
CVSS: 5.3 | EPSS: 0% | CPEs: 4 | EXPL: 0

07 Feb 2025 — A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x. A vulnerability was found in NodeJS when handling HTTP/2 co... • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-400: Uncontrolled Resource Consumption • CWE-401: Missing Release of Memory after Effective Lifetime •

CVSS: 5.6 | EPSS: 0% | CPEs: 4 | EXPL: 0

28 Jan 2025 — A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API. • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.7 | EPSS: 0% | CPEs: 3 | EXPL: 0

22 Jan 2025 — With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. A flaw was found in the Node.js diagnostics_channel. This vulnerability allows an attacker to reinstate and misuse work... • https://nodejs.org/en/blog/vulnerability/january-2025-security-releases • CWE-284: Improper Access Control • CWE-863: Incorrect Authorization •

CVSS: 7.7 | EPSS: 0% | CPEs: 3 | EXPL: 0

22 Jan 2025 — With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. This is not limited only to workers but also exposes internal workers, where an instance of them can be fetched, and its constructor can be grabbed and reinstated for malicious usage. This vulnerability affects Permission Model users (--permission) on Node.js v20, v22, and v23. • https://hackerone.com/reports/2575105 • CWE-284: Improper Access Control •

CVSS: 5.9 | EPSS: 0% | CPEs: 2 | EXPL: 0

09 Jan 2025 — The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases. • http://www.openwall.com/lists/oss-security/2024/07/11/6 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 8.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

07 Sep 2024 — Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 5.9 | EPSS: 0% | CPEs: 2 | EXPL: 0

07 Sep 2024 — A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. A flaw was found in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on fil... • https://nodejs.org/en/blog/vulnerability/july-2024-security-releases • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 8.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

07 May 2024 — The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. • https://hackerone.com/reports/2237099 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 8.5 | EPSS: 0% | CPEs: 3 | EXPL: 1

09 Apr 2024 — An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition. • https://github.com/lirantal/CVE-2024-27983-nodejs-http2 • CWE-400: Uncontrolled Resource Consumption •