Skip to main content

Node.js

1071 CVEs product

Monthly

CVE-2022-39382 npm CRITICAL POC PATCH Act Now

Keystone is a headless CMS for Node.js - built with GraphQL and React.`@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Keystone
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-39322 npm CRITICAL POC PATCH Act Now

@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Keystone
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-39313 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-39299 npm HIGH PATCH This Week

Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Jwt Attack Node.js Passport Saml
NVD GitHub
CVSS 3.1
8.1
EPSS
3.0%
CVE-2022-37616 CRITICAL PATCH Act Now

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Code Injection Prototype Pollution Node.js Xmldom Debian Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-39288 npm HIGH PATCH This Week

fastify is a fast and low overhead web framework, for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Fastify
NVD GitHub
CVSS 3.1
7.5
EPSS
59.2%
CVE-2022-39287 npm MEDIUM PATCH This Month

tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Node.js Tiny Csrf
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-40764 npm HIGH POC PATCH This Week

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Command Injection Node.js Cli Golang Cli
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2022-41340 npm HIGH PATCH This Week

The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jwt Attack Node.js Secp256K1 Js
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2022-39231 npm LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Node.js Parse Server
NVD GitHub
CVSS 3.1
3.7
EPSS
0.4%
CVE-2022-39225 npm LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Node.js Parse Server
NVD GitHub
CVSS 3.1
3.1
EPSS
0.4%
CVE-2022-37258 npm CRITICAL POC Act Now

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Prototype Pollution Node.js Steal
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2022-37257 npm CRITICAL Act Now

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Prototype Pollution Steal
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-39203 npm HIGH PATCH This Week

matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Privilege Escalation Matrix Irc Bridge
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-39202 npm MEDIUM PATCH This Month

matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Node.js Privilege Escalation Matrix Irc Bridge
NVD GitHub
CVSS 3.1
6.3
EPSS
0.7%
CVE-2022-36083 npm MEDIUM POC PATCH This Month

JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Jose
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
1.1%
CVE-2022-36079 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-36076 npm HIGH POC PATCH This Week

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

PostgreSQL CSRF Redis Node.js Nodebb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2022-36046 LIB MEDIUM PATCH This Month

Next.js is a React framework that can provide building blocks to create web applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Node.js Next Js
NVD GitHub
CVSS 3.1
5.3
EPSS
1.0%
CVE-2022-36045 npm CRITICAL PATCH Act Now

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PostgreSQL Redis Information Disclosure Node.js Nodebb
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-35948 npm MEDIUM POC PATCH This Month

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Node.js Undici
NVD GitHub
CVSS 3.1
5.3
EPSS
1.2%
CVE-2022-35949 npm CRITICAL POC PATCH Act Now

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Node.js Undici
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2022-31183 Maven CRITICAL POC PATCH Act Now

fs2 is a compositional, streaming I/O library for Scala. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Fs2
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2022-36313 npm MEDIUM POC PATCH This Month

A malformed MKV file can trigger an infinite loop in the file-type Node.js package (versions before 16.5.4 and 17.x before 17.1.3), causing application unresponsiveness and enabling denial-of-service attacks. The vulnerability affects the Sindresorhus file-type library, a widely-used dependency for file type detection, and requires only local access and user interaction to trigger (CVSS 5.5). With an EPSS score of 0.17% (38th percentile), actual exploitation probability remains relatively low despite the moderate severity rating.

