Filtered by vendor Nodejs
Subscriptions
Filtered by product Node.js
Subscriptions
Total
157 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2013-7452 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI. | ||||
| CVE-2013-7453 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing. | ||||
| CVE-2013-7454 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings. | ||||
| CVE-2014-3744 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path. | ||||
| CVE-2014-9772 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters. | ||||
| CVE-2015-2927 | 3 Debian, Nodejs, Uronode | 3 Debian Linux, Node.js, Uro Node | 2025-04-20 | N/A |
| node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption). | ||||
| CVE-2015-7384 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service. | ||||
| CVE-2015-8855 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | ||||
| CVE-2015-8860 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. | ||||
| CVE-2016-9840 | 9 Apple, Boost, Canonical and 6 more | 23 Iphone Os, Mac Os X, Tvos and 20 more | 2025-04-20 | 8.8 High |
| inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. | ||||
| CVE-2016-9841 | 9 Apple, Canonical, Debian and 6 more | 42 Iphone Os, Mac Os X, Tvos and 39 more | 2025-04-20 | 9.8 Critical |
| inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. | ||||
| CVE-2016-9842 | 8 Apple, Canonical, Debian and 5 more | 22 Iphone Os, Mac Os X, Tvos and 19 more | 2025-04-20 | 8.8 High |
| The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. | ||||
| CVE-2016-9843 | 10 Apple, Canonical, Debian and 7 more | 27 Iphone Os, Mac Os X, Tvos and 24 more | 2025-04-20 | 9.8 Critical |
| The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. | ||||
| CVE-2017-1000381 | 4 C-ares, C-ares Project, Nodejs and 1 more | 4 C-ares, C-ares, Node.js and 1 more | 2025-04-20 | 7.5 High |
| The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. | ||||
| CVE-2017-11499 | 2 Nodejs, Redhat | 2 Node.js, Rhel Software Collections | 2025-04-20 | N/A |
| Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup. | ||||
| CVE-2017-14849 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules. | ||||
| CVE-2017-14919 | 1 Nodejs | 1 Node.js | 2025-04-20 | N/A |
| Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter. | ||||
| CVE-2017-15896 | 1 Nodejs | 1 Node.js | 2025-04-20 | 9.1 Critical |
| Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption. | ||||
| CVE-2017-15897 | 1 Nodejs | 1 Node.js | 2025-04-20 | 3.1 Low |
| Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases. | ||||
| CVE-2017-3731 | 3 Nodejs, Openssl, Redhat | 4 Node.js, Openssl, Enterprise Linux and 1 more | 2025-04-20 | 7.5 High |
| If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. | ||||