Skip to main content

Node.js

1071 CVEs product

Monthly

CVE-2024-21891 HIGH This Week

Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2024-21890 MEDIUM This Month

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Node Js
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2024-24758 npm MEDIUM PATCH This Month

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Undici
NVD GitHub
CVSS 3.1
4.5
EPSS
0.8%
CVE-2024-24750 npm MEDIUM PATCH This Month

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Undici
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2024-24828 npm HIGH This Week

pkg is tool design to bundle Node.js projects into an executables. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Node.js Pkg
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-23054 CRITICAL POC Act Now

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Docker Plone Docker Official Image
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.7%
CVE-2024-24558 npm MEDIUM PATCH This Month

TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Node.js XSS React Query Next Experimental
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-23841 npm MEDIUM PATCH This Month

apollo-client-nextjs is the Apollo Client support for the Next.js App Router. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js XSS Apollo Client
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-23743 LOW POC Monitor

Notion through 3.1.0 on macOS might allow code execution because of RunAsNode and enableNodeClilnspectArguments. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Apple Node.js RCE Notion
NVD GitHub
CVSS 3.1
3.3
EPSS
0.4%
CVE-2024-23340 npm MEDIUM POC PATCH This Month

@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal Node Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2023-46943 npm CRITICAL PATCH Act Now

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Authentication Bypass Node.js Evershop
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2023-46942 npm HIGH PATCH This Week

Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Node.js Evershop
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2023-39655 npm CRITICAL Act Now

A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Couchauth
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2023-48795 LIB MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js SSH Java +66
NVD GitHub
CVSS 3.1
5.9
EPSS
53.6%
Threat
4.3
CVE-2023-50728 npm HIGH PATCH This Week

octokit/webhooks is a GitHub webhook events toolset for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure App Octokit Webhooks +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-49583 npm CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Node.js Privilege Escalation Sap Xssec
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-49803 npm HIGH PATCH This Week

@koa/cors npm provides Cross-Origin Resource Sharing (CORS) for koa, a web framework for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Cross Origin Resource Sharing For Koa
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2023-46499 npm MEDIUM PATCH This Month

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted scripts to the Admin Panel. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS Evershop
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-46498 npm CRITICAL PATCH Act Now

An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Evershop
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2023-46497 npm MEDIUM PATCH This Month

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal Evershop
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2023-46496 npm HIGH PATCH This Week

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal Evershop
NVD
CVSS 3.1
8.3
EPSS
1.2%
CVE-2023-46495 npm MEDIUM PATCH This Month

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS Evershop
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-46494 npm MEDIUM PATCH This Month

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS Evershop
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-46493 npm MEDIUM PATCH This Month

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Evershop
NVD
CVSS 3.1
5.3
EPSS
1.0%
CVE-2023-30588 MEDIUM This Month

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Node Js
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2023-30585 HIGH This Week

A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Microsoft Node Js
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-48711 npm LOW POC PATCH Monitor

google-translate-api-browser is an npm package which interfaces with the google translate web api. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js SSRF Google Google Translate Api Browser
NVD GitHub
CVSS 3.1
3.7
EPSS
0.5%
CVE-2023-49210 npm CRITICAL POC PATCH Act Now

The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field (used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js OpenSSL Command Injection Node Openssl
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2023-30581 HIGH This Week

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Node Js
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-46119 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-41896 CRITICAL Act Now

Home assistant is an open source home automation. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js XSS Home Assistant Home Assistant Js Websocket
NVD GitHub
CVSS 3.1
9.0
EPSS
0.3%
CVE-2023-39332 CRITICAL Act Now

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js Fedora
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2023-39331 HIGH This Week

A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-38552 HIGH This Week

When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Node Js Fedora
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-45143 npm LOW PATCH Monitor

Undici is an HTTP/1.1 client written from scratch for Node.js. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Undici Fedora
NVD GitHub
CVSS 3.1
3.5
EPSS
1.2%
CVE-2023-42810 npm CRITICAL PATCH Act Now

systeminformation is a System Information Library for Node.JS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Node.js Command Injection Systeminformation
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2023-32558 HIGH POC This Week

The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Node Js
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-32005 MEDIUM POC This Month

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Node Js
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2023-41049 npm MEDIUM PATCH This Month

@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Node.js XSS Single Sign On Client
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-32559 HIGH POC This Week

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation Node.js RCE Node Js
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2023-32002 CRITICAL Act Now

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Node Js
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-40340 Maven HIGH PATCH This Week

Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Jenkins Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-40027 npm MEDIUM PATCH This Month

Keystone is an open source headless CMS for Node.js - built with GraphQL and React. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Node.js Authentication Bypass Keystone
NVD GitHub
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-32006 HIGH This Week

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Node Js Fedora
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2023-32004 HIGH This Week

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js Fedora
NVD
CVSS 3.1
8.8
EPSS
1.8%
CVE-2023-32003 MEDIUM This Month

`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js Fedora
NVD
CVSS 3.1
5.3
EPSS
1.0%
CVE-2023-39532 npm CRITICAL POC PATCH Act Now

SES is a JavaScript environment that allows safe execution of arbitrary programs in Compartments. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js RCE Ses
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2023-38700 npm LOW PATCH Monitor

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Matrix Irc Bridge
NVD GitHub
CVSS 3.1
3.7
EPSS
0.5%
CVE-2023-38690 npm CRITICAL PATCH Act Now

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Matrix Irc Bridge
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-37478 npm CRITICAL POC PATCH Act Now

pnpm is a package manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Authentication Bypass Pnpm
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-38504 npm HIGH PATCH This Week

Sails is a realtime MVC Framework for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Sails
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-26045 npm CRITICAL PATCH Act Now

NodeBB is Node.js based forum software. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Path Traversal Nodebb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-37903 npm CRITICAL Act Now

vm2 is an open source vm/sandbox for Node.js. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Command Injection Vm2
NVD GitHub
CVSS 3.1
10.0
EPSS
2.8%
CVE-2023-37466 npm CRITICAL POC PATCH Act Now

vm2 is an advanced vm/sandbox for Node.js. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Node.js Code Injection Vm2
NVD GitHub
CVSS 3.1
10.0
EPSS
2.3%
CVE-2023-36821 npm HIGH POC PATCH This Week

Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js RCE Uptime Kuma
NVD GitHub
CVSS 3.1
8.8
EPSS
2.0%
CVE-2023-30589 npm HIGH POC PATCH This Week

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Node Js Fedora
NVD
CVSS 3.1
7.5
EPSS
3.9%
CVE-2023-30586 HIGH This Week

A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Node.js OpenSSL Authentication Bypass Node Js
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-36475 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Node.js RCE Prototype Pollution Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
3.2%
CVE-2023-34247 npm MEDIUM PATCH This Month

Keystone is a content management system for Node.JS. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Node.js Open Redirect Keystone
NVD GitHub
CVSS 3.1
4.1
EPSS
0.4%
CVE-2023-0508 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Gitlab
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2023-32689 npm MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Node.js File Upload Parse Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-32695 npm HIGH PATCH This Week

socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Socket Io Parser
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-26129 npm HIGH POC This Week

All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Bwm Ng
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2023-26128 npm HIGH POC This Week

All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Keep Module Latest
NVD GitHub
CVSS 3.1
7.8
EPSS
1.2%
CVE-2023-26127 npm HIGH This Week

All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Node.js Command Injection N158
NVD GitHub
CVSS 3.1
7.8
EPSS
1.0%
CVE-2023-27564 npm HIGH POC PATCH This Week

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure N8n
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-27563 npm HIGH POC PATCH This Week

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Node.js N8n
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-27562 npm MEDIUM POC PATCH This Month

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal N8n
NVD GitHub
CVSS 3.1
6.5
EPSS
2.3%
CVE-2023-31125 npm MEDIUM PATCH This Month

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Engine Io
NVD GitHub
CVSS 3.1
6.5
EPSS
1.3%
CVE-2023-1767 MEDIUM POC This Month

The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js XSS Advisor
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-30543 npm MEDIUM PATCH This Month

@web3-react is a framework for building Ethereum Apps . Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.

Race Condition Node.js Information Disclosure Web3 React Coinbase Wallet Web3 React Eip1193 +2
NVD GitHub
CVSS 3.1
5.7
EPSS
0.4%
CVE-2023-28155 npm MEDIUM POC PATCH This Month

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js SSRF Request
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2023-23920 MEDIUM PATCH This Month

An untrusted search path vulnerability exists in Node.js. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity.

Node.js Information Disclosure Node Js Debian Linux
NVD
CVSS 3.1
4.2
EPSS
0.5%
CVE-2023-23919 HIGH POC PATCH This Week

A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js OpenSSL Denial Of Service Node Js
NVD
CVSS 3.1
7.5
EPSS
2.2%
CVE-2023-23918 HIGH PATCH This Week

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Privilege Escalation Node.js Authentication Bypass Node Js
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2023-25813 npm CRITICAL POC PATCH Act Now

Sequelize is a Node.js ORM tool. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js SQLi Sequelize
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2023-25653 npm HIGH PATCH This Week

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Node Jose
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-24807 npm HIGH PATCH This Week

Undici is an HTTP/1.1 client for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Undici
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-23936 npm MEDIUM POC PATCH This Month

Undici is an HTTP/1.1 client for Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Code Injection Node Js Undici
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2023-22474 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Node.js Authentication Bypass Parse Server
NVD GitHub
CVSS 3.1
8.1
EPSS
0.7%
CVE-2023-24057 Maven HIGH POC PATCH This Week

HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive (for a prepackaged. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Path Traversal Hl7 Fhir Core Fhir Ig Publisher
NVD GitHub
CVSS 3.1
8.1
EPSS
1.2%
CVE-2023-22491 npm MEDIUM POC PATCH This Month

Gatsby is a free and open source framework based on React that helps developers build websites and apps. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Code Injection Gatsby
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-43548 HIGH PATCH This Week

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Node.js Command Injection Node Js Debian Linux
NVD
CVSS 3.1
8.1
EPSS
14.0%
CVE-2022-35255 CRITICAL POC Act Now

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Node Js Sinec Ins Debian Linux
NVD
CVSS 3.1
9.1
EPSS
1.9%
CVE-2022-46164 npm CRITICAL POC PATCH THREAT Act Now

NodeBB is an open source Node.js based forum software. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Nodebb
NVD GitHub
CVSS 3.1
9.8
EPSS
49.0%
CVE-2022-46155 MEDIUM PATCH This Month

Airtable.js is the JavaScript client for Airtable. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Node.js Information Disclosure Airtable
NVD GitHub
CVSS 3.1
6.4
EPSS
0.4%
CVE-2022-41940 npm MEDIUM POC PATCH This Month

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Information Disclosure Engine Io
NVD GitHub
CVSS 3.1
6.5
EPSS
1.9%
CVE-2022-41878 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-41879 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Prototype Pollution Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-39396 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Prototype Pollution Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
38.7%
EPSS 1% CVSS 8.8
HIGH This Week

Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Node Js
NVD
EPSS 1% CVSS 4.5
MEDIUM PATCH This Month

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Undici
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Undici is an HTTP/1.1 client, written from scratch for Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Undici
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

pkg is tool design to bundle Node.js projects into an executables. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Node.js Pkg
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js RCE Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Node.js XSS React Query Next Experimental
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

apollo-client-nextjs is the Apollo Client support for the Next.js App Router. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js XSS Apollo Client
NVD GitHub
EPSS 0% CVSS 3.3
LOW POC Monitor

Notion through 3.1.0 on macOS might allow code execution because of RunAsNode and enableNodeClilnspectArguments. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Apple Node.js +2
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal Node Server
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Authentication Bypass Node.js Evershop
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Node.js Evershop
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Couchauth
NVD GitHub
EPSS 54% 4.3 CVSS 5.9
MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js +68
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

octokit/webhooks is a GitHub webhook events toolset for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure App +3
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Node.js Privilege Escalation +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

@koa/cors npm provides Cross-Origin Resource Sharing (CORS) for koa, a web framework for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Cross Origin Resource Sharing For Koa
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted scripts to the Admin Panel. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS Evershop
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /deleteCustomer/route.json file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Evershop
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the mkdirSync function in the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal Evershop
NVD
EPSS 1% CVSS 8.3
HIGH PATCH This Week

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the DELETE function in api/files. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal Evershop
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS Evershop
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js XSS Evershop
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the readDirSync function in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Evershop
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

When an invalid public key is used to create an x509 certificate using the crypto.X509Certificate() API a non-expect termination occurs making it susceptible to DoS attacks when the attacker could. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Node Js
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Microsoft +1
NVD
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

google-translate-api-browser is an npm package which interfaces with the google translate web api. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Node.js SSRF Google +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field (used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js OpenSSL Command Injection +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Node Js
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Parse Server
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL Act Now

Home assistant is an open source home automation. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js XSS Home Assistant +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js
NVD
EPSS 1% CVSS 7.5
HIGH This Week

When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Node Js +1
NVD
EPSS 1% CVSS 3.5
LOW PATCH Monitor

Undici is an HTTP/1.1 client written from scratch for Node.js. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Undici +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

systeminformation is a System Information Library for Node.JS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Node.js Command Injection Systeminformation
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal Node Js
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Node Js
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

@dcl/single-sign-on-client is an open source npm library which deals with single sign on authentication flows. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Node.js XSS Single Sign On Client
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Privilege Escalation Node.js RCE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Node Js
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Jenkins Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Keystone is an open source headless CMS for Node.js - built with GraphQL and React. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Node.js Authentication Bypass Keystone
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Node Js +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permission model check using a path traversal attack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Path Traversal Node Js +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

SES is a JavaScript environment that allows safe execution of arbitrary programs in Compartments. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js RCE Ses
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Matrix Irc Bridge
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Matrix Irc Bridge
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

pnpm is a package manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Authentication Bypass Pnpm
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Sails is a realtime MVC Framework for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Sails
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

NodeBB is Node.js based forum software. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Path Traversal Nodebb
NVD GitHub
EPSS 3% CVSS 10.0
CRITICAL Act Now

vm2 is an open source vm/sandbox for Node.js. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Command Injection +1
NVD GitHub
EPSS 2% CVSS 10.0
CRITICAL POC PATCH Act Now

vm2 is an advanced vm/sandbox for Node.js. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Node.js Code Injection +1
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

Uptime Kuma, a self-hosted monitoring tool, allows an authenticated attacker to install a maliciously crafted plugin in versions prior to 1.22.1, which may lead to remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js RCE Uptime Kuma
NVD GitHub
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure Node Js +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A privilege escalation vulnerability exists in Node.js 20 that allowed loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Node.js OpenSSL +2
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Node.js RCE Prototype Pollution +1
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

Keystone is a content management system for Node.JS. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Node.js Open Redirect Keystone
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Gitlab
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Node.js File Upload Parse Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Socket Io Parser
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC This Week

All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Bwm Ng
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes being employed to the installModule function. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Node.js Command Injection Keep Module Latest
NVD GitHub
EPSS 1% CVSS 7.8
HIGH This Week

All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Node.js Command Injection N158
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

The n8n package 0.218.0 for Node.js allows Information Disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure N8n
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

The n8n package 0.218.0 for Node.js allows Escalation of Privileges. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Node.js N8n
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

The n8n package 0.218.0 for Node.js allows Directory Traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Path Traversal N8n
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Engine Io
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js XSS Advisor
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

@web3-react is a framework for building Ethereum Apps . Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.

Race Condition Node.js Information Disclosure +4
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js SSRF Request
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

An untrusted search path vulnerability exists in Node.js. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity.

Node.js Information Disclosure Node Js +1
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js OpenSSL Denial Of Service +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Privilege Escalation Node.js Authentication Bypass +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Sequelize is a Node.js ORM tool. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js SQLi Sequelize
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for web browsers and node.js-based servers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Node Jose
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Undici is an HTTP/1.1 client for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Undici
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Undici is an HTTP/1.1 client for Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Code Injection Node Js +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Node.js Authentication Bypass Parse Server
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers to extract files into arbitrary directories via directory traversal from a crafted ZIP or TGZ archive (for a prepackaged. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Path Traversal Hl7 Fhir Core +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Gatsby is a free and open source framework based on React that helps developers build websites and apps. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Code Injection Gatsby
NVD GitHub
EPSS 14% CVSS 8.1
HIGH PATCH This Week

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Node.js Command Injection Node Js +1
NVD
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Node Js +2
NVD
EPSS 49% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

NodeBB is an open source Node.js based forum software. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Nodebb
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Airtable.js is the JavaScript client for Airtable. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Node.js Information Disclosure Airtable
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Information Disclosure Engine Io
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Parse Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Prototype Pollution +1
NVD GitHub
EPSS 39% CVSS 9.8
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Prototype Pollution +1
NVD GitHub
Prev Page 8 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy