Information on source package nodejs

Available versions

| Release | Version |
|---|---|
| jessie | 0.10.29~dfsg-2 |
| stretch | 4.8.2~dfsg-1 |
| buster | 10.24.0~dfsg-1~deb10u1 |
| buster (security) | 10.24.0~dfsg-1~deb10u4 |
| bullseye | 12.22.12~dfsg-1~deb11u4 |
| bookworm | 18.13.0+dfsg1-1 |
| bookworm (security) | 18.19.0+dfsg-6~deb12u1 |
| trixie | 18.19.1+dfsg-3 |
| sid | 18.20.1+dfsg-4 |

Open issues

| Bug | jessie | stretch | buster | bullseye | bookworm | trixie | sid | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-27983 | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | fixed | An attacker can make the Node.js HTTP/2 server completely unavailable ... |
| CVE-2024-27982 | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | vulnerable | fixed | |
| CVE-2024-22025 | vulnerable | vulnerable | fixed | vulnerable | vulnerable | fixed | fixed | A vulnerability in Node.js has been identified, allowing for a Denial ... |
| CVE-2024-22019 | vulnerable | vulnerable | fixed | vulnerable | vulnerable | fixed | fixed | A vulnerability in Node.js HTTP servers allows an attacker to send a s ... |
| CVE-2024-21892 | vulnerable | vulnerable | fixed | fixed | vulnerable | fixed | fixed | On Linux, Node.js ignores certain environment variables if those may h ... |
| CVE-2023-46809 | vulnerable | vulnerable | fixed | vulnerable | vulnerable | fixed | fixed | |
| CVE-2023-39333 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | |
| CVE-2023-38552 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | When the Node.js policy feature checks the integrity of a resource aga ... |
| CVE-2023-32559 | vulnerable | vulnerable | fixed | vulnerable (no DSA, ignored) | fixed | fixed | fixed | A privilege escalation vulnerability exists in the experimental policy ... |
| CVE-2023-32006 | vulnerable | vulnerable | fixed | vulnerable (no DSA, ignored) | fixed | fixed | fixed | The use of `module.constructor.createRequire()` can bypass the policy ... |
| CVE-2023-32002 | vulnerable | vulnerable | fixed | vulnerable (no DSA, ignored) | fixed | fixed | fixed | The use of `Module._load()` can bypass the policy mechanism and requir ... |
| CVE-2023-30590 | vulnerable | vulnerable | fixed | vulnerable (no DSA, ignored) | fixed | fixed | fixed | The generateKeys() API function returned from crypto.createDiffieHellm ... |
| CVE-2023-30589 | vulnerable | vulnerable | fixed | vulnerable (no DSA) | fixed | fixed | fixed | The llhttp parser in the http module in Node v20.2.0 does not strictly ... |
| CVE-2023-30588 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | When an invalid public key is used to create an x509 certificate using ... |
| CVE-2023-30581 | vulnerable | vulnerable | fixed | vulnerable (no DSA, ignored) | fixed | fixed | fixed | The use of __proto__ in process.mainModule.__proto__.require() can byp ... |
| CVE-2023-23920 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | An untrusted search path vulnerability exists in Node.js. <19.6.1, <18 ... |
| CVE-2023-23919 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16 ... |
| CVE-2023-23918 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14 ... |
| CVE-2022-43548 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A OS Command Injection vulnerability exists in Node.js versions <14.21 ... |
| CVE-2022-35256 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The llhttp parser in the http module in Node v18.7.0 does not correctl ... |
| CVE-2022-35255 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A weak randomness in WebCrypto keygen vulnerability exists in Node.js ... |
| CVE-2022-32215 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ... |
| CVE-2022-32214 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ... |
| CVE-2022-32213 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module ... |
| CVE-2022-32212 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | A OS Command Injection vulnerability exists in Node.js versions <14.20 ... |
| CVE-2022-21824 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Due to the formatting logic of the "console.table()" function it was n ... |
| CVE-2021-44534 | vulnerable | unknown | unknown | unknown | unknown | unknown | unknown | RESERVED |
| CVE-2021-44533 | vulnerable | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle m ... |
| CVE-2021-44532 | vulnerable | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (S ... |
| CVE-2021-44531 | vulnerable | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI ... |
| CVE-2021-22960 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extens ... |
| CVE-2021-22959 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The parser in accepts requests with a space (SP) right after the heade ... |
| CVE-2021-22940 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use aft ... |
| CVE-2021-22939 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | If the Node.js https API was used incorrectly and "undefined" was in p ... |
| CVE-2021-22930 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use aft ... |
| CVE-2021-22884 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to ... |
| CVE-2021-22883 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to ... |
| CVE-2020-11080 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS fra ... |
| CVE-2020-8287 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two co ... |
| CVE-2020-8265 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerab ... |
| CVE-2020-8201 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync ... |
| CVE-2020-8174 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | napi_get_value_string_*() allows various kinds of memory corruption in ... |
| CVE-2019-15606 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Including trailing white space in HTTP header values in Nodejs 10, 12, ... |
| CVE-2019-15605 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payl ... |
| CVE-2019-15604 | vulnerable | vulnerable (no DSA, ignored) | fixed | fixed | fixed | fixed | fixed | Improper Certificate Validation in Node.js 10, 12, and 13 causes the p ... |

Open unimportant issues

| Bug | jessie | stretch | buster | bullseye | bookworm | trixie | sid | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-5739 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Keep-alive HTTP and HTTPS connections can remain open and inactive for ... |
| CVE-2019-5737 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before ... |
| CVE-2018-12123 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ... |
| CVE-2018-12122 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ... |
| CVE-2018-12121 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ... |
| CVE-2018-12120 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 list ... |
| CVE-2018-12116 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request ... |
| CVE-2018-12115 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when use ... |
| CVE-2018-7167 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Calling Buffer.fill() or Buffer.alloc() with some parameters can lead ... |
| CVE-2018-7159 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The HTTP parser in all current versions of Node.js ignores spaces in t ... |
| CVE-2018-7158 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | The `'path'` module in the Node.js 4.x release line contains a potenti ... |
| CVE-2017-11499 | vulnerable | vulnerable | fixed | fixed | fixed | fixed | fixed | Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11. ... |
| CVE-2016-7099 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, ... |
| CVE-2016-5325 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | CRLF injection vulnerability in the ServerResponse#writeHead function ... |
| CVE-2016-2216 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 ... |
| CVE-2016-2086 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0 ... |
| CVE-2016-1669 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as us ... |
| CVE-2014-9748 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | The uv_rwlock_t fallback implementation for Windows XP and Server 2003 ... |
| CVE-2014-5256 | vulnerable | fixed | fixed | fixed | fixed | fixed | fixed | Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider th ... |

Resolved issues

| Bug | Description |
|---|---|
| CVE-2024-27980 | |
| CVE-2024-22017 | setuid() does not affect libuv's internal io_uring operations if initi ... |
| CVE-2024-21896 | The permission model protects itself against path traversal attacks by ... |
| CVE-2024-21891 | Node.js depends on multiple built-in utility functions to normalize pa ... |
| CVE-2024-21890 | The Node.js Permission Model does not clarify in the documentation tha ... |
| CVE-2024-3566 | A command inject vulnerability allows an attacker to perform command i ... |
| CVE-2023-39332 | Various `node:fs` functions allow specifying paths as either strings o ... |
| CVE-2023-39331 | A previously disclosed vulnerability (CVE-2023-30584) was patched insu ... |
| CVE-2023-32558 | The use of the deprecated API `process.binding()` can bypass the permi ... |
| CVE-2023-32005 | A vulnerability has been identified in Node.js version 20, affecting u ... |
| CVE-2023-32004 | A vulnerability has been discovered in Node.js version 20, specificall ... |
| CVE-2023-32003 | `fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the permis ... |
| CVE-2023-30587 | |
| CVE-2023-30586 | A privilege escalation vulnerability exists in Node.js 20 that allowed ... |
| CVE-2023-30585 | A vulnerability has been identified in the Node.js (.msi version) inst ... |
| CVE-2023-30584 | |
| CVE-2023-30583 | |
| CVE-2023-30582 | |
| CVE-2022-32223 | Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under ce ... |
| CVE-2022-32222 | A cryptographic vulnerability exists on Node.js on linux in versions o ... |
| CVE-2021-22931 | Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Co ... |
| CVE-2021-22921 | Node.js before 16.4.1, 14.17.2, and 12.22.2 is vulnerable to local pri ... |
| CVE-2020-8251 | Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) attack ... |
| CVE-2020-8172 | TLS session reuse can lead to host certificate verification bypass in ... |
| CVE-2019-9514 | Some HTTP/2 implementations are vulnerable to a reset flood, potential ... |
| CVE-2019-9513 | Some HTTP/2 implementations are vulnerable to resource loops, potentia ... |
| CVE-2019-9511 | Some HTTP/2 implementations are vulnerable to window size manipulation ... |
| CVE-2018-7166 | In all versions of Node.js 10 prior to 10.9.0, an argument processing ... |
| CVE-2018-7164 | Node.js versions 9.7.0 and later and 10.x are vulnerable and the sever ... |
| CVE-2018-7162 | All versions of Node.js 9.x and 10.x are vulnerable and the severity i ... |
| CVE-2018-7161 | All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the seve ... |
| CVE-2018-7160 | The Node.js inspector, in 6.x and later is vulnerable to a DNS rebindi ... |
| CVE-2017-15897 | Node.js had a bug in versions 8.X and 9.X which caused buffers to not ... |
| CVE-2017-15896 | Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards ... |
| CVE-2017-14919 | Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows r ... |
| CVE-2017-14849 | Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintende ... |
| CVE-2015-8027 | Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 d ... |
| CVE-2015-7384 | Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a den ... |
| CVE-2015-6764 | The BasicJsonStringifier::SerializeJSArray function in json-stringifie ... |
| CVE-2015-5380 | The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in ... |
| CVE-2013-4450 | The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8. ... |
| CVE-2012-2330 | The Update method in src/node_http_parser.cc in Node.js before 0.6.17 ... |

Security announcements

| DSA / DLA | Description |
|---|---|
| DLA-3776-1 | nodejs - security update |
| DSA-5589-1 | nodejs - security update |
| DSA-5395-1 | nodejs - security update |
| DLA-3344-1 | nodejs - security update |
| DSA-5326-1 | nodejs - security update |
| DLA-3137-1 | nodejs - security update |
| DSA-5170-1 | nodejs - security update |
| DSA-4863-1 | nodejs - security update |
| DSA-4826-1 | nodejs - security update |
| DSA-4696-1 | nodejs - security update |
| DSA-4669-1 | nodejs - security update |
