📦 Node.js

by Nodejs

⚠️ Known Vulnerabilities

CVE-2026-21636

CRITICAL CVSS 10.0 Jan 20, 2026

A critical vulnerability in Node.js v25's experimental permission model allows attacker-controlled inputs to bypass network restrictions and connect to arbitrary local Unix Domain Sockets. This breaks...

CVE-2025-55130

CRITICAL CVSS 9.1 Jan 20, 2026

A Node.js permissions model vulnerability allows attackers to bypass file system access restrictions using crafted relative symlink paths. This enables arbitrary file read/write operations, potentiall...

CVE-2024-3566

CRITICAL CVSS 9.8 Apr 10, 2024

CVE-2024-3566 is a command injection vulnerability affecting Windows applications that use the CreateProcess function with improper argument quoting. Attackers can execute arbitrary commands with the priv...

CVE-2024-21896

CRITICAL CVSS 9.8 Feb 20, 2024

This CVE describes a path traversal vulnerability in Node.js's experimental permission model where attackers can bypass path validation by monkey-patching Buffer.prototype.utf8Write. This allows unaut...

CVE-2023-39332

CRITICAL CVSS 9.8 Oct 18, 2023

This vulnerability allows path traversal attacks in Node.js when using non-Buffer Uint8Array objects with fs module functions. Attackers can potentially access files outside intended directories. It a...

CVE-2021-22930

CRITICAL CVSS 9.8 Oct 7, 2021

CVE-2021-22930 is a use-after-free vulnerability in Node.js that allows memory corruption attacks. An attacker could exploit this to execute arbitrary code or crash the Node.js process. This affects a...

CVE-2021-22931

CRITICAL CVSS 9.8 Aug 16, 2021

A Node.js DNS library vulnerability allows remote code execution, XSS, and application crashes due to improper validation of DNS responses. Attackers can inject malicious hostnames leading to domain hij...

CVE-2026-21637

HIGH CVSS 7.5 Jan 20, 2026

A Node.js TLS vulnerability allows remote attackers to crash TLS servers or cause resource exhaustion by triggering unhandled exceptions in PSK or ALPN callbacks during TLS handshakes. This affects an...

CVE-2025-59465

HIGH CVSS 7.5 Jan 20, 2026

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash due to an unhandled TLSSocket ECONNRESET error, enabling remote denial of service. This affects Node.js a...

CVE-2025-59466

HIGH CVSS 7.5 Jan 20, 2026

This vulnerability in Node.js causes applications to crash unrecoverably when deep recursion triggers 'Maximum call stack size exceeded' errors while async_hooks.createHook() is enabled. The error byp...

CVE-2025-59464

HIGH CVSS 7.5 Jan 20, 2026

A memory leak vulnerability in Node.js's OpenSSL integration allows remote attackers to cause denial of service through resource exhaustion. When applications call socket.getPeerCertificate(true) with...

CVE-2024-21891

HIGH CVSS 8.8 Feb 20, 2024

This vulnerability allows attackers to bypass Node.js's experimental permission model by overwriting built-in path normalization functions, enabling path traversal attacks that can access restricted f...

CVE-2023-30590

HIGH CVSS 7.5 Nov 28, 2023

This vulnerability in Node.js's crypto module causes the generateKeys() function to not properly generate public keys after setPrivateKey() is called, contrary to documentation. This can lead to incom...

CVE-2023-30585

HIGH CVSS 7.5 Nov 28, 2023

This vulnerability allows unprivileged Windows users to manipulate the %USERPROFILE% registry variable during Node.js MSI installer repair operations, tricking the system-level msiexec.exe process int...

CVE-2023-30581

HIGH CVSS 7.5 Nov 23, 2023

This vulnerability allows attackers to bypass Node.js's experimental policy mechanism by using __proto__ to require modules outside the policy.json definition. It affects all users using the experimen...

CVE-2023-38552

HIGH CVSS 7.5 Oct 18, 2023

CVE-2023-38552 is a security bypass vulnerability in Node.js's experimental policy mechanism that allows attackers to forge checksums and disable integrity checks. This affects all users of the policy...

CVE-2023-44487

HIGH CVSS 7.5 Oct 10, 2023

CVE-2023-44487 is an HTTP/2 protocol vulnerability that allows attackers to cause denial of service by rapidly resetting streams, consuming server resources. This affects any system using HTTP/2, incl...

CVE-2023-32558

HIGH CVSS 7.5 Sep 12, 2023

CVE-2023-32558 allows attackers to bypass Node.js's experimental permission model using the deprecated process.binding() API, enabling path traversal to access restricted files or directories. This af...

CVE-2023-32004

HIGH CVSS 8.8 Aug 15, 2023

This CVE describes a path traversal vulnerability in Node.js 20's experimental permission model where improper Buffer handling in file system APIs allows bypassing file permission checks. Attackers co...

CVE-2023-30589

HIGH CVSS 7.5 Jul 1, 2023

This vulnerability in Node.js's llhttp parser allows HTTP Request Smuggling (HRS) by accepting carriage return (CR) characters alone instead of requiring CRLF sequences to delimit HTTP headers. Attack...

CVE-2023-23919

HIGH CVSS 7.5 Feb 23, 2023

A cryptographic vulnerability in Node.js versions before specified patches fails to clear OpenSSL error stacks after operations, potentially causing false positive errors in subsequent cryptographic o...

CVE-2022-32212

HIGH CVSS 8.1 Jul 14, 2022

This CVE describes an OS command injection vulnerability in Node.js that allows attackers to bypass host validation checks and perform DNS rebinding attacks. It affects Node.js applications that make ...

CVE-2022-32223

HIGH CVSS 7.3 Jul 14, 2022

Node.js on Windows is vulnerable to DLL hijacking when OpenSSL is installed with a specific configuration file path. This allows attackers to execute arbitrary code by placing a malicious providers.dl...

CVE-2022-0778

HIGH CVSS 7.5 Mar 15, 2022

CVE-2022-0778 is a denial-of-service vulnerability in OpenSSL's BN_mod_sqrt() function that can cause infinite loops when parsing specially crafted certificates or private keys containing invalid elli...

CVE-2022-21824

HIGH CVSS 8.2 Feb 24, 2022

This CVE describes a prototype pollution vulnerability in Node.js's console.table() function when user-controlled input is passed to the 'properties' parameter alongside an object with '__proto__' as ...

CVE-2021-44531

HIGH CVSS 7.4 Feb 24, 2022

This vulnerability in Node.js allows attackers to bypass certificate name constraints by using arbitrary Subject Alternative Name (SAN) types, particularly URI SANs. It affects Node.js applications th...

CVE-2021-22940

HIGH CVSS 7.5 Aug 16, 2021

CVE-2021-22940 is a use-after-free vulnerability in Node.js that allows memory corruption attacks. An attacker could exploit this to potentially execute arbitrary code or crash the Node.js process. Th...

CVE-2021-22921

HIGH CVSS 7.8 Jul 12, 2021

This vulnerability allows local attackers on Windows systems to escalate privileges through PATH and DLL hijacking attacks. It affects Node.js installations where improper directory permissions enable...

CVE-2021-3450

HIGH CVSS 7.4 Mar 25, 2021

This OpenSSL vulnerability allows certificate chain validation to be bypassed when the X509_V_FLAG_X509_STRICT flag is explicitly set. It affects applications using OpenSSL 1.1.1h-1.1.1j that enable s...

CVE-2021-22883

HIGH CVSS 7.5 Mar 3, 2021

Node.js servers are vulnerable to denial of service attacks when attackers establish numerous connections with unknown protocols, causing file descriptor leaks. This can exhaust system resources, prev...

CVE-2025-55132

MEDIUM CVSS 5.3 Jan 20, 2026

A vulnerability in Node.js's permission model allows attackers to modify file timestamps using the futimes() function even when they only have read permissions. This can be used to obscure malicious a...

CVE-2025-23084

MEDIUM CVSS 5.5 Jan 28, 2025

This Node.js vulnerability on Windows incorrectly handles drive names in path.join(), treating relative paths as root directory references. This allows path traversal attacks where attackers could rea...