Skip to main content

Node.js

1071 CVEs product

Monthly

CVE-2025-47944 npm HIGH PATCH This Month

Multer is a node.js middleware for handling `multipart/form-data`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-47935 npm HIGH PATCH This Month

Multer is a node.js middleware for handling `multipart/form-data`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-23167 MEDIUM PATCH This Month

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Authentication Bypass Node.js Red Hat Suse
NVD
CVSS 3.0
6.5
EPSS
0.1%
CVE-2025-23166 HIGH PATCH This Month

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat Suse
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2025-23165 LOW Monitor

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Denial Of Service
NVD
CVSS 3.0
3.7
EPSS
0.4%
CVE-2025-4759 npm MEDIUM POC PATCH This Month

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Lockfile Lint Api
NVD GitHub
CVSS 4.0
5.5
EPSS
0.2%
CVE-2025-47279 npm LOW PATCH Monitor

Undici is an HTTP/1.1 client for Node.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-46720 npm LOW PATCH Monitor

Keystone is a content management system for Node.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Oracle Node.js Keystone
NVD GitHub
CVSS 3.1
3.1
EPSS
0.1%
CVE-2025-47153 MEDIUM PATCH This Month

Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Node.js Debian Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2025-32965 npm CRITICAL PATCH Act Now

xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2025-32442 npm HIGH POC PATCH This Week

Fastify is a fast and low overhead web framework, for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Fastify Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-32379 npm MEDIUM PATCH This Month

Koa is expressive middleware for Node.js using ES2017 async functions. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Koa Red Hat
NVD GitHub
CVSS 3.1
5.0
EPSS
0.2%
CVE-2025-30168 npm MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Node.js
NVD GitHub
CVSS 3.1
6.9
EPSS
0.2%
CVE-2025-29775 npm CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js Red Hat
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-29774 npm CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js Red Hat
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2024-28607 LOW Monitor

The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via a falsy isPrivate return value. [CVSS 2.9 LOW]

Node.js SSRF
NVD GitHub
CVSS 3.1
2.9
EPSS
0.0%
CVE-2025-27597 npm HIGH PATCH This Week

Vue I18n is the internationalization plugin for Vue.js. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Prototype Pollution Node.js Denial Of Service
NVD GitHub
CVSS 4.0
8.9
EPSS
0.3%
CVE-2025-27152 npm HIGH POC PATCH MAL This Week

axios is a promise based HTTP client for the browser and node.js. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Node.js Axios Red Hat Suse
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-27146 npm LOW PATCH Monitor

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Node.js Matrix Irc Bridge
NVD GitHub
CVSS 3.1
2.7
EPSS
0.4%
CVE-2025-25288 npm MEDIUM PATCH This Month

@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-25285 npm MEDIUM PATCH This Month

@octokit/endpoint turns REST API endpoints into generic request options. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-25283 npm HIGH PATCH This Week

parse-duraton is software that allows users to convert a human readable duration to milliseconds. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-25200 npm CRITICAL PATCH Act Now

Koa is expressive middleware for Node.js using ES2017 async functions. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Koa
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2025-24876 npm HIGH PATCH This Week

The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Node.js
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2024-57177 npm HIGH This Month

A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Ssti
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2024-11831 npm MEDIUM PATCH This Month

A flaw was found in npm-serialize-javascript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Node.js
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2025-23085 MEDIUM PATCH This Month

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat Suse
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2025-23084 MEDIUM PATCH This Month

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Node.js Path Traversal Node Js Windows +1
NVD
CVSS 3.1
5.5
EPSS
1.3%
CVE-2025-23083 HIGH PATCH This Month

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.0
7.7
EPSS
0.1%
CVE-2024-52006 LOW PATCH Monitor

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Information Disclosure Node.js Git Debian Linux
NVD GitHub
CVSS 4.0
2.1
EPSS
1.3%
CVE-2024-55591 CRITICAL POC KEV EUVD KEV THREAT CERT-EU Emergency

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote attackers to gain super-admin privileges through crafted requests.

Node.js Authentication Bypass Fortinet Fortiproxy Fortios
NVD GitHub
CVSS 3.1
9.8
EPSS
94.2%
Threat
7.8
CVE-2024-56198 npm CRITICAL PATCH Act Now

path-sanitizer is a simple lightweight npm package for sanitizing paths to prevent Path Traversal. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal
NVD GitHub
CVSS 4.0
9.3
EPSS
0.7%
CVE-2024-56334 npm HIGH PATCH This Week

systeminformation is a System and OS information library for node.js. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Code Injection RCE Node.js
NVD GitHub
CVSS 3.1
7.8
EPSS
0.7%
CVE-2024-21548 npm MEDIUM PATCH This Month

Versions of the package bun after 0.0.12 and before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Information Disclosure Node.js Prototype Pollution
NVD GitHub
CVSS 4.0
6.8
EPSS
0.2%
CVE-2024-12641 CRITICAL Act Now

TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS CSRF Tenderdoctransfer
NVD
CVSS 3.1
9.6
EPSS
1.4%
CVE-2024-53866 npm MEDIUM POC PATCH This Month

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js RCE Pnpm
NVD GitHub
CVSS 4.0
5.8
EPSS
0.9%
CVE-2024-52810 npm MEDIUM PATCH This Month

@intlify/shared is a shared library for the intlify project. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Prototype Pollution Node.js Denial Of Service
NVD GitHub
CVSS 4.0
6.9
EPSS
0.7%
CVE-2024-53843 npm HIGH PATCH This Week

@dapperduckling/keycloak-connector-server is an opinionated series of libraries for Node.js applications and frontend clients to interface with keycloak. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-49362 npm CRITICAL POC PATCH Act Now

Joplin is a free, open source note taking and to-do application. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Node.js Joplin
NVD GitHub
CVSS 3.1
9.6
EPSS
1.0%
CVE-2024-52505 MEDIUM This Month

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-49770 npm HIGH POC This Week

`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal
NVD GitHub
CVSS 4.0
7.7
EPSS
0.7%
CVE-2024-41713 CRITICAL POC KEV THREAT Act Now

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Node.js Path Traversal Micollab
NVD
CVSS 3.1
9.1
EPSS
98.1%
CVE-2024-35287 MEDIUM This Month

A vulnerability in the NuPoint Messenger (NPM) component of Mitel MiCollab through version 9.8 SP1 (9.8.1.5) could allow an authenticated attacker with administrative privilege to conduct a privilege. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Node.js Micollab
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2024-35286 CRITICAL POC THREAT Act Now

A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Node.js Micollab
NVD
CVSS 3.1
9.8
EPSS
65.6%
CVE-2024-35285 CRITICAL Act Now

A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Command Injection Micollab
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-48930 npm HIGH PATCH This Week

secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2024-21536 npm HIGH POC PATCH This Week

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Http Proxy Middleware
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-48948 npm MEDIUM POC PATCH This Month

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Jwt Attack Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2024-48949 npm CRITICAL PATCH Act Now

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Jwt Attack Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-21532 npm HIGH This Week

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Command Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
0.3%
CVE-2024-45277 npm MEDIUM PATCH This Month

The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Prototype Pollution Information Disclosure Node.js SAP Hana Client
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2024-47183 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Node.js Parse Server
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-45298 MEDIUM This Month

Wiki.js is an open source wiki app built on Node.js. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Node.js
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-45590 npm HIGH PATCH This Week

body-parser is Node.js body parsing middleware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Body Parser
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-43409 npm MEDIUM PATCH This Month

Ghost is a Node.js content management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Node.js Ghost
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-43373 npm HIGH POC PATCH This Week

webcrack is a tool for reverse engineering javascript. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal RCE Microsoft Webcrack
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2024-22169 HIGH This Week

WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Node.js
NVD
CVSS 4.0
7.1
EPSS
0.3%
CVE-2024-42461 npm CRITICAL PATCH Act Now

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Jwt Attack Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-42460 npm MEDIUM POC PATCH This Month

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-42459 npm MEDIUM POC PATCH This Month

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Jwt Attack Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-6595 MEDIUM POC This Month

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab Node.js Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-38372 npm LOW PATCH Monitor

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
CVSS 3.1
2.0
EPSS
0.5%
CVE-2024-39691 npm MEDIUM PATCH This Month

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2024-39943 npm HIGH PATCH This Week

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Apple Command Injection Node.js Http File Server
NVD GitHub
CVSS 3.1
8.8
EPSS
48.5%
CVE-2024-39309 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PostgreSQL Node.js
NVD GitHub
CVSS 3.1
9.8
EPSS
20.2%
CVE-2024-38355 npm HIGH PATCH This Week

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
CVSS 3.1
7.3
EPSS
0.7%
CVE-2024-37890 npm HIGH PATCH This Week

ws is an open source WebSocket client and server for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Node.js Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2024-37150 MEDIUM PATCH This Month

An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Deno
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-29415 npm HIGH This Week

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SSRF Node.js
NVD GitHub
CVSS 3.1
8.1
EPSS
8.3%
CVE-2024-35237 HIGH This Week

MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals' affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Node.js
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-34710 Go HIGH This Week

Wiki.js is al wiki app built on Node.js. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Ssti Code Injection
NVD GitHub
CVSS 3.1
7.1
EPSS
0.4%
CVE-2024-4068 npm HIGH POC PATCH This Week

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Braces
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-4067 npm MEDIUM POC PATCH This Month

The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Micromatch
NVD GitHub
CVSS 3.1
5.3
EPSS
1.4%
CVE-2024-34347 npm HIGH PATCH This Week

@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Command Injection
NVD GitHub
CVSS 3.1
8.3
EPSS
0.6%
CVE-2024-32962 npm CRITICAL PATCH Act Now

xml-crypto is an xml digital signature and encryption library for Node.js. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Jwt Attack Information Disclosure
NVD GitHub
CVSS 3.1
10.0
EPSS
0.8%
CVE-2024-33883 npm MEDIUM PATCH This Month

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
CVSS 3.1
4.0
EPSS
0.6%
CVE-2024-32652 npm HIGH POC PATCH This Week

The adapter @hono/node-server allows you to run your Hono application on Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Node Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-32000 npm MEDIUM PATCH This Month

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-30260 npm MEDIUM PATCH This Month

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Node.js Undici Fedora
NVD GitHub
CVSS 3.1
4.3
EPSS
0.7%
CVE-2024-30261 npm LOW POC PATCH Monitor

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Undici Fedora
NVD GitHub
CVSS 3.1
3.5
EPSS
0.8%
CVE-2024-29900 npm HIGH PATCH This Week

Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Packager
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-29042 npm MEDIUM POC PATCH This Month

Translate is a package that allows users to convert text to different languages on Node.js and the browser. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Translate
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2024-28863 npm MEDIUM POC PATCH This Month

node-tar is a Tar for Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Tar
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2024-27935 Cargo HIGH POC PATCH This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Deno
NVD GitHub
CVSS 3.1
8.3
EPSS
0.7%
CVE-2024-29027 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required.

Node.js RCE Parse Server
NVD GitHub
CVSS 3.1
9.0
EPSS
1.2%
CVE-2024-22025 MEDIUM This Month

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service
NVD
CVSS 3.0
6.5
EPSS
1.3%
CVE-2024-22017 HIGH This Week

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Node.js
NVD
CVSS 3.0
7.3
EPSS
0.9%
CVE-2024-27298 npm CRITICAL PATCH Act Now

parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi PostgreSQL Node.js Parse Server
NVD GitHub
CVSS 3.1
10.0
EPSS
1.0%
CVE-2024-22019 HIGH This Week

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Node Js Astra Control Center
NVD
CVSS 3.1
7.5
EPSS
3.2%
CVE-2024-21896 CRITICAL Act Now

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js
NVD
CVSS 3.1
9.8
EPSS
1.3%
EPSS 0% CVSS 7.5
HIGH PATCH This Month

Multer is a node.js middleware for handling `multipart/form-data`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Month

Multer is a node.js middleware for handling `multipart/form-data`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Authentication Bypass Node.js +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Month

The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat +1
NVD
EPSS 0% CVSS 3.7
LOW Monitor

In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Denial Of Service
NVD
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of the package URL validation which can be bypassed by. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Lockfile Lint Api
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Undici is an HTTP/1.1 client for Node.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Keystone is a content management system for Node.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Oracle Node.js +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Node.js Debian +2
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Fastify is a fast and low overhead web framework, for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Fastify +1
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Koa is expressive middleware for Node.js using ES2017 async functions. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Koa +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Node.js
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js +1
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

xml-crypto is an XML digital signature and encryption library for Node.js. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jwt Attack Authentication Bypass Node.js +1
NVD GitHub
EPSS 0% CVSS 2.9
LOW Monitor

The ip-utils package through 2.4.0 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via a falsy isPrivate return value. [CVSS 2.9 LOW]

Node.js SSRF
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Vue I18n is the internationalization plugin for Vue.js. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Prototype Pollution Node.js Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

axios is a promise based HTTP client for the browser and node.js. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Node.js Axios +2
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Node.js Matrix Irc Bridge
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

@octokit/endpoint turns REST API endpoints into generic request options. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

parse-duraton is software that allows users to convert a human readable duration to milliseconds. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Koa is expressive middleware for Node.js using ES2017 async functions. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Koa
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Node.js
NVD
EPSS 0% CVSS 7.3
HIGH This Month

A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Ssti
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A flaw was found in npm-serialize-javascript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Node.js
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Red Hat +1
NVD
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Node.js Path Traversal +3
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Month

With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Red Hat +1
NVD VulDB
EPSS 1% CVSS 2.1
LOW PATCH Monitor

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Information Disclosure Node.js +2
NVD GitHub
EPSS 94% 7.8 CVSS 9.8
CRITICAL POC KEV EUVD KEV THREAT Emergency

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote attackers to gain super-admin privileges through crafted requests.

Node.js Authentication Bypass Fortinet +2
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

path-sanitizer is a simple lightweight npm package for sanitizing paths to prevent Path Traversal. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

systeminformation is a System and OS information library for node.js. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Code Injection RCE +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Versions of the package bun after 0.0.12 and before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Information Disclosure Node.js Prototype Pollution
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL Act Now

TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS CSRF +1
NVD
EPSS 1% CVSS 5.8
MEDIUM POC PATCH This Month

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js RCE Pnpm
NVD GitHub
EPSS 1% CVSS 6.9
MEDIUM PATCH This Month

@intlify/shared is a shared library for the intlify project. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Prototype Pollution Node.js Denial Of Service
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

@dapperduckling/keycloak-connector-server is an opinionated series of libraries for Node.js applications and frontend clients to interface with keycloak. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS
NVD GitHub
EPSS 1% CVSS 9.6
CRITICAL POC PATCH Act Now

Joplin is a free, open source note taking and to-do application. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE Node.js +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
EPSS 1% CVSS 7.7
HIGH POC This Week

`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal
NVD GitHub
EPSS 98% CVSS 9.1
CRITICAL POC KEV THREAT Act Now

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Node.js Path Traversal +1
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

A vulnerability in the NuPoint Messenger (NPM) component of Mitel MiCollab through version 9.8 SP1 (9.8.1.5) could allow an authenticated attacker with administrative privilege to conduct a privilege. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Node.js Micollab
NVD
EPSS 66% CVSS 9.8
CRITICAL POC THREAT Act Now

A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Node.js Micollab
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Command Injection Micollab
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Http Proxy Middleware
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch to be fetched and then concatenates this string along. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Command Injection
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Prototype Pollution Information Disclosure Node.js +2
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Wiki.js is an open source wiki app built on Node.js. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Node.js
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

body-parser is Node.js body parsing middleware. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Body Parser
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Ghost is a Node.js content management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Node.js Ghost
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

webcrack is a tool for reverse engineering javascript. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal RCE +2
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Node.js
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Elliptic
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Gitlab Node.js Information Disclosure
NVD
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
EPSS 48% CVSS 8.8
HIGH PATCH This Week

rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Apple Command Injection Node.js +1
NVD GitHub
EPSS 20% CVSS 9.8
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PostgreSQL Node.js
NVD GitHub
EPSS 1% CVSS 7.3
HIGH PATCH This Week

Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

ws is an open source WebSocket client and server for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Node.js Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Deno
NVD GitHub
EPSS 8% CVSS 8.1
HIGH This Week

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SSRF Node.js
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals' affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Node.js
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Wiki.js is al wiki app built on Node.js. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Ssti Code Injection
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Braces
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Micromatch
NVD GitHub
EPSS 1% CVSS 8.3
HIGH PATCH This Week

@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Node.js Command Injection
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

xml-crypto is an xml digital signature and encryption library for Node.js. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Jwt Attack Information Disclosure
NVD GitHub
EPSS 1% CVSS 4.0
MEDIUM PATCH This Month

The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The adapter @hono/node-server allows you to run your Hono application on Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Node Server
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Node.js Undici +1
NVD GitHub
EPSS 1% CVSS 3.5
LOW POC PATCH Monitor

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Undici +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Electron Packager bundles Electron-based application source code with a renamed Electron executable and supporting files into folders ready for distribution. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Packager
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Translate is a package that allows users to convert text to different languages on Node.js and the browser. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Translate
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

node-tar is a Tar for Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Denial Of Service Tar
NVD GitHub
EPSS 1% CVSS 8.3
HIGH POC PATCH This Week

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Deno
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required.

Node.js RCE Parse Server
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service
NVD
EPSS 1% CVSS 7.3
HIGH This Week

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Node.js
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi PostgreSQL Node.js +1
NVD GitHub
EPSS 3% CVSS 7.5
HIGH This Week

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Denial Of Service Node Js +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js
NVD
Prev Page 7 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy