
CVE-2025-23085 – nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap
https://notcve.org/view.php?id=CVE-2025-23085
07 Feb 2025 — A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x. A vulnerability was found in NodeJS when handling HTTP/2 co... • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2025-23084
https://notcve.org/view.php?id=CVE-2025-23084
28 Jan 2025 — A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of the `path.join` API. • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-36138
https://notcve.org/view.php?id=CVE-2024-36138
07 Sep 2024 — Bypass of the incomplete fix for CVE-2024-27980, which arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-27982 – nodejs: HTTP Request Smuggling via Content Length Obfuscation
https://notcve.org/view.php?id=CVE-2024-27982
07 May 2024 — The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. • https://hackerone.com/reports/2237099 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVE-2024-27983 – nodejs: CONTINUATION frames DoS
https://notcve.org/view.php?id=CVE-2024-27983
09 Apr 2024 — An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and then the TCP connection is abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition. • https://github.com/lirantal/CVE-2024-27983-nodejs-http2 • CWE-400: Uncontrolled Resource Consumption •