CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24750 – Backpressure request ignored in fetch() in Undici
https://notcve.org/view.php?id=CVE-2024-24750
Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body. • https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663 https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw https://security.netapp.com/advisory/ntap-20240419-0006 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24758 – Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
https://notcve.org/view.php?id=CVE-2024-24758
Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • http://www.openwall.com/lists/oss-security/2024/03/11/1 https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3 https://security.netapp.com/advisory/ntap-20240419-0007 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-30585
https://notcve.org/view.php?id=CVE-2023-30585
A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, the "msiexec.exe" process attempts to create the specified path in an unsafe manner, potentially leading to the creation of arbitrary folders in arbitrary locations. The severity of this vulnerability is heightened by the fact that the %USERPROFILE% environment variable in the Windows registry can be modified by standard (or "non-privileged") users. Consequently, unprivileged actors, including malicious entities or trojans, can manipulate the environment variable key to deceive the privileged "msiexec.exe" process. This manipulation can result in the creation of folders in unintended and potentially malicious locations. It is important to note that this vulnerability is specific to Windows users who install Node.js using the .msi installer. • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39331 – nodejs: permission model improperly protects against path traversal
https://notcve.org/view.php?id=CVE-2023-39331
A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. Una vulnerabilidad previamente revelada (CVE-2023-30584) no se parchó suficientemente en el commit 205f1e6. La nueva vulnerabilidad de path traversal surge porque la implementación no se protege a sí misma contra la sobrescritura de funciones de utilidad integradas con implementaciones definidas por el usuario. Tenga en cuenta que en el momento en que se emitió este CVE, el modelo de permiso es una característica experimental de Node.js. • https://hackerone.com/reports/2092852 https://security.netapp.com/advisory/ntap-20231116-0009 https://access.redhat.com/security/cve/CVE-2023-39331 https://bugzilla.redhat.com/show_bug.cgi?id=2244413 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-38552 – nodejs: integrity checks according to policies can be circumvented
https://notcve.org/view.php?id=CVE-2023-38552
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. Cuando la función de política de Node.js verifica la integridad de un recurso con un manifiesto confiable, la aplicación puede interceptar la operación y devolver una suma de verificación falsificada a la implementación de la política del nodo, deshabilitando así efectivamente la verificación de integridad. Impactos: esta vulnerabilidad afecta a todos los usuarios que utilizan el mecanismo de política experimental en todas las líneas de versiones activas: 18.x y 20.x. Tenga en cuenta que en el momento en que se emitió este CVE, el mecanismo de política era una característica experimental de Node.js. When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to node's policy implementation, thus effectively disabling the integrity check. • https://hackerone.com/reports/2094235 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ https://lists.fedoraproject. • CWE-345: Insufficient Verification of Data Authenticity CWE-354: Improper Validation of Integrity Check Value •