
CVE-2024-22018 – nodejs: fs.lstat bypasses permission model
https://notcve.org/view.php?id=CVE-2024-22018
10 Jul 2024 — A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was iss... • http://www.openwall.com/lists/oss-security/2024/07/11/6 •

CVE-2024-22020 – nodejs: Bypass network import restriction via data URL
https://notcve.org/view.php?id=CVE-2024-22020
09 Jul 2024 — A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports. Exploiting this flaw can violate network import security, posing a risk to developers and servers. • http://www.openwall.com/lists/oss-security/2024/07/11/6 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-284: Improper Access Control •

CVE-2023-30584 – Gentoo Linux Security Advisory 202405-29
https://notcve.org/view.php?id=CVE-2023-30584
09 May 2024 — A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected. • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-30582 – Gentoo Linux Security Advisory 202405-29
https://notcve.org/view.php?id=CVE-2023-30582
09 May 2024 — A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Multiple vulne... • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases • CWE-284: Improper Access Control •

CVE-2023-30583 – Gentoo Linux Security Advisory 202405-29
https://notcve.org/view.php?id=CVE-2023-30583
09 May 2024 — fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the `fs.openAsBlob()` API. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected. • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases • CWE-284: Improper Access Control •

CVE-2023-30587 – Gentoo Linux Security Advisory 202405-29
https://notcve.org/view.php?id=CVE-2023-30587
09 May 2024 — A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, attackers can modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl. This vulnerability exclusively affects Node.js users employing the permission model mechanism. Please n... • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases • CWE-284: Improper Access Control •

CVE-2024-27982 – nodejs: HTTP Request Smuggling via Content Length Obfuscation
https://notcve.org/view.php?id=CVE-2024-27982
07 May 2024 — The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. • https://hackerone.com/reports/2237099 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVE-2024-27983 – nodejs: CONTINUATION frames DoS
https://notcve.org/view.php?id=CVE-2024-27983
09 Apr 2024 — An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and then the TCP connection is abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), causing a race condition. • https://github.com/lirantal/CVE-2024-27983-nodejs-http2 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-400: Uncontrolled Resource Consumption •

CVE-2023-46809 – nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)
https://notcve.org/view.php?id=CVE-2023-46809
26 Mar 2024 — Node.js versions which bundle an unpatched version of OpenSSL, or run against a dynamically linked version of OpenSSL which is unpatched, are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key. A flaw was found in Node.js. The privateDecrypt() API of the crypto library may allow a covert timing side-channel during PKCS#1 v1.5 padding error handling. This issue revealed significant timing differenc... • https://nodejs.org/en/blog/vulnerability/february-2024-security-releases • CWE-208: Observable Timing Discrepancy CWE-385: Covert Timing Channel •

CVE-2024-22025 – nodejs: using the fetch() function to retrieve content from an untrusted URL leads to denial of service
https://notcve.org/view.php?id=CVE-2024-22025
19 Mar 2024 — A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potent... • https://hackerone.com/reports/2284065 • CWE-400: Uncontrolled Resource Consumption CWE-404: Improper Resource Shutdown or Release •