Nodejs Security Vulnerabilities (CVEs)

A Node.js TLS vulnerability allows remote attackers to crash TLS servers or cause resource exhaustion by triggering unhandled exceptions in PSK or ALP...

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash due to an unhandled TLSSocket ECONNRESET error, enablin...

This vulnerability in Node.js causes applications to crash unrecoverably when deep recursion triggers 'Maximum call stack size exceeded' errors while ...

A vulnerability in Node.js's permission model allows attackers to modify file timestamps using the futimes() function even when they only have read pe...

A memory leak vulnerability in Node.js's OpenSSL integration allows remote attackers to cause denial of service through resource exhaustion. When appl...

This vulnerability in Undici HTTP client allows a malicious server to send specially crafted compressed responses that force the client to perform exc...

This Node.js vulnerability on Windows incorrectly handles drive names in path.join(), treating relative paths as root directory references. This allow...

This vulnerability allows attackers to bypass Node.js's experimental permission model by overwriting built-in path normalization functions, enabling p...

This vulnerability in Node.js's crypto module causes the generateKeys() function to not properly generate public keys after setPrivateKey() is called,...

This vulnerability allows unprivileged Windows users to manipulate the %USERPROFILE% registry variable during Node.js MSI installer repair operations,...

This vulnerability allows attackers to bypass Node.js's experimental policy mechanism by using __proto__ to require modules outside the policy.json de...

CVE-2023-38552 is a security bypass vulnerability in Node.js's experimental policy mechanism that allows attackers to forge checksums and disable inte...

CVE-2023-44487 is an HTTP/2 protocol vulnerability that allows attackers to cause denial of service by rapidly resetting streams, consuming server res...

CVE-2023-32558 allows attackers to bypass Node.js's experimental permission model using the deprecated process.binding() API, enabling path traversal ...

This CVE describes a path traversal vulnerability in Node.js 20's experimental permission model where improper Buffer handling in file system APIs all...

This vulnerability in Node.js's llhttp parser allows HTTP Request Smuggling (HRS) by accepting carriage return (CR) characters alone instead of requir...

A cryptographic vulnerability in Node.js versions before specified patches fails to clear OpenSSL error stacks after operations, potentially causing f...

This CVE describes an OS command injection vulnerability in Node.js that allows attackers to bypass host validation checks and perform DNS rebinding a...

Node.js on Windows is vulnerable to DLL hijacking when OpenSSL is installed with a specific configuration file path. This allows attackers to execute ...

CVE-2022-0778 is a denial-of-service vulnerability in OpenSSL's BN_mod_sqrt() function that can cause infinite loops when parsing specially crafted ce...

This CVE describes a prototype pollution vulnerability in Node.js's console.table() function when user-controlled input is passed to the 'properties' ...

This vulnerability in Node.js allows attackers to bypass certificate name constraints by using arbitrary Subject Alternative Name (SAN) types, particu...

CVE-2021-22940 is a use-after-free vulnerability in Node.js that allows memory corruption attacks. An attacker could exploit this to potentially execu...

This vulnerability allows local attackers on Windows systems to escalate privileges through PATH and DLL hijacking attacks. It affects Node.js install...

Node.js servers are vulnerable to denial of service attacks when attackers establish numerous connections with unknown protocols, causing file descrip...