial Of Service Node.js
NVD GitHub
EPSS 65% 4.8 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, which allows remote attackers to execute arbitrary code via a crafted string that. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 64.5%.

Node.js RCE Js Yaml
NVD Exploit-DB
EPSS 1% CVSS 6.4
MEDIUM POC PATCH This Month

The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Information Disclosure
NVD GitHub
EPSS 9% CVSS 6.8
MEDIUM POC This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in SolarWinds Orion Network Performance Monitor (NPM) before 10.3.1 allow remote attackers to hijack the authentication of administrators. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Node.js Orion Network Performance Monitor
NVD Exploit-DB
EPSS 19% CVSS 4.3
MEDIUM POC THREAT This Month

Multiple cross-site scripting (XSS) vulnerabilities in SolarWinds Orion Network Performance Monitor (NPM) before 10.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 18.7%.

Node.js XSS Orion Network Performance Monitor
NVD Exploit-DB
Prev Page 12 of 12

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy