Vulnerabilities (CVE)

Vendor filter

Nodejs Subscribe

Product filter

Node.js Subscribe

Filter

50 total CVE
CVE Vendors Products Updated CVSS
CVE-2018-7159 1 Nodejs 1 Node.js 2019-08-06 5.0
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the...
CVE-2018-5407 7 Nodejs, Openssl, Canonical and 4 more 20 Node.js, Openssl, Ubuntu Linux and 17 more 2019-07-23 1.9
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVE-2018-0735 6 Netapp, Openssl, Canonical and 3 more 22 Cloud Backup, Oncommand Unified Manager, Santricity Smi-s Provider and 19 more 2019-07-23 4.3
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in...
CVE-2019-5737 2 Nodejs, Opensuse 2 Node.js, Leap 2019-07-22 5.0
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very...
CVE-2018-12123 1 Nodejs 1 Node.js 2019-07-22 4.3
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using...
CVE-2018-12122 2 Nodejs, Suse 4 Node.js, Suse Enterprise Storage, Suse Linux Enterprise Server and 1 more 2019-07-22 5.0
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources...
CVE-2018-12121 1 Nodejs 1 Node.js 2019-07-22 5.0
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion...
CVE-2018-12116 2 Nodejs, Suse 4 Node.js, Suse Enterprise Storage, Suse Linux Enterprise Server and 1 more 2019-07-22 5.0
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a...
CVE-2018-0734 6 Netapp, Openssl, Canonical and 3 more 19 Cloud Backup, Oncommand Unified Manager, Santricity Smi-s Provider and 16 more 2019-06-11 4.3
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL...
CVE-2019-5739 2 Nodejs, Opensuse 2 Node.js, Leap 2019-05-10 5.0
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and...
CVE-2018-12115 2 Nodejs, Redhat 2 Node.js, Openshift Container Platform 2019-03-12 5.0
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds...
CVE-2018-1000168 2 Nghttp2, Nodejs 2 Nghttp2, Node.js 2019-03-05 5.0
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via...
CVE-2018-7161 1 Nodejs 1 Node.js 2019-02-28 7.8
All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the...
CVE-2018-7167 1 Nodejs 1 Node.js 2019-01-01 5.0
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they...
CVE-2018-12120 1 Nodejs 1 Node.js 2018-12-28 6.8
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with `node --debug` or `node debug`, it listens to port 5858 on all interfaces by default. This may allow remote...
CVE-2018-7166 1 Nodejs 1 Node.js 2018-11-07 5.0
In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument...
CVE-2018-7162 1 Nodejs 1 Node.js 2018-08-06 7.8
All versions of Node.js 9.x and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by...
CVE-2017-16024 2 Nodejs, Sync-exec Project 2 Node.js, Sync-exec 2018-07-20 4.0
The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an...
CVE-2016-6306 4 Hp, Openssl, Novell and 1 more 7 Suse Linux Enterprise Module For Web Scripting, Openssl, Icewall Sso and 4 more 2018-07-14 4.3
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
CVE-2018-7160 1 Nodejs 1 Node.js 2018-06-27 6.8
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another...