
CVE-2024-22019 – nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
https://notcve.org/view.php?id=CVE-2024-22019
20 Feb 2024 — A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). Because no limit was placed on the number of chunk extension bytes, the server reads an unbounded number of bytes from a single connection. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits, since extension bytes are not counted as body. • http://www.openwall.com/lists/oss-security/2024/03/11/1 • CWE-400: Uncontrolled Resource Consumption CWE-404: Improper Resource Shutdown or Release •
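
The following is an added example, not Node's HTTP parser or llhttp: an incremental HTTP/1.1 chunked-body decoder that counts chunk-extension bytes against a cap and aborts as soon as it is exceeded, instead of reading until a CRLF that the peer never sends. The 16 KiB default cap, the sample bodies and the attack model ("1;" followed by endless extension bytes) are all constructed for this example; `simulateAttack` makes the "body size limit never fires" point visible by reporting how many bytes were read versus how many counted as body.

```javascript
// Added example (not Node's http parser): chunked-body decoder with a cap on
// chunk-extension bytes. The cap value and all inputs are assumptions.
const DEFAULT_MAX_EXTENSION_BYTES = 16 * 1024;

class ChunkedDecoder {
  constructor(maxExtensionBytes = DEFAULT_MAX_EXTENSION_BYTES) {
    this.maxExt = maxExtensionBytes;
    this.state = "SIZE"; // SIZE -> EXT -> SIZE_LF -> DATA -> DATA_CR -> DATA_LF -> SIZE ... -> LAST_CR -> LAST_LF
    this.sizeHex = "";
    this.extBytes = 0;   // extension bytes seen on the current chunk-size line
    this.remaining = 0;  // payload bytes still owed by the current chunk
    this.body = "";
    this.done = false;
  }

  // Feed bytes as they arrive off the socket (latin1 string for simplicity).
  // A limit violation throws immediately; the decoder never waits for a CRLF
  // that the peer can simply decline to send.
  push(data) {
    let i = 0;
    while (i < data.length && !this.done) {
      const c = data[i];
      switch (this.state) {
        case "SIZE":
          if (/[0-9a-fA-F]/.test(c)) {
            if (this.sizeHex.length >= 16) throw new Error("chunk size too long");
            this.sizeHex += c;
          } else if (c === ";" || c === "\r") {
            if (this.sizeHex === "") throw new Error("missing chunk size");
            this.state = c === ";" ? "EXT" : "SIZE_LF";
          } else {
            throw new Error("invalid chunk size");
          }
          i++;
          break;
        case "EXT":
          // chunk-ext (RFC 9112): everything between the size and CRLF. Count it.
          if (c === "\r") {
            this.state = "SIZE_LF";
          } else if (++this.extBytes > this.maxExt) {
            throw new Error(`chunk extension exceeds ${this.maxExt} bytes`);
          }
          i++;
          break;
        case "SIZE_LF":
          if (c !== "\n") throw new Error("expected LF after chunk size");
          this.remaining = parseInt(this.sizeHex, 16);
          this.sizeHex = "";
          this.extBytes = 0;
          this.state = this.remaining === 0 ? "LAST_CR" : "DATA";
          i++;
          break;
        case "DATA": {
          const take = Math.min(this.remaining, data.length - i);
          this.body += data.slice(i, i + take);
          this.remaining -= take;
          i += take;
          if (this.remaining === 0) this.state = "DATA_CR";
          break;
        }
        case "DATA_CR":
          if (c !== "\r") throw new Error("expected CR after chunk data");
          this.state = "DATA_LF";
          i++;
          break;
        case "DATA_LF":
          if (c !== "\n") throw new Error("expected LF after chunk data");
          this.state = "SIZE";
          i++;
          break;
        case "LAST_CR": // zero-size chunk seen; trailer fields are not supported here
          if (c !== "\r") throw new Error("trailers not supported");
          this.state = "LAST_LF";
          i++;
          break;
        case "LAST_LF":
          if (c !== "\n") throw new Error("expected LF after last chunk");
          this.done = true;
          i++;
          break;
      }
    }
  }
}

// Decode a complete body delivered in arbitrary pieces; returns the payload.
function decodeChunked(pieces, maxExtensionBytes) {
  const d = new ChunkedDecoder(maxExtensionBytes);
  for (const p of pieces) d.push(p);
  if (!d.done) throw new Error("truncated chunked body");
  return d.body;
}

// Model the attack: "1;" followed by a stream of extension bytes. Returns how
// many bytes the server read before giving up and how many of those a
// body-size limit would have counted (always zero: extensions are not body).
function simulateAttack(maxExtensionBytes, pieces = 50, pieceSize = 1024) {
  const d = new ChunkedDecoder(maxExtensionBytes);
  const filler = "x".repeat(pieceSize);
  let bytesRead = 2;
  d.push("1;");
  try {
    for (let n = 0; n < pieces; n++) {
      bytesRead += pieceSize;
      d.push(filler);
    }
    return { rejected: false, bytesRead, bodyBytes: d.body.length };
  } catch (e) {
    return { rejected: true, bytesRead, bodyBytes: d.body.length, reason: e.message };
  }
}
```

With a 4 KiB cap the decoder rejects the connection after roughly 5 KiB; with no cap (`simulateAttack(Infinity)`) it keeps reading indefinitely while the body counter stays at zero, which is exactly why a body-size limit alone does not help.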

CVE-2024-21892 – nodejs: code injection and privilege escalation through Linux capabilities
https://notcve.org/view.php?id=CVE-2024-21892
20 Feb 2024 — On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges, with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges. • http://www.openwall.com/lists/oss-security/2024/03/11/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-269: Improper Privilege Management •
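
The following is an added illustration, not Node's credentials code: it implements the rule the advisory states (honour a user-controlled variable such as NODE_OPTIONS only when the effective capability set is empty or is exactly CAP_NET_BIND_SERVICE) and, for contrast, a hypothetical flawed check that looks at only one 32-bit word of the mask. The flawed variant is not a transcription of Node's bug; it shows one way "applies the exception even when other capabilities have been set" can happen. The /proc/self/status excerpts and the NODE_OPTIONS value are constructed; the "CapEff:" 64-bit hex format is the Linux one.

```javascript
// Added illustration (not Node's code). Capability numbers are from
// linux/capability.h; status text and env values below are constructed.
const CAP_NET_BIND_SERVICE = 10n;
const CAP_SYS_ADMIN = 21n;
const CAP_BPF = 39n; // one of the capabilities held above bit 31

const capMask = (...caps) => caps.reduce((m, c) => m | (1n << c), 0n);

function parseCapEff(statusText) {
  const m = /^CapEff:\s*([0-9a-fA-F]{1,16})$/m.exec(statusText);
  if (!m) throw new Error("no CapEff line");
  return BigInt("0x" + m[1]);
}

// Rule stated in the advisory: trust the user's environment only when the
// process holds no capabilities at all, or exactly CAP_NET_BIND_SERVICE.
function mayHonourUserEnv(capEff) {
  return capEff === 0n || capEff === capMask(CAP_NET_BIND_SERVICE);
}

// Hypothetical flawed check for contrast (assumption, not Node's code): it
// inspects only the 32-bit word containing CAP_NET_BIND_SERVICE, so any
// capability held in the other word is invisible to it.
function mayHonourUserEnvFlawed(capEff) {
  const lowWord = capEff & 0xffffffffn;
  return lowWord === 0n || lowWord === capMask(CAP_NET_BIND_SERVICE);
}

// What the process would actually hand to its option parser.
function effectiveNodeOptions(statusText, env, check = mayHonourUserEnv) {
  return check(parseCapEff(statusText)) ? env.NODE_OPTIONS : undefined;
}

// Constructed /proc/self/status excerpts for a few capability sets.
function statusWith(mask) {
  const hex = mask.toString(16).padStart(16, "0");
  return `Name:\tnode\nCapInh:\t0000000000000000\nCapPrm:\t${hex}\nCapEff:\t${hex}\n`;
}
const SAMPLES = {
  plain:        statusWith(0n),
  bindOnly:     statusWith(capMask(CAP_NET_BIND_SERVICE)),
  bindAndAdmin: statusWith(capMask(CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN)),
  bindAndBpf:   statusWith(capMask(CAP_NET_BIND_SERVICE, CAP_BPF)),
};
const USER_ENV = { NODE_OPTIONS: "--require /tmp/user-supplied.js" }; // constructed
```

For `bindAndBpf` (mask 0x8000000400) the correct check refuses the variable, while the flawed one sees only 0x400 in the low word and honours it; that is the shape of failure the advisory describes, independent of how Node's own code was written.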

CVE-2024-24750 – Backpressure request ignored in fetch() in Undici
https://notcve.org/view.php?id=CVE-2024-24750
16 Feb 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body. • https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663 • CWE-400: Uncontrolled Resource Consumption •

CVE-2024-24758 – Proxy-Authorization header not cleared on cross-origin redirect in fetch in Undici
https://notcve.org/view.php?id=CVE-2024-24758
16 Feb 2024 — Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared `Authorization` headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • http://www.openwall.com/lists/oss-security/2024/03/11/1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2023-30585
https://notcve.org/view.php?id=CVE-2023-30585
28 Nov 2023 — A vulnerability has been identified in the Node.js (.msi version) installation process, specifically affecting Windows users who install Node.js using the .msi installer. This vulnerability emerges during the repair operation, where the "msiexec.exe" process, running under the NT AUTHORITY\SYSTEM context, attempts to read the %USERPROFILE% environment variable from the current user's registry. The issue arises when the path referenced by the %USERPROFILE% environment variable does not exist. In such cases, ... • https://nodejs.org/en/blog/vulnerability/june-2023-security-releases •

CVE-2023-39333 – nodejs: code injection via WebAssembly export names
https://notcve.org/view.php?id=CVE-2023-39333
26 Oct 2023 — Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option. • https://nodejs.org/en/blog/vulnerability/october-2023-security-releases • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-39331 – nodejs: permission model improperly protects against path traversal
https://notcve.org/view.php?id=CVE-2023-39331
18 Oct 2023 — A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. • https://hackerone.com/reports/2092852 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-38552 – nodejs: integrity checks according to policies can be circumvented
https://notcve.org/view.php?id=CVE-2023-38552
18 Oct 2023 — When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to Node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js. • https://hackerone.com/reports/2094235 • CWE-345: Insufficient Verification of Data Authenticity CWE-354: Improper Validation of Integrity Check Value •

CVE-2023-39332 – nodejs: path traversal through path stored in Uint8Array
https://notcve.org/view.php?id=CVE-2023-39332
18 Oct 2023 — Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. • https://hackerone.com/reports/2199818 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
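
The following is an added illustration, not Node's permission-model code, covering both CVE-2023-39331 (built-ins overwritten by the application) and CVE-2023-39332 (paths passed as a plain `Uint8Array`). An "is this path inside the allowed root?" check is written twice: the naive version decodes only strings and `Buffer`s and looks up `String.prototype.split` at call time, the hardened version decodes any `Uint8Array` and uses references to the built-ins captured at load time (Node's own "primordials" technique). The root directory, the sample paths and the simulated application that patches `String.prototype.split` are constructed for the example.

```javascript
// Added illustration (not Node's code). Root, inputs and the patching
// "application" are assumptions made for the example.

// Capture the built-ins this check relies on before any application code runs.
// A later reassignment of String.prototype.split cannot change these references.
const uncurryThis = Function.prototype.bind.bind(Function.prototype.call);
const StringPrototypeSplit = uncurryThis(String.prototype.split);
const StringPrototypeStartsWith = uncurryThis(String.prototype.startsWith);
const ArrayPrototypeJoin = uncurryThis(Array.prototype.join);
const TextDecoderPrototypeDecode = uncurryThis(TextDecoder.prototype.decode);
const utf8 = new TextDecoder();

const ROOT = "/srv/app"; // assumed allowed directory

// Minimal POSIX normalisation of an absolute path: drop "" and ".", apply "..".
// `ops` supplies split/join so the two variants differ only in where they get
// them from. (Real code would capture push/pop and the array iterator as well.)
function normalize(ops, p) {
  const out = [];
  const segs = ops.split(p, "/");
  for (let i = 0; i < segs.length; i++) {
    const seg = segs[i];
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + ops.join(out, "/");
}

const dynamicOps  = { split: (s, sep) => s.split(sep), join: (a, sep) => a.join(sep) };
const capturedOps = { split: StringPrototypeSplit, join: ArrayPrototypeJoin };

function resolveUnder(ops, s) {
  return normalize(ops, s[0] === "/" ? s : ROOT + "/" + s);
}

// Naive: decodes strings and Buffers only. A plain Uint8Array falls through to
// String(p), which yields "46,46,47,..." rather than the text of the bytes.
function isAllowedNaive(p) {
  const s = Buffer.isBuffer(p) ? p.toString("utf8") : String(p);
  const r = resolveUnder(dynamicOps, s);
  return r === ROOT || r.startsWith(ROOT + "/");
}

// Hardened: every Uint8Array (Buffer included, since Buffer extends Uint8Array)
// is decoded the same way the filesystem layer will read it.
function isAllowedHardened(p) {
  let s;
  if (typeof p === "string") s = p;
  else if (p instanceof Uint8Array) s = TextDecoderPrototypeDecode(utf8, p);
  else throw new TypeError("path must be a string or Uint8Array");
  const r = resolveUnder(capturedOps, s);
  return r === ROOT || StringPrototypeStartsWith(r, ROOT + "/");
}

// Gap 1: the same bytes as a plain Uint8Array and as a Buffer.
function demonstrateUint8Array() {
  const bytes = new TextEncoder().encode("../../etc/passwd"); // constructed input
  return {
    naiveSaw: String(bytes).slice(0, 8),             // "46,46,47": the check never saw a path
    naive: isAllowedNaive(bytes),                    // true (wrong: the fs call would open /etc/passwd)
    naiveBuffer: isAllowedNaive(Buffer.from(bytes)), // false: the Buffer case was already handled
    hardened: isAllowedHardened(bytes),              // false
  };
}

// Gap 2: application code replaces String.prototype.split after this module
// loaded, hiding ".." segments from anyone who looks the method up dynamically.
function demonstrateSplitOverride() {
  const original = String.prototype.split;
  String.prototype.split = function (sep) {
    return original.call(this, sep).filter((seg) => seg !== "..");
  };
  try {
    return {
      naive: isAllowedNaive("../../etc/passwd"),       // true (wrong)
      hardened: isAllowedHardened("../../etc/passwd"), // false
    };
  } finally {
    String.prototype.split = original;
  }
}
```

Both gaps have the same shape: the check reasons about a value different from the one the operation will actually use, either because the input type was not decoded or because a dependency was swapped out from under it.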

CVE-2023-45143 – Undici's cookie header not cleared on cross-origin redirect in fetch
https://notcve.org/view.php?id=CVE-2023-45143
12 Oct 2023 — Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect between the assumptions the spec made and undici's implementation of fetch. As such this may lead to a... • https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
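
The following is an added example, not undici's implementation, serving both the Proxy-Authorization entry (CVE-2024-24758) and the Cookie entry above: the header-scrubbing rule a fetch() client applies when following a redirect, with all three credential-bearing headers on the cross-origin strip list, plus a simulated redirect chain that records what each hop would have received. The origins, request headers and response table are constructed; a same-origin comparison is scheme plus host, where host includes any non-default port.

```javascript
// Added example (not undici's code). Origins, headers and responses are constructed.
const STRIP_ON_CROSS_ORIGIN = new Set(["authorization", "proxy-authorization", "cookie"]);

function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host; // host includes a non-default port
}

const lowerCaseKeys = (h) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

// Headers to send when a response to `from` redirects to `location`.
function headersForRedirect(from, location, headers) {
  const target = new URL(location, from).href; // Location may be relative
  const crossOrigin = !sameOrigin(from, target);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossOrigin && STRIP_ON_CROSS_ORIGIN.has(lower)) continue;
    out[lower] = value;
  }
  return { url: target, headers: out };
}

// Walk a redirect chain against a table of responses and record the headers
// each hop would have received.
function followRedirects(startUrl, headers, responses, maxRedirects = 5) {
  const hops = [{ url: startUrl, headers: lowerCaseKeys(headers) }];
  let current = hops[0];
  for (let n = 0; n < maxRedirects; n++) {
    const res = responses[current.url];
    if (!res || !res.location) return hops; // final response reached
    current = headersForRedirect(current.url, res.location, current.headers);
    hops.push(current);
  }
  throw new Error("too many redirects");
}

// Constructed scenario: same-origin hop, then a cross-origin hop to a CDN.
const RESPONSES = {
  "https://api.example.com/login":   { status: 302, location: "/session" },
  "https://api.example.com/session": { status: 302, location: "https://cdn.example.net/landing" },
  "https://cdn.example.net/landing": { status: 200 },
};
const REQUEST_HEADERS = {
  Authorization: "Bearer t0ken",
  Cookie: "sid=abc",
  "Proxy-Authorization": "Basic cHJveHk6cHc=",
  Accept: "application/json",
};

function runScenario() {
  return followRedirects("https://api.example.com/login", REQUEST_HEADERS, RESPONSES);
}
```

In the scenario the second hop (same origin) still carries all four headers, while the third hop to cdn.example.net carries only `accept`; a client missing any one name from the strip list would leak that credential to the redirect target.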