CVSS: 2.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-30261 – Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
https://notcve.org/view.php?id=CVE-2024-30261
04 Apr 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. Undici es un cliente HTTP/1.1, escrito desde cero para Node.js. Un atacante puede alterar la opción `integridad` pasada a `fetch()`, permitiendo que `fetch()` acepte solicitudes como válidas incluso si han sido manipuladas. • https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055 • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24750 – Backpressure request ignored in fetch() in Undici
https://notcve.org/view.php?id=CVE-2024-24750
16 Feb 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body. • https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24758 – Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
https://notcve.org/view.php?id=CVE-2024-24758
16 Feb 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • http://www.openwall.com/lists/oss-security/2024/03/11/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30585
https://notcve.org/view.php?id=CVE-2023-30585
28 Nov 2023 — A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, ... • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-39331 – nodejs: permission model improperly protects against path traversal
https://notcve.org/view.php?id=CVE-2023-39331
18 Oct 2023 — A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Una vulnerabilidad previamente revelada (CVE-2023-30584) no se parchó suficientemente en el commit 205f1e6. L... • https://hackerone.com/reports/2092852 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-38552 – nodejs: integrity checks according to policies can be circumvented
https://notcve.org/view.php?id=CVE-2023-38552
18 Oct 2023 — When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. Cuando la función ... • https://hackerone.com/reports/2094235 • CWE-345: Insufficient Verification of Data Authenticity CWE-354: Improper Validation of Integrity Check Value •
CVSS: 10.0EPSS: 2%CPEs: 2EXPL: 0CVE-2023-39332 – nodejs: path traversal through path stored in Uint8Array
https://notcve.org/view.php?id=CVE-2023-39332
18 Oct 2023 — Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. • https://hackerone.com/reports/2199818 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.0EPSS: 1%CPEs: 4EXPL: 0CVE-2023-45143 – Undici's cookie header not cleared on cross-origin redirect in fetch
https://notcve.org/view.php?id=CVE-2023-45143
12 Oct 2023 — Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to a... • https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-32558 – Gentoo Linux Security Advisory 202405-29
https://notcve.org/view.php?id=CVE-2023-32558
12 Sep 2023 — The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. El uso de la API obsoleta `process.binding()` puede omitir el modelo de permiso a través del Path Traversal. Esta vulnerabilidad afecta a todos los usuarios que utilizan el modelo de permisos experiment... • https://hackerone.com/reports/2051257 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •