Bug | jessie | stretch | buster | bullseye | bookworm | trixie | sid | Description |
---|---|---|---|---|---|---|---|---|
CVE-2024-27983 | vulnerable | vulnerable | fixed | fixed | vulnerable | fixed | fixed | An attacker can make the Node.js HTTP/2 server completely unavailable ... |
CVE-2024-27982 | fixed | fixed | fixed | fixed | vulnerable | fixed | fixed | The team has identified a critical vulnerability in the http server of ... |
CVE-2024-22025 | vulnerable | vulnerable | fixed | fixed | vulnerable | fixed | fixed | A vulnerability in Node.js has been identified, allowing for a Denial ... |
CVE-2024-22020 | fixed | fixed | fixed | fixed | vulnerable | fixed | fixed | A security flaw in Node.js allows a bypass of network import restrict ... |
CVE-2024-22019 | vulnerable | vulnerable | fixed | fixed | vulnerable | fixed | fixed | A vulnerability in Node.js HTTP servers allows an attacker to send a s ... |
CVE-2024-21892 | vulnerable | vulnerable | fixed | fixed | vulnerable | fixed | fixed | On Linux, Node.js ignores certain environment variables if those may h ... |
CVE-2023-46809 | vulnerable | vulnerable | fixed | fixed | vulnerable | fixed | fixed | Node.js versions which bundle an unpatched version of OpenSSL or run a ... |
CVE-2023-39333 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Maliciously crafted export names in an imported WebAssembly module can ... |
CVE-2023-38552 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | When the Node.js policy feature checks the integrity of a resource aga ... |
CVE-2023-32559 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A privilege escalation vulnerability exists in the experimental policy ... |
CVE-2023-32006 | vulnerable | vulnerable | fixed | vulnerable (no DSA, ignored) | fixed | fixed | fixed | The use of `module.constructor.createRequire()` can bypass the policy ... |
CVE-2023-32002 | vulnerable | vulnerable | fixed | vulnerable (no DSA, ignored) | fixed | fixed | fixed | The use of `Module._load()` can bypass the policy mechanism and requir ... |
CVE-2023-30590 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The generateKeys() API function returned from crypto.createDiffieHellm ... |
CVE-2023-30589 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The llhttp parser in the http module in Node v20.2.0 does not strictly ... |
CVE-2023-30588 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | When an invalid public key is used to create an x509 certificate using ... |
CVE-2023-30581 | vulnerable | vulnerable | fixed | vulnerable (no DSA, ignored) | fixed | fixed | fixed | The use of __proto__ in process.mainModule.__proto__.require() can byp ... |
CVE-2023-23920 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | An untrusted search path vulnerability exists in Node.js. <19.6.1, <18 ... |
CVE-2023-23919 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16 ... |
CVE-2023-23918 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14 ... |
CVE-2022-43548 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A OS Command Injection vulnerability exists in Node.js versions <14.21 ... |
CVE-2022-35256 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The llhttp parser in the http module in Node v18.7.0 does not correctl ... |
CVE-2022-35255 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A weak randomness in WebCrypto keygen vulnerability exists in Node.js ... |
CVE-2022-32215 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ... |
CVE-2022-32214 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ... |
CVE-2022-32213 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ... |
CVE-2022-32212 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A OS Command Injection vulnerability exists in Node.js versions <14.20 ... |
CVE-2022-21824 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Due to the formatting logic of the "console.table()" function it was n ... |
CVE-2021-44533 | vulnerable | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle m ... |
CVE-2021-44532 | vulnerable | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (S ... |
CVE-2021-44531 | vulnerable | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI ... |
CVE-2021-22960 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extens ... |
CVE-2021-22959 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The parser in accepts requests with a space (SP) right after the heade ... |
CVE-2021-22940 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use aft ... |
CVE-2021-22939 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | If the Node.js https API was used incorrectly and "undefined" was in p ... |
CVE-2021-22930 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use aft ... |
CVE-2021-22884 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to ... |
CVE-2021-22883 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to ... |
CVE-2020-11080 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS fra ... |
CVE-2020-8287 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two co ... |
CVE-2020-8265 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerab ... |
CVE-2020-8201 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync ... |
CVE-2020-8174 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | napi_get_value_string_*() allows various kinds of memory corruption in ... |
CVE-2019-15606 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Including trailing white space in HTTP header values in Nodejs 10, 12, ... |
CVE-2019-15605 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payl ... |
CVE-2019-15604 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Improper Certificate Validation in Node.js 10, 12, and 13 causes the p ... |
CVE-2019-5739 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Keep-alive HTTP and HTTPS connections can remain open and inactive for ... |
CVE-2019-5737 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before ... |
CVE-2018-12123 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ... |
CVE-2018-12122 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ... |
CVE-2018-12121 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ... |
CVE-2018-12120 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 list ... |
CVE-2018-12116 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request ... |
CVE-2018-12115 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when use ... |
CVE-2018-7167 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Calling Buffer.fill() or Buffer.alloc() with some parameters can lead ... |
CVE-2018-7159 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The HTTP parser in all current versions of Node.js ignores spaces in t ... |
CVE-2018-7158 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The `'path'` module in the Node.js 4.x release line contains a potenti ... |
CVE-2017-11499 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11. ... |
CVE-2016-7099 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, ... |
CVE-2016-5325 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | CRLF injection vulnerability in the ServerResponse#writeHead function ... |
CVE-2016-2216 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 ... |
CVE-2016-2086 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0 ... |
CVE-2016-1669 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as us ... |
CVE-2014-9748 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | The uv_rwlock_t fallback implementation for Windows XP and Server 2003 ... |
CVE-2014-5256 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider th ... |
Bug | Description |
---|---|
CVE-2024-37372 | |
CVE-2024-36138 | Bypass incomplete fix of CVE-2024-27980, that arises from improper han ... |
CVE-2024-36137 | A vulnerability has been identified in Node.js, affecting users of the ... |
CVE-2024-27980 | |
CVE-2024-22018 | A vulnerability has been identified in Node.js, affecting users of the ... |
CVE-2024-22017 | setuid() does not affect libuv's internal io_uring operations if initi ... |
CVE-2024-21896 | The permission model protects itself against path traversal attacks by ... |
CVE-2024-21891 | Node.js depends on multiple built-in utility functions to normalize pa ... |
CVE-2024-21890 | The Node.js Permission Model does not clarify in the documentation tha ... |
CVE-2024-3566 | A command inject vulnerability allows an attacker to perform command i ... |
CVE-2023-39332 | Various `node:fs` functions allow specifying paths as either strings o ... |
CVE-2023-39331 | A previously disclosed vulnerability (CVE-2023-30584) was patched insu ... |
CVE-2023-32558 | The use of the deprecated API `process.binding()` can bypass the permi ... |
CVE-2023-32005 | A vulnerability has been identified in Node.js version 20, affecting u ... |
CVE-2023-32004 | A vulnerability has been discovered in Node.js version 20, specificall ... |
CVE-2023-32003 | `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permis ... |
CVE-2023-30587 | A vulnerability in Node.js version 20 allows for bypassing restriction ... |
CVE-2023-30586 | A privilege escalation vulnerability exists in Node.js 20 that allowed ... |
CVE-2023-30585 | A vulnerability has been identified in the Node.js (.msi version) inst ... |
CVE-2023-30584 | A vulnerability has been discovered in Node.js version 20, specificall ... |
CVE-2023-30583 | fs.openAsBlob() can bypass the experimental permission model when usin ... |
CVE-2023-30582 | A vulnerability has been identified in Node.js version 20, affecting u ... |
CVE-2022-32223 | Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under ce ... |
CVE-2022-32222 | A cryptographic vulnerability exists on Node.js on linux in versions o ... |
CVE-2021-22931 | Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Co ... |
CVE-2021-22921 | Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local pri ... |
CVE-2020-8251 | Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attack ... |
CVE-2020-8172 | TLS session reuse can lead to host certificate verification bypass in ... |
CVE-2019-9514 | Some HTTP/2 implementations are vulnerable to a reset flood, potential ... |
CVE-2019-9513 | Some HTTP/2 implementations are vulnerable to resource loops, potentia ... |
CVE-2019-9511 | Some HTTP/2 implementations are vulnerable to window size manipulation ... |
CVE-2018-7166 | In all versions of Node.js 10 prior to 10.9.0, an argument processing ... |
CVE-2018-7164 | Node.js versions 9.7.0 and later and 10.x are vulnerable and the sever ... |
CVE-2018-7162 | All versions of Node.js 9.x and 10.x are vulnerable and the severity i ... |
CVE-2018-7161 | All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the seve ... |
CVE-2018-7160 | The Node.js inspector, in 6.x and later is vulnerable to a DNS rebindi ... |
CVE-2017-15897 | Node.js had a bug in versions 8.X and 9.X which caused buffers to not ... |
CVE-2017-15896 | Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards ... |
CVE-2017-14919 | Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows r ... |
CVE-2017-14849 | Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintende ... |
CVE-2015-8027 | Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 d ... |
CVE-2015-7384 | Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a den ... |
CVE-2015-6764 | The BasicJsonStringifier::SerializeJSArray function in json-stringifie ... |
CVE-2015-5380 | The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in ... |
CVE-2013-4450 | The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8. ... |
CVE-2012-2330 | The Update method in src/node_http_parser.cc in Node.js before 0.6.17 ... |