Denial Of Service Node.js File Type
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2022-32223 HIGH PATCH This Week

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Microsoft OpenSSL Node.js Information Disclosure Node Js
NVD
CVSS 3.1
7.3
EPSS
1.7%
CVE-2022-32222 MEDIUM POC This Month

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

OpenSSL Node.js Information Disclosure Node Js Sinec Ins
NVD
CVSS 3.1
5.3
EPSS
2.0%
CVE-2022-32215 MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling Llhttp Node Js +4
NVD
CVSS 3.1
6.5
EPSS
68.8%
CVE-2022-32214 npm MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling Llhttp Node Js +2
NVD
CVSS 3.1
6.5
EPSS
81.5%
CVE-2022-32213 npm MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling Llhttp Node Js +4
NVD
CVSS 3.1
6.5
EPSS
42.0%
CVE-2022-32212 HIGH This Week

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Command Injection Node.js Node Js Debian Linux +2
NVD
CVSS 3.1
8.1
EPSS
5.9%
CVE-2022-31112 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
8.2
EPSS
1.2%
CVE-2022-31089 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-33987 npm MEDIUM PATCH This Month

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Got
NVD GitHub
CVSS 3.1
5.3
EPSS
1.9%
CVE-2022-25852 npm HIGH POC PATCH This Week

All versions of package pg-native; all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Node.js Libpq Pg Native
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-31083 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Node.js Apple Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-31069 npm HIGH PATCH This Week

NestJS Proxy is a NestJS module to decorate and proxy calls. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Nestjs Proxy
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-29247 npm CRITICAL PATCH Act Now

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Electron
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-29244 npm HIGH PATCH This Week

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure npm Ontap Select Deploy Administration Utility
NVD GitHub
CVSS 3.1
7.5
EPSS
3.5%
CVE-2022-31051 npm HIGH PATCH This Week

semantic-release is an open source npm package for automated version management and package publishing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Semantic Release
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2022-1929 npm HIGH POC PATCH This Week

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Node.js Devcert
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-29256 npm MEDIUM PATCH This Month

sharp is an application for Node.js image processing. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Microsoft Command Injection Node.js Sharp
NVD GitHub
CVSS 3.1
6.7
EPSS
0.4%
CVE-2022-29229 npm HIGH PATCH This Week

CaSS is a Competency and Skills System. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure Competency And Skills System
NVD GitHub
CVSS 3.1
7.2
EPSS
0.3%
CVE-2022-29166 npm HIGH PATCH This Week

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Matrix Irc Bridge
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2022-30241 npm MEDIUM PATCH This Month

The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Jquery Json Viewer
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2022-29078 npm CRITICAL POC PATCH THREAT Act Now

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Command Injection Node.js Ejs
NVD GitHub
CVSS 3.1
9.8
EPSS
32.8%
CVE-2022-29080 npm CRITICAL POC Act Now

The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Node.js Npm Dependency Versions
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2022-24785 LIB HIGH PATCH This Week

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Path Traversal Moment Tenable Sc Active Iq +2
NVD GitHub
CVSS 3.1
7.5
EPSS
5.7%
CVE-2022-0841 npm CRITICAL POC PATCH Act Now

OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Node.js Npm Lockfile
NVD GitHub
CVSS 3.1
9.8
EPSS
2.7%
CVE-2022-21824 HIGH PATCH This Week

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Node Js Mysql Cluster Mysql Connectors +8
NVD
CVSS 3.1
8.2
EPSS
21.5%
CVE-2022-23654 MEDIUM PATCH This Month

Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Node.js Wiki Js
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-0691 npm CRITICAL POC PATCH Act Now

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Url Parse
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
CVE-2022-0686 npm CRITICAL POC PATCH Act Now

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Url Parse
NVD GitHub
CVSS 3.1
9.1
EPSS
1.8%
CVE-2022-0639 npm MEDIUM POC PATCH This Month

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Url Parse
NVD GitHub
CVSS 3.1
5.3
EPSS
1.5%
CVE-2021-43856 MEDIUM POC PATCH This Month

Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js XSS File Upload Wiki Js
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-43855 MEDIUM POC PATCH This Month

Wiki.js is a wiki app built on node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js XSS File Upload Wiki Js
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-45459 npm CRITICAL POC PATCH Act Now

lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft Node.js Command Injection Node Windows
NVD GitHub
CVSS 3.1
9.8
EPSS
4.1%
CVE-2021-43842 MEDIUM PATCH This Month

Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Node.js Docker XSS File Upload Wiki Js
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-43803 npm HIGH PATCH This Week

Next.js is a React framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Next Js
NVD GitHub
CVSS 3.1
7.5
EPSS
44.8%
CVE-2021-43800 HIGH PATCH This Week

Wiki.js is a wiki app built on Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Microsoft Path Traversal Wiki Js
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-43788 npm MEDIUM POC PATCH THREAT This Month

Nodebb is an open source Node.js based forum software. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Path Traversal Nodebb
NVD GitHub
CVSS 3.1
5.0
EPSS
25.8%
CVE-2021-43787 npm MEDIUM POC PATCH This Month

Nodebb is an open source Node.js based forum software. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal XSS Nodebb
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2021-43786 npm HIGH POC PATCH This Week

Nodebb is an open source Node.js based forum software. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Nodebb
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-40831 LIB HIGH PATCH This Week

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Authentication Bypass Apple Node.js Java +2
NVD GitHub
CVSS 3.1
7.2
EPSS
0.6%
CVE-2021-40830 LIB HIGH PATCH This Week

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Python Node.js Java Amazon Web Services Aws C Io +1
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2021-40829 LIB HIGH PATCH This Week

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Apple Information Disclosure Node.js Java +1
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2021-40828 LIB HIGH PATCH This Week

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Microsoft Information Disclosure Node.js Java +2
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2021-43616 CRITICAL POC PATCH Act Now

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure npm Next Generation Application Programming Interface Fedora
NVD GitHub
CVSS 3.1
9.8
EPSS
2.5%
CVE-2021-43571 npm CRITICAL POC PATCH Act Now

The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) 1.1.2 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Jwt Attack Ecdsa Node
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-42740 npm CRITICAL PATCH Act Now

The shell-quote package before 1.7.3 for Node.js allows command injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Node.js Command Injection Shell Quote
NVD GitHub
CVSS 3.1
9.8
EPSS
4.3%
CVE-2021-22930 CRITICAL PATCH Act Now

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Denial Of Service Memory Corruption Use After Free Node.js +4
NVD
CVSS 3.1
9.8
EPSS
37.3%
CVE-2021-41109 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-41580 npm MEDIUM PATCH This Month

The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Passport Oauth2
NVD GitHub
CVSS 3.1
5.3
EPSS
1.3%
CVE-2021-39192 npm HIGH PATCH This Week

Ghost is a Node.js content management system. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Node.js Information Disclosure Ghost
NVD GitHub
CVSS 3.1
7.2
EPSS
1.0%
CVE-2021-39187 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2021-39135 npm HIGH PATCH This Week

`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Node.js Information Disclosure Arborist Graalvm Sinec Infrastructure Network Services
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
CVE-2021-39134 npm HIGH PATCH This Week

`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Apple Microsoft Node.js Information Disclosure Arborist +2
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
CVE-2021-37713 npm HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Microsoft Path Traversal RCE Tar +2
NVD GitHub
CVSS 3.1
8.6
EPSS
1.3%
CVE-2021-37712 npm HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Microsoft Path Traversal RCE Tar +3
NVD GitHub
CVSS 3.1
8.6
EPSS
1.8%
CVE-2021-37701 npm HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js RCE Path Traversal Tar Debian Linux +2
NVD GitHub
CVSS 3.1
8.6
EPSS
3.3%
CVE-2021-32831 npm HIGH POC PATCH This Week

Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Node.js Code Injection Python Total Js
NVD GitHub
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-39171 npm HIGH PATCH This Week

Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Passport Saml
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-39157 npm HIGH POC PATCH This Week

detect-character-encoding is an open source character encoding inspection library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Detect Character Encoding
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2021-39138 npm MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Node.js Authentication Bypass Parse Server
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-39131 npm HIGH POC PATCH This Week

ced detects character encoding using Google’s compact_enc_det library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google Denial Of Service Node.js Ced
NVD GitHub
CVSS 3.1
7.5
EPSS
1.9%
CVE-2021-32830 npm HIGH POC This Week

The @diez/generation npm package is a client for Diez. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

RCE Node.js Command Injection Diez
NVD GitHub
CVSS 3.1
7.0
EPSS
1.9%
CVE-2021-32822 npm MEDIUM POC This Month

The npm hbs package is an Express view engine wrapper for Handlebars. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Hbs
NVD GitHub
CVSS 3.1
5.3
EPSS
1.2%
CVE-2021-22940 HIGH PATCH This Week

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Denial Of Service Memory Corruption Use After Free Node.js +7
NVD
CVSS 3.1
7.5
EPSS
13.9%
CVE-2021-22939 MEDIUM POC PATCH THREAT This Month

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Node Js Graalvm Jd Edwards Enterpriseone Tools +5
NVD
CVSS 3.1
5.3
EPSS
14.7%
CVE-2021-22931 CRITICAL POC PATCH THREAT Act Now

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS RCE Node.js Node Js Active Iq Unified Manager +8
NVD
CVSS 3.1
9.8
EPSS
22.0%
CVE-2021-37700 npm MEDIUM POC PATCH This Month

@github/paste-markdown is an npm package for pasting markdown objects. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js XSS Paste Markdown
NVD GitHub
CVSS 3.1
6.1
EPSS
1.7%
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Keystone is a headless CMS for Node.js - built with GraphQL and React.`@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Keystone
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Keystone
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Parse Server
NVD GitHub
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass Jwt Attack Node.js +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Code Injection Prototype Pollution Node.js +2
NVD GitHub
EPSS 59% CVSS 7.5
HIGH PATCH This Week

fastify is a fast and low overhead web framework, for Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Fastify
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Node.js Tiny Csrf
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Command Injection Node.js Cli +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jwt Attack Node.js +1
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Node.js Parse Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Prototype Pollution Node.js +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the requestedVersion variable in npm-convert.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Prototype Pollution +1
NVD GitHub VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Privilege Escalation Matrix Irc Bridge
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Node.js Privilege Escalation Matrix Irc Bridge
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Jose
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

PostgreSQL CSRF Redis +2
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Next.js is a React framework that can provide building blocks to create web applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Node.js Next Js
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PostgreSQL Redis Information Disclosure +2
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Node.js Undici
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Node.js Undici
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

fs2 is a compositional, streaming I/O library for Scala. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Fs2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

A malformed MKV file can trigger an infinite loop in the file-type Node.js package (versions before 16.5.4 and 17.x before 17.1.3), causing application unresponsiveness and enabling denial-of-service attacks. The vulnerability affects the Sindresorhus file-type library, a widely-used dependency for file type detection, and requires only local access and user interaction to trigger (CVSS 5.5). With an EPSS score of 0.17% (38th percentile), actual exploitation probability remains relatively low despite the moderate severity rating.

Denial Of Service Node.js File Type
NVD GitHub VulDB
EPSS 2% CVSS 7.3
HIGH PATCH This Week

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Microsoft OpenSSL Node.js +2
NVD
EPSS 2% CVSS 5.3
MEDIUM POC This Month

A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

OpenSSL Node.js Information Disclosure +2
NVD
EPSS 69% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +6
NVD
EPSS 81% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +4
NVD
EPSS 42% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Node.js Request Smuggling +6
NVD
EPSS 6% CVSS 8.1
HIGH This Week

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Command Injection Node.js +4
NVD
EPSS 1% CVSS 8.2
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Parse Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Parse Server
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Got
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

All versions of package pg-native; all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Node.js Libpq +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Node.js Apple +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

NestJS Proxy is a NestJS module to decorate and proxy calls. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Nestjs Proxy
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Electron
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure npm +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

semantic-release is an open source npm package for automated version management and package publishing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Semantic Release
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Node.js Devcert
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

sharp is an application for Node.js image processing. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Microsoft Command Injection Node.js +1
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

CaSS is a Competency and Skills System. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Node.js Information Disclosure Competency And Skills System
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

matrix-appservice-irc is a Node.js IRC bridge for Matrix. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Matrix Irc Bridge
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Node.js Jquery Json Viewer
NVD GitHub
EPSS 33% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Command Injection +2
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Node.js Npm Dependency Versions
NVD GitHub
EPSS 6% CVSS 7.5
HIGH PATCH This Week

Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Path Traversal Moment +4
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

OS Command Injection in GitHub repository ljharb/npm-lockfile in v2.0.3 and v2.0.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Node.js Npm Lockfile
NVD GitHub
EPSS 22% CVSS 8.2
HIGH PATCH This Week

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Node Js +10
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Node.js Wiki Js
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Url Parse
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL POC PATCH Act Now

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Url Parse
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM POC PATCH This Month

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Node.js Url Parse
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js XSS File Upload +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Wiki.js is a wiki app built on node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js XSS File Upload +1
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL POC PATCH Act Now

lib/cmd.js in the node-windows package before 1.0.0-beta.6 for Node.js allows command injection via the PID parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft Node.js Command Injection +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Wiki.js is a wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Node.js Docker XSS +2
NVD GitHub
EPSS 45% CVSS 7.5
HIGH PATCH This Week

Next.js is a React framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Next Js
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Wiki.js is a wiki app built on Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Microsoft Path Traversal +1
NVD GitHub
EPSS 26% CVSS 5.0
MEDIUM POC PATCH THREAT This Month

Nodebb is an open source Node.js based forum software. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js Path Traversal Nodebb
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Nodebb is an open source Node.js based forum software. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Path Traversal XSS +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Nodebb is an open source Node.js based forum software. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Nodebb
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Authentication Bypass Apple +4
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Python Node.js +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Apple Information Disclosure +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Microsoft Information Disclosure +4
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Information Disclosure npm +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) 1.1.2 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Jwt Attack +1
NVD GitHub
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

The shell-quote package before 1.7.3 for Node.js allows command injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Node.js Command Injection +1
NVD GitHub
EPSS 37% CVSS 9.8
CRITICAL PATCH Act Now

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Denial Of Service Memory Corruption +6
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Parse Server
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

The passport-oauth2 package before 1.6.1 for Node.js mishandles the error condition of failure to obtain an access token. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Information Disclosure Passport Oauth2
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Ghost is a Node.js content management system. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Node.js Information Disclosure +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Parse Server
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Node.js Information Disclosure Arborist +2
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Apple Microsoft Node.js +4
NVD GitHub
EPSS 1% CVSS 8.6
HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Microsoft Path Traversal +4
NVD GitHub
EPSS 2% CVSS 8.6
HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js Microsoft Path Traversal +5
NVD GitHub
EPSS 3% CVSS 8.6
HIGH PATCH This Week

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Node.js RCE Path Traversal +4
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Node.js Code Injection +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Node.js Denial Of Service Passport Saml
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

detect-character-encoding is an open source character encoding inspection library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Node.js Detect Character Encoding
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Node.js Authentication Bypass Parse Server
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

ced detects character encoding using Google’s compact_enc_det library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google Denial Of Service Node.js +1
NVD GitHub
EPSS 2% CVSS 7.0
HIGH POC This Week

The @diez/generation npm package is a client for Diez. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

RCE Node.js Command Injection +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

The npm hbs package is an Express view engine wrapper for Handlebars. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Hbs
NVD GitHub
EPSS 14% CVSS 7.5
HIGH PATCH This Week

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Denial Of Service Memory Corruption +9
NVD
EPSS 15% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Node Js +7
NVD
EPSS 22% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS RCE Node.js +10
NVD
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

@github/paste-markdown is an npm package for pasting markdown objects. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js XSS Paste Markdown
NVD GitHub
Prev Page 9 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy