Skip to main content

Node.js

1071 CVEs product

Monthly

CVE-2025-59464 HIGH PATCH This Week

A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. [CVSS 7.5 HIGH]

Node.js OpenSSL TLS Denial Of Service Node.Js +2
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-55132 MEDIUM PATCH This Month

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. [CVSS 5.3 MEDIUM]

Node.js Node.Js Red Hat Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-55131 HIGH PATCH This Week

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. [CVSS 7.1 HIGH]

Node.js RCE Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-55130 CRITICAL PATCH Act Now

Node.js has a permissions model bypass that allows attackers to circumvent --allow-fs-read and --allow-fs-write restrictions using alternate path representations.

Node.js Information Disclosure Node Js
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-1245 npm MEDIUM PATCH This Month

Unsafe code generation in binary-parser prior to version 2.3.0 allows remote code execution when processing untrusted input for parser field names or encoding parameters. Node.js applications using vulnerable versions of the library can be compromised to execute arbitrary JavaScript with process-level privileges. A patch is available and exploitation requires no authentication or user interaction.

Node.js Code Injection Binary Parser
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-23950 npm MEDIUM POC PATCH This Month

Symlink poisoning via race condition in node-tar up to version 7.5.3 allows attackers to exploit Unicode normalization on case-insensitive filesystems like macOS APFS, where the path reservation system fails to serialize operations on colliding paths. Public exploit code exists for this vulnerability, enabling concurrent processing that bypasses internal safeguards. Node.js users and applications depending on vulnerable tar versions should update immediately, as attackers can leverage this to manipulate file operations during archive extraction.

Node.js Tar Apple RCE
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-22037 npm HIGH PATCH This Week

The @fastify/express plugin prior to version 4.0.3 allows authenticated attackers to bypass path-based middleware restrictions by submitting URL-encoded characters in requests, such as using /%61dmin instead of /admin. While the middleware engine fails to match the encoded path, the underlying Fastify router correctly decodes it and routes the request to handlers, enabling unauthorized access to protected endpoints. This affects Node.js applications using vulnerable versions of the plugin.

Node.js
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-23745 npm HIGH POC PATCH This Week

Arbitrary file overwrite and symlink poisoning in the node-tar library (versions <= 7.5.2) lets a malicious tar archive escape its intended extraction root, even with the default-secure preservePaths=false setting. The flaw stems from missing sanitization of the linkpath on hardlink and symbolic-link entries, so absolute symlink targets and hardlinks can redirect writes outside the extraction directory when a victim application unpacks attacker-supplied archives. Publicly available exploit code exists via the GitHub Security Advisory (GHSA-8qq5-rm4j-mr97), though EPSS exploitation probability is very low (0.01%) and it is not listed in CISA KEV; the issue is fixed in 7.5.3.

Node.js Tar Path Traversal
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-22036 npm MEDIUM PATCH This Month

Undici versions up to 7.18.0 is affected by allocation of resources without limits or throttling (CVSS 5.9).

Node.js Undici Red Hat Suse
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-22686 npm CRITICAL POC PATCH Act Now

enclave-vm JavaScript sandbox (before 2.7.0) has a critical sandbox escape. When a tool invocation fails, a host-side Error object is exposed to sandboxed code, which can use its prototype chain to access the host Node.js runtime. Maximum CVSS 10.0 with scope change. PoC available, patch available.

Node.js AI / ML Enclave
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-22704 npm HIGH POC PATCH This Week

Stored cross-site scripting (XSS) in HAX CMS versions 11.0.6 through 24.x allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to account takeover. Public exploit code exists for this vulnerability affecting both PHP and Node.js deployments. Users should upgrade to version 25.0.0 or later to remediate the issue.

PHP Node.js Haxcms Nodejs
NVD GitHub Exploit-DB VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-22597 npm MEDIUM PATCH This Month

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. [CVSS 2.7 LOW]

Node.js SSRF
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-22596 npm MEDIUM PATCH This Month

SQL injection in Ghost's Admin API members/events endpoint enables authenticated administrators to execute arbitrary database queries, affecting versions 5.90.0-5.130.5 and 6.0.0-6.10.3. An attacker with valid Admin API credentials could exploit this to extract, modify, or delete sensitive data stored in the Ghost database. Patches are available in versions 5.130.6 and 6.11.0.

Node.js Ghost
NVD GitHub
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-22595 npm HIGH PATCH This Week

Ghost CMS versions 5.121.0-5.130.5 and 6.0.0-6.10.3 incorrectly allow Staff Token authentication to access endpoints restricted to Staff Session authentication, enabling authenticated Admin/Owner-role users to perform unauthorized actions. An attacker with valid Staff Token credentials for elevated roles could bypass authentication restrictions and access sensitive endpoints not intended for token-based access. Patches are available in versions 5.130.6 and 6.11.0.

Node.js Ghost
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-22594 npm HIGH PATCH This Week

Ghost CMS versions 5.105.0-5.130.5 and 6.0.0-6.10.3 contain an authentication bypass in their two-factor authentication implementation that allows authenticated staff members to circumvent email-based 2FA requirements. An attacker with valid staff credentials can exploit this flaw to gain unauthorized access to administrative functions without completing the required second authentication factor. Patches are available in versions 5.130.6 and 6.11.0.

Node.js Ghost
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-21877 npm CRITICAL POC PATCH THREAT Act Now

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with scope change enabling full compromise of both self-hosted and cloud instances. EPSS 12.5% indicates high exploitation activity. Patch available.

RCE Code Injection Node.js N8n
NVD GitHub
CVSS 3.1
9.9
EPSS
12.5%
CVE-2026-21858 npm CRITICAL POC PATCH Act Now

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical CVSS 10.0 vulnerability enabling remote attackers to read sensitive files from the server, with potential for further compromise. PoC available.

Information Disclosure Path Traversal LFI Node.js N8n
NVD GitHub
CVSS 3.1
10.0
EPSS
7.1%
CVE-2024-14020 npm MEDIUM PATCH This Month

A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. [CVSS 5.0 MEDIUM]

Node.js
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-68428 npm CRITICAL PATCH Act Now

Local file inclusion and path traversal in the Node.js builds of jsPDF (dist/jspdf.node.js and dist/jspdf.node.min.js) prior to version 4.0.0 lets an attacker who controls the path argument passed to loadFile, addImage, html, or addFont read arbitrary files from the host filesystem, with the file contents embedded verbatim into the generated PDF. Applications that forward unsanitized user input into these methods leak secrets such as /etc/passwd, configuration files, or private keys to anyone who can request a PDF. No public exploit identified at time of analysis; EPSS risk is very low (0.02%, 6th percentile) and the issue is not in CISA KEV.

Node.js Path Traversal Jspdf
NVD GitHub
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-0621 npm HIGH POC PATCH GHSA This Week

Denial of service in Anthropic's Model Context Protocol (MCP) TypeScript SDK versions up to and including 1.25.1 allows remote attackers to hang the Node.js event loop by submitting a crafted URI to the UriTemplate matcher. The dynamically built regex for RFC 6570 exploded array patterns contains nested quantifiers that trigger catastrophic backtracking, pinning CPU and rendering the process unresponsive. Publicly available exploit code exists, though EPSS is very low (0.02%) and it is not listed in CISA KEV, so real-world exploitation currently appears theoretical rather than widespread.

Node.js Denial Of Service Mcp Typescript Sdk
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-68619 npm HIGH POC PATCH This Week

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. [CVSS 7.2 HIGH]

Node.js Github Signal K Server RCE
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-67731 npm HIGH PATCH This Week

Servify Express, a Node.js package for starting Express servers, contains a denial of service vulnerability caused by the absence of size limits on JSON request bodies parsed by express.json(). Attackers can exploit this by sending extremely large payloads to cause memory exhaustion and crash the application process. With an EPSS score of 0.07% (21st percentile), active exploitation remains low-probability, though a patch is available and the vulnerability affects any internet-facing application using affected versions.

Node.js Express Denial Of Service Servify Express
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-65945 npm HIGH PATCH This Week

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Authentication Bypass Node.js Node Jws Red Hat Auth0
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-65944 npm MEDIUM PATCH This Month

Sentry-Javascript is an official Sentry SDKs for JavaScript. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-65108 npm CRITICAL PATCH This Week

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Google RCE Code Injection Chrome
NVD GitHub
CVSS 3.1
10.0
EPSS
0.6%
CVE-2025-65025 Go HIGH POC PATCH This Week

esm.sh is a nobuild content delivery network(CDN) for modern web development. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal Esm Sh Suse
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-64757 npm LOW POC PATCH MAL Monitor

Astro is a web framework. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal Astro
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-13204 npm HIGH POC PATCH This Month

npm package `expr-eval` is vulnerable to Prototype Pollution. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Prototype Pollution RCE Javascript Expression Evaluator Red Hat
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-64726 HIGH This Month

Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Node.js RCE
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-64502 npm MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-64430 npm HIGH PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js SSRF File Upload
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-59831 npm HIGH POC PATCH This Week

git-commiters is a Node.js function module providing committers stats for their git repository. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Node.js Git Commiters
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-10894 npm CRITICAL MAL This Week

Malicious code was inserted into the Nx (build system) package and several related plugins. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-57347 CRITICAL POC Act Now

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service RCE Prototype Pollution Node.js Dagre D3 Es
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-57354 npm MEDIUM POC This Month

A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Prototype Pollution Node.js
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2025-57353 npm MEDIUM POC PATCH This Month

The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Prototype Pollution Node.js
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-59528 npm CRITICAL POC PATCH THREAT Act Now

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig parameter is parsed unsafely, allowing attackers to inject arbitrary system commands through the MCP server configuration that are executed when Flowise spawns the MCP server process.

RCE Code Injection Node.js Flowise
NVD GitHub Exploit-DB
CVSS 3.1
10.0
EPSS
83.0%
Threat
6.0
CVE-2025-59526 npm LOW PATCH Monitor

mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS
NVD GitHub
CVSS 4.0
2.7
EPSS
0.1%
CVE-2025-34204 HIGH POC This Week

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) contains multiple Docker containers that run primary application processes (for example PHP. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Docker PHP Privilege Escalation Node.js Virtual Appliance Application +1
NVD
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-59717 npm MEDIUM POC This Month

In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Memory Corruption Information Disclosure Node.js Do Markdownit DigitalOcean
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-56648 npm MEDIUM POC PATCH This Month

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Node.js Parcel Red Hat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-59333 npm HIGH POC This Week

The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Denial Of Service PostgreSQL Node.js Mcp Database Server
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-59437 LOW Monitor

The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. Rated low severity (CVSS 3.2), this vulnerability is no authentication required. No vendor patch available.

SSRF Node.js
NVD GitHub
CVSS 3.1
3.2
EPSS
0.0%
CVE-2025-59436 LOW Monitor

The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. Rated low severity (CVSS 3.2), this vulnerability is no authentication required. No vendor patch available.

SSRF Node.js
NVD GitHub
CVSS 3.1
3.2
EPSS
0.0%
CVE-2025-59145 npm HIGH PATCH MAL This Month

color-name is a JSON with CSS color names. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-59331 npm HIGH PATCH MAL This Week

is-arrayish checks if an object can be used like an Array. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-59330 npm HIGH PATCH MAL This Week

error-ex allows error subclassing and stack customization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-59162 npm HIGH PATCH MAL This Week

color-convert provides plain color conversion functions in JavaScript. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-59144 npm HIGH PATCH MAL This Month

debug is a JavaScript debugging utility. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-59143 npm HIGH PATCH MAL This Month

color is a Javascript color conversion and manipulation library. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-59142 npm HIGH PATCH MAL This Month

color-string is a parser and generator for CSS color strings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-59141 npm HIGH PATCH MAL This Month

simple-swizzle swizzles function arguments. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-59140 npm HIGH PATCH MAL This Month

backlash parses collected strings with escapes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2025-59364 npm MEDIUM PATCH This Month

The express-xss-sanitizer (aka Express XSS Sanitizer) package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Node.js
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-58754 npm HIGH POC PATCH MAL This Week

Axios is a promise based HTTP client for the browser and Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Axios Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59046 npm CRITICAL This Week

The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Node.js
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-59039 npm CRITICAL MAL This Week

Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-59038 npm HIGH PATCH MAL This Month

Prebid.js is a free and open source library for publishers to quickly implement header bidding. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-59037 npm HIGH PATCH MAL This Month

DuckDB is an analytical in-process SQL database management system. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2025-54994 npm CRITICAL POC PATCH This Week

@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Node.js
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2025-58374 HIGH This Month

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Node.js Roo Code
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-9118 CRITICAL Act Now

A path traversal vulnerability in the NPM package installation process of Google Cloud Dataform allows a remote attacker to read and write files in other customers' repositories via a maliciously. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Path Traversal Node.js
NVD
CVSS 4.0
10.0
EPSS
0.3%
CVE-2025-55195 HIGH This Month

@std/toml is the Deno Standard Library. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Prototype Pollution Information Disclosure Node.js
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-55152 npm MEDIUM This Month

oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-52913 CRITICAL This Week

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path traversal attack due to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Path Traversal Node.js
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-54798 npm LOW POC PATCH Monitor

tmp is a temporary file and directory creator for node.js. Rated low severity (CVSS 2.5). Public exploit code available.

Information Disclosure Node.js Tmp
NVD GitHub
CVSS 3.1
2.5
EPSS
0.1%
CVE-2025-54594 CRITICAL This Week

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-54871 MEDIUM POC PATCH This Month

Electron Capture facilitates video playback for screen-sharing and capture. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Authentication Bypass Apple Node.js Electron Capture macOS
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-51387 CRITICAL This Week

The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js Gitkraken Desktop
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-8522 LOW POC Monitor

A vulnerability, which was classified as critical, was found in givanz Vvvebjs up to 2.0.4. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP Path Traversal Node.js
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%
CVE-2025-54782 npm CRITICAL POC PATCH THREAT Act Now

Nest is a framework for building scalable Node.js server-side applications. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.1%.

Command Injection RCE Node.js Devtools Integration
NVD GitHub
CVSS 4.0
9.4
EPSS
22.1%
Threat
4.0
CVE-2025-54590 npm MEDIUM PATCH This Month

webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Node.js
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-53818 npm This Week

GitHub Kanban MCP Server is a Model Context Protocol (MCP) server for managing GitHub issues in Kanban board format and streamlining LLM task management. Version 0.3.0 of the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `add_comment` which relies on Node.js child process API `exec` to execute the GitHub (`gh`) command, is an unsafe and vulnerable API if concatenated with untrusted user input. As of time of publication, no known patches are available.

Node.js Command Injection
NVD GitHub
EPSS
0.2%
CVE-2025-53542 HIGH PATCH This Week

CVE-2025-53542 is a command injection vulnerability in Headlamp's macOS packaging workflow (codeSign.js) where unsanitized environment variables and config values are passed directly to Node.js execSync() without proper escaping, allowing local attackers to execute arbitrary commands. This affects Headlamp versions prior to 0.31.1, and while no active KEV or confirmed public POC is mentioned in available data, the vulnerability has a moderate-to-high CVSS score of 7.7 with user interaction required, making it a realistic threat in CI/CD and development environments.

Node.js Command Injection RCE macOS Kubernetes
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-53364 npm MEDIUM POC PATCH This Month

A remote code execution vulnerability in 5.3.0 and (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Node.js
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2025-53372 npm HIGH PATCH This Week

node-code-sandbox-mcp is a Node.js-based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. Prior to 1.3.0, a command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges on the host machine, bypassing the sandbox protection of running code inside docker. This vulnerability is fixed in 1.3.0.

RCE Node.js Command Injection Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-49365 npm PATCH Monitor

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7.

Node.js Authentication Bypass
NVD GitHub
EPSS
0.0%
CVE-2024-49364 npm PATCH Monitor

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7.

Node.js Authentication Bypass
NVD GitHub
EPSS
0.1%
CVE-2025-52573 npm MEDIUM PATCH This Month

iOS Simulator MCP Server (ios-simulator-mcp) is a Model Context Protocol (MCP) server for interacting with iOS simulators. Versions prior to 1.3.3 are written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `ui_tap` which relies on Node.js child process API `exec` which is an unsafe and vulnerable API if concatenated with untrusted user input. LLM exposed user input for `duration`, `udid`, and `x` and `y` args can be replaced with shell meta-characters like `;` or `&&` or others to change the behavior from running the expected command `idb` to another command. When LLMs are tricked through prompt injection (and other techniques and attack vectors) to call the tool with input that uses special shell characters such as `; rm -rf /tmp;#` and other payload variations, the full command-line text will be interepted by the shell and result in other commands except of `ps` executing on the host running the MCP Server. Version 1.3.3 contains a patch for the issue.

Node.js Apple Command Injection iOS
NVD GitHub
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-52879 MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible

XSS Node.js Teamcity
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-50182 PyPI MEDIUM PATCH This Month

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Python Node.js Open Redirect Ubuntu Debian +3
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-6087 npm CRITICAL PATCH Act Now

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

SSRF Next.js Node.js Information Disclosure Opennext For Cloudflare +2
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2025-22254 MEDIUM This Month

An Improper Privilege Management vulnerability [CWE-269] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiWeb 7.6.0 through 7.6.1, FortiWeb 7.4.0 through 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.

Node.js Privilege Escalation Fortinet Fortiweb Fortios +1
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-49006 HIGH PATCH This Week

Wasp framework versions prior to 0.16.6 contain a critical OAuth/OpenID Connect implementation flaw where user IDs are improperly lowercased before storage and authentication, violating specification requirements. This affects only Keycloak deployments configured with case-sensitive user IDs, enabling attackers to impersonate users, trigger account collisions, and escalate privileges. While the CVSS score of 8.2 reflects high integrity impact, real-world risk is constrained to Keycloak with specific non-default configuration, and no public exploit or KEV designation has been reported.

Node.js Privilege Escalation Google
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
CVE-2025-48947 npm HIGH PATCH This Week

A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring prompt remediation.

Next.js Node.js Information Disclosure Authentication Bypass
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-24015 Cargo MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective. Version 2.1.7 includes a patch that addresses this issue.

Node.js Information Disclosure Deno Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-48997 npm HIGH PATCH This Week

Denial of Service vulnerability in Multer (Node.js multipart form-data middleware) affecting versions 1.4.4-lts.1 through 2.0.0 where an attacker can crash the application process by uploading a file with an empty string field name, triggering an unhandled exception. The vulnerability has a CVSS score of 8.7 indicating high severity, though the impact is limited to availability (DoS) rather than confidentiality or integrity. No active exploitation or public POC has been confirmed at this time, but the low attack complexity and network accessibility make this a practical DoS vector for any exposed Multer instance.

Node.js Denial Of Service Express Red Hat
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-57783 HIGH This Week

Cross-site scripting (XSS) vulnerability in Dot desktop application (versions through 0.9.3) that allows unauthenticated local attackers to execute arbitrary commands with high complexity due to unsafe DOM manipulation via innerHTML. The vulnerability chains user input and LLM output directly into the DOM without sanitization, combined with Electron's Node.js API access, enabling command execution. This is a local attack vector with high impact on confidentiality, integrity, and availability.

Node.js XSS
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-48068 npm LOW PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Next.js Vercel
NVD GitHub
CVSS 4.0
2.3
EPSS
0.1%
CVE-2025-47949 npm CRITICAL PATCH This Week

samlify is a Node.js library for SAML single sign-on. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Node.js Samlify
NVD GitHub
CVSS 4.0
9.9
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. [CVSS 7.5 HIGH]

Node.js OpenSSL TLS +4
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. [CVSS 5.3 MEDIUM]

Node.js Node.Js Red Hat +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. [CVSS 7.1 HIGH]

Node.js RCE Buffer Overflow
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Node.js has a permissions model bypass that allows attackers to circumvent --allow-fs-read and --allow-fs-write restrictions using alternate path representations.

Node.js Information Disclosure Node Js
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unsafe code generation in binary-parser prior to version 2.3.0 allows remote code execution when processing untrusted input for parser field names or encoding parameters. Node.js applications using vulnerable versions of the library can be compromised to execute arbitrary JavaScript with process-level privileges. A patch is available and exploitation requires no authentication or user interaction.

Node.js Code Injection Binary Parser
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Symlink poisoning via race condition in node-tar up to version 7.5.3 allows attackers to exploit Unicode normalization on case-insensitive filesystems like macOS APFS, where the path reservation system fails to serialize operations on colliding paths. Public exploit code exists for this vulnerability, enabling concurrent processing that bypasses internal safeguards. Node.js users and applications depending on vulnerable tar versions should update immediately, as attackers can leverage this to manipulate file operations during archive extraction.

Node.js Tar Apple +1
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

The @fastify/express plugin prior to version 4.0.3 allows authenticated attackers to bypass path-based middleware restrictions by submitting URL-encoded characters in requests, such as using /%61dmin instead of /admin. While the middleware engine fails to match the encoded path, the underlying Fastify router correctly decodes it and routes the request to handlers, enabling unauthorized access to protected endpoints. This affects Node.js applications using vulnerable versions of the plugin.

Node.js
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Arbitrary file overwrite and symlink poisoning in the node-tar library (versions <= 7.5.2) lets a malicious tar archive escape its intended extraction root, even with the default-secure preservePaths=false setting. The flaw stems from missing sanitization of the linkpath on hardlink and symbolic-link entries, so absolute symlink targets and hardlinks can redirect writes outside the extraction directory when a victim application unpacks attacker-supplied archives. Publicly available exploit code exists via the GitHub Security Advisory (GHSA-8qq5-rm4j-mr97), though EPSS exploitation probability is very low (0.01%) and it is not listed in CISA KEV; the issue is fixed in 7.5.3.

Node.js Tar Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Undici versions up to 7.18.0 is affected by allocation of resources without limits or throttling (CVSS 5.9).

Node.js Undici Red Hat +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

enclave-vm JavaScript sandbox (before 2.7.0) has a critical sandbox escape. When a tool invocation fails, a host-side Error object is exposed to sandboxed code, which can use its prototype chain to access the host Node.js runtime. Maximum CVSS 10.0 with scope change. PoC available, patch available.

Node.js AI / ML Enclave
NVD GitHub
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

Stored cross-site scripting (XSS) in HAX CMS versions 11.0.6 through 24.x allows authenticated attackers to inject malicious scripts that execute in other users' browsers, potentially leading to account takeover. Public exploit code exists for this vulnerability affecting both PHP and Node.js deployments. Users should upgrade to version 25.0.0 or later to remediate the issue.

PHP Node.js Haxcms Nodejs
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. [CVSS 2.7 LOW]

Node.js SSRF
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

SQL injection in Ghost's Admin API members/events endpoint enables authenticated administrators to execute arbitrary database queries, affecting versions 5.90.0-5.130.5 and 6.0.0-6.10.3. An attacker with valid Admin API credentials could exploit this to extract, modify, or delete sensitive data stored in the Ghost database. Patches are available in versions 5.130.6 and 6.11.0.

Node.js Ghost
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Ghost CMS versions 5.121.0-5.130.5 and 6.0.0-6.10.3 incorrectly allow Staff Token authentication to access endpoints restricted to Staff Session authentication, enabling authenticated Admin/Owner-role users to perform unauthorized actions. An attacker with valid Staff Token credentials for elevated roles could bypass authentication restrictions and access sensitive endpoints not intended for token-based access. Patches are available in versions 5.130.6 and 6.11.0.

Node.js Ghost
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Ghost CMS versions 5.105.0-5.130.5 and 6.0.0-6.10.3 contain an authentication bypass in their two-factor authentication implementation that allows authenticated staff members to circumvent email-based 2FA requirements. An attacker with valid staff credentials can exploit this flaw to gain unauthorized access to administrative functions without completing the required second authentication factor. Patches are available in versions 5.130.6 and 6.11.0.

Node.js Ghost
NVD GitHub
EPSS 12% CVSS 9.9
CRITICAL POC PATCH THREAT Act Now

n8n workflow automation (through 1.121.2) allows authenticated users to execute arbitrary code via the n8n service, with scope change enabling full compromise of both self-hosted and cloud instances. EPSS 12.5% indicates high exploitation activity. Patch available.

RCE Code Injection Node.js +1
NVD GitHub
EPSS 7% CVSS 10.0
CRITICAL POC PATCH Act Now

n8n workflow automation (1.65.0 to 1.121.0) allows unauthenticated file access through form-based workflows. A critical CVSS 10.0 vulnerability enabling remote attackers to read sensitive files from the server, with potential for further compromise. PoC available.

Information Disclosure Path Traversal LFI +2
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. [CVSS 5.0 MEDIUM]

Node.js
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Local file inclusion and path traversal in the Node.js builds of jsPDF (dist/jspdf.node.js and dist/jspdf.node.min.js) prior to version 4.0.0 lets an attacker who controls the path argument passed to loadFile, addImage, html, or addFont read arbitrary files from the host filesystem, with the file contents embedded verbatim into the generated PDF. Applications that forward unsanitized user input into these methods leak secrets such as /etc/passwd, configuration files, or private keys to anyone who can request a PDF. No public exploit identified at time of analysis; EPSS risk is very low (0.02%, 6th percentile) and the issue is not in CISA KEV.

Node.js Path Traversal Jspdf
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Denial of service in Anthropic's Model Context Protocol (MCP) TypeScript SDK versions up to and including 1.25.1 allows remote attackers to hang the Node.js event loop by submitting a crafted URI to the UriTemplate matcher. The dynamically built regex for RFC 6570 exploded array patterns contains nested quantifiers that trigger catastrophic backtracking, pinning CPU and rendering the process unresponsive. Publicly available exploit code exists, though EPSS is very low (0.02%) and it is not listed in CISA KEV, so real-world exploitation currently appears theoretical rather than widespread.

Node.js Denial Of Service Mcp Typescript Sdk
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. [CVSS 7.2 HIGH]

Node.js Github Signal K Server +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Servify Express, a Node.js package for starting Express servers, contains a denial of service vulnerability caused by the absence of size limits on JSON request bodies parsed by express.json(). Attackers can exploit this by sending extremely large payloads to cause memory exhaustion and crash the application process. With an EPSS score of 0.07% (21st percentile), active exploitation remains low-probability, though a patch is available and the vulnerability affects any internet-facing application using affected versions.

Node.js Express Denial Of Service +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.

Authentication Bypass Node.js Node Jws +2
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Sentry-Javascript is an official Sentry SDKs for JavaScript. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH This Week

md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Google RCE +2
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

esm.sh is a nobuild content delivery network(CDN) for modern web development. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal Esm Sh +1
NVD GitHub
EPSS 0% CVSS 3.5
LOW POC PATCH Monitor

Astro is a web framework. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal Astro
NVD GitHub
EPSS 0% CVSS 7.3
HIGH POC PATCH This Month

npm package `expr-eval` is vulnerable to Prototype Pollution. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Prototype Pollution RCE +2
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Month

Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Node.js RCE
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js SSRF File Upload
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

git-commiters is a Node.js function module providing committers stats for their git repository. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Node.js Git Commiters
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL This Week

Malicious code was inserted into the Nx (build system) package and several related plugins. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConflict function, which fails to properly sanitize user-supplied input during. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service RCE Prototype Pollution +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A vulnerability exists in the 'counterpart' library for Node.js and the browser due to insufficient sanitization of user-controlled input in translation key processing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Prototype Pollution Node.js
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The Runtime components of messageformat package for Node.js before 3.0.2 contain a prototype pollution vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Prototype Pollution Node.js
NVD GitHub
EPSS 83% 6.0 CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig parameter is parsed unsafely, allowing attackers to inject arbitrary system commands through the MCP server configuration that are executed when Flowise spawns the MCP server process.

RCE Code Injection Node.js +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) contains multiple Docker containers that run primary application processes (for example PHP. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Docker PHP Privilege Escalation +3
NVD
EPSS 0% CVSS 5.4
MEDIUM POC This Month

In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Memory Corruption Information Disclosure Node.js +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Node.js Parcel +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC This Week

The mcp-database-server (MCP Server) 1.1.0 and earlier, as distributed via the npm package @executeautomation/database-server, fails to implement adequate security controls to properly enforce a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Denial Of Service PostgreSQL +2
NVD GitHub
EPSS 0% CVSS 3.2
LOW Monitor

The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. Rated low severity (CVSS 3.2), this vulnerability is no authentication required. No vendor patch available.

SSRF Node.js
NVD GitHub
EPSS 0% CVSS 3.2
LOW Monitor

The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. Rated low severity (CVSS 3.2), this vulnerability is no authentication required. No vendor patch available.

SSRF Node.js
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Month

color-name is a JSON with CSS color names. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

is-arrayish checks if an object can be used like an Array. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

error-ex allows error subclassing and stack customization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

color-convert provides plain color conversion functions in JavaScript. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Month

debug is a JavaScript debugging utility. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Month

color is a Javascript color conversion and manipulation library. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Month

color-string is a parser and generator for CSS color strings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Month

simple-swizzle swizzles function arguments. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Month

backlash parses collected strings with escapes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The express-xss-sanitizer (aka Express XSS Sanitizer) package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Node.js
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Axios is a promise based HTTP client for the browser and Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Axios +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL This Week

The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Node.js
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL This Week

Prebid Universal Creative (PUC) is a JavaScript API to render multiple formats. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Month

Prebid.js is a free and open source library for publishers to quickly implement header bidding. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Month

DuckDB is an analytical in-process SQL database management system. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Red Hat
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH This Week

@akoskm/create-mcp-server-stdio is an MCP server starter kit that uses the StdioServerTransport. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Node.js
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Month

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection RCE Node.js +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

A path traversal vulnerability in the NPM package installation process of Google Cloud Dataform allows a remote attacker to read and write files in other customers' repositories via a maliciously. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Path Traversal Node.js
NVD
EPSS 0% CVSS 7.3
HIGH This Month

@std/toml is the Deno Standard Library. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Prototype Pollution Information Disclosure Node.js
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL This Week

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path traversal attack due to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Path Traversal Node.js
NVD
EPSS 0% CVSS 2.5
LOW POC PATCH Monitor

tmp is a temporary file and directory creator for node.js. Rated low severity (CVSS 2.5). Public exploit code available.

Information Disclosure Node.js Tmp
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL This Week

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Electron Capture facilitates video playback for screen-sharing and capture. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Authentication Bypass Apple Node.js +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL This Week

The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Node.js +1
NVD GitHub
EPSS 0% CVSS 1.3
LOW POC Monitor

A vulnerability, which was classified as critical, was found in givanz Vvvebjs up to 2.0.4. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP Path Traversal Node.js
NVD GitHub VulDB
EPSS 22% 4.0 CVSS 9.4
CRITICAL POC PATCH THREAT Act Now

Nest is a framework for building scalable Node.js server-side applications. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.1%.

Command Injection RCE Node.js +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Node.js
NVD GitHub
EPSS 0%
This Week

GitHub Kanban MCP Server is a Model Context Protocol (MCP) server for managing GitHub issues in Kanban board format and streamlining LLM task management. Version 0.3.0 of the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `add_comment` which relies on Node.js child process API `exec` to execute the GitHub (`gh`) command, is an unsafe and vulnerable API if concatenated with untrusted user input. As of time of publication, no known patches are available.

Node.js Command Injection
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

CVE-2025-53542 is a command injection vulnerability in Headlamp's macOS packaging workflow (codeSign.js) where unsanitized environment variables and config values are passed directly to Node.js execSync() without proper escaping, allowing local attackers to execute arbitrary commands. This affects Headlamp versions prior to 0.31.1, and while no active KEV or confirmed public POC is mentioned in available data, the vulnerability has a moderate-to-high CVSS score of 7.7 with user interaction required, making it a realistic threat in CI/CD and development environments.

Node.js Command Injection RCE +2
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

A remote code execution vulnerability in 5.3.0 and (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Node.js
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

node-code-sandbox-mcp is a Node.js-based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. Prior to 1.3.0, a command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges on the host machine, bypassing the sandbox protection of running code inside docker. This vulnerability is fixed in 1.3.0.

RCE Node.js Command Injection +1
NVD GitHub
EPSS 0%
PATCH Monitor

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7.

Node.js Authentication Bypass
NVD GitHub
EPSS 0%
PATCH Monitor

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7.

Node.js Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

iOS Simulator MCP Server (ios-simulator-mcp) is a Model Context Protocol (MCP) server for interacting with iOS simulators. Versions prior to 1.3.3 are written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `ui_tap` which relies on Node.js child process API `exec` which is an unsafe and vulnerable API if concatenated with untrusted user input. LLM exposed user input for `duration`, `udid`, and `x` and `y` args can be replaced with shell meta-characters like `;` or `&&` or others to change the behavior from running the expected command `idb` to another command. When LLMs are tricked through prompt injection (and other techniques and attack vectors) to call the tool with input that uses special shell characters such as `; rm -rf /tmp;#` and other payload variations, the full command-line text will be interepted by the shell and result in other commands except of `ps` executing on the host running the MCP Server. Version 1.3.3 contains a patch for the issue.

Node.js Apple Command Injection +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible

XSS Node.js Teamcity
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Python Node.js Open Redirect +5
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

SSRF Next.js Node.js +4
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM This Month

An Improper Privilege Management vulnerability [CWE-269] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiWeb 7.6.0 through 7.6.1, FortiWeb 7.4.0 through 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module.

Node.js Privilege Escalation Fortinet +3
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Wasp framework versions prior to 0.16.6 contain a critical OAuth/OpenID Connect implementation flaw where user IDs are improperly lowercased before storage and authentication, violating specification requirements. This affects only Keycloak deployments configured with case-sensitive user IDs, enabling attackers to impersonate users, trigger account collisions, and escalate privileges. While the CVSS score of 8.2 reflects high integrity impact, real-world risk is constrained to Keycloak with specific non-default configuration, and no public exploit or KEV designation has been reported.

Node.js Privilege Escalation Google
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring prompt remediation.

Next.js Node.js Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the guarantees expected from AES-GCM. Older versions of Deno correctly threw errors in such cases, as does Node.js. Without authentication tag verification, AES-GCM degrades to essentially CTR mode, removing integrity protection. Authenticated data set with set_aad is also affected, as it is incorporated into the GCM hash (ghash) but this too is not validated, rendering AAD checks ineffective. Version 2.1.7 includes a patch that addresses this issue.

Node.js Information Disclosure Deno +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of Service vulnerability in Multer (Node.js multipart form-data middleware) affecting versions 1.4.4-lts.1 through 2.0.0 where an attacker can crash the application process by uploading a file with an empty string field name, triggering an unhandled exception. The vulnerability has a CVSS score of 8.7 indicating high severity, though the impact is limited to availability (DoS) rather than confidentiality or integrity. No active exploitation or public POC has been confirmed at this time, but the low attack complexity and network accessibility make this a practical DoS vector for any exposed Multer instance.

Node.js Denial Of Service Express +1
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Cross-site scripting (XSS) vulnerability in Dot desktop application (versions through 0.9.3) that allows unauthenticated local attackers to execute arbitrary commands with high complexity due to unsafe DOM manipulation via innerHTML. The vulnerability chains user input and LLM output directly into the DOM without sanitization, combined with Electron's Node.js API access, enabling command execution. This is a local attack vector with high impact on confidentiality, integrity, and availability.

Node.js XSS
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Next.js +1
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH This Week

samlify is a Node.js library for SAML single sign-on. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Node.js +1
NVD GitHub
Prev Page 6 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